This article shows how to generate SSH keys on one machine and configure a different key per destination address, which is what you need when the same client talks to several Git services (or many servers) with different keys.
Generate SSH keys
ssh-keygen
Usually you want a separate key pair per account (one per e-mail address here). Both halves of each pair live under ~/.ssh. Pass -f so the second pair does not overwrite the first; without it ssh-keygen prompts for a file name and defaults to ~/.ssh/id_rsa:
mkdir -p ~/.ssh
chmod 700 ~/.ssh
cd ~/.ssh
ssh-keygen -t rsa -b 4096 -C "me@xiexianbin.cn" -f ~/.ssh/id_rsa_github   # key for GitHub; press Enter through the prompts (a passphrase is worth setting)
ssh-keygen -t rsa -b 4096 -C "10972072@qq.com" -f ~/.ssh/id_rsa_aliyun    # key for the Aliyun Git service
-b 4096 sets the RSA modulus size (current OpenSSH defaults to 3072, older releases to 2048); -C only sets the comment stored in the .pub file and has no effect on the key itself. ssh-keygen -t ed25519 produces a shorter, faster key with no size parameter to get wrong, and everything below works the same with it.
Add the private key to ssh-agent so the passphrase is asked only once per session:
ssh-add ~/.ssh/id_rsa
List the keys the agent currently holds:
ssh-add -l
If you get Could not open a connection to your authentication agent., no agent is reachable from this shell (SSH_AUTH_SOCK is not set). Start one and retry:
eval "$(ssh-agent -s)"
ssh-agent bash does the same by launching a new shell with the agent variables already exported.
PS: appending ~/.ssh/id_rsa.pub to .ssh/authorized_keys on the target machine enables public-key login to it; the private key never leaves the client.
Change the passphrase
ssh-keygen -f ~/.ssh/id_rsa -p   # -p re-encrypts the existing private key under a new passphrase; the public key is unchanged
Password-less login
ssh-copy-id -i ~/.ssh/id_rsa.pub $IP   # $IP is the remote server; answer yes to the host-key prompt and type the account password once, after that the key is used
This appends id_rsa.pub to ~/.ssh/authorized_keys on the remote host (a file, not a directory) and sets the permissions sshd expects. Without -i, ssh-copy-id installs whatever identities the agent lists, or the newest ~/.ssh/id*.pub, so name the key explicitly once several exist.
Configure a different key per server
~/.ssh now holds two key pairs. Paste the contents of id_rsa_aliyun.pub into the SSH keys page of the Aliyun Git service and the contents of id_rsa_github.pub into GitHub's SSH keys page, then create the client config file and fix permissions (ssh refuses to run with a config file that other users can write, and ignores a private key that other users can read):
touch ~/.ssh/config
chmod 700 ~/.ssh
chmod 600 ~/.ssh/*
Finally add the following to ~/.ssh/config. Keywords are case-insensitive, but the first value obtained for a keyword wins, so the specific Host blocks must come before any catch-all Host * block. IdentitiesOnly yes makes ssh offer only the IdentityFile named in the block; without it ssh first tries every key loaded in the agent, so the wrong account's key may authenticate first (GitHub maps each key to exactly one account) or the server's MaxAuthTries is exhausted and you get Too many authentication failures:
Host code.aliyun.com
    # User xiexianbin
    HostName code.aliyun.com
    Port 22
    IdentityFile ~/.ssh/id_rsa_aliyun
    IdentitiesOnly yes

Host github.com
    User git
    HostName github.com
    Port 22
    IdentityFile ~/.ssh/id_rsa_github
    IdentitiesOnly yes

Host 10.0.0.* 10.0.1.*
    Port 22
    IdentityFile ~/.ssh/id_rsa
    User root

Host vm1
    User root
    HostName 10.0.0.2
    Port 22
    IdentityFile ~/.ssh/id_rsa
With the vm1 alias in place, ssh vm1 logs straight into 10.0.0.2 as root. ssh -G vm1 prints the effective configuration for a destination without connecting, which is the quickest way to confirm which IdentityFile and User a Host block resolves to.
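To make the resolution rules above concrete, here is an added Python model of how ssh picks values from this file (example code written for this article, not the article's own or OpenSSH's code). It parses a constructed config of the same shape as the one above plus a trailing Host * block, applies the Host pattern matching and first-value-wins rules, shows that IdentityFile accumulates instead, and flags keywords that a Host * block placed too early would silently shadow. The host names and key paths in it are assumptions for the demo; on a real system ssh -G <host> prints the same effective values.

```python
"""Model of how OpenSSH resolves ~/.ssh/config for a destination.

Added example for this article; not code from the article or from OpenSSH.
Two rules matter when several keys are configured:
  * a block applies when the name typed on the command line matches one of
    its Host patterns ('*' and '?' wildcards, '!' negates a pattern);
  * the FIRST value obtained for a keyword wins, so a catch-all "Host *"
    must come last. IdentityFile is the exception: every match is appended,
    in file order, to the list of keys ssh will try.
"""
import fnmatch
from typing import Dict, List, Tuple

# Constructed sample: the article's blocks, trimmed, plus defaults at the end.
SAMPLE_CONFIG = """
Host github.com
    User git
    IdentityFile ~/.ssh/id_rsa_github
    IdentitiesOnly yes
Host 10.0.0.* 10.0.1.*
    Port 22
    IdentityFile ~/.ssh/id_rsa
    User root
Host vm1
    User root
    HostName 10.0.0.2
    IdentityFile ~/.ssh/id_rsa
Host *
    User xiexianbin
    Port 22
    IdentityFile ~/.ssh/id_ed25519
    IdentitiesOnly no
"""

# Same idea with the defaults first: "User git" below can never take effect.
MISORDERED_CONFIG = """
Host *
    User xiexianbin
    Port 22
Host github.com
    User git
    IdentityFile ~/.ssh/id_rsa_github
"""


def parse_blocks(text: str) -> List[Tuple[List[str], List[Tuple[str, str]]]]:
    """Split config text into (host_patterns, [(keyword, value), ...]) blocks.
    Lines before the first Host line form an implicit 'Host *' block."""
    blocks: List[Tuple[List[str], List[Tuple[str, str]]]] = [(["*"], [])]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # ssh accepts both "Keyword value" and "Keyword=value".
        if "=" in line and " " not in line.split("=", 1)[0]:
            key, value = line.split("=", 1)
        else:
            key, _, value = line.partition(" ")
        key, value = key.strip().lower(), value.strip()  # keywords are case-insensitive
        if key == "host":
            blocks.append((value.split(), []))
        else:
            blocks[-1][1].append((key, value))
    return blocks


def host_matches(patterns: List[str], host: str) -> bool:
    """True if some positive pattern matches and no negated ('!') pattern does."""
    negated = [p[1:] for p in patterns if p.startswith("!")]
    positive = [p for p in patterns if not p.startswith("!")]
    if any(fnmatch.fnmatchcase(host, p) for p in negated):
        return False
    return any(fnmatch.fnmatchcase(host, p) for p in positive)


def resolve(text: str, host: str) -> Dict[str, str]:
    """Effective keyword -> value map for `host`; first obtained value wins.
    'identityfile' holds every matching IdentityFile, comma-joined in the
    order ssh would try them (empty: ssh falls back to its built-in names)."""
    effective: Dict[str, str] = {}
    identity_files: List[str] = []
    for patterns, options in parse_blocks(text):
        if not host_matches(patterns, host):
            continue
        for key, value in options:
            if key == "identityfile":
                identity_files.append(value)
            elif key not in effective:
                effective[key] = value
    effective.setdefault("hostname", host)
    effective["identityfile"] = ",".join(identity_files)
    return effective


def shadowed_keys(text: str) -> List[Tuple[str, str]]:
    """(host_pattern, keyword) pairs that can never apply because an earlier
    'Host *' block already set that keyword. IdentityFile is additive, so it
    is never shadowed."""
    set_by_wildcard: set = set()
    dead: List[Tuple[str, str]] = []
    for patterns, options in parse_blocks(text):
        if patterns == ["*"]:
            set_by_wildcard.update(k for k, _ in options if k != "identityfile")
            continue
        dead.extend((" ".join(patterns), k) for k, _ in options if k in set_by_wildcard)
    return dead


if __name__ == "__main__":
    for name in ("github.com", "10.0.1.7", "vm1", "example.org"):
        r = resolve(SAMPLE_CONFIG, name)
        print(f"{name:12} user={r.get('user')} hostname={r['hostname']} "
              f"identitiesonly={r.get('identitiesonly')} keys={r['identityfile']}")
    print("shadowed in MISORDERED_CONFIG:", shadowed_keys(MISORDERED_CONFIG))
```

The output for github.com lists id_rsa_github first and the Host * default key second: with IdentitiesOnly yes both are still offered, in that order, so the account-specific key must be the first one in the file. Running shadowed_keys over your own config catches the misplaced-defaults mistake before a confusing Permission denied does.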
Test
Then test each destination with ssh. For GitHub a successful key login prints a greeting and closes the connection, because GitHub grants no shell:
ssh -T git@github.com
Debugging
If it does not work, turn on verbose output. For GitHub:
ssh -vT git@github.com
-v makes the client print its debug trace: which config files were read, which keys were offered and in what order, and which authentication methods the server accepted or rejected. -vv and -vvv add more detail. Read the trace to see exactly where authentication stops and fix that step.
Skipping the host-key confirmation
The following settings in ~/.ssh/config remove the Are you sure you want to continue connecting (yes/no)? prompt:
UserKnownHostsFile=/dev/null
StrictHostKeyChecking=no
LogLevel=ERROR
Then set the permissions:
chmod 400 ~/.ssh/config   # 600 is also accepted by ssh and keeps the file editable
Caveat: placed at the top of the file, these three lines disable host-key verification for every destination. The client then accepts any key, so a changed server key or a man-in-the-middle is no longer detected, and LogLevel=ERROR hides the warning that would otherwise tell you. Confine them to a Host block covering only throwaway lab addresses, and on OpenSSH 7.6 or later prefer StrictHostKeyChecking accept-new, which still records the key on first contact and refuses the connection if it later changes.
One-off login without the host-key check (no sudo is needed to run ssh, and under sudo ssh may read root's ~/.ssh/config instead of yours):
ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i .ssh/ssh_key.key ubuntu@10.0.0.1
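What the disabled check would have done is easy to see from the known_hosts format itself. The following is an added Python example (written for this article, not code from the article or from OpenSSH) that builds a known_hosts entry pinning a server's key, including the hashed host form that HashKnownHosts and ssh-keyscan -H write, and then makes the same decision ssh makes on every connection: known key, first contact, or mismatch. The key strings and addresses are constructed for the demo.

```python
"""Pin a server's host key instead of turning the check off.

Added example for this article, not code from the article or from OpenSSH.
It reproduces the known_hosts line format ssh reads on every connection:
    <host field> <key type> <base64 key>
where the host field is a plain name, a comma-separated list, "[host]:port"
for a non-default port, or, with HashKnownHosts yes, the hashed form
    |1|<base64 salt>|<base64 HMAC-SHA1(key=salt, message=host field)>
so the file does not reveal which servers you talk to. The keys below are
constructed strings, not real server keys.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed key material for the demo (not valid ed25519 keys).
PINNED_KEY = "AAAAC3NzaC1lZDI1NTE5AAAAIPinnedKeyForTheDemo0000000000000000000000"
ROGUE_KEY = "AAAAC3NzaC1lZDI1NTE5AAAAIRogueKeyFromAnAttacker00000000000000000000"


def host_token(host: str, port: int = 22) -> str:
    """known_hosts spells a non-default port as [host]:port."""
    return host if port == 22 else f"[{host}]:{port}"


def hashed_token(host: str, port: int = 22, salt: Optional[bytes] = None) -> str:
    """The |1|salt|hash form written by HashKnownHosts / ssh-keyscan -H."""
    salt = os.urandom(20) if salt is None else salt
    mac = hmac.new(salt, host_token(host, port).encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def token_matches(field: str, host: str, port: int = 22) -> bool:
    """Does a known_hosts host field (plain, list or hashed) cover host:port?"""
    want = host_token(host, port)
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), want.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    return want in field.split(",")


def make_entry(host: str, keytype: str, key_b64: str, port: int = 22, hashed: bool = True) -> str:
    """Build the line you would append to ~/.ssh/known_hosts to pin this key."""
    token = hashed_token(host, port) if hashed else host_token(host, port)
    return f"{token} {keytype} {key_b64}"


def check_host_key(known_hosts: str, host: str, keytype: str, key_b64: str, port: int = 22) -> str:
    """Decide what ssh decides: 'ok' (the pinned key was presented),
    'unknown' (no entry: first contact, which accept-new records) or
    'MISMATCH' (an entry exists but the server presented a different key:
    a changed host key or a man-in-the-middle, which StrictHostKeyChecking=no
    would silently accept). @cert-authority/@revoked marker lines are skipped."""
    seen = False
    for line in known_hosts.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#") or fields[0].startswith("@"):
            continue
        if len(fields) < 3 or fields[1] != keytype or not token_matches(fields[0], host, port):
            continue
        seen = True
        if fields[2] == key_b64:
            return "ok"
    return "MISMATCH" if seen else "unknown"


# Constructed known_hosts: one lab VM pinned hashed, one on port 2222 pinned plain.
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# pinned after comparing the fingerprint shown on the VM console",
    make_entry("10.0.0.1", "ssh-ed25519", PINNED_KEY),
    make_entry("10.0.0.2", "ssh-ed25519", PINNED_KEY, port=2222, hashed=False),
])

if __name__ == "__main__":
    print(SAMPLE_KNOWN_HOSTS)
    print(check_host_key(SAMPLE_KNOWN_HOSTS, "10.0.0.1", "ssh-ed25519", PINNED_KEY))  # ok
    print(check_host_key(SAMPLE_KNOWN_HOSTS, "10.0.0.1", "ssh-ed25519", ROGUE_KEY))   # MISMATCH
```

On a real system the equivalent of make_entry is ssh-keyscan -H 10.0.0.1 >> ~/.ssh/known_hosts, run after comparing the fingerprint it reports with ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub on the server's console; ssh-keygen -F 10.0.0.1 then finds the entry even in hashed form. That gives the lab VMs the same no-prompt experience without giving up the MISMATCH case.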
Auto-login script
Name the script after the host (here a file called 10.0.0.1), so that basename "$0" yields the address and one script body serves any number of hosts through copies or symlinks:
cat 10.0.0.1
#!/bin/sh
# Log in to the host this script is named after; extra arguments (e.g. a remote command) are passed on to ssh.
user="root"
host=$(basename "$0")
exec ssh -i ~/.ssh/id_rsa "$user@$host" "$@"
Advanced usage
Run several commands on a remote host
Quote the commands so they are sent as a single remote command string. -T skips pty allocation (no interactive terminal is needed), -C compresses the stream, and -o BatchMode=yes makes ssh fail immediately instead of prompting for a password or passphrase, which is what you want in scripts. c1 is a Host alias from ~/.ssh/config:
ssh -CT -o BatchMode=yes c1 'hostname; uptime; df -h /'
TCP port or Unix socket forwarding
$ man ssh
-C Requests compression of all data (including stdin, stdout, stderr, and data for forwarded X11, TCP and
UNIX-domain connections). The compression algorithm is the same used by gzip(1). Compression is
desirable on modem lines and other slow connections, but will only slow down things on fast networks.
The default value can be set on a host-by-host basis in the configuration files; see the Compression
option.
-g Allows remote hosts to connect to local forwarded ports. If used on a multiplexed connection, then
this option must be specified on the master process.
-L [bind_address:]port:host:hostport
-L [bind_address:]port:remote_socket
-L local_socket:host:hostport
-L local_socket:remote_socket
Specifies that connections to the given TCP port or Unix socket on the local (client) host are to be
forwarded to the given host and port, or Unix socket, on the remote side. This works by allocating a
socket to listen to either a TCP port on the local side, optionally bound to the specified
bind_address, or to a Unix socket. Whenever a connection is made to the local port or socket, the
connection is forwarded over the secure channel, and a connection is made to either host port
hostport, or the Unix socket remote_socket, from the remote machine.
Port forwardings can also be specified in the configuration file. Only the superuser can forward
privileged ports. IPv6 addresses can be specified by enclosing the address in square brackets.
By default, the local port is bound in accordance with the GatewayPorts setting. However, an explicit
bind_address may be used to bind the connection to a specific address. The bind_address of
“localhost” indicates that the listening port be bound for local use only, while an empty address or
‘*’ indicates that the port should be available from all interfaces.
-N Do not execute a remote command. This is useful for just forwarding ports.
Example: expose the remote host's port 5901 (a VNC server listening only on its loopback) on local port 5901:
ssh -v -CNg -L 5901:127.0.0.1:5901 root@ip -p 22
-N opens no shell, only the tunnel; -C compresses it. Caveat: -g binds the local listener on all interfaces, so any machine that can reach this client on port 5901 also gets a path to the VNC server through your tunnel. Drop -g (the listener then binds to loopback only) or give an explicit bind address such as -L 127.0.0.1:5901:127.0.0.1:5901 unless sharing the tunnel is intended.
Debug
Slow ssh connections
Two groups of settings on the server are the usual cause. Edit /etc/ssh/sshd_config and restart sshd:
UseDNS no   # stop sshd reverse-resolving every client address before authentication
# GSSAPI options: ssh -v xiexianbin@git.xiexianbin.cn showed the client spending a long time in gssapi-with-mic
GSSAPIAuthentication no
GSSAPICleanupCredentials no
GSSAPIAuthentication no also works on the client side, in ~/.ssh/config, when you cannot change the server.
w
shows who is logged in right now, useful to see whether a limit is being hit. The limits themselves live in sshd_config:
vim /etc/ssh/sshd_config
LoginGraceTime 2m   # how long an unauthenticated connection may take to finish logging in before sshd drops it
MaxAuthTries 6      # authentication attempts allowed per connection; every key the client offers counts, which is why IdentitiesOnly matters when many keys are loaded
MaxSessions 10      # open sessions (shells, channels) per network connection, not total logins; concurrent unauthenticated connections are capped by MaxStartups
last
shows recent logins from /var/log/wtmp; lastb shows failed ones from /var/log/btmp.
/var/log/secure
is the authentication log on RHEL/CentOS (Debian and Ubuntu use /var/log/auth.log); every accepted and failed ssh login lands here.
/etc/hosts.allow and /etc/hosts.deny
hold the TCP-wrapper address restrictions (the original wrote hosts.all, which is not a valid file name). Upstream OpenSSH dropped TCP-wrapper support in 6.7, so on a current system sshd may ignore these files entirely; use firewall rules or sshd Match Address blocks instead, and verify which mechanism your build honours.
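Reading /var/log/secure by eye stops scaling quickly, so here is an added Python example (written for this article, not code from the article or from any log tool) that runs simple detection logic over constructed sshd log lines in the format sshd writes: it counts failed and accepted logins per source address, notices the MaxAuthTries lockout message, and flags a password login that succeeded only after earlier failures from the same address. The addresses, user names and fingerprints in the sample are constructed.

```python
"""Spot ssh brute force and post-brute-force logins in /var/log/secure.

Added example for this article, not code from the article or from OpenSSH.
The log lines below are constructed in the format sshd writes (RHEL/CentOS
/var/log/secure; Debian's /var/log/auth.log has the same message bodies).
MaxAuthTries 6 shows up in the sample as "maximum authentication attempts
exceeded": the server cut that connection, but the attacker simply reconnected.
"""
import re
from collections import defaultdict
from typing import Dict, List

SAMPLE_SECURE_LOG = """\
Mar 12 10:01:02 vm1 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar 12 10:01:04 vm1 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar 12 10:01:06 vm1 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar 12 10:01:08 vm1 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar 12 10:01:10 vm1 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar 12 10:01:12 vm1 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar 12 10:01:12 vm1 sshd[2101]: error: maximum authentication attempts exceeded for invalid user admin from 203.0.113.5 port 51234 ssh2 [preauth]
Mar 12 10:01:12 vm1 sshd[2101]: Disconnecting invalid user admin 203.0.113.5 port 51234: Too many authentication failures [preauth]
Mar 12 10:03:30 vm1 sshd[2140]: Failed password for root from 203.0.113.5 port 51300 ssh2
Mar 12 10:03:35 vm1 sshd[2140]: Accepted password for root from 203.0.113.5 port 51300 ssh2
Mar 12 10:05:00 vm1 sshd[2188]: Accepted publickey for root from 10.0.0.1 port 40022 ssh2: ED25519 SHA256:constructed0000
Mar 12 10:07:41 vm1 sshd[2201]: Failed password for xiexianbin from 198.51.100.9 port 60001 ssh2
Mar 12 10:07:45 vm1 sshd[2201]: Accepted publickey for xiexianbin from 198.51.100.9 port 60001 ssh2: RSA SHA256:constructed0001
"""

# "Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2"
# "Accepted publickey for root from 10.0.0.1 port 40022 ssh2: ..."
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\w+) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)
# Written when a single connection burns through MaxAuthTries.
LOCKOUT_RE = re.compile(
    r"sshd\[\d+\]: error: maximum authentication attempts exceeded .* from (?P<ip>[\d.]+) port"
)


def new_stats() -> Dict:
    return {"failed": 0, "accepted": 0, "lockouts": 0, "invalid_users": set(),
            "users": set(), "accepted_methods": set(), "success_after_failures": False}


def analyze(log: str) -> Dict[str, Dict]:
    """Per source IP: failure/success counts, MaxAuthTries lockouts, user names
    tried, and whether a login succeeded after earlier failures from that IP."""
    stats: Dict[str, Dict] = defaultdict(new_stats)
    for line in log.splitlines():
        m = LOCKOUT_RE.search(line)
        if m:
            stats[m["ip"]]["lockouts"] += 1
            continue
        m = AUTH_RE.search(line)
        if not m:
            continue  # other sshd chatter (Disconnecting, session opened, ...)
        s = stats[m["ip"]]
        if m["result"] == "Failed":
            s["failed"] += 1
            (s["invalid_users"] if m["invalid"] else s["users"]).add(m["user"])
        else:
            s["accepted"] += 1
            s["accepted_methods"].add(m["method"])
            s["users"].add(m["user"])
            if s["failed"]:
                s["success_after_failures"] = True
    return dict(stats)


def findings(log: str, threshold: int = 5) -> List[str]:
    """Alerts: brute force (>= threshold failures or any lockout) and a
    password login that succeeded after failures, which is what a successful
    guess looks like. A key login after a failed password is normal and is
    not flagged."""
    out: List[str] = []
    for ip, s in sorted(analyze(log).items()):
        if s["failed"] >= threshold or s["lockouts"]:
            out.append(f"{ip}: {s['failed']} failed logins, {s['lockouts']} MaxAuthTries lockouts, "
                       f"invalid users tried: {sorted(s['invalid_users'])} (brute force)")
        if s["success_after_failures"] and "password" in s["accepted_methods"]:
            out.append(f"{ip}: password login as {sorted(s['users'])} succeeded after "
                       f"{s['failed']} failures (check for compromise)")
    return out


if __name__ == "__main__":
    for alert in findings(SAMPLE_SECURE_LOG):
        print(alert)
```

Run against the real file with findings(open("/var/log/secure").read()). The second alert is the one that matters: MaxAuthTries only slows a guesser down per connection, so a password that eventually works shows up as an Accepted password right after a run of failures, which is the moment to disable PasswordAuthentication in sshd_config and rotate the account's password.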
ssh connection timeouts
When an idle connection is dropped (usually by a NAT device or firewall that has forgotten the flow), the ssh console shows:
client_loop: send disconnect: Broken pipe
- Make the client send keepalives, on the command line:
ssh -o ServerAliveInterval=600 xxx
- Or append the setting to the config file (note >> for append; the original had >>>, which is a shell syntax error):
echo "ServerAliveInterval 600" >> ~/.ssh/config
Caveat: a keyword appended to the end of ~/.ssh/config belongs to whatever Host block ends the file, so it applies only to those hosts.
- Or, to make it global, put it in a Host * block in ~/.ssh/config (after the specific blocks, since the first value wins):
Host *
    ServerAliveInterval 600
ServerAliveInterval is the number of idle seconds after which the client sends a keepalive request through the encrypted channel; NAT tables often expire faster than 600 s, so a value around 60 is common in practice.
Server side, edit /etc/ssh/sshd_config and restart sshd for it to take effect:
# seconds of client inactivity after which sshd sends a keepalive request
ClientAliveInterval 200
# number of unanswered keepalives after which sshd closes the connection (here 3 x 200 s = 10 minutes of silence)
ClientAliveCountMax 3