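  • Setting up passwordless SSH login

    Passwordless login between two machines

    To make operations work more efficient, one machine is sometimes set up so that it can log in to a number of other hosts without a password.

    Lab environment:

    Host A 192.168.100.200, user root

    Host B 192.168.100.201, user root

    Host C 192.168.100.202, user osmgr

    Goal: let the root user on host A log in without a password as root on host B and as osmgr on host C.

    Steps:

    1. On host A, as root, generate a public/private key pair. By default there is no .ssh directory under /root/.

      ssh-keygen -t rsa/dsa: this command creates the /root/.ssh/ directory and two files in it, id_rsa and id_rsa.pub

      id_rsa: private key file

      id_rsa.pub: public key file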

    [root@Base01]# ssh-keygen -t rsa
    Generating public/private rsa key pair.
    Enter file in which to save the key (/root/.ssh/id_rsa): 
    /root/.ssh/id_rsa already exists.
    Overwrite (y/n)? y
    Enter passphrase (empty for no passphrase): 
    Enter same passphrase again: 
    Your identification has been saved in /root/.ssh/id_rsa.
    Your public key has been saved in /root/.ssh/id_rsa.pub.
    [root@Base01 .ssh]# ll
    -rw------- 1 root root  1679 Dec 14 11:26 id_rsa
    -rw-r--r-- 1 root root   393 Dec 14 11:26 id_rsa.pub
    [root@Base01 .ssh]# cat id_rsa.pub 
    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUZyOIhydUU42tT7JoUh8x8N4ftzd2NVIp/uIk+vxOYag7w0NC0dRX9evsiaF5Gnt8UHIwUuPilcwG5lZIqSqn2zmENrMpCRr4vh4bhroPkMiznKg3Kr6wA3mnIgjnmc/dCHo3eGuX8tyZZXVRrtjjeATNlAhQociUjhlc48LQFhqGNHv73th7IKKkcXDZMk+OSr2jtNfSy5q/meBMYD4OnTIZVGt0TYnKZVL4chaXoEjYqVU/SzHIGx+JJkkN/IW7Z7AeivIMv7JNiPeseWch4//+G0VXVoEabfHeU7qhWIDEkFB9/6p1j5y4mvxhWIkx3YgCbguJFWSDvDKsmxJB root@Base01
    
    
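    2. Copy host A's public key to the root user on host B and to the root and osmgr users on host C

      Two methods can be used:

      a. The public key file id_rsa.pub is plain text, so its contents can be copied directly into the home directory of the corresponding user.

      Host A: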
      [root@Base01 .ssh]# pwd
      /root/.ssh
      [root@Base01 .ssh]# ls
      id_rsa  id_rsa.pub  known_hosts
      [root@Base01 .ssh]# cat id_rsa.pub 
      ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUZyOIhydUU42tT7JoUh8x8N4ftzd2NVIp/uIk+vxOYag7w0NC0dRX9evsiaF5Gnt8UHIwUuPilcwG5lZIqSqn2zmENrMpCRr4vh4bhroPkMiznKg3Kr6wA3mnIgjnmc/dCHo3eGuX8tyZZXVRrtjjeATNlAhQociUjhlc48LQFhqGNHv73th7IKKkcXDZMk+OSr2jtNfSy5q/meBMYD4OnTIZVGt0TYnKZVL4chaXoEjYqVU/SzHIGx+JJkkN/IW7Z7AeivIMv7JNiPeseWch4//+G0VXVoEabfHeU7qhWIDEkFB9/6p1j5y4mvxhWIkx3YgCbguJFWSDvDKsmxJB root@Base01
      
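      Host B:
      Create a .ssh directory under /root/ on the host; skip this step if it already exists.
      Then create the authorized_keys file and copy host A's public key into it.
      Pay attention to the permissions of the .ssh directory and the authorized_keys file: the former must be 700, the latter 600.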
      [root@docker01 ~]# cd /root/.ssh/
      [root@docker01 ~]# touch authorized_keys
      [root@docker01 .ssh]# ll
      total 4
      -rw------- 1 root root 393 Dec 14 14:06 authorized_keys
      [root@docker01 .ssh]# cat authorized_keys 
      ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUZyOIhydUU42tT7JoUh8x8N4ftzd2NVIp/uIk+vxOYag7w0NC0dRX9evsiaF5Gnt8UHIwUuPilcwG5lZIqSqn2zmENrMpCRr4vh4bhroPkMiznKg3Kr6wA3mnIgjnmc/dCHo3eGuX8tyZZXVRrtjjeATNlAhQociUjhlc48LQFhqGNHv73th7IKKkcXDZMk+OSr2jtNfSy5q/meBMYD4OnTIZVGt0TYnKZVL4chaXoEjYqVU/SzHIGx+JJkkN/IW7Z7AeivIMv7JNiPeseWch4//+G0VXVoEabfHeU7qhWIDEkFB9/6p1j5y4mvxhWIkx3YgCbguJFWSDvDKsmxJB root@Base01
      

      b. Use the ssh-copy-id command

      For host C, use the ssh-copy-id command.
      On host A, run ssh-copy-id osmgr@192.168.100.202
      Host A:
      [root@Base01 .ssh]# ssh-copy-id osmgr@192.168.100.202  # copies root's public key into the authorized_keys file in the .ssh directory under osmgr's home directory on 192.168.100.202
      /usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
      The authenticity of host '192.168.100.202 (192.168.100.202)' can't be established.
      ECDSA key fingerprint is SHA256:CmTnWB7CXjAc288vV5bv1SZO1KNkgSh46l3EMBUqIHk.
      ECDSA key fingerprint is MD5:f0:a7:55:a1:17:f6:83:c4:69:24:04:14:c1:70:3d:0c.
      Are you sure you want to continue connecting (yes/no)? yes
      /usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
      /usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
      osmgr@192.168.100.202's password: 
      Permission denied, please try again.
      osmgr@192.168.100.202's password: 
      Number of key(s) added: 1
      Now try logging into the machine, with:   "ssh 'osmgr@192.168.100.202'"
      and check to make sure that only the key(s) you wanted were added.
      
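      # Running ssh-copy-id also records the target host's ECDSA host key (the one whose fingerprint was confirmed above) in /root/.ssh/known_hosts on this host.
      # The next time ssh connects to the target host, the host key is checked against this entry, and a warning is issued if it does not match.
      [root@Base01 .ssh]# ll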
      total 12
      -rw------- 1 root root 1679 Dec 14 11:26 id_rsa
      -rw-r--r-- 1 root root  393 Dec 14 11:26 id_rsa.pub
      -rw-r--r-- 1 root root  177 Dec 14 11:34 known_hosts
      [root@Base01 .ssh]# cat known_hosts 
      192.168.100.212 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBL3JnaKe0guEZv/G6DU6GZLyZ1q0nfx1Ya6Es1FlE59UgR+yobg0spNL/xb2A+cZ+TEdwcRRDD6TOyVEdPNAsdk=
      
      After ssh-copy-id has run, the osmgr user on 192.168.100.202 can be logged in to without a password, but logging in as root on 192.168.100.202 still requires a password.
      [root@Base01 .ssh]# ssh 192.168.100.202
      root@192.168.100.212's password: 
      [root@Base01 .ssh]# ssh osmgr@192.168.100.202
      Last login: Mon Dec 14 11:38:58 2020 from 10.36.17.53
      [osmgr@git01 ~]$ 
      
      Host C:
      The only change on host C is that a /home/osmgr/.ssh/ directory was created on its behalf, containing an authorized_keys file that holds host A's public key.
      [root@git01 .ssh]# pwd
      /home/osmgr/.ssh
      [root@git01 .ssh]# ll
      total 4
      -rw------- 1 osmgr osmgr 393 Dec 14 13:23 authorized_keys
      [root@git01 .ssh]# cat authorized_keys 
      ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUZyOIhydUU42tT7JoUh8x8N4ftzd2NVIp/uIk+vxOYag7w0NC0dRX9evsiaF5Gnt8UHIwUuPilcwG5lZIqSqn2zmENrMpCRr4vh4bhroPkMiznKg3Kr6wA3mnIgjnmc/dCHo3eGuX8tyZZXVRrtjjeATNlAhQociUjhlc48LQFhqGNHv73th7IKKkcXDZMk+OSr2jtNfSy5q/meBMYD4OnTIZVGt0TYnKZVL4chaXoEjYqVU/SzHIGx+JJkkN/IW7Z7AeivIMv7JNiPeseWch4//+G0VXVoEabfHeU7qhWIDEkFB9/6p1j5y4mvxhWIkx3YgCbguJFWSDvDKsmxJB root@Base01
      
    3. Why does copying host A's public key to host B and host C make passwordless login possible?
      Password-based login

      Key-based authentication login
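
Method a from step 2, written as a repeatable script (an added example, not part of the original article): it creates .ssh and authorized_keys with the 700/600 modes the article calls for, appends the key only once, and verifies the modes afterwards. The function names install_pubkey and check_ssh_perms, the constructed key line, and the use of GNU stat -c are assumptions of this example.

```shell
#!/bin/sh
# Added example: hypothetical helpers for installing a public key by hand.
# sshd's StrictModes (on by default) refuses to use authorized_keys when the
# file or its directories are too open, hence the 700/600 modes.

# install_pubkey HOME_DIR "PUBKEY LINE"
# Returns 2 for input that is not a single public-key line, 1 on I/O errors.
install_pubkey() {
    home_dir=$1
    pubkey=$2
    ssh_dir="$home_dir/.ssh"
    auth="$ssh_dir/authorized_keys"
    nl='
'
    case $pubkey in
        *"$nl"*) return 2 ;;   # an embedded newline would add extra entries
        ssh-rsa\ AAAA*|ssh-ed25519\ AAAA*|ecdsa-sha2-nistp*\ AAAA*) ;;
        *) return 2 ;;         # not "type base64 [comment]"
    esac
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1
    # -x -F: whole-line, fixed-string match, so re-running adds no duplicate.
    if ! grep -qxF -- "$pubkey" "$auth"; then
        printf '%s\n' "$pubkey" >> "$auth" || return 1
    fi
}

# check_ssh_perms HOME_DIR
# Succeeds only if .ssh is 700 and authorized_keys is 600 (GNU stat assumed).
check_ssh_perms() {
    d=$(stat -c '%a' "$1/.ssh") || return 1
    f=$(stat -c '%a' "$1/.ssh/authorized_keys") || return 1
    [ "$d" = 700 ] && [ "$f" = 600 ]
}

# Demo in a throwaway directory with a constructed (not real) key line.
demo_home=$(mktemp -d)
demo_key='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABconstructedSampleOnly root@Base01'
install_pubkey "$demo_home" "$demo_key"
install_pubkey "$demo_home" "$demo_key"   # second run: no duplicate entry
if check_ssh_perms "$demo_home"; then
    echo "modes ok, entries: $(grep -c '' "$demo_home/.ssh/authorized_keys")"
fi
rm -rf "$demo_home"
```

On a real target, HOME_DIR is the home directory of the account being logged in to (/root on host B in the article), and the script is run as that account so ownership is correct.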

  • Original article: https://www.cnblogs.com/atwo/p/14133026.html