Setting up passwordless SSH login between two machines
For operational efficiency, one machine is sometimes set up so that it can log in to some of the other hosts without a password.
Lab environment:
Host A 192.168.100.200, user root
Host B 192.168.100.201, user root
Host C 192.168.100.202, user osmgr
Goal: let the root user on host A log in without a password as root on host B and as osmgr on host C
Steps:
-
On host A, as root, generate a key pair. By default /root/ has no .ssh directory.
ssh-keygen -t rsa creates the /root/.ssh/ directory and two files in it, id_rsa and id_rsa.pub (with -t ed25519 the files are id_ed25519 and id_ed25519.pub; do not use -t dsa, which OpenSSH has deprecated since 7.0 and recent releases no longer accept). The transcript below leaves the passphrase empty, which is what makes the later logins unattended; the price is that anyone who can read /root/.ssh/id_rsa on host A can log in wherever the public key is installed, so that file must stay on host A and keep its 600 mode.
id_rsa: private key (never leaves host A)
id_rsa.pub: public key (this is what gets copied to the other hosts)
[root@Base01]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
/root/.ssh/id_rsa already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
[root@Base01 .ssh]# ll
-rw------- 1 root root 1679 Dec 14 11:26 id_rsa
-rw-r--r-- 1 root root 393 Dec 14 11:26 id_rsa.pub
[root@Base01 .ssh]# cat id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUZyOIhydUU42tT7JoUh8x8N4ftzd2NVIp/uIk+vxOYag7w0NC0dRX9evsiaF5Gnt8UHIwUuPilcwG5lZIqSqn2zmENrMpCRr4vh4bhroPkMiznKg3Kr6wA3mnIgjnmc/dCHo3eGuX8tyZZXVRrtjjeATNlAhQociUjhlc48LQFhqGNHv73th7IKKkcXDZMk+OSr2jtNfSy5q/meBMYD4OnTIZVGt0TYnKZVL4chaXoEjYqVU/SzHIGx+JJkkN/IW7Z7AeivIMv7JNiPeseWch4//+G0VXVoEabfHeU7qhWIDEkFB9/6p1j5y4mvxhWIkx3YgCbguJFWSDvDKsmxJB root@Base01
-
Copy host A's public key to the root user on host B and to the osmgr user on host C.
Two methods are available:
a. The public key file id_rsa.pub is plain text and not secret, so its content can simply be pasted, as a single line, into ~/.ssh/authorized_keys under the target user's home directory.
Host A:
[root@Base01 .ssh]# pwd
/root/.ssh
[root@Base01 .ssh]# ls
id_rsa  id_rsa.pub  known_hosts
[root@Base01 .ssh]# cat id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUZyOIhydUU42tT7JoUh8x8N4ftzd2NVIp/uIk+vxOYag7w0NC0dRX9evsiaF5Gnt8UHIwUuPilcwG5lZIqSqn2zmENrMpCRr4vh4bhroPkMiznKg3Kr6wA3mnIgjnmc/dCHo3eGuX8tyZZXVRrtjjeATNlAhQociUjhlc48LQFhqGNHv73th7IKKkcXDZMk+OSr2jtNfSy5q/meBMYD4OnTIZVGt0TYnKZVL4chaXoEjYqVU/SzHIGx+JJkkN/IW7Z7AeivIMv7JNiPeseWch4//+G0VXVoEabfHeU7qhWIDEkFB9/6p1j5y4mvxhWIkx3YgCbguJFWSDvDKsmxJB root@Base01
Host B:
Under /root/ on host B, create a .ssh directory (skip this step if it already exists), then create an authorized_keys file and paste host A's public key into it. Pay attention to the permissions: the .ssh directory must be 700 and authorized_keys must be 600. With sshd's default StrictModes, a home directory, .ssh directory or authorized_keys file that is writable by group or others is silently ignored, and the login falls back to a password prompt with no hint as to why.
[root@docker01 ~]# cd /root/.ssh/
[root@docker01 ~]# touch authorized_keys
[root@docker01 .ssh]# ll
total 4
-rw------- 1 root root 393 Dec 14 14:06 authorized_keys
[root@docker01 .ssh]# cat authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUZyOIhydUU42tT7JoUh8x8N4ftzd2NVIp/uIk+vxOYag7w0NC0dRX9evsiaF5Gnt8UHIwUuPilcwG5lZIqSqn2zmENrMpCRr4vh4bhroPkMiznKg3Kr6wA3mnIgjnmc/dCHo3eGuX8tyZZXVRrtjjeATNlAhQociUjhlc48LQFhqGNHv73th7IKKkcXDZMk+OSr2jtNfSy5q/meBMYD4OnTIZVGt0TYnKZVL4chaXoEjYqVU/SzHIGx+JJkkN/IW7Z7AeivIMv7JNiPeseWch4//+G0VXVoEabfHeU7qhWIDEkFB9/6p1j5y4mvxhWIkx3YgCbguJFWSDvDKsmxJB root@Base01
b. Use the ssh-copy-id command
For host C, run ssh-copy-id osmgr@192.168.100.202 on host A. The command appends root's public key to the authorized_keys file in the .ssh directory of osmgr's home on 192.168.100.202, creating the directory and file with the correct permissions if they do not exist, and skipping any key that is already installed. Because host A has never connected to host C before, ssh first shows host C's host-key fingerprint and asks whether to continue; this is the one moment where a man-in-the-middle could substitute its own host key, so compare the fingerprint against one obtained from the host itself (on its console or over an existing trusted session) before answering yes. The first password attempt in the transcript was mistyped ("Permission denied, please try again."), and ssh-copy-id simply prompted again.
Host A:
[root@Base01 .ssh]# ssh-copy-id osmgr@192.168.100.202
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '192.168.100.202 (192.168.100.202)' can't be established.
ECDSA key fingerprint is SHA256:CmTnWB7CXjAc288vV5bv1SZO1KNkgSh46l3EMBUqIHk.
ECDSA key fingerprint is MD5:f0:a7:55:a1:17:f6:83:c4:69:24:04:14:c1:70:3d:0c.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
osmgr@192.168.100.202's password:
Permission denied, please try again.
osmgr@192.168.100.202's password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'osmgr@192.168.100.202'"
and check to make sure that only the key(s) you wanted were added.
Running ssh-copy-id also stored host C's ECDSA host public key (the whole key, not only its fingerprint) in /root/.ssh/known_hosts on host A. On every later ssh connection to that host, the key the server presents is compared against this entry; if it differs, ssh prints a "REMOTE HOST IDENTIFICATION HAS CHANGED" warning and refuses to connect, so after a legitimate reinstall of the target the stale entry has to be removed deliberately rather than the warning worked around.
[root@Base01 .ssh]# ll
total 12
-rw------- 1 root root 1679 Dec 14 11:26 id_rsa
-rw-r--r-- 1 root root 393 Dec 14 11:26 id_rsa.pub
-rw-r--r-- 1 root root 177 Dec 14 11:34 known_hosts
[root@Base01 .ssh]# cat known_hosts
192.168.100.202 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBL3JnaKe0guEZv/G6DU6GZLyZ1q0nfx1Ya6Es1FlE59UgR+yobg0spNL/xb2A+cZ+TEdwcRRDD6TOyVEdPNAsdk=
After ssh-copy-id finishes, root on host A can log in to osmgr on 192.168.100.202 without a password, but logging in as root on 192.168.100.202 still asks for one, because the key was installed only in osmgr's authorized_keys, not root's:
[root@Base01 .ssh]# ssh 192.168.100.202
root@192.168.100.202's password:
[root@Base01 .ssh]# ssh osmgr@192.168.100.202
Last login: Mon Dec 14 11:38:58 2020 from 10.36.17.53
[osmgr@git01 ~]$
Host C:
The only change on host C is that a /home/osmgr/.ssh/ directory was created on its behalf, containing an authorized_keys file that holds host A's public key:
[root@git01 .ssh]# pwd
/home/osmgr/.ssh
[root@git01 .ssh]# ll
total 4
-rw------- 1 osmgr osmgr 393 Dec 14 13:23 authorized_keys
[root@git01 .ssh]# cat authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUZyOIhydUU42tT7JoUh8x8N4ftzd2NVIp/uIk+vxOYag7w0NC0dRX9evsiaF5Gnt8UHIwUuPilcwG5lZIqSqn2zmENrMpCRr4vh4bhroPkMiznKg3Kr6wA3mnIgjnmc/dCHo3eGuX8tyZZXVRrtjjeATNlAhQociUjhlc48LQFhqGNHv73th7IKKkcXDZMk+OSr2jtNfSy5q/meBMYD4OnTIZVGt0TYnKZVL4chaXoEjYqVU/SzHIGx+JJkkN/IW7Z7AeivIMv7JNiPeseWch4//+G0VXVoEabfHeU7qhWIDEkFB9/6p1j5y4mvxhWIkx3YgCbguJFWSDvDKsmxJB root@Base01
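The following script is an added example and not part of the original page. It puts the target-side work that both methods above depend on into functions and exercises them against a throwaway directory standing in for /home/osmgr, so it runs offline: an idempotent install into authorized_keys with the 700/600 modes, and an audit that reproduces the writability checks sshd applies under StrictModes, which is the reason a hand-pasted key (method a) can silently "not work". The sample public key string is constructed and is not a real key; the push_key wrapper only calls the real ssh-copy-id against the lab targets and is not run by the local walk-through; stat -c assumes GNU coreutils as found on the lab hosts.

```shell
#!/bin/sh
# Added example, not from the original page. Runs locally against a throwaway
# directory so the file handling both methods in step 2 depend on can be checked
# without a second host. Assumes GNU coreutils (stat -c), as on the lab hosts.

# Constructed sample public key for the demo (not a real key). In the lab this
# would be the content of /root/.ssh/id_rsa.pub on host A.
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDemoKeyMaterialNotARealKey000000000 root@Base01'

# install_authorized_key HOME_DIR 'type base64 comment'
# What ssh-copy-id does on the target, and what method a must do by hand:
# ~/.ssh with mode 700, ~/.ssh/authorized_keys with mode 600, and the key
# appended only if it is not already there, so re-running adds no duplicates.
install_authorized_key() {
    home=$1; key=$2
    mkdir -p "$home/.ssh"
    chmod 700 "$home/.ssh"
    touch "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"
    # Match on key type and blob only; the trailing comment is not part of the key.
    blob=$(printf '%s\n' "$key" | awk '{print $1, $2}')
    if ! awk -v b="$blob" '($1 " " $2) == b { found = 1 } END { exit !found }' \
            "$home/.ssh/authorized_keys"; then
        printf '%s\n' "$key" >> "$home/.ssh/authorized_keys"
    fi
}

# count_keys HOME_DIR -> number of key lines in authorized_keys
count_keys() {
    grep -c -E '^(ssh-|ecdsa-|sk-)' "$1/.ssh/authorized_keys" || true
}

# audit_strictmodes HOME_DIR
# The writability checks sshd applies with StrictModes yes (its default): the
# home directory, ~/.ssh and authorized_keys must exist and must not be writable
# by group or others. Prints the first violation and returns 1; returns 0 if key
# login would be allowed to proceed. (sshd additionally checks ownership, which
# a local demo running as one user cannot exercise.)
audit_strictmodes() {
    home=$1
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "missing: $p"; return 1
        fi
        mode=$(stat -c '%a' "$p")           # e.g. 700, 600, 664
        grp=$(( (mode / 10) % 10 ))         # group permission digit
        oth=$(( mode % 10 ))                # other permission digit
        if [ $(( grp & 2 )) -ne 0 ] || [ $(( oth & 2 )) -ne 0 ]; then
            echo "writable by group or others (mode $mode): $p"; return 1
        fi
    done
    return 0
}

# push_key PUBKEY_FILE USER@HOST...
# The real remote step for the lab targets; on host A:
#   push_key /root/.ssh/id_rsa.pub root@192.168.100.201 osmgr@192.168.100.202
# ssh-copy-id performs install_authorized_key over the connection and filters
# out keys that are already present, as the transcript above shows.
push_key() {
    pub=$1; shift
    for target in "$@"; do
        ssh-copy-id -i "$pub" "$target"
    done
}

# Local walk-through standing in for /home/osmgr on host C.
demo=$(mktemp -d)
install_authorized_key "$demo" "$SAMPLE_PUBKEY"
install_authorized_key "$demo" "$SAMPLE_PUBKEY"       # second run is a no-op
echo "keys installed: $(count_keys "$demo")"           # 1, not 2
audit_strictmodes "$demo" && echo "permissions OK, key login would proceed"
chmod 664 "$demo/.ssh/authorized_keys"                 # the classic method-a mistake
audit_strictmodes "$demo" || echo "sshd would ignore the file and ask for a password"
rm -rf "$demo"
```

Run it with sh on any Linux box; the walk-through needs no network. When a key pasted by hand does not work, running audit_strictmodes against the target user's home is faster than reading sshd's debug output, since StrictModes failures produce no message on the client side at all.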
-
Why does copying host A's public key to hosts B and C make passwordless login work?
Login with a password
Login with key authentication