  • CentOS 7 passwordless login

    This article is reposted from: https://www.cnblogs.com/hobinly/p/6039844.html

    Example environment

       Centos7  192.168.1.101 master

       Centos7 192.168.1.102 slave

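    openssl is already installed

    1. Check hostnames and connectivity [run as root]

    On master, check whether the file "/etc/hostname" is set to "master". If the file is empty, add "master"; after adding it, the file reads: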

    master

    Run ping slave. If the ping fails, check whether the file "/etc/hosts" has an entry that resolves slave, for example:

    127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
    ::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
    192.168.1.101 master
    192.168.1.102 slave

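    On slave, likewise check the hostname "slave" and the address resolution for master.

    Make sure that ping slave succeeds on master and that ping master succeeds on slave.

    2. Modify the ssh configuration [run as root]

    Open /etc/ssh/sshd_config [vi /etc/ssh/sshd_config] and enable ssh key (public-key) login: find the commented-out settings [#RSAAuthentication yes, #PubkeyAuthentication yes] and remove the leading "#", for example: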

    RSAAuthentication yes
    PubkeyAuthentication yes
    
    # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
    # but this is overridden so installations will only check .ssh/authorized_keys
    AuthorizedKeysFile      .ssh/authorized_keys

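    The file also shows AuthorizedKeysFile      .ssh/authorized_keys, meaning the keys are stored in the authorized_keys file inside the ".ssh" folder.

    3. Create the same user on both master and slave; the user test is used as the example below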

    [root@slave ~]# useradd test -p test
    [root@slave ~]# echo test | passwd --stdin test
    Changing password for user test.
    passwd: all authentication tokens updated successfully.

    4. Generate the ssh key files

    Log in to master as test, create the folder ".ssh" [mkdir .ssh], cd into the .ssh folder, run "ssh-keygen -t rsa" and press Enter at every prompt, for example:

    [test@master .ssh]$ ssh-keygen -t rsa
    Generating public/private rsa key pair.
    Enter file in which to save the key (/home/test/.ssh/id_rsa):[Enter]
    Enter passphrase (empty for no passphrase):[Enter]
    Enter same passphrase again:[Enter]
    Your identification has been saved in /home/test/.ssh/id_rsa.
    Your public key has been saved in /home/test/.ssh/id_rsa.pub.
    The key fingerprint is:
    e4:37:20:54:19:26:d0:39:34:b3:79:cb:00:6b:c9:e5 test@master
    The key's randomart image is:
    +--[ RSA 2048]----+
    |    o+Bo+o       |
    |   . B+B.        |
    |    = E.+        |
    |   .   B o       |
    |        S o      |
    |         . .     |
    |                 |
    |                 |
    |                 |
    +-----------------+
    [test@master .ssh]$

    List the files in the ".ssh" folder; master's private key id_rsa and public key id_rsa.pub have been generated:

    [test@master .ssh]$ ls
    id_rsa  id_rsa.pub

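    Log in to slave as test and do the same to generate slave's private key id_rsa and public key id_rsa.pub.

    5. Merge the id_rsa.pub files and append them to the authorized_keys file

    Log in to master as test and, in the ".ssh" folder, run "scp id_rsa.pub  test@slave:~/.ssh/authorized_keys" to copy master's public key id_rsa.pub to .ssh/authorized_keys on slave (this replaces any authorized_keys file already on slave).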

    [test@master .ssh]$ scp id_rsa.pub test@slave:~/.ssh/authorized_keys
    The authenticity of host 'slave (192.168.1.102)' can't be established.
    ECDSA key fingerprint is b5:9e:ca:16:64:66:08:3b:9b:f4:be:5b:9f:f2:fc:a7.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added 'slave,192.168.1.102' (ECDSA) to the list of known hosts.
    test@slave's password:
    id_rsa.pub                                    100%  395     0.4KB/s   00:00
    [test@master .ssh]$

    Log in to slave as test and, in the ".ssh" folder, run "cat id_rsa.pub >> authorized_keys" to append slave's public key id_rsa.pub to slave's authorized_keys file. Check the file "authorized_keys"; its contents look like this:

    ssh-rsa ******OfQi3v6lxMGIv/VWgcK5EaYRilz4/XPAmbjxGpFV8nD/JbTrK36v1zsx6TmyckIEfoHU9FvuQoJapxhH/bBSsXix2EWv8UsOCyp test@master
    ssh-rsa ******knrMMPON0FrTnjhv3hS5ZAPCEad36ah5lyeOtix2Sr2ug0YP6Ai0iT6Jd04hcUAKF21PBMybvlBYxzAfEr5vBxNBp2Ijwlvp1zP test@slave1

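    Note: the keys are too long to show in full, so the omitted part is replaced with "******".

    In the ".ssh" folder on slave, copy authorized_keys to the test user on master with the command "scp authorized_keys test@master:~/.ssh/". The ".ssh" folder on master now contains the same authorized_keys file as slave.

    6. Test the login

    On master, logged in as test, run "ssh slave".

    On slave, logged in as test, run "ssh master".

    If every ssh login still asks for a password, just as before passwordless login was configured, fix the access permissions on the .ssh folder and assign ownership to the login user.

    Assuming the login to master is the one that fails, do the following on master: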

    [root@master ~]# chown test: /home/test/.ssh
    [root@master ~]# chown test: /home/test/.ssh/*
    [root@master ~]# chmod 700 /home/test/.ssh
    [root@master ~]# chmod 600 /home/test/.ssh/*
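
    The permission fix in step 6 can be checked before and after with a small audit script. This is an added example, not part of the original post; the function name check_ssh_perms is hypothetical and the script assumes GNU stat, as shipped with CentOS.

```shell
#!/bin/sh
# Added example (not from the original post). check_ssh_perms is a
# hypothetical helper name; it relies on GNU stat (stat -c).
# With StrictModes (the sshd default), authorized_keys is ignored unless the
# home directory, ~/.ssh and the file itself are owned by the user (or root)
# and are not writable by group or others.
check_ssh_perms() {
    home=$1; uid=$2; bad=0
    for path in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$path" ]; then
            echo "MISSING  $path"; bad=$((bad + 1)); continue
        fi
        owner=$(stat -c '%u' "$path")   # numeric owner id
        mode=$(stat -c '%a' "$path")    # octal mode, e.g. 700
        if [ "$owner" != "$uid" ] && [ "$owner" != "0" ]; then
            echo "OWNER    $path: uid $owner, expected $uid"
            bad=$((bad + 1))
        fi
        if [ $(( 0$mode & 022 )) -ne 0 ]; then   # 022 = group/other write
            echo "WRITABLE $path: mode $mode"
            bad=$((bad + 1))
        fi
    done
    # The ssh client, not sshd, checks the private key: it refuses to use a
    # key file that group or others can access at all.
    key="$home/.ssh/id_rsa"
    if [ -e "$key" ]; then
        mode=$(stat -c '%a' "$key")
        if [ $(( 0$mode & 077 )) -ne 0 ]; then
            echo "EXPOSED  $key: mode $mode"
            bad=$((bad + 1))
        fi
    fi
    return "$bad"   # number of findings; 0 means nothing was flagged
}

# Run as: sh check_ssh_perms.sh /home/test "$(id -u test)"
if [ "$#" -eq 2 ]; then
    check_ssh_perms "$1" "$2"
fi
```

    Each finding names the path to fix with the chown and chmod commands above; an exit status of 0 means none of these checks failed.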
  • Original URL: https://www.cnblogs.com/wpcnblog/p/9132293.html