Setting up passwordless SSH login
阿新 • Published: 2020-12-14
Passwordless login between two machines
For operational efficiency, one machine is sometimes set up so that it can log in to some of the other hosts without a password.
Test environment:
Host A 192.168.100.200, user root
Host B 192.168.100.201, user root
Host C 192.168.100.202, user osmgr
Goal: allow the root user on host A to log in without a password as the root user on host B and as the osmgr user on host C.
Steps:
- On host A, as the root user, generate the public and private key pair
By default there is no .ssh directory under /root/.
The command ssh-keygen -t rsa (or -t dsa) creates the /root/.ssh/ directory and two files in it, id_rsa and id_rsa.pub:
id_rsa      private key file
id_rsa.pub  public key file
[root@Base01]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
/root/.ssh/id_rsa already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
[root@Base01 .ssh]# ll
-rw------- 1 root root 1679 Dec 14 11:26 id_rsa
-rw-r--r-- 1 root root  393 Dec 14 11:26 id_rsa.pub
[root@Base01 .ssh]# cat id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUZyOIhydUU42tT7JoUh8x8N4ftzd2NVIp/uIk+vxOYag7w0NC0dRX9evsiaF5Gnt8UHIwUuPilcwG5lZIqSqn2zmENrMpCRr4vh4bhroPkMiznKg3Kr6wA3mnIgjnmc/dCHo3eGuX8tyZZXVRrtjjeATNlAhQociUjhlc48LQFhqGNHv73th7IKKkcXDZMk+OSr2jtNfSy5q/meBMYD4OnTIZVGt0TYnKZVL4chaXoEjYqVU/SzHIGx+JJkkN/IW7Z7AeivIMv7JNiPeseWch4//+G0VXVoEabfHeU7qhWIDEkFB9/6p1j5y4mvxhWIkx3YgCbguJFWSDvDKsmxJB root@Base01
- Copy host A's public key to the root user on host B and to the root and osmgr users on host C
Two methods are available:
a. The public key file id_rsa.pub is plain text, so its contents can simply be copied into the right place under the target user's home directory.
Host A:
[root@Base01 .ssh]# pwd
/root/.ssh
[root@Base01 .ssh]# ls
id_rsa  id_rsa.pub  known_hosts
[root@Base01 .ssh]# cat id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUZyOIhydUU42tT7JoUh8x8N4ftzd2NVIp/uIk+vxOYag7w0NC0dRX9evsiaF5Gnt8UHIwUuPilcwG5lZIqSqn2zmENrMpCRr4vh4bhroPkMiznKg3Kr6wA3mnIgjnmc/dCHo3eGuX8tyZZXVRrtjjeATNlAhQociUjhlc48LQFhqGNHv73th7IKKkcXDZMk+OSr2jtNfSy5q/meBMYD4OnTIZVGt0TYnKZVL4chaXoEjYqVU/SzHIGx+JJkkN/IW7Z7AeivIMv7JNiPeseWch4//+G0VXVoEabfHeU7qhWIDEkFB9/6p1j5y4mvxhWIkx3YgCbguJFWSDvDKsmxJB root@Base01

Host B:
Under /root/ on host B, create the .ssh directory (skip this step if it already exists), then create the authorized_keys file and copy host A's public key into it. Pay attention to the permissions of the .ssh directory and the authorized_keys file: the former must be 700, the latter 600.
[root@docker01 ~]# cd /root/.ssh/
[root@docker01 ~]# touch authorized_keys
[root@docker01 .ssh]# ll
total 4
-rw------- 1 root root 393 Dec 14 14:06 authorized_keys
[root@docker01 .ssh]# cat authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUZyOIhydUU42tT7JoUh8x8N4ftzd2NVIp/uIk+vxOYag7w0NC0dRX9evsiaF5Gnt8UHIwUuPilcwG5lZIqSqn2zmENrMpCRr4vh4bhroPkMiznKg3Kr6wA3mnIgjnmc/dCHo3eGuX8tyZZXVRrtjjeATNlAhQociUjhlc48LQFhqGNHv73th7IKKkcXDZMk+OSr2jtNfSy5q/meBMYD4OnTIZVGt0TYnKZVL4chaXoEjYqVU/SzHIGx+JJkkN/IW7Z7AeivIMv7JNiPeseWch4//+G0VXVoEabfHeU7qhWIDEkFB9/6p1j5y4mvxhWIkx3YgCbguJFWSDvDKsmxJB root@Base01
b. Use the ssh-copy-id command
For host C, use ssh-copy-id: on host A, run the command ssh-copy-id osmgr@192.168.100.202.
Host A:
[root@Base01 .ssh]# ssh-copy-id osmgr@192.168.100.202   // copies the root user's public key into the authorized_keys file in the .ssh directory of osmgr's home directory on 192.168.100.202
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '192.168.100.202 (192.168.100.202)' can't be established.
ECDSA key fingerprint is SHA256:CmTnWB7CXjAc288vV5bv1SZO1KNkgSh46l3EMBUqIHk.
ECDSA key fingerprint is MD5:f0:a7:55:a1:17:f6:83:c4:69:24:04:14:c1:70:3d:0c.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
osmgr@192.168.100.202's password:
Permission denied, please try again.
osmgr@192.168.100.202's password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'osmgr@192.168.100.202'"
and check to make sure that only the key(s) you wanted were added.

[root@Base01 .ssh]# ll   // running ssh-copy-id also adds the target host's ECDSA host key (the one whose fingerprint was shown above) to /root/.ssh/known_hosts on host A. The next time you ssh to that host, the ECDSA key is checked against this entry; if it does not match, a warning is issued.
total 12
-rw------- 1 root root 1679 Dec 14 11:26 id_rsa
-rw-r--r-- 1 root root  393 Dec 14 11:26 id_rsa.pub
-rw-r--r-- 1 root root  177 Dec 14 11:34 known_hosts
[root@Base01 .ssh]# cat known_hosts
192.168.100.212 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBL3JnaKe0guEZv/G6DU6GZLyZ1q0nfx1Ya6Es1FlE59UgR+yobg0spNL/xb2A+cZ+TEdwcRRDD6TOyVEdPNAsdk=

After ssh-copy-id has run, host A can log in to the osmgr user on 192.168.100.202 without a password, but logging in to the root user on 192.168.100.202 still requires a password:
[root@Base01 .ssh]# ssh 192.168.100.202
root@192.168.100.202's password:
[root@Base01 .ssh]# ssh osmgr@192.168.100.202
Last login: Mon Dec 14 11:38:58 2020 from 10.36.17.53
[osmgr@git01 ~]$

Host C:
The change on host C is that a /home/osmgr/.ssh/ directory was created for it, containing an authorized_keys file that holds host A's public key.
[root@git01 .ssh]# pwd
/home/osmgr/.ssh
[root@git01 .ssh]# ll
total 4
-rw------- 1 osmgr osmgr 393 Dec 14 13:23 authorized_keys
[root@git01 .ssh]# cat authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUZyOIhydUU42tT7JoUh8x8N4ftzd2NVIp/uIk+vxOYag7w0NC0dRX9evsiaF5Gnt8UHIwUuPilcwG5lZIqSqn2zmENrMpCRr4vh4bhroPkMiznKg3Kr6wA3mnIgjnmc/dCHo3eGuX8tyZZXVRrtjjeATNlAhQociUjhlc48LQFhqGNHv73th7IKKkcXDZMk+OSr2jtNfSy5q/meBMYD4OnTIZVGt0TYnKZVL4chaXoEjYqVU/SzHIGx+JJkkN/IW7Z7AeivIMv7JNiPeseWch4//+G0VXVoEabfHeU7qhWIDEkFB9/6p1j5y4mvxhWIkx3YgCbguJFWSDvDKsmxJB root@Base01
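Method (a) above comes down to creating .ssh and authorized_keys with owner-only modes and appending the key exactly once. The script below is an added example, not code from the original post: it performs that step idempotently for a given home directory and checks the two modes the post insists on (700 and 600), which matter because sshd's StrictModes rejects a key file that is group- or world-writable. The sample key is a constructed placeholder rather than the post's key, and the function names mode_of, key_installed, install_authorized_key and check_ssh_perms are chosen here.

```sh
#!/bin/sh
# Added example (not from the post): do method (a) by script, idempotently,
# with the modes the post calls out (.ssh 700, authorized_keys 600); sshd's
# StrictModes refuses the key file if it or .ssh is group/world-writable.

# Octal mode of a path: GNU stat first, BSD/macOS stat as fallback.
mode_of() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# key_installed HOME_DIR PUBKEY_LINE
# True if the key type and base64 body are already in authorized_keys;
# the trailing comment (e.g. root@Base01) is deliberately ignored.
key_installed() {
  auth="$1/.ssh/authorized_keys"
  [ -f "$auth" ] || return 1
  want=$(printf '%s\n' "$2" | awk '{print $1, $2}')
  awk -v want="$want" '($1 " " $2) == want {f=1} END {exit !f}' "$auth"
}

# install_authorized_key HOME_DIR PUBKEY_LINE
# Runs in a subshell so the restrictive umask does not leak to the caller.
install_authorized_key() (
  umask 077                          # new files and dirs are owner-only
  mkdir -p "$1/.ssh"
  chmod 700 "$1/.ssh"
  touch "$1/.ssh/authorized_keys"
  chmod 600 "$1/.ssh/authorized_keys"
  key_installed "$1" "$2" || printf '%s\n' "$2" >> "$1/.ssh/authorized_keys"
)

# check_ssh_perms HOME_DIR
# Report the two modes the post insists on; returns 1 if either is wrong.
check_ssh_perms() {
  bad=0
  [ "$(mode_of "$1/.ssh")" = 700 ] || { echo "$1/.ssh is not 700"; bad=1; }
  [ "$(mode_of "$1/.ssh/authorized_keys")" = 600 ] ||
    { echo "$1/.ssh/authorized_keys is not 600"; bad=1; }
  return $bad
}

# Constructed sample key (not a real key and not the one from the post).
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleExampleExampleExampleExampleEx root@Base01'

# Demo against a scratch directory standing in for /root or /home/osmgr.
demo_home=$(mktemp -d)
install_authorized_key "$demo_home" "$SAMPLE_KEY"
install_authorized_key "$demo_home" "$SAMPLE_KEY"   # second run adds nothing
check_ssh_perms "$demo_home" && echo "ok: $(wc -l < "$demo_home/.ssh/authorized_keys") key(s)"
rm -rf "$demo_home"
```

To use it on a real target, call install_authorized_key with the user's home directory and the line from id_rsa.pub, then run check_ssh_perms on the same directory.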
- Why does copying host A's public key to hosts B and C make passwordless login possible?
Login with a password
Login with key-based authentication