
Implementing SSH password-less login

Password-less login between two machines

For operational efficiency, one machine is sometimes set up so that it can log in to a subset of other hosts without a password. Keep in mind what this means: that machine's private key then carries the same authority as the passwords of every account it can reach, so the key file, and the host holding it, must be protected accordingly.

Test environment:

Host A 192.168.100.200, user root

Host B 192.168.100.201, user root

Host C 192.168.100.202, user osmgr

Goal: let the root user on host A log in without a password as root on host B and as osmgr on host C.

Steps:

  1. On host A, as root, generate the key pair

By default /root/ has no .ssh directory.

ssh-keygen -t rsa creates /root/.ssh/ (if it does not exist yet) and writes two files into it, id_rsa and id_rsa.pub. (DSA is deprecated and has been disabled by default in OpenSSH since 7.0, and an ssh-keygen -t dsa key would in any case be written to id_dsa, not id_rsa. On a current system ssh-keygen -t ed25519 is the better choice; it produces id_ed25519 and id_ed25519.pub.) In the transcript below the key already exists and is overwritten. The passphrase is left empty, which means anyone who can read id_rsa can use it with no further secret; for an interactive admin host, set a passphrase and load the key into ssh-agent instead.

id_rsa: the private key (mode 600; never copy this file anywhere)

id_rsa.pub: the public key (this is what gets installed on the target hosts)

[root@Base01]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
/root/.ssh/id_rsa already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
[root@Base01 .ssh]# ll
-rw------- 1 root root  1679 Dec 14 11:26 id_rsa
-rw-r--r-- 1 root root   393 Dec 14 11:26 id_rsa.pub
[root@Base01 .ssh]# cat id_rsa.pub 
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUZyOIhydUU42tT7JoUh8x8N4ftzd2NVIp/uIk+vxOYag7w0NC0dRX9evsiaF5Gnt8UHIwUuPilcwG5lZIqSqn2zmENrMpCRr4vh4bhroPkMiznKg3Kr6wA3mnIgjnmc/dCHo3eGuX8tyZZXVRrtjjeATNlAhQociUjhlc48LQFhqGNHv73th7IKKkcXDZMk+OSr2jtNfSy5q/meBMYD4OnTIZVGt0TYnKZVL4chaXoEjYqVU/SzHIGx+JJkkN/IW7Z7AeivIMv7JNiPeseWch4//+G0VXVoEabfHeU7qhWIDEkFB9/6p1j5y4mvxhWIkx3YgCbguJFWSDvDKsmxJB root@Base01

  2. Install host A's public key for the root user on host B and for the osmgr user on host C

    Two methods can be used:

    a. Since id_rsa.pub is plain text, its content can simply be pasted, as one line, into ~/.ssh/authorized_keys in the target user's home directory

    主機A:
    [root@Base01 .ssh]# pwd
    /root/.ssh
    [root@Base01 .ssh]# ls
    id_rsa  id_rsa.pub  known_hosts
    [root@Base01 .ssh]# cat id_rsa.pub 
    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUZyOIhydUU42tT7JoUh8x8N4ftzd2NVIp/uIk+vxOYag7w0NC0dRX9evsiaF5Gnt8UHIwUuPilcwG5lZIqSqn2zmENrMpCRr4vh4bhroPkMiznKg3Kr6wA3mnIgjnmc/dCHo3eGuX8tyZZXVRrtjjeATNlAhQociUjhlc48LQFhqGNHv73th7IKKkcXDZMk+OSr2jtNfSy5q/meBMYD4OnTIZVGt0TYnKZVL4chaXoEjYqVU/SzHIGx+JJkkN/IW7Z7AeivIMv7JNiPeseWch4//+G0VXVoEabfHeU7qhWIDEkFB9/6p1j5y4mvxhWIkx3YgCbguJFWSDvDKsmxJB root@Base01
    
    Host B: 
    Under /root/ on host B create the .ssh directory (skip this if it already exists),
    then create the authorized_keys file and paste host A's public key into it as a single line (the paste and the chmod are not shown in the transcript below).
    Mind the permissions: 700 for the .ssh directory, 600 for authorized_keys, both owned by the user who will log in. With StrictModes (the sshd default) the server silently ignores authorized_keys if the file, the .ssh directory or the home directory is group- or world-writable, and the login falls back to a password prompt.
    [root@docker01 ~]# cd /root/.ssh/
    [root@docker01 ~]# touch authorized_keys
    [root@docker01 .ssh]# ll
    total 4
    -rw------- 1 root root 393 Dec 14 14:06 authorized_keys
    [root@docker01 .ssh]# cat authorized_keys 
    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUZyOIhydUU42tT7JoUh8x8N4ftzd2NVIp/uIk+vxOYag7w0NC0dRX9evsiaF5Gnt8UHIwUuPilcwG5lZIqSqn2zmENrMpCRr4vh4bhroPkMiznKg3Kr6wA3mnIgjnmc/dCHo3eGuX8tyZZXVRrtjjeATNlAhQociUjhlc48LQFhqGNHv73th7IKKkcXDZMk+OSr2jtNfSy5q/meBMYD4OnTIZVGt0TYnKZVL4chaXoEjYqVU/SzHIGx+JJkkN/IW7Z7AeivIMv7JNiPeseWch4//+G0VXVoEabfHeU7qhWIDEkFB9/6p1j5y4mvxhWIkx3YgCbguJFWSDvDKsmxJB root@Base01
    

    b. Using the ssh-copy-id command

    For host C, use ssh-copy-id.
    On host A run: ssh-copy-id osmgr@192.168.100.202
    This appends root's public key (the default source is ~/.ssh/id_rsa.pub; pass -i to choose another file) to /home/osmgr/.ssh/authorized_keys on 192.168.100.202, creating the directory and file with the right permissions if they do not exist. It asks for osmgr's password once, for this one copy only.
    Because this is the first ssh connection from A to C, the client also asks you to confirm C's host key. Compare the fingerprint shown with one obtained out of band, for example by running ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub on host C's console (add -E md5 for the MD5 form), before answering yes: a blindly accepted fingerprint is exactly what a man-in-the-middle needs, and the key you are about to install would then be trusted by whatever sits at the other end. In the transcript the first password attempt was mistyped, hence the "Permission denied" before the second prompt.
    Host A:
    [root@Base01 .ssh]# ssh-copy-id osmgr@192.168.100.202
    /usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
    The authenticity of host '192.168.100.202 (192.168.100.202)' can't be established.
    ECDSA key fingerprint is SHA256:CmTnWB7CXjAc288vV5bv1SZO1KNkgSh46l3EMBUqIHk.
    ECDSA key fingerprint is MD5:f0:a7:55:a1:17:f6:83:c4:69:24:04:14:c1:70:3d:0c.
    Are you sure you want to continue connecting (yes/no)? yes
    /usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
    /usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
    [email protected]'s password: 
    Permission denied, please try again.
    [email protected]'s password: 
    Number of key(s) added: 1
    Now try logging into the machine, with:   "ssh '[email protected]'"
    and check to make sure that only the key(s) you wanted were added.
    
    Since this was the first connection from A to C and you answered "yes", the ssh client also recorded C's host public key (not just a fingerprint) in /root/.ssh/known_hosts. On the next connection the key C presents is compared against this entry; a mismatch produces the "REMOTE HOST IDENTIFICATION HAS CHANGED" warning and, with the default StrictHostKeyChecking=ask, the connection is refused. This is done by the ssh client itself, not by ssh-copy-id; a plain ssh would create the same entry. (The entry listed below is for 192.168.100.212 and is older, 11:34, than the ssh-copy-id run; the entry for 192.168.100.202 has the same format.)
    [root@Base01 .ssh]# ll
    total 12
    -rw------- 1 root root 1679 Dec 14 11:26 id_rsa
    -rw-r--r-- 1 root root  393 Dec 14 11:26 id_rsa.pub
    -rw-r--r-- 1 root root  177 Dec 14 11:34 known_hosts
    [root@Base01 .ssh]# cat known_hosts 
    192.168.100.212 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBL3JnaKe0guEZv/G6DU6GZLyZ1q0nfx1Ya6Es1FlE59UgR+yobg0spNL/xb2A+cZ+TEdwcRRDD6TOyVEdPNAsdk=
    
    After ssh-copy-id completes, root on host A can log in as osmgr on 192.168.100.202 without a password. Logging in as root on 192.168.100.202 still asks for a password: authorized_keys is per user, the key was installed only in osmgr's file, and a plain "ssh 192.168.100.202" from a root shell tries the remote user root.
    [root@Base01 .ssh]# ssh 192.168.100.202
    root@192.168.100.202's password: 
    [root@Base01 .ssh]# ssh osmgr@192.168.100.202
    Last login: Mon Dec 14 11:38:58 2020 from 10.36.17.53
    [osmgr@git01 ~]$ 
    
    Host C: 
    What changed on host C: a /home/osmgr/.ssh/ directory was created, with an authorized_keys file (mode 600, owned by osmgr) containing host A's public key.
    [root@git01 .ssh]# pwd
    /home/osmgr/.ssh
    [root@git01 .ssh]# ll
    total 4
    -rw------- 1 osmgr osmgr 393 Dec 14 13:23 authorized_keys
    [root@git01 .ssh]# cat authorized_keys 
    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUZyOIhydUU42tT7JoUh8x8N4ftzd2NVIp/uIk+vxOYag7w0NC0dRX9evsiaF5Gnt8UHIwUuPilcwG5lZIqSqn2zmENrMpCRr4vh4bhroPkMiznKg3Kr6wA3mnIgjnmc/dCHo3eGuX8tyZZXVRrtjjeATNlAhQociUjhlc48LQFhqGNHv73th7IKKkcXDZMk+OSr2jtNfSy5q/meBMYD4OnTIZVGt0TYnKZVL4chaXoEjYqVU/SzHIGx+JJkkN/IW7Z7AeivIMv7JNiPeseWch4//+G0VXVoEabfHeU7qhWIDEkFB9/6p1j5y4mvxhWIkx3YgCbguJFWSDvDKsmxJB root@Base01
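
The two methods above do the same thing on the target side: create ~/.ssh (700) and ~/.ssh/authorized_keys (600) for the login user and append the public key, skipping keys that are already present. The script below is an added example (not code from the original article or from OpenSSH) that performs that target-side work idempotently and checks the modes that method (a) asks for by hand. It assumes a POSIX sh with coreutils on the target host, run as a user who can write the target home directory; the key lines and the temporary "home directory" in the demo are constructed, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original article): the target-side work of
# installing a public key, done the way ssh-copy-id does it, plus the
# permission check sshd applies under StrictModes. Run on the target host
# as (or with write access to the home directory of) the login user.
set -e

# install_pubkey HOME_DIR PUBKEY_LINE
#   Ensure HOME_DIR/.ssh is 0700 and HOME_DIR/.ssh/authorized_keys is 0600,
#   then append PUBKEY_LINE unless the same key is already present. Only the
#   key type and base64 blob are compared; the trailing comment ("root@Base01")
#   is not part of the key. Prints "added" or "present". Lines that start with
#   an options field (from="...", command="...") are not matched by this check.
install_pubkey() {
    home=$1
    key=$2
    dir="$home/.ssh"
    ak="$dir/authorized_keys"

    mkdir -p "$dir"
    chmod 700 "$dir"
    [ -f "$ak" ] || : > "$ak"
    chmod 600 "$ak"

    keyid=$(printf '%s\n' "$key" | awk '{print $1, $2}')
    if awk -v id="$keyid" '($1 " " $2) == id {found = 1} END {exit !found}' "$ak"; then
        echo present
    else
        printf '%s\n' "$key" >> "$ak"
        echo added
    fi
}

# check_perms HOME_DIR
#   Return 0 when .ssh is exactly drwx------ and authorized_keys is exactly
#   -rw-------, the modes the article recommends. sshd's StrictModes test is
#   looser (it rejects group- or world-writable files and directories and also
#   checks ownership), so passing here is sufficient for sshd, not necessary.
check_perms() {
    home=$1
    [ "$(ls -ld "$home/.ssh" 2>/dev/null | cut -c1-10)" = "drwx------" ] || return 1
    [ "$(ls -l "$home/.ssh/authorized_keys" 2>/dev/null | cut -c1-10)" = "-rw-------" ] || return 1
}

# count_keys HOME_DIR: number of non-empty, non-comment lines in authorized_keys.
count_keys() {
    grep -c '^[^#]' "$1/.ssh/authorized_keys" 2>/dev/null || true
}

# Constructed sample key line (not a real key); the blob is never parsed.
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleBlobNotARealKey00 root@Base01'

# Stand-alone demo on a throwaway directory standing in for a home directory:
# the second install is a no-op, a different comment does not create a
# duplicate, and a loosened mode is detected.
demo() {
    h=$(mktemp -d)
    install_pubkey "$h" "$SAMPLE_KEY"                       # added
    install_pubkey "$h" "$SAMPLE_KEY"                       # present
    install_pubkey "$h" "${SAMPLE_KEY% *} osmgr@elsewhere"  # present
    check_perms "$h" && echo "perms ok ($(count_keys "$h") key installed)"
    chmod 644 "$h/.ssh/authorized_keys"
    check_perms "$h" || echo "perms too open: sshd would ignore authorized_keys"
    rm -rf "$h"
}
demo
```

Once the key login from host A has been verified, the sshd_config on B and C can stop accepting passwords (PasswordAuthentication no) and, on B, restrict root to keys only (PermitRootLogin prohibit-password). Test the key login from a second session before restarting sshd so you are not locked out.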
    
  3. Why does installing host A's public key on hosts B and C make password-less login possible?

    Login by password

    Login by key authentication