Implementing SSH passwordless login on RHEL 7.4

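The .ssh directory is where SSH keeps your login credentials. If you have never logged in as root (or never run the ssh-keygen command), the .ssh directory does not exist.

Requirement: when you need to access a Linux server without a password, or have two servers access each other without a password, you need SSH keys. To create them, run one of the following commands on the current host:

ssh-keygen  or  ssh-keygen -t rsa  or  ssh-keygen -t dsa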

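For two machines A and B: if A is to access B without a password, give A's public key to B, and vice versa.

Running the command creates a .ssh directory and two files under the current user's home directory.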

Generating the private and public keys with ssh-keygen

The command is:

ssh-keygen -t rsa           

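The -t rsa option selects the RSA algorithm for the key pair. After the command runs, id_rsa (the private key) and id_rsa.pub (the public key) are in the current user's .ssh directory (/root/.ssh for root).

You can also use the DSA algorithm, with the following command: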

ssh-keygen -t dsa           

id_rsa.pub contains the public key. To log in to a remote host, create an authorized_keys file in the /root/.ssh directory on the remote host and copy the contents of id_rsa.pub into it:

# touch /root/.ssh/authorized_keys           

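Whether to do this depends on whether you need to log in to the remote machine: if you do, add the key; if not, the file does not need to be created.

Note: after creating the file, you must change the permissions of authorized_keys, otherwise the file does not take effect. For an SSH public key to take effect, at least the following two conditions must hold:
1. The permissions of the .ssh directory must be 700
2. The permissions of the .ssh/authorized_keys file must be 600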

Run the following command:

chmod 600 ~/.ssh/authorized_keys           

Remote passwordless login

The following methods are commonly used.

Three RHEL 7.4 hosts:

HOSTNAME IP ROLE
server1 192.168.2.3 Master
server2 192.168.2.5 Slave1
server3 192.168.2.10 Slave2

2.1 Using ssh-copy-id:

Command: ssh-copy-id -i ~/.ssh/id_rsa.pub <remote_ip>

Example:

root logging in to the remote root account (the first login requires the password)
[root@linuxidc ~]# ssh-copy-id -i ~/.ssh/id_rsa.pub 192.168.2.5
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
[email protected]'s password: 
Number of key(s) added: 1
Now try logging into the machine, with:   "ssh '192.168.2.2'"
and check to make sure that only the key(s) you wanted were added.
[root@linuxidc ~]# 
[root@linuxidc ~]# ssh [email protected]
Last login: Thu Nov 15 16:23:42 2018 from 192.168.2.3
[root@D ~]#

Common error:
[root@test ~]# ssh-copy-id -i ~/.ssh/id_rsa.pub 192.168.2.5
-bash: ssh-copy-id: command not found // the command is not installed
Fix: yum -y install openssh-clients

root logging in to a remote non-root (regular) user; the first login requires the password
[root@linuxidcjustyumserver ~]# ssh-copy-id -i ~/.ssh/id_rsa.pub [email protected]
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
[email protected]'s password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh '[email protected]'"
and check to make sure that only the key(s) you wanted were added.           

2.2 Using scp to write the key into the remote file

Command: scp -p ~/.ssh/id_rsa.pub root@<remote_ip>:/root/.ssh/authorized_keys

Example:

# scp -p ~/.ssh/id_rsa.pub [email protected]:/root/.ssh/authorized_keys
#[email protected]'s password: 
id_rsa.pub 
# ssh [email protected]
Last login: Thu Nov 15 16:54:59 2018 from 192.168.2.3           

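This can also be done in two steps:

# scp ~/.ssh/id_rsa.pub root@<remote_ip>:pub_key // copy the file to the remote server
# cat ~/pub_key >>~/.ssh/authorized_keys // append its contents to authorized_keys; this command has to be run after logging in to the remote server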
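
The scp command at the start of 2.2 replaces the remote authorized_keys, so any keys already in it are lost, while the two-step variant appends. The following added example (not from the original page) is one way to make that append step repeatable on the remote server: it skips a key that is already present and applies the 700/600 permissions noted earlier. The name install_pubkey and its arguments are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example: append a public key to authorized_keys without overwriting
# keys that are already there. install_pubkey is a hypothetical helper name.

# Usage: install_pubkey PUBKEY_FILE [SSH_DIR]   (SSH_DIR defaults to ~/.ssh)
# Returns 0 if the key is present afterwards, non-zero if it was refused.
install_pubkey() {
    local pub="$1" dir="${2:-$HOME/.ssh}" auth id line
    auth="$dir/authorized_keys"

    [ -r "$pub" ] || { echo "cannot read $pub" >&2; return 1; }

    # Guard against copying id_rsa instead of id_rsa.pub.
    if grep -q 'PRIVATE KEY' "$pub"; then
        echo "$pub is a private key, refusing" >&2
        return 2
    fi

    # A public key line is "<type> <base64> [comment]"; take the first one.
    line=$(grep -E -m 1 '^(ssh-|ecdsa-)[a-z0-9@.-]+ [A-Za-z0-9+/]+=*( |$)' "$pub") ||
        { echo "no public key found in $pub" >&2; return 3; }
    id=$(printf '%s\n' "$line" | awk '{print $1 " " $2}')

    # Permissions the page requires: .ssh 700, authorized_keys 600.
    mkdir -p "$dir" && chmod 700 "$dir" || return 4
    touch "$auth" && chmod 600 "$auth" || return 4

    # Already installed (comment or options may differ): nothing to do.
    if grep -qF -- "$id" "$auth"; then
        return 0
    fi

    # If the last line lacks a newline, add one so two keys are not joined.
    if [ -s "$auth" ] && [ -n "$(tail -c 1 "$auth")" ]; then
        echo >> "$auth"
    fi
    printf '%s\n' "$line" >> "$auth"
}
```

On the remote server, after the scp step above, this would be called as install_pubkey ~/pub_key.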

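2.3 On every server, run ssh-keygen -t rsa to generate a key. Do not enter a passphrase; just press Enter at each prompt. A .ssh folder is then created under /root.

On the Master server, merge the public keys into the authorized_keys file: change to the /root/.ssh directory and merge them over SSH: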

[root@linuxidc ~]# cd /root/.ssh/
[root@linuxidc .ssh]# cat id_rsa.pub  >> authorized_keys
[root@linuxidc .ssh]# ssh [email protected] cat ~/.ssh/id_rsa.pub>> authorized_keys // this id_rsa.pub is the Slave server's; it is merged into the file on the Master server

Copy the Master server's authorized_keys to the /root/.ssh directory on the Slave server:

[[email protected]]# scp authorized_keys [email protected]:/root/.ssh/

Done. ssh [email protected] now logs in without asking for a password.