1. Generating a key pair
Run ssh-keygen -t rsa, then press Enter four times to accept the defaults (default file location, empty passphrase).
[root@localhost .ssh]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
35:e0:70:2d:c7:e7:2a:a4:e2:de:fb:57:15:97:4a:04 root@master
The key's randomart image is:
+--[ RSA 2048]----+
| . oo Eo. .|
| +..+ .....|
| .ooo. .o |
| .. .... |
| oS . . |
| . . . . . |
| . . . . |
| .. . |
| .. oo.. |
+-----------------+
[root@localhost .ssh]# ll
总用量 12
-rw------- 1 root root 1679 10月 2 14:03 id_rsa
-rw-r--r-- 1 root root 393 10月 2 14:03 id_rsa.pub
-rw-r--r-- 1 root root 184 10月 2 12:00 known_hosts
The keys are saved under the .ssh directory: id_rsa is the private key and id_rsa.pub is the public key.
authorized_keys : holds the public keys allowed to log in without a password; this is the file that records the public keys of multiple machines
id_rsa : the generated private key file
id_rsa.pub : the generated public key file
known_hosts : the list of public keys of hosts already known to this client
For a public key to take effect, at least the following two conditions must be met:
1) the .ssh directory must have mode 700
2) the .ssh/authorized_keys file must have mode 600
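The two permission requirements above are the ones sshd enforces (with StrictModes, the default), and a wrong mode silently falls back to password login. The following shell functions are an added example, not part of the original post, that check and repair those modes; the function names (mode_of, check_ssh_perms, fix_ssh_perms) are hypothetical and the script assumes GNU/busybox stat with -c '%a'.

```shell
#!/bin/sh
# Added example: verify and repair the modes the post requires for
# ~/.ssh (700) and ~/.ssh/authorized_keys (600). The private key id_rsa,
# when present, is also required to be 600, otherwise ssh refuses to use it.

# Print the octal mode of a path (assumption: GNU or busybox stat).
mode_of() {
    stat -c '%a' "$1"
}

# check_ssh_perms DIR
# Returns 0 when DIR is 700 and authorized_keys / id_rsa (if present) are 600;
# otherwise prints each problem found and returns 1.
check_ssh_perms() {
    dir=$1
    rc=0
    if [ ! -d "$dir" ]; then
        echo "missing: $dir"
        return 1
    fi
    if [ "$(mode_of "$dir")" != "700" ]; then
        echo "bad mode on $dir: $(mode_of "$dir") (want 700)"
        rc=1
    fi
    for f in authorized_keys id_rsa; do
        if [ -e "$dir/$f" ] && [ "$(mode_of "$dir/$f")" != "600" ]; then
            echo "bad mode on $dir/$f: $(mode_of "$dir/$f") (want 600)"
            rc=1
        fi
    done
    return $rc
}

# fix_ssh_perms DIR
# Apply the required modes; the public key may stay world-readable (644).
fix_ssh_perms() {
    dir=$1
    chmod 700 "$dir"
    for f in authorized_keys id_rsa; do
        if [ -e "$dir/$f" ]; then
            chmod 600 "$dir/$f"
        fi
    done
    if [ -e "$dir/id_rsa.pub" ]; then
        chmod 644 "$dir/id_rsa.pub"
    fi
    return 0
}

# Usage: check_ssh_perms "$HOME/.ssh" || fix_ssh_perms "$HOME/.ssh"
```

Run check_ssh_perms against ~/.ssh on the target machine whenever key login unexpectedly asks for a password; sshd additionally requires that the home directory, .ssh and authorized_keys are owned by the user and not group- or world-writable, which the modes above satisfy.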
2. Distributing the public key
2.1 Using ssh-copy-id
[root@localhost .ssh]# ssh-copy-id 192.168.206.151
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.206.151's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh '192.168.206.151'"
and check to make sure that only the key(s) you wanted were added.
[root@localhost .ssh]# ssh 192.168.206.151
Last login: Tue Oct 2 11:31:18 2018 from 192.168.206.1
[root@slave1 ~]# exit
You can then log in to 192.168.206.151 and inspect the installed public key.
Note: a common error
-bash: ssh-copy-id: command not found // the command is not installed
Fix: yum -y install openssh-clients
2.2 Using scp
Copy the public key over with scp, then append it to authorized_keys on the target machine.
[root@slave1 .ssh]# scp id_rsa.pub root@192.168.206.150:/root/.ssh
The authenticity of host '192.168.206.150 (192.168.206.150)' can't be established.
ECDSA key fingerprint is 23:27:10:ec:b7:84:47:d8:74:91:f2:54:0d:e0:b9:57.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.206.150' (ECDSA) to the list of known hosts.
root@192.168.206.150's password:
id_rsa.pub 100% 393 0.4KB/s 00:00
[root@slave1 .ssh]#
Switch to 192.168.206.150 and append the public key to authorized_keys:
[root@localhost .ssh]# cat id_rsa.pub >>authorized_keys
[root@localhost .ssh]# cat authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDBE3lpI6g6TtnHR9pRmZIE9PqOlnaPJ+sc9XYdS19CFPui2VvfWITD3gyTHujSSzII2/ow9DQ2xhqfLF1/maxueoQI22Fi8pUU4eNRaDpwPSNAZUPbAhsD2vaJPCLhTV+DcMVB88Hxhf+aDQAxXY7XSuBwlDcCdgoyDtIOjBqTrzhMiR/NlOvu8qDnXNCeMTK0GWRzJZ5VSftPZpR9nqVycew4hhc45/1xZtJEuaNKAQNPW1ig5tBWby6RFWX5ceapB3Vcz91TPLWCsMw4MEKhV/mUelOIjhCMZT5m5U4WkK/4z4CaUAW6zsyBfTBNpSeMG+EDjoOadeXBGDyIzVYj root@master
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDWHvwejJ/msGENPpYc7n6J+Q/CZEWNUyptMMOEVDeq5engvDDrAH7cVIKCpQyxbEjp6s7kf9ksnuPorKDQlyG3oE6mS3vYqip4fHxd4ooJZ8UdaOMmzi3/j+GQV/yNqRsM6cyJAUd1fm+/Pr6oru8IbNS10YMNrlFFk4pbfM+feD+P/AJgTBn2XQdBjO3DvfCbxfXH81JeBAg+ryXdLeDtfEu52Nd7zrfcm+/GOMRGP5K6uLSWbUiYwxwPT0DXy98ccThSPpN0Bprz1t6vVhsOKTlvEY1O9+6wAWuXE50DFlvxkhmZpSD2HbeBtovHfzDQe/bhZ4z14/BA4wIiNGU3 root@slave1
[root@localhost .ssh]#
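The "cat id_rsa.pub >> authorized_keys" step above appends blindly: running it twice duplicates the entry, a malformed file is appended as-is, and the file mode is left to the umask. The following shell functions are an added example, not part of the original post, that install a copied public key idempotently, the way ssh-copy-id's "filter out any that are already installed" step does; the function names (is_pubkey_line, install_pubkey) and the sample key are hypothetical, and the key blob is constructed and not a real key.

```shell
#!/bin/sh
# Added example: append public keys from a copied id_rsa.pub into
# authorized_keys without duplicates, skipping lines that are not keys,
# and leaving the file with the 600 mode the post requires.

# Constructed sample key line (not a real key), used for the demo.
SAMPLE_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDconstructedNotARealKey0123456789== root@master'

# is_pubkey_line LINE
# Returns 0 if LINE looks like an OpenSSH public key: a known key type,
# a base64 blob, and an optional comment.
is_pubkey_line() {
    printf '%s\n' "$1" | grep -Eq \
        '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$'
}

# install_pubkey KEYFILE AUTHKEYS
# Appends every valid key line of KEYFILE to AUTHKEYS unless the same
# type+blob is already present (the comment field is ignored when
# matching). Prints the number of keys added.
install_pubkey() {
    keyfile=$1
    auth=$2
    added=0
    touch "$auth"
    chmod 600 "$auth"
    while IFS= read -r line || [ -n "$line" ]; do
        is_pubkey_line "$line" || continue
        # type and blob only, so "same key, different comment" is a duplicate
        sig=$(printf '%s\n' "$line" | awk '{print $1 " " $2}')
        if awk -v s="$sig" '$1 " " $2 == s {f=1} END {exit !f}' "$auth"; then
            continue
        fi
        printf '%s\n' "$line" >> "$auth"
        added=$((added + 1))
    done < "$keyfile"
    echo "$added"
}

# Usage on the target machine after "scp id_rsa.pub root@host:/root/.ssh/":
#   install_pubkey /root/.ssh/id_rsa.pub /root/.ssh/authorized_keys
```

The duplicate check compares only the key type and blob, so re-copying a key whose comment (the user@host suffix) has changed does not create a second entry; the mode is set before any line is written so the file never exists in a state sshd would reject.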
3. Because ssh applies the same authentication to every connection, ssh-ing into the local host itself also asks for a password.
Authorizing your own key for the local host is done with exactly the same steps:
[root@slave1 .ssh]# ssh-copy-id slave1
The authenticity of host 'slave1 (192.168.206.151)' can't be established.
ECDSA key fingerprint is 23:27:10:ec:b7:84:47:d8:74:91:f2:54:0d:e0:b9:57.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@slave1's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'slave1'"
and check to make sure that only the key(s) you wanted were added.