Configuring SSH Trust Between Two Linux Hosts
Wednesday, July 31, 2013
1. How it works
SSH login here uses what is known as public/private key authentication. In short: first create a key pair on the client (public key: ~/.ssh/id_rsa.pub; private key: ~/.ssh/id_rsa), then place the public key on the server (in ~/.ssh/authorized_keys) and keep the private key to yourself. When you log in with ssh, the client uses its private key to prove to the server that it holds the key matching one of the public keys in authorized_keys (the private key itself is never transmitted). If that check succeeds, the login is allowed.
2. Test environment
Host A: vrh1 / 192.168.1.102
Host B: vrh2 / 192.168.1.103
3. Establishing trust between two Linux/Unix hosts
On vrh1, run ssh-keygen as the oracle user and simply press Enter at every prompt; this generates the key pair used to establish the trust relationship.
3.1 Generate the keys on vrh1
[root@vrh1 /]# su - oracle
[oracle@vrh1 ~]$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/oracle/.ssh/id_rsa):
Created directory '/home/oracle/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/oracle/.ssh/id_rsa.
Your public key has been saved in /home/oracle/.ssh/id_rsa.pub.
The key fingerprint is:
87:0f:5e:55:8e:7a:b6:47:e7:34:ad:27:b4:63:a9:da oracle@vrh1.oracle.com
[oracle@vrh1 ~]$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/oracle/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/oracle/.ssh/id_dsa.
Your public key has been saved in /home/oracle/.ssh/id_dsa.pub.
The key fingerprint is:
0d:ec:9d:41:00:5d:cc:e7:c2:8a:e8:6c:30:00:90:66 oracle@vrh1.oracle.com
3.2 Generate the keys on vrh2
[root@vrh2 /]# su - oracle
[oracle@vrh2 ~]$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/oracle/.ssh/id_rsa):
Created directory '/home/oracle/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/oracle/.ssh/id_rsa.
Your public key has been saved in /home/oracle/.ssh/id_rsa.pub.
The key fingerprint is:
83:a3:22:6a:aa:cf:90:74:11:7e:48:58:86:06:7b:aa oracle@vrh2.oracle.com
[oracle@vrh2 ~]$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/oracle/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/oracle/.ssh/id_dsa.
Your public key has been saved in /home/oracle/.ssh/id_dsa.pub.
The key fingerprint is:
29:3b:dc:1b:49:bb:0e:90:29:a7:d6:6b:26:99:de:b7 oracle@vrh2.oracle.com
3.3 Create one authorized_keys file holding the authorization entries of both hosts
[oracle@vrh1 .ssh]$ touch authorized_keys
[oracle@vrh1 .ssh]$ cat id_dsa.pub >> authorized_keys   # add vrh1's own dsa key to the authorized file
[oracle@vrh1 .ssh]$ cat id_rsa.pub >> authorized_keys   # add vrh1's own rsa key to the authorized file
[oracle@vrh1 .ssh]$ ssh vrh2 cat ~/.ssh/id_dsa.pub >> authorized_keys   # add vrh2's dsa key to the authorized file
The authenticity of host 'vrh2 (192.168.1.103)' can't be established.
RSA key fingerprint is 92:e1:fc:a6:f8:15:37:27:7b:50:41:fa:be:4d:19:0b.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'vrh2,192.168.1.103' (RSA) to the list of known hosts.
oracle@vrh2's password:
[oracle@vrh1 .ssh]$ ssh vrh2 cat ~/.ssh/id_rsa.pub >> authorized_keys   # add vrh2's rsa key to the authorized file
oracle@vrh2's password:
[oracle@vrh1 .ssh]$ scp authorized_keys vrh2:~/.ssh   # copy the authorized file to host vrh2
oracle@vrh2's password:
authorized_keys                               100% 2032     2.0KB/s   00:00
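An added example, not code from the original post: a POSIX sh function that does what section 3.3 does by hand (collect the public keys of both hosts into one authorized_keys), but idempotently, so re-running the step or re-copying the file never produces duplicate entries, and with the permissions sshd's StrictModes requires (700 on ~/.ssh, 600 on authorized_keys), which the post does not set and which are the usual reason a key-based login silently falls back to a password prompt. The directory and the key lines in demo are constructed placeholders, and entries are assumed to carry no options prefix before the key type.

```shell
#!/bin/sh
# Added example (not from the original post). Merges public-key files into
# <ssh_dir>/authorized_keys without duplicates and with sshd-friendly modes.

# merge_pubkeys <ssh_dir> <pubkey_file>...
merge_pubkeys() {
    ssh_dir=$1; shift
    auth="$ssh_dir/authorized_keys"
    # sshd (StrictModes yes, the default) ignores authorized_keys if the
    # directory or file is group/world writable, so set the modes explicitly
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir"
    touch "$auth" && chmod 600 "$auth"
    for f in "$@"; do
        while IFS= read -r line; do
            # field 2 is the base64 key blob; compare on it so a changed
            # comment (user@host) does not create a second entry for one key
            key=$(printf '%s\n' "$line" | awk '{print $2}')
            [ -n "$key" ] || continue
            if ! awk -v k="$key" '$2 == k {found=1} END {exit !found}' "$auth"; then
                printf '%s\n' "$line" >> "$auth"
            fi
        done < "$f"
    done
}

# count_keys <ssh_dir>: number of key entries currently in authorized_keys
count_keys() {
    grep -c '^ssh-' "$1/authorized_keys" || true
}

# demo: constructed key lines standing in for the real id_rsa.pub/id_dsa.pub
# of vrh1 and vrh2 (the post does not show the key material itself)
demo() {
    d=$(mktemp -d)
    printf 'ssh-rsa AAAAB3constructedKeyOne== oracle@vrh1.oracle.com\n' > "$d/vrh1_rsa.pub"
    printf 'ssh-dss AAAAB3constructedKeyTwo== oracle@vrh1.oracle.com\n' > "$d/vrh1_dsa.pub"
    printf 'ssh-rsa AAAAB3constructedKeyThree== oracle@vrh2.oracle.com\n' > "$d/vrh2_rsa.pub"
    merge_pubkeys "$d/.ssh" "$d/vrh1_rsa.pub" "$d/vrh1_dsa.pub" "$d/vrh2_rsa.pub"
    merge_pubkeys "$d/.ssh" "$d/vrh1_rsa.pub"   # second run adds nothing
    count_keys "$d/.ssh"                         # prints 3
    rm -rf "$d"
}

demo
```

Run it on each host with the real .pub files in place of the constructed ones, then scp the result as in the session above; the same function can be re-run on the receiving side without growing the file.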
3.4 Check time synchronization from vrh1
[oracle@vrh1 .ssh]$ date;ssh vrh2 date
Mon Jul 29 20:53:44 CST 2013
Mon Jul 29 20:53:44 CST 2013
[oracle@vrh1 .ssh]$ date;ssh vrh2-priv date
Mon Jul 29 20:54:15 CST 2013
Mon Jul 29 20:54:15 CST 2013
[oracle@vrh1 .ssh]$ date;ssh vrh1 date
Mon Jul 29 20:55:36 CST 2013
Mon Jul 29 20:55:36 CST 2013
[oracle@vrh1 .ssh]$ date;ssh vrh1-priv date
Mon Jul 29 20:55:45 CST 2013
Mon Jul 29 20:55:45 CST 2013
3.5 Check time synchronization from vrh2
[oracle@vrh2 ~]$ date;ssh vrh1 date
Mon Jul 29 20:56:50 CST 2013
Mon Jul 29 20:56:50 CST 2013
[oracle@vrh2 ~]$ date;ssh vrh1-priv date
Mon Jul 29 20:56:59 CST 2013
Mon Jul 29 20:56:59 CST 2013
[oracle@vrh2 ~]$ date;ssh vrh2 date
Mon Jul 29 20:57:54 CST 2013
Mon Jul 29 20:57:54 CST 2013
[oracle@vrh2 ~]$ date;ssh vrh2-priv date
Mon Jul 29 20:57:45 CST 2013
Mon Jul 29 20:57:46 CST 2013
From "ITPUB Blog", link: http://blog.itpub.net/15693674/viewspace-767572/. If you repost this, please credit the source; otherwise legal action may be taken.