Notes:
With the spread of automated operations, servers need to reach each other more and more often during environment deployment. Passwordless (key-based) SSH login between deployment hosts is one way to make this efficient, and automation tools such as Ansible and deployment tools such as Jenkins also depend on it, so I am recording the process here.
First generate the host's SSH key pair, which consists of a public key and a private key. An empty passphrase is what makes unattended logins possible, but it also means that anyone who can read /root/.ssh/id_rsa can log in as root wherever this key is authorized: keep the private key at mode 600, and only ever copy id_rsa.pub to other hosts, never id_rsa;
[root@CS01 ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:cqQNMf3Hn+iM10BzBprdczSvE1bT0lhWlCRJ+BJ6iHI root@CS01
The key's randomart image is:
+---[RSA 2048]----+
| o. ooo*O|
| o. o..+==|
| . o.o=oo ++|
| . E o+o*.B o|
| = S .o.B * |
| o o = |
| + o . |
| . + . |
| . |
+----[SHA256]-----+
[root@CS01 ~]# cd .ssh/
[root@CS01 .ssh]# ls
id_rsa id_rsa.pub known_hosts ## public key file id_rsa.pub, private key file id_rsa; known_hosts does not record where our public key has been installed, it stores the host keys of servers this client has already connected to, so that a changed server key is detected on later connections
Copy the public key to the remote host;
[root@CS01 ~]# ssh-copy-id root@172.22.22.172
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: ERROR: ssh: connect to host 172.22.22.172 port 22: Connection refused
The error above is because I changed the default port of the sshd server; ssh-copy-id accepts -p and passes it through to ssh. Since this is the first connection to that host, ssh also shows the remote host key fingerprint; compare it with the output of ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub on the target (via the console or another trusted channel) before answering yes, because the key is then pinned in known_hosts and trusted from that point on;
[root@CS01 ~]# ssh-copy-id root@172.22.22.172 -p 7022
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '[172.22.22.172]:7022 ([172.22.22.172]:7022)' can't be established.
ECDSA key fingerprint is SHA256:cTXzC8ctAzPYa98TKFl3AVLirN0UHcwjt5zVZ/bIX+A.
ECDSA key fingerprint is MD5:74:47:62:ed:6f:5b:ec:b8:bb:08:0b:96:d1:3c:76:05.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@172.22.22.172's password: ## the remote host's password has to be entered this one time;
Number of key(s) added: 1
Now try logging into the machine, with: "ssh -p '7022' 'root@172.22.22.172'"
and check to make sure that only the key(s) you wanted were added.
## or
copy ~/.ssh/id_rsa.pub to the remote host and append its contents to ~/.ssh/authorized_keys there (cat id_rsa.pub >> ~/.ssh/authorized_keys); simply renaming the file to authorized_keys only works when the remote account has no existing entries, since it would overwrite them. sshd also requires ~/.ssh to be mode 700 and authorized_keys mode 600 (StrictModes is on by default), otherwise the key is silently ignored and you keep getting the password prompt
Test access
[root@CS01 ~]# ssh root@172.22.22.172 -p 7022
Last login: Thu Apr 11 01:48:38 2024 from 172.22.102.11
[root@CS02 ~]# cd .ssh/
[root@CS02 .ssh]# ls
authorized_keys
[root@CS02 .ssh]# more authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDZVSpC1MWZKf8mqdkiHA95wW99oOHfjEhdeVHvpRGB5YrOV3i/575j1BO4rmCdqswHI6jkORNZF1B9562aDUQeM2IFAE3rxg8IBaAURvuL4TLMihmi1vAl2j2efZzC/IPN8v7KG5aRlsoxyVNc7fdXcsva0XmRLhPPjO2AV38w9vOkLeTwf72MuPktlaivhMpNnLnbDwptsm3upNs+uud/DmskH5UnHtf4JSUbJAhnUBuNDqyqTQnAPZsad78i1r36a6jOs9xtuh3TvfoEdt2kG4k/DrefjLIi9mYLDyFaQbE4YyJyzrVSR5vmsT2XW1l6VKZNRGxJFBe/Cg4KNax3 root@CS01
[root@CS02 ~]# exit
Summary:
A non-default sshd port is handled by giving the matching port on the ssh client side (-p, or permanently with a Host entry in ~/.ssh/config); the whole process above can also be written as a script.
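As an added example (this is not code from the original post), here is a POSIX shell script that does the manual "copy id_rsa.pub and append it to authorized_keys" step by hand, the way ssh-copy-id does it internally, and that also covers the scripted version the summary mentions. The append logic is in a function that works on any .ssh directory, so it creates the directory and file with the modes sshd's StrictModes requires, never overwrites existing entries, and does not add the same key twice; the demo at the bottom exercises it on a local scratch directory with a constructed key line (not a real key). The names push_key_to_remote, SSH_TARGET and SSH_PORT are this example's own; the target root@172.22.22.172 on port 7022 is the one from the post.

```shell
#!/bin/sh
# Added example, not code from the original post: install a public key into
# authorized_keys the way ssh-copy-id does, with the permissions sshd's
# StrictModes requires and without duplicating or overwriting entries.
set -eu

# Append one public-key line to $2/authorized_keys idempotently.
#   $1 = public key file written by ssh-keygen (e.g. ~/.ssh/id_rsa.pub)
#   $2 = the .ssh directory to install into
# Returns 0 if the key was added, 2 if the same key was already present.
install_authorized_key() {
    pubkey_file=$1
    ssh_dir=$2
    auth_file="$ssh_dir/authorized_keys"

    # Key type plus base64 blob identify the key; the trailing comment may differ.
    key_id=$(awk 'NR == 1 { print $1 " " $2 }' "$pubkey_file")
    if [ -z "$key_id" ]; then
        echo "empty or unreadable public key: $pubkey_file" >&2
        return 1
    fi

    # sshd (StrictModes yes, the default) ignores the file if ~/.ssh is group-
    # or world-writable or authorized_keys is readable by others. Create both
    # under a restrictive umask (in a subshell, so the caller's umask is kept)
    # and normalise the modes of anything that already existed.
    ( umask 077; mkdir -p "$ssh_dir"; touch "$auth_file" )
    chmod 700 "$ssh_dir"
    chmod 600 "$auth_file"

    if grep -qF -- "$key_id" "$auth_file"; then
        return 2
    fi
    cat "$pubkey_file" >> "$auth_file"
}

# Number of entries in $2/authorized_keys that match the key in $1.
count_authorized_key() {
    key_id=$(awk 'NR == 1 { print $1 " " $2 }' "$1")
    grep -cF -- "$key_id" "$2/authorized_keys" || true
}

# True if $1 has exactly the octal mode $2 (find -perm is POSIX, stat -c is not).
has_mode() {
    [ -n "$(find "$1" -prune -perm "$2" -print)" ]
}

# The remote variant: run the same steps on the target over one
# password-authenticated session, feeding the key on stdin so no temporary
# file is left behind. Equivalent to: ssh-copy-id -p 7022 root@172.22.22.172
# (SSH_TARGET/SSH_PORT and the defaults are this example's own assumptions).
push_key_to_remote() {
    pubkey_file=${1:-"$HOME/.ssh/id_rsa.pub"}
    ssh -p "${SSH_PORT:-7022}" "${SSH_TARGET:-root@172.22.22.172}" '
        umask 077
        mkdir -p ~/.ssh && chmod 700 ~/.ssh
        touch ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys
        key=$(cat)
        grep -qF -- "$key" ~/.ssh/authorized_keys || printf "%s\n" "$key" >> ~/.ssh/authorized_keys
    ' < "$pubkey_file"
}

# Stand-alone demo on a scratch directory with a constructed key line (not a
# real key; only its shape matters here). Call push_key_to_remote for the real host.
demo_dir=$(mktemp -d)
printf '%s\n' 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDemoOnlyNotARealKey000000000000000000000 root@CS01' \
    > "$demo_dir/id_demo.pub"
install_authorized_key "$demo_dir/id_demo.pub" "$demo_dir/ssh"
install_authorized_key "$demo_dir/id_demo.pub" "$demo_dir/ssh" || echo "second run: already installed (rc=$?)"
echo "entries for this key: $(count_authorized_key "$demo_dir/id_demo.pub" "$demo_dir/ssh")"
rm -rf "$demo_dir"
```

Running push_key_to_remote prompts for the remote password exactly once, the same as ssh-copy-id; after that ssh -p 7022 root@172.22.22.172 should log in without a prompt. If it still asks for a password, the usual cause is the mode of ~/.ssh or authorized_keys on the remote side, which is why the function sets them explicitly every time rather than trusting whatever was there.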