服务器部署说明
m01服务器 :172.16.1.61 (作为管理主机)
web01服务器 :172.16.1.7
nfs01服务器 :172.16.1.31
backup服务器: 172.16.1.41
被管理主机root密码都为123456
基于root用户做Linux之间的秘钥认证
一、实现基于密钥的远程连接(秒免密登录)部署
管理主机上部署ssh服务:
yum install -y sshd*
使管理主机(m01服务器)免密码登陆web01服务器
第一个历程:创建公钥
[root@m01 ~]# ssh-keygen -t dsa -->生成密钥
Generating public/private dsa key pair.
Enter file in which to save the key (/root/.ssh/id_dsa): -->密钥存放位置
Enter passphrase (empty for no passphrase): -->为密钥文件设置密码
Enter same passphrase again: -->确认密码
Your identification has been saved in /root/.ssh/id_dsa.
Your public key has been saved in /root/.ssh/id_dsa.pub.
The key fingerprint is:
SHA256:RCgF4vYTVR3agkpIqIcjoc+CFmYNgLj6AzOWGPjwwls root@m01
The key's randomart image is:
+---[DSA 1024]----+
|=.o .oooo... |
|=+ o...o o. |
|++* o.. + . |
|@=.+ o . . |
|OXo + S |
|X==E . |
|oBo |
| .o |
| . |
+----[SHA256]-----+
第二个历程:分发公钥
[root@m01 ~]# ssh-copy-id -i ~/.ssh/id_dsa.pub root@10.0.0.7
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_dsa.pub"
The authenticity of host '10.0.0.7 (10.0.0.7)' can't be established.
ECDSA key fingerprint is SHA256:g9d8tbVlBdzoCjaHbiludE75FB7pez5gyt3/0QHHWK8.
ECDSA key fingerprint is MD5:3d:31:f7:31:5e:1b:e7:f3:5c:9c:14:be:80:06:18:8a.
Are you sure you want to continue connecting (yes/no)? yes
-->您确定要继续连接(yes/no)吗?
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@10.0.0.7's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'root@10.0.0.7'"
and check to make sure that only the key(s) you wanted were added.
默认第一次连接到一台服务器时,需要确定一次连接
默认第一个分发公钥,需要基于口令方式建立连接
第三个历程:测试是否成功
1.第一次免密登录
[root@m01 ~]# ssh root@172.16.1.7
The authenticity of host '172.16.1.7 (172.16.1.7)' can't be established.
ECDSA key fingerprint is SHA256:g9d8tbVlBdzoCjaHbiludE75FB7pez5gyt3/0QHHWK8.
ECDSA key fingerprint is MD5:3d:31:f7:31:5e:1b:e7:f3:5c:9c:14:be:80:06:18:8a.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.1.7' (ECDSA) to the list of known hosts.
Last login: Mon May 27 16:41:53 2019 from 172.16.1.61
部署成功、但是第一次免密连接需要yes确认一下。
2.第二次测试
[root@m01 ~]# ssh root@172.16.1.7 hostname -I
10.0.0.7 172.16.1.7
在web01服务器上免密执行一条命令、执行成功。
第四个历程:依次将公钥分发给各个服务器
这个方法只适合来管理少量服务器,如果有多台服务器。此方法还是很麻烦
二、利用脚本批量分发密钥
1.编写批量执行脚本
[root@m01 ~]# vim /server/scripts/fenfa.sh
#!/bin/bash
source /etc/init.d/functions
for ip in `cat /server/scripts/ip_list.txt`
do
echo "================ fenfa to $ip =================="
sshpass -p123456 ssh-copy-id -i ~/.ssh/id_dsa.pub root@$ip -o StrictHostKeyChecking=no &>/dev/null
if [ $? -ne 0 ]
then
action "host $ip fenfa fail !" /bin/false
else
action "host $ip fenfa success !" /bin/true
fi
echo "================ end fenfa by LPC =================="
echo ""
done
1万+
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
