Server deployment notes
m01 server: 172.16.1.61 (used as the management host)
web01 server: 172.16.1.7
nfs01 server: 172.16.1.31
backup server: 172.16.1.41
The root password on every managed host is 123456
Key-based authentication between the Linux hosts is set up under the root user
I. Deploying key-based remote connections (password-less login)
Deploy the ssh service on the management host:
yum install -y openssh-server openssh-clients
Let the management host (m01) log in to web01 without a password
Step 1: create the key pair
[root@m01 ~]# ssh-keygen -t dsa --> generate the key pair
Generating public/private dsa key pair.
Enter file in which to save the key (/root/.ssh/id_dsa): --> where the key is stored
Enter passphrase (empty for no passphrase): --> set a passphrase for the key file
Enter same passphrase again: --> confirm the passphrase
Your identification has been saved in /root/.ssh/id_dsa.
Your public key has been saved in /root/.ssh/id_dsa.pub.
The key fingerprint is:
SHA256:RCgF4vYTVR3agkpIqIcjoc+CFmYNgLj6AzOWGPjwwls root@m01
The key's randomart image is:
+---[DSA 1024]----+
|=.o .oooo... |
|=+ o...o o. |
|++* o.. + . |
|@=.+ o . . |
|OXo + S |
|X==E . |
|oBo |
| .o |
| . |
+----[SHA256]-----+
Step 2: distribute the public key
[root@m01 ~]# ssh-copy-id -i ~/.ssh/id_dsa.pub root@10.0.0.7
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_dsa.pub"
The authenticity of host '10.0.0.7 (10.0.0.7)' can't be established.
ECDSA key fingerprint is SHA256:g9d8tbVlBdzoCjaHbiludE75FB7pez5gyt3/0QHHWK8.
ECDSA key fingerprint is MD5:3d:31:f7:31:5e:1b:e7:f3:5c:9c:14:be:80:06:18:8a.
Are you sure you want to continue connecting (yes/no)? yes
--> host-key confirmation on the first connection; answer yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@10.0.0.7's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'root@10.0.0.7'"
and check to make sure that only the key(s) you wanted were added.
By default, the first connection to a server asks you to confirm it once (the host-key prompt above).
By default, the first distribution of the public key has to go over a password-authenticated connection.
Step 3: test whether it worked
1. First password-less login
[root@m01 ~]# ssh root@172.16.1.7
The authenticity of host '172.16.1.7 (172.16.1.7)' can't be established.
ECDSA key fingerprint is SHA256:g9d8tbVlBdzoCjaHbiludE75FB7pez5gyt3/0QHHWK8.
ECDSA key fingerprint is MD5:3d:31:f7:31:5e:1b:e7:f3:5c:9c:14:be:80:06:18:8a.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.1.7' (ECDSA) to the list of known hosts.
Last login: Mon May 27 16:41:53 2019 from 172.16.1.61
Deployment succeeded, but the first password-less connection still needs a yes confirmation (the key was pushed via 10.0.0.7, and 172.16.1.7 is a new known_hosts entry for the same host).
2. Second test
[root@m01 ~]# ssh root@172.16.1.7 hostname -I
10.0.0.7 172.16.1.7
A command is run on web01 without a password, and it succeeds.
Step 4: distribute the public key to each server in turn
This approach is only suitable for managing a small number of servers; with many servers it becomes tedious.
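What ssh-copy-id does on the target host can be done by hand, and doing so shows the two things that most often break key login afterwards: a duplicated or malformed authorized_keys entry, and ~/.ssh or authorized_keys being writable by group or others (sshd's default StrictModes then silently ignores the file). The following is an added example, not code from the original notes; it uses a constructed ed25519 public key rather than the DSA key above because ssh-dss user keys are disabled by default in OpenSSH 7.0 and newer, and the function and file names are the example's own.

```shell
#!/bin/bash
# Added example, not part of the original notes: what ssh-copy-id does on the
# target host, done by hand, plus the permission check that most often
# explains "the key is installed but ssh still asks for a password".
set -u

# Append a public key to authorized_keys unless the same key is already there
# (ssh-copy-id's "filter out any that are already installed" step).
# Returns 1 if the public key file does not look like an OpenSSH key line.
install_pubkey() {
    pubkey_file=$1
    auth_file=$2
    # Field 2 of a public key line is the base64 key blob; match on it so a
    # different comment ("root@m01" vs "root@backup") does not cause a duplicate.
    blob=$(awk 'NF >= 2 { print $2; exit }' "$pubkey_file")
    [ -n "$blob" ] || return 1
    ssh_dir=$(dirname "$auth_file")
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    if ! grep -qF -- "$blob" "$auth_file" 2>/dev/null; then
        cat "$pubkey_file" >> "$auth_file"
    fi
    chmod 600 "$auth_file"
}

# How many times the key blob from pubkey_file occurs in auth_file (expect 1).
count_key() {
    blob=$(awk 'NF >= 2 { print $2; exit }' "$1")
    grep -cF -- "$blob" "$2"
}

# With StrictModes yes (the sshd default) authorized_keys is ignored when
# ~/.ssh or the file itself is writable by group or others. Returns 0 if the
# modes are acceptable, 1 otherwise. Modes come from GNU stat as octal digits
# without a leading zero, e.g. 700 or 644.
check_ssh_perms() {
    ssh_dir=$1
    auth_file=$ssh_dir/authorized_keys
    for path in "$ssh_dir" "$auth_file"; do
        mode=$(stat -c '%a' "$path" 2>/dev/null) || return 1
        # Group digit (second from the right) or other digit (rightmost)
        # containing the write bit (2, 3, 6 or 7) means writable by group/other.
        case "$mode" in
            *[2367][0-7]|*[2367]) return 1 ;;
        esac
    done
    return 0
}

# Demo on a throwaway directory with a constructed key (not a real key).
demo_dir=$(mktemp -d)
printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedExampleBlob root@m01\n' > "$demo_dir/id_ed25519.pub"
install_pubkey "$demo_dir/id_ed25519.pub" "$demo_dir/.ssh/authorized_keys"
install_pubkey "$demo_dir/id_ed25519.pub" "$demo_dir/.ssh/authorized_keys"   # second run is a no-op
echo "key occurrences: $(count_key "$demo_dir/id_ed25519.pub" "$demo_dir/.ssh/authorized_keys")"
check_ssh_perms "$demo_dir/.ssh" && echo "permissions ok" || echo "permissions too open"
rm -rf "$demo_dir"
```

Matching on the key blob rather than the whole line is deliberate: the comment field is free text, so two copies of the same key with different comments would otherwise both end up in the file. If a target still prompts for a password after the key is installed, running check_ssh_perms against its /root/.ssh (or checking /var/log/secure for "Authentication refused: bad ownership or modes") is the first thing to look at.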
II. Distributing the key in batch with a script
1. Write the batch script
[root@m01 ~]# vim /server/scripts/fenfa.sh
#!/bin/bash
# Batch-distribute the management host's public key to every address listed
# in /server/scripts/ip_list.txt (one IP per line).
# Needs the sshpass package (on CentOS it comes from the EPEL repository).
source /etc/init.d/functions
for ip in $(cat /server/scripts/ip_list.txt)
do
    echo "================ fenfa to $ip =================="
    # Options go before the host, as in ssh-copy-id's usage line;
    # StrictHostKeyChecking=no skips the host-key prompt, so the host key is accepted unverified.
    sshpass -p123456 ssh-copy-id -i ~/.ssh/id_dsa.pub -o StrictHostKeyChecking=no "root@$ip" &>/dev/null
    if [ $? -ne 0 ]
    then
        action "host $ip fenfa fail !" /bin/false
    else
        action "host $ip fenfa success !" /bin/true
    fi
    echo "================ end fenfa by LPC =================="
    echo ""
done
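The script above trades two checks for convenience: StrictHostKeyChecking=no accepts whatever host key answers at each address, and the password on the sshpass command line is visible to every user in the process list. The following is an added example, not the notes' own script, that keeps the same sshpass + ssh-copy-id flow but validates the address list, pins the servers' host keys with ssh-keyscan before distributing, and reads the password from the environment. The variables PUBKEY, KNOWN_HOSTS and ROOT_PW, the is_ipv4 helper and the file name fenfa_safe.sh are the example's own; the one-address-per-line format of ip_list.txt is what the notes' for loop implies.

```shell
#!/bin/bash
# Added example, not part of the original notes: a batch-distribution driver
# that keeps the sshpass + ssh-copy-id approach but (1) validates the address
# list instead of feeding `cat` straight into the loop, (2) seeds known_hosts
# with ssh-keyscan so host keys are pinned and reviewable rather than skipped
# with StrictHostKeyChecking=no, and (3) takes the root password from the
# environment (sshpass -e) so it is not visible in the process list.
# Assumed, configurable via the environment: PUBKEY, KNOWN_HOSTS, ROOT_PW.
set -u
: "${PUBKEY:=$HOME/.ssh/id_ed25519.pub}"
: "${KNOWN_HOSTS:=$HOME/.ssh/known_hosts}"

# Dotted-quad check: four numeric octets, each 0..255 (hypothetical helper).
is_ipv4() {
    case "$1" in ''|*[!0-9.]*) return 1 ;; esac
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] || return 1
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Read one address per line from the list file, ignoring blank lines and "#"
# comments and reporting malformed entries on stderr instead of passing them
# on to ssh.
read_ip_list() {
    while IFS= read -r line || [ -n "$line" ]; do
        entry=${line%%#*}
        entry=$(printf '%s' "$entry" | tr -d ' \t\r')
        [ -n "$entry" ] || continue
        if is_ipv4 "$entry"; then
            printf '%s\n' "$entry"
        else
            printf 'ip_list: skipping malformed entry "%s"\n' "$entry" >&2
        fi
    done < "$1"
}

# Collect the servers' host keys once, before distributing anything, so the
# fingerprints can be reviewed (ssh-keygen -lf "$KNOWN_HOSTS") and later
# connections fail instead of prompting if a key changes.
seed_known_hosts() {
    for ip in "$@"; do
        ssh-keyscan -t ecdsa,ed25519 "$ip" 2>/dev/null
    done >> "$KNOWN_HOSTS"
}

# Push the public key to one server. Options go before the host, as in
# ssh-copy-id's usage line; sshpass -e reads the password from $SSHPASS.
push_key() {
    SSHPASS=$ROOT_PW sshpass -e ssh-copy-id -i "$PUBKEY" \
        -o StrictHostKeyChecking=yes \
        -o UserKnownHostsFile="$KNOWN_HOSTS" \
        "root@$1" >/dev/null 2>&1
}

# Whole run: validate the list, pin host keys, then distribute.
fenfa_all() {
    [ -n "${ROOT_PW:-}" ] || { echo "ROOT_PW is not set" >&2; return 1; }
    ips=$(read_ip_list "$1")
    seed_known_hosts $ips          # unquoted on purpose: one argument per address
    for ip in $ips; do
        if push_key "$ip"; then
            echo "host $ip fenfa success"
        else
            echo "host $ip fenfa fail"
        fi
    done
}

# Usage: ROOT_PW=... ./fenfa_safe.sh --run /server/scripts/ip_list.txt
if [ "${1:-}" = "--run" ]; then
    fenfa_all "${2:-/server/scripts/ip_list.txt}"
fi
```

Seeding known_hosts before the first push still means the keys are learned over the network, but it happens once, in one file that can be compared against fingerprints taken from the servers' consoles; after that, a changed key at any address makes ssh-copy-id fail instead of quietly connecting to whatever answered. On CentOS 7, ssh-copy-id, ssh-keyscan and sshpass (EPEL) are all available as separate packages; nothing here depends on a newer OpenSSH.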