First, let root log in over ssh on one machine:
update_ini('/etc/ssh/sshd_config', 'PermitRootLogin', 'yes')
update_ini('/etc/ssh/sshd_config', 'PasswordAuthentication', pwauth)
update_ini('/etc/ssh/sshd_config', 'ChallengeResponseAuthentication', 'no')
That is, change these 3 values in /etc/ssh/sshd_config.
Logging in from one Linux machine to another without a password:
1: Use ssh-keygen to generate an RSA key for your user.
Accept the defaults all the way through; this gives you two files, id_rsa and id_rsa.pub,
and a fingerprint that looks like this:
e9:37:e4:48:1f:96:f3:3a:1a:ac:57:cc:85:39:bb:6f mac@ngmp-master
[mac@ngmp-master .ssh]$ ll
total 16
-rw------- 1 mac mac 1675 May 24 10:33 id_rsa
-rw-r--r-- 1 mac mac 397 May 24 10:33 id_rsa.pub
[mac@ngmp-master .ssh]$ pwd
/home/mac/.ssh
2: Use ssh-copy-id user@host to push the SSH public key you just created to the host machine.
Or, copy the contents of id_rsa.pub into the .ssh/authorized_keys2 file on the target machine yourself.
3: After you ssh from machine A to machine B, the ~/.ssh/known_hosts file under your account on A gains one line recording machine B, which looks like:
10.36.126.32 ssh-rsa AAAAB3NzaC1yc2EAAAQEAqB1PcXHO7....yDZGvKqYJIYluKQ==
It is not a key but machine B's fingerprint (presumably base64-encoded).
If machine B is reinstalled, delete B's record from A's known_hosts file.
SSH setup for several mutually trusting machines:
1: On one of the machines, generate a key as root with ssh-keygen.
2: Copy the files id_rsa and id_rsa.pub to /root/.ssh/ on every trusted machine.
3: Add a line to the authorized_keys2 file:
from="server1, server2, server3, ...." ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAtSVYgX8z5WiHpaKpb9eYQ+Ubytap34tcKbhTW7Pw69I9OVFcGtrPhc35o4OO4aPb47MKBlnq/bVOMzKginDOGnw== root@master.server
The format is from="server, .... server list" ssh-rsa <base64 public key> <user>@<server>
The ruby script used to do this:
#!/usr/bin/ruby
IMHT_ROOT = "/opt/trend/imht"
require 'central_config'   # in-house library: host, role and pod lookups
require 'tempfile'

# Set "kw value" in an ini-style file: the first line matching kw (commented
# out or not) is replaced, later matches are dropped (sshd honours the first
# occurrence of a directive), every other line is kept. Nothing is added if
# kw does not appear in the file at all.
def update_ini(fn, kw, value)
  f = Tempfile.new(File.basename(fn))
  f.close
  system("awk \"BEGIN {i=0} {if (/^#?#{kw}[ \t]+.*/) {if(i == 0) print \\\"#{kw} #{value}\\\"; i++} else print}\" #{fn} > #{f.path}")
  system("cp -f #{f.path} #{fn}")
  f.unlink
end

# Push our host's public host key to the master
cfg = CentralConfig.new
myhost = cfg.get_my_host()
master = cfg.get_hosts_by_role_dc_pod('slack-master', myhost.dc, myhost.pod)[0]
key = IO.read('/etc/ssh/ssh_host_rsa_key.pub')
# known_hosts entry: "shortname,fqdn,ip <host public key>"
myentry = "#{myhost.host},#{myhost.host}.#{cfg.get_domain_by_datacenter_pod(myhost.dc, myhost.pod)},#{cfg.get_host_ip(myhost)} #{key}"
f = Tempfile.new('known_hosts')
f.write(myentry)
f.close
system("rsync #{f.path} #{master.host}::imht/ssh-config/#{myhost.host}.pub")
f.unlink

# Install the known-hosts file
system("cp -f #{IMHT_ROOT}/setup/ssh-config/ssh_known_hosts /etc/ssh")

# Install root's ssh key pair
system("mkdir -p /root/.ssh")
system("cp -f #{IMHT_ROOT}/setup/ssh-config/id_rsa /root/.ssh")
system("chmod 600 /root/.ssh/id_rsa")
system("cp -f #{IMHT_ROOT}/setup/ssh-config/id_rsa.pub /root/.ssh")
system("chmod 644 /root/.ssh/id_rsa.pub")

# Allow root access only from nodes within the pod
hosts = cfg.get_hosts_by_datacenter_pod(myhost.dc, myhost.pod)
domain = cfg.get_domain_by_datacenter_pod(myhost.dc, myhost.pod)
from = 'from="'
hosts.each do |h|
  from << "#{h.host}.#{domain},"
end
extra = cfg.get_pod_parameter(myhost.dc, myhost.pod, 'ssh.authkeys.extra_ips')
if extra
  from << extra.split(/ *, */).join(',') + ','
end
from[from.length-1] = '" '   # replace the trailing comma, closing the from= list
f = Tempfile.new('auth_keys_from')
f.write(from)
f.close
system("cat /root/.ssh/id_rsa.pub >> #{f.path}")
# Append the entry unless the same line is already present
system("cat #{f.path} >> /root/.ssh/authorized_keys2") if !File.exist?('/root/.ssh/authorized_keys2') || !system("grep -q -f #{f.path} /root/.ssh/authorized_keys2")
system("chmod 644 /root/.ssh/authorized_keys2")
f.unlink

# Check if PasswordAuthentication is allowed
autodeploy = cfg.get_my_parameter('autodeploy')
autodeploy_opts = autodeploy ? autodeploy.split(/ *, */) : []
pwauth = (autodeploy_opts.include?('+sshdpwauth')) ? 'yes' : 'no'

# Enable root login. Disable password authentication
update_ini('/etc/ssh/sshd_config', 'PermitRootLogin', 'yes')
update_ini('/etc/ssh/sshd_config', 'PasswordAuthentication', pwauth)
update_ini('/etc/ssh/sshd_config', 'ChallengeResponseAuthentication', 'no')

# Restart sshd
if cfg.get_host_os(myhost) == 'ubuntu'
  system("/etc/init.d/ssh restart")
else
  system("/etc/init.d/sshd restart")
end
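As an added example (not the article's script, which shells out to awk and grep), the same two steps in pure Ruby: set_sshd_option replaces the first matching sshd_config directive, drops later duplicates and appends the directive when it is missing, while build_from_entry and key_present? assemble and check the from= authorized_keys line. The sample config, host names, domain and key below are constructed.

```ruby
# Constructed sample input (not from any real host)
SAMPLE_SSHD_CONFIG = <<~CFG
  # constructed sample sshd_config, not a real host's file
  Port 22
  #PermitRootLogin prohibit-password
  PasswordAuthentication yes
  PermitRootLogin no
CFG
SAMPLE_PUBKEY = 'ssh-rsa AAAAB3NzaC1yc2EAAAAEXAMPLEKEY== root@master'

# Replace the first "Key value" line (commented out or not) with "Key value",
# drop later duplicates (sshd honours the first occurrence of a directive,
# so a stale second copy would otherwise win) and append if never seen.
def set_sshd_option(config, kw, value)
  pattern = /\A#?#{Regexp.escape(kw)}[ \t]+/
  out = []
  seen = false
  config.each_line do |line|
    if line =~ pattern
      out << "#{kw} #{value}\n" unless seen
      seen = true
    else
      out << line
    end
  end
  out << "#{kw} #{value}\n" unless seen
  out.join
end

# Build the authorized_keys entry restricted with from= to the pod hosts
# (plus optional extra IPs given as a comma-separated string).
def build_from_entry(hosts, domain, pubkey, extra_ips = nil)
  sources = hosts.map { |h| "#{h}.#{domain}" }
  sources += extra_ips.split(/ *, */) if extra_ips && !extra_ips.empty?
  %(from="#{sources.join(',')}" #{pubkey.strip})
end

# True if authorized_keys already holds this public key, whatever options
# prefix the line carries; avoids appending the same key twice.
def key_present?(authorized_keys, pubkey)
  key_body = pubkey.strip.split(' ')[1]
  authorized_keys.each_line.any? { |l| l.split(' ').include?(key_body) }
end
```

Matching on the key body rather than the whole line (as the script's grep -q -f does) also recognises an existing entry whose from= list has since changed, so the line can be rewritten instead of duplicated.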