1. How passwordless login works
ssh supports RSA-based authentication. The scheme rests on public-key cryptography: in such a cryptosystem encryption and decryption are done with different keys, and the decryption key cannot be derived from the encryption key. RSA is such a cryptosystem. Each user creates a public/private key pair for authentication. The server knows the user's public key, and only the user knows his own private key. The file $HOME/.ssh/authorized_keys lists the (users') public keys that are permitted to log in. When the user starts a login, the ssh program tells the server which key pair (public key) it intends to use for authentication. The server checks whether this key (public key) is permitted and, if so, sends the user (really, the ssh program running in front of the user) a challenge: a random number encrypted with the user's public key. That random number can only be decrypted with the correct private key. The user's client program then decrypts the challenge with the private key, proving that he/she holds the private key without ever exposing it (the private key) to the server.

(Source: man ssh)
2. Files in the .ssh directory
- known_hosts
  Stores the host keys of machines that have been connected to. On the first connection to a host you have to type `yes` by hand, which initialises the known_hosts file.
  ```
  # file permissions
  -rw-r--r--. 1 stu stu 185 4月 21 11:43 known_hosts
  ```
- id_rsa
  The RSA private key file, generated automatically by `ssh-keygen -t rsa`.
  ```
  # file permissions
  -rw-------. 1 stu stu 1679 4月 21 11:42 id_rsa
  ```
- id_rsa.pub
  The RSA public key file, generated automatically by `ssh-keygen -t rsa`.
  ```
  # file permissions
  -rw-r--r--. 1 stu stu 394 4月 21 11:42 id_rsa.pub
  ```
- authorized_keys
  Holds the public keys of the hosts that are allowed to log in without a password.
  ```
  # file permissions
  -rw-------. 1 stu stu 394 4月 21 11:55 authorized_keys
  ```
3. Configuring ssh passwordless login
- Environment preparation
  ```
  # 1. Prepare 3 virtual machines
  # 2. Assume the three VMs have the following IP addresses
  192.168.65.151
  192.168.65.152
  192.168.65.153
  ```
- hostname configuration
  ```
  # edit /etc/hostname on each node
  # 192.168.65.151  node-101
  # 192.168.65.152  node-102
  # 192.168.65.153  node-103
  ```
- hosts configuration
  ```
  # edit /etc/hosts on each node
  192.168.65.151 node-101
  192.168.65.152 node-102
  192.168.65.153 node-103
  ```
- Create the test user stu
  ```
  # create the group
  groupadd stu
  # create the user
  useradd -g stu stu
  # set the password
  passwd stu
  ```
- Initialise the RSA keys with ssh-keygen
  ```
  # initialise node-101
  ssh-keygen -t rsa
  # initialise node-102
  ssh-keygen -t rsa
  # initialise node-103
  ssh-keygen -t rsa

  ### what it looks like on node-101 ###
  [stu@node-101 /]$ ssh-keygen -t rsa
  Generating public/private rsa key pair.
  Enter file in which to save the key (/home/stu/.ssh/id_rsa):
  Created directory '/home/stu/.ssh'.
  Enter passphrase (empty for no passphrase):
  Enter same passphrase again:
  Your identification has been saved in /home/stu/.ssh/id_rsa.
  Your public key has been saved in /home/stu/.ssh/id_rsa.pub.
  The key fingerprint is:
  SHA256:4cmZCd8gftw6dLwd8l6PM2HHTxkJjM0BgU3uipmjnRc stu@node-101
  The key's randomart image is:
  +---[RSA 2048]----+
  | ++B.. |
  | ..o = |
  | o o . . .|
  | . B @. o |
  | . S *.. .o|
  | o+E.= .o.+|
  | =o.o o..+.|
  | o oo . .oo.|
  | . o. . .o.|
  +----[SHA256]-----+

  ### files under .ssh on each node ###
  -rw-------. 1 stu stu 1679 4月 21 13:55 id_rsa
  -rw-r--r--. 1 stu stu 394 4月 21 13:55 id_rsa.pub
  ```
- Initialise authorized_keys with ssh-copy-id
  ```
  ### 1 -> node-102 sends its public key file to node-101 ###
  [stu@node-102 .ssh]$ ssh-copy-id -i id_rsa.pub stu@node-101
  /usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "id_rsa.pub"
  The authenticity of host 'node-101 (192.168.65.151)' can't be established.
  ECDSA key fingerprint is SHA256:qmuisMebanSir4vDj4GXpJl60ufOGGU3j8pSW1mRmGM.
  ECDSA key fingerprint is MD5:60:77:a1:69:f5:0b:4b:d9:a6:d2:74:2a:34:c2:35:7b.
  Are you sure you want to continue connecting (yes/no)? yes
  /usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
  /usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
  stu@node-101's password:

  Number of key(s) added: 1

  Now try logging into the machine, with:   "ssh 'stu@node-101'"
  and check to make sure that only the key(s) you wanted were added.

  # 1.1 after ssh-copy-id, the .ssh directory on node-102 (a known_hosts file has appeared)
  [stu@node-102 .ssh]$ ll -a
  -rw-------. 1 stu stu 1679 4月 21 14:00 id_rsa
  -rw-r--r--. 1 stu stu 394 4月 21 14:00 id_rsa.pub
  -rw-r--r--. 1 stu stu 185 4月 21 14:04 known_hosts
  # 1.2 contents of known_hosts (node-101's host key has been recorded)
  [stu@node-102 .ssh]$ cat known_hosts
  node-101,192.168.65.151 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBE08N5iUXVb1mArg18dL6pttWWciBoLTWE2yvHlMZ4tBxz5ZXzCO8IL0Dxzgc8EZazFtMHByyDYuARdFuh3nOtY=
  # 1.3 the .ssh directory on node-101 (an authorized_keys file has appeared)
  [stu@node-101 .ssh]$ ll -a
  -rw-------. 1 stu stu 394 4月 21 14:04 authorized_keys
  -rw-------. 1 stu stu 1679 4月 21 13:55 id_rsa
  -rw-r--r--. 1 stu stu 394 4月 21 13:55 id_rsa.pub
  # 1.4 contents of authorized_keys on node-101 (it holds node-102's public key)
  [stu@node-101 .ssh]$ cat authorized_keys
  ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8bcfUc2vEoAR78DMlPfKPId31F+Julxl4DbuKszutkUIGroikMeRmYResiU7DkkhzYwph838ujRv7nmMOw+bZXTvoqdbGBskQH7NUzLXK11cltq3vtwUfhW2DdRYxmpcdMuWquLbk3dyYgMQF3w3BNf0Z6fgUz4/6yPp7TzAhXuP+zbtZ9GUFqPf5t7DVpHQKIt6OKTvU7+6UGXZAZYYLknwg6wJCBSQeMIvyerTf8wSgBaVE2Xfm3dfevyppFeUYk0xbn+OlM4nGqEXew/tMFHofEDivJONZek1wfaAKfWj8O/XsP2M4CbtXllFxLeLoQ7DiujVoYOYeFvw23tb1 stu@node-102

  ### 2 -> node-103 sends its public key file to node-101 ###
  [stu@node-103 .ssh]$ ssh-copy-id -i id_rsa.pub stu@node-101
  The authenticity of host 'node-101 (192.168.65.151)' can't be established.
  ECDSA key fingerprint is SHA256:qmuisMebanSir4vDj4GXpJl60ufOGGU3j8pSW1mRmGM.
  ECDSA key fingerprint is MD5:60:77:a1:69:f5:0b:4b:d9:a6:d2:74:2a:34:c2:35:7b.
  Are you sure you want to continue connecting (yes/no)? yes
  /usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
  /usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
  stu@node-101's password:

  Number of key(s) added: 1

  Now try logging into the machine, with:   "ssh 'stu@node-101'"
  and check to make sure that only the key(s) you wanted were added.

  # 2.1 contents of authorized_keys on node-101 (node-103's public key has been added)
  [stu@node-101 .ssh]$ cat authorized_keys
  ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8bcfUc2vEoAR78DMlPfKPId31F+Julxl4DbuKszutkUIGroikMeRmYResiU7DkkhzYwph838ujRv7nmMOw+bZXTvoqdbGBskQH7NUzLXK11cltq3vtwUfhW2DdRYxmpcdMuWquLbk3dyYgMQF3w3BNf0Z6fgUz4/6yPp7TzAhXuP+zbtZ9GUFqPf5t7DVpHQKIt6OKTvU7+6UGXZAZYYLknwg6wJCBSQeMIvyerTf8wSgBaVE2Xfm3dfevyppFeUYk0xbn+OlM4nGqEXew/tMFHofEDivJONZek1wfaAKfWj8O/XsP2M4CbtXllFxLeLoQ7DiujVoYOYeFvw23tb1 stu@node-102
  ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCt3FeuZMmviZDI2C8HLbirGdQ/6FgwCWf29SjVQW+qWu0C6Me9zgvXZpXflLkJPOAGJ3tZ9tUmIB7uTIHi9fhoQHOSSSSY/onxwHlSDoyi5uXvyepOKuzspKjOodrxY8/S5AdsMNMS8YscnlgUJxts4aptWGPR6+XWK2ujJB6Pn8VO6jI7gfYjHJrHFUZna2MDxeMFEHeF3JsKMb5WnxpElHdNDkvHKk9g1cY/CrlvQmdrGdO5+1bzS5ad6mJKqlI20fCH3GlarkPLVVEVXQyN0dK0dUvifAosGOfQ3TKXsPrd98SILMBS14kl/PrxODkiJ176bdAESqOIy53+6bal stu@node-103

  ### 3 -> node-101 appends its own public key to authorized_keys ###
  cat id_rsa.pub >> authorized_keys
  # 3.1 contents of authorized_keys on node-101 (node-101's public key has been added)
  [stu@node-101 .ssh]$ cat authorized_keys
  ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8bcfUc2vEoAR78DMlPfKPId31F+Julxl4DbuKszutkUIGroikMeRmYResiU7DkkhzYwph838ujRv7nmMOw+bZXTvoqdbGBskQH7NUzLXK11cltq3vtwUfhW2DdRYxmpcdMuWquLbk3dyYgMQF3w3BNf0Z6fgUz4/6yPp7TzAhXuP+zbtZ9GUFqPf5t7DVpHQKIt6OKTvU7+6UGXZAZYYLknwg6wJCBSQeMIvyerTf8wSgBaVE2Xfm3dfevyppFeUYk0xbn+OlM4nGqEXew/tMFHofEDivJONZek1wfaAKfWj8O/XsP2M4CbtXllFxLeLoQ7DiujVoYOYeFvw23tb1 stu@node-102
  ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCt3FeuZMmviZDI2C8HLbirGdQ/6FgwCWf29SjVQW+qWu0C6Me9zgvXZpXflLkJPOAGJ3tZ9tUmIB7uTIHi9fhoQHOSSSSY/onxwHlSDoyi5uXvyepOKuzspKjOodrxY8/S5AdsMNMS8YscnlgUJxts4aptWGPR6+XWK2ujJB6Pn8VO6jI7gfYjHJrHFUZna2MDxeMFEHeF3JsKMb5WnxpElHdNDkvHKk9g1cY/CrlvQmdrGdO5+1bzS5ad6mJKqlI20fCH3GlarkPLVVEVXQyN0dK0dUvifAosGOfQ3TKXsPrd98SILMBS14kl/PrxODkiJ176bdAESqOIy53+6bal stu@node-103
  ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsNw10MdjCx/iywqxf2rP5RZSLt7zult/QrX6RR9Hyjc06a4XoXBqrYl7prJtWBeAW7uis4pnGlf22I4ACpfNA+wMtKJPqBiKs38jM6EB/da0Wrn++t+PZgVVoSIiy8nR7RJEdVDEdR/6L9WUGIn7Rua6hLy2jOGLDnzATImGN6MTSDj1Vh40VHm5S9SrP+6nQzKaRakRvSR8knSnHSgxdNjXUtEt/IuM3nTU9RxbTtxlRcE9iHGdFOE8Tp5EeI8604X2oVZxfzL2sow0XpipfbmUqsgISx0cATX2nRW5kG5qmLMYnhjtR16nB58THuLOLeZuM10Vh0LpFVXZCNmjF stu@node-101
  ```
- Distribute authorized_keys with scp
  ```
  # node-101 distributes to node-102
  [stu@node-101 .ssh]$ scp authorized_keys stu@node-102:/home/stu/.ssh
  The authenticity of host 'node-102 (192.168.65.152)' can't be established.
  ECDSA key fingerprint is SHA256:qmuisMebanSir4vDj4GXpJl60ufOGGU3j8pSW1mRmGM.
  ECDSA key fingerprint is MD5:60:77:a1:69:f5:0b:4b:d9:a6:d2:74:2a:34:c2:35:7b.
  Are you sure you want to continue connecting (yes/no)? yes
  Warning: Permanently added 'node-102,192.168.65.152' (ECDSA) to the list of known hosts.
  stu@node-102's password:
  authorized_keys                               100% 1182     1.8MB/s   00:00
  # node-101 distributes to node-103
  [stu@node-101 .ssh]$ scp authorized_keys stu@node-103:/home/stu/.ssh
  The authenticity of host 'node-103 (192.168.65.153)' can't be established.
  ECDSA key fingerprint is SHA256:qmuisMebanSir4vDj4GXpJl60ufOGGU3j8pSW1mRmGM.
  ECDSA key fingerprint is MD5:60:77:a1:69:f5:0b:4b:d9:a6:d2:74:2a:34:c2:35:7b.
  Are you sure you want to continue connecting (yes/no)? yes
  Warning: Permanently added 'node-103,192.168.65.153' (ECDSA) to the list of known hosts.
  stu@node-103's password:
  authorized_keys                               100% 1182     2.2MB/s   00:00
  ```
- Check that authorized_keys has mode 600 (-rw-------) on every node
  ```
  # node-101
  [stu@node-101 .ssh]$ ll -a
  -rw-------. 1 stu stu 1182 4月 21 14:25 authorized_keys
  -rw-------. 1 stu stu 1679 4月 21 13:55 id_rsa
  -rw-r--r--. 1 stu stu 394 4月 21 13:55 id_rsa.pub
  -rw-r--r--. 1 stu stu 370 4月 21 14:39 known_hosts
  # node-102
  [stu@node-102 .ssh]$ ll -a
  -rw-------. 1 stu stu 1182 4月 21 14:36 authorized_keys
  -rw-------. 1 stu stu 1679 4月 21 14:00 id_rsa
  -rw-r--r--. 1 stu stu 394 4月 21 14:00 id_rsa.pub
  -rw-r--r--. 1 stu stu 185 4月 21 14:04 known_hosts
  # node-103
  [stu@node-103 .ssh]$ ll -a
  -rw-------. 1 stu stu 1182 4月 21 14:39 authorized_keys
  -rw-------. 1 stu stu 1679 4月 21 14:17 id_rsa
  -rw-r--r--. 1 stu stu 394 4月 21 14:17 id_rsa.pub
  -rw-r--r--. 1 stu stu 185 4月 21 14:17 known_hosts
  ```
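The steps above build authorized_keys by hand: ssh-copy-id from each node, `cat id_rsa.pub >> authorized_keys` on node-101, then scp to the others. Run twice, that appends the same keys again, and a stray line pasted into the file is accepted without complaint. The script below is an added example, not code from the original post; it merges any number of id_rsa.pub files into one authorized_keys, dropping malformed lines and duplicate keys, and creates the result with mode 600 inside a mode 700 directory. The directory, file names and key bodies in the demo are constructed placeholders, not real keys.

```shell
# Added example, not from the original post: build one authorized_keys file
# from several id_rsa.pub files, as the ssh-copy-id / cat >> / scp steps do,
# with three safeguards those steps lack: each line must look like an
# OpenSSH public key, a key already present is not added twice (so the
# script can be re-run), and the result is written with mode 600 inside a
# mode 700 .ssh directory. Paths and key bodies below are placeholders.

# Octal mode of a path (GNU stat first, BSD stat as a fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# is_pubkey_line LINE: 0 if LINE has the form "<type> <base64> [comment]"
# with a key type sshd accepts; blank lines, comments and garbage give 1.
is_pubkey_line() {
    printf '%s\n' "$1" | grep -Eq \
        '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( |$)'
}

# merge_authorized_keys DEST PUBFILE...
# Keeps whatever DEST already holds, adds the validated keys from PUBFILE...,
# drops duplicates and prints how many keys DEST now holds. Two lines are the
# same key when type and base64 body match, whatever the user@host comment.
merge_authorized_keys() (
    dest=$1; shift
    destdir=$(dirname "$dest")
    umask 077                        # anything created from here on is private
    mkdir -p "$destdir"
    chmod 700 "$destdir"
    tmp=$(mktemp "$destdir/.authorized_keys.XXXXXX")
    { [ -f "$dest" ] && cat "$dest"; cat "$@"; } |
    while IFS= read -r line; do
        is_pubkey_line "$line" && printf '%s\n' "$line"
    done |
    sort -u -k1,2 >"$tmp"            # unique on (type, body); comment ignored
    chmod 600 "$tmp"
    mv -f "$tmp" "$dest"             # atomic replace: never a half-written file
    wc -l <"$dest" | tr -d ' '
)

# Constructed demo: a scratch directory stands in for /home/stu/.ssh.
DEMO=$(mktemp -d)
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8placeholder101 stu@node-101\n' >"$DEMO/node-101.pub"
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCtplaceholder102 stu@node-102\n' >"$DEMO/node-102.pub"
# node-103's file was assembled by hand: a stray comment plus a copy of node-102's key
printf '# pasted by hand\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCtplaceholder102 stu@node-102\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsplaceholder103 stu@node-103\n' >"$DEMO/node-103.pub"

n=$(merge_authorized_keys "$DEMO/.ssh/authorized_keys" "$DEMO"/node-10?.pub)
echo "installed $n keys, mode $(file_mode "$DEMO/.ssh/authorized_keys")"
```

On the real nodes you would collect the three id_rsa.pub files on node-101 (ssh-copy-id already does that for the incoming ones), run `merge_authorized_keys ~/.ssh/authorized_keys *.pub`, and then scp the result as in the post. Because the merge is idempotent, adding a fourth node later is the same command again rather than another round of `>>`.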
4. Testing passwordless login
```
# node-101 logs in to node-102
[stu@node-101 .ssh]$ ssh node-102
Last login: Thu Apr 21 11:30:04 2022 from node-102
[stu@node-102 ~]$
# node-101 logs in to node-103
[stu@node-101 .ssh]$ ssh node-103
Last login: Thu Apr 21 11:27:03 2022 from node-101
[stu@node-103 ~]$
# node-102 logs in to node-101
[stu@node-102 .ssh]$ ssh node-101
Last login: Thu Apr 21 11:28:50 2022 from node-102
[stu@node-101 ~]$
# node-102 logs in to node-103
[stu@node-102 .ssh]$ ssh node-103
Last login: Thu Apr 21 14:46:03 2022 from node-102
[stu@node-103 ~]$
# node-103 logs in to node-101
[stu@node-103 .ssh]$ ssh node-101
Last login: Thu Apr 21 14:45:22 2022 from node-102
[stu@node-101 ~]$
# node-103 logs in to node-102
[stu@node-103 .ssh]$ ssh node-102
Last login: Thu Apr 21 14:47:37 2022 from node-103
[stu@node-102 ~]$
```
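Six interactive logins are fine for three nodes, but the same check is worth scripting so it can be re-run after every change. The script below is an added example, not code from the original post. Run from any one node, it tries every ordered pair by hopping (ssh to the source node, and from there ssh to the destination and run `hostname`). `BatchMode=yes` turns a password prompt, the symptom of a missing or unreadable key, into an immediate failure instead of a hang, and also disables the host-key confirmation prompt, so a node whose host key is not yet in known_hosts fails the check instead of being added silently. Node names and the user are the ones from the post; `SSH_CMD` is an assumption of this example that lets the ssh binary be swapped for a stub when testing. One thing the transcripts above make visible: node-101, node-102 and node-103 all present the same ECDSA host key fingerprint (SHA256:qmuis...), which is what happens when VMs are cloned from one image. known_hosts can then no longer tell the nodes apart, so each clone should get its own host keys before the entries are relied on.

```shell
# Added example, not from the original post: check every ordered pair of
# nodes with key-only logins, reporting OK/FAIL per pair.
NODES="node-101 node-102 node-103"
SSH_USER=stu
SSH_CMD=${SSH_CMD:-ssh}     # assumption: overridable so tests can stub ssh

# try_login SRC DST: 0 only if SRC reaches DST by key alone and DST reports
# the expected hostname (which also catches an /etc/hosts entry that points
# at the wrong machine).
try_login() {
    got=$($SSH_CMD -o BatchMode=yes -o ConnectTimeout=5 "$SSH_USER@$1" \
              ssh -o BatchMode=yes -o ConnectTimeout=5 "$SSH_USER@$2" hostname \
              2>/dev/null) || return 1
    [ "$got" = "$2" ]
}

# verify_mesh: one line per pair; returns the number of pairs that failed.
verify_mesh() {
    failed=0
    for src in $NODES; do
        for dst in $NODES; do
            [ "$src" = "$dst" ] && continue
            if try_login "$src" "$dst"; then
                printf 'OK   %s -> %s\n' "$src" "$dst"
            else
                printf 'FAIL %s -> %s (password prompt, unknown host key or unreachable)\n' "$src" "$dst"
                failed=$((failed + 1))
            fi
        done
    done
    return "$failed"
}

# Real run against the three nodes: RUN_MESH_CHECK=1 sh verify_mesh.sh
if [ "${RUN_MESH_CHECK:-0}" = 1 ]; then
    verify_mesh
fi
```

The exit status of `verify_mesh` is the number of broken pairs, so the script slots into a provisioning pipeline as a gate: zero means every node can reach every other node without a password and every name resolves to the machine it should.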
5. FAQ
- After editing /etc/hostname, reboot the virtual machine (reboot).
- If passwordless login still fails after the ssh configuration is done, try restarting the sshd service (systemctl restart sshd).
- If passwordless login still fails after the ssh configuration is done, check that the permissions on authorized_keys are 600 (chmod 600 authorized_keys).
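The permission item in the FAQ is the one that bites most often, and authorized_keys is not the only file sshd looks at. With StrictModes (the default) sshd silently ignores authorized_keys when the file, the ~/.ssh directory or the home directory itself is writable by group or others, and the ssh client refuses to use a private key that others can read; both show up as the "still asked for a password" symptom. The audit below is an added example, not code from the original post, covering the files listed in section 2 as well as the FAQ: it reports every violation, returns the count, and a companion function applies the modes the post uses. The home directory in the demo is a constructed scratch directory.

```shell
# Added example, not from the original post: audit the permissions that
# decide whether sshd will honour authorized_keys and whether ssh will use
# id_rsa, then fix them the way the post does (chmod 600 / chmod 700).

# Octal mode of a path (GNU stat first, BSD stat as a fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# go_digits MODE: the group and other digits of an octal mode, e.g. 755 -> 55
go_digits() {
    m=$1
    printf '%s' "${m#${m%??}}"
}

# Rules: each takes an octal mode and returns 0 when it is acceptable.
mode_not_go_writable() { case "$(go_digits "$1")" in *[2367]*) return 1 ;; *) return 0 ;; esac; }
mode_go_none()         { [ "$(go_digits "$1")" = 00 ]; }    # nothing at all for group/others
mode_is_700()          { [ "$1" = 700 ]; }
mode_is_600()          { [ "$1" = 600 ]; }

# check PATH RULE DESCRIPTION: report a violation and bump $problems.
check() {
    [ -e "$1" ] || return 0          # a missing file is not a permission problem
    actual=$(file_mode "$1")
    if ! "$2" "$actual"; then
        printf '%s: mode %s, expected %s\n' "$1" "$actual" "$3"
        problems=$((problems + 1))
    fi
}

# audit_ssh_dir HOME_DIR: one line per problem; returns the problem count.
audit_ssh_dir() {
    problems=0
    check "$1"                      mode_not_go_writable "no write bit for group/others (StrictModes)"
    check "$1/.ssh"                 mode_is_700          "700"
    check "$1/.ssh/authorized_keys" mode_is_600          "600"
    check "$1/.ssh/id_rsa"          mode_go_none         "600 (private key readable by the owner only)"
    return "$problems"
}

# fix_ssh_dir HOME_DIR: apply the modes the post uses.
fix_ssh_dir() {
    chmod go-w "$1"
    [ -d "$1/.ssh" ] && chmod 700 "$1/.ssh"
    for f in "$1/.ssh/authorized_keys" "$1/.ssh/id_rsa"; do
        [ -f "$f" ] && chmod 600 "$f"
    done
    return 0
}

# Constructed demo: a scratch home with the permissions a careless copy leaves behind.
DEMO_HOME=$(mktemp -d)
mkdir "$DEMO_HOME/.ssh"
: >"$DEMO_HOME/.ssh/authorized_keys"
: >"$DEMO_HOME/.ssh/id_rsa"
chmod 777 "$DEMO_HOME"; chmod 750 "$DEMO_HOME/.ssh"
chmod 664 "$DEMO_HOME/.ssh/authorized_keys"; chmod 640 "$DEMO_HOME/.ssh/id_rsa"

audit_ssh_dir "$DEMO_HOME" || echo "found $? problem(s), fixing"
fix_ssh_dir "$DEMO_HOME"
audit_ssh_dir "$DEMO_HOME" && echo "clean"
```

On a real node, `audit_ssh_dir /home/stu` run as stu before restarting sshd tells you whether a restart can help at all; sshd does not need a restart to pick up a changed authorized_keys, but it will keep ignoring the file until the modes are right.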