Servers used (/etc/hosts entries)
- 192.168.122.129 centos01
- 192.168.122.130 centos02
- 192.168.122.131 centos03
How it works
- The client opens the connection and both sides run the SSH key exchange; from it each side derives the same unique session identifier (session ID) for this connection, which is tied into the authentication step below.
- To use public-key authentication the client first tells the server which public key it wants to authenticate with. The server looks that key up in the user's authorized_keys; if it is not listed, the key is rejected and the client moves on to another key or to password authentication.
- If the key is listed, the client signs a message consisting of the session ID plus the authentication request fields (user name, service, the string "publickey" and the public key itself) with its private key, and sends the signature to the server.
- The server verifies the signature with the public key from authorized_keys. A valid signature proves the client holds the matching private key, and the login proceeds without a password.
- The description often given for this step, that the server encrypts a random string with the client's public key and the client decrypts and returns it, is not what SSH does: RFC 4252 section 7 is signature based. The server never encrypts anything with the client's key, and because the signed data includes the session ID, a signature captured from one connection is useless for any other session or server.
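The exchange described above, as an added example (not code from the original post) modelled with the openssl command-line tool. A fresh RSA key stands in for ~/.ssh/id_rsa, the functions client_sign and server_verify stand in for the ssh client and sshd, and the session IDs and user names are constructed; it assumes openssl is installed.

```shell
#!/bin/sh
# Added example, not from the original post: the SSH "publickey" user authentication
# step (RFC 4252 section 7) modelled with the openssl command line tool.
# The client proves it holds the private key by SIGNING data that includes the
# session ID; the server only VERIFIES with the public key it has in authorized_keys.
# Assumes openssl is installed. Session IDs and user names are constructed.
# Usage: sh ssh_pubkey_auth_model.sh demo
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Once, on the client: the equivalent of ssh-keygen -t rsa. client.pem stays on
# the client; only client.pub would be copied into the server's authorized_keys.
gen_client_key() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/client.pem" 2>/dev/null
  openssl rsa -in "$WORK/client.pem" -pubout -out "$WORK/client.pub" 2>/dev/null
}

# Data both sides agree on for one connection: the session ID from the key
# exchange plus the userauth request fields. The session ID is what makes a
# captured signature worthless for any other connection or server.
auth_message() {  # $1 = session ID, $2 = user name
  printf '%s\nuser=%s\nservice=ssh-connection\nmethod=publickey\n' "$1" "$2"
}

# Client side: sign SHA-256 of the message with the private key; print the
# path of the signature that would travel in the SSH_MSG_USERAUTH_REQUEST.
client_sign() {  # $1 = session ID, $2 = user name
  auth_message "$1" "$2" > "$WORK/client_msg"
  openssl dgst -sha256 -sign "$WORK/client.pem" -out "$WORK/sig" "$WORK/client_msg"
  echo "$WORK/sig"
}

# Server side: rebuild the message from ITS view of the session and request and
# verify the signature with the authorized public key. Exit status 0 means the
# login is allowed; nothing is decrypted and no secret is needed on the server.
server_verify() {  # $1 = session ID, $2 = user name, $3 = signature file
  auth_message "$1" "$2" > "$WORK/server_msg"
  openssl dgst -sha256 -verify "$WORK/client.pub" -signature "$3" \
    "$WORK/server_msg" > /dev/null 2>&1
}

if [ "${1:-}" = demo ]; then
  gen_client_key
  sig=$(client_sign session-A lm)
  server_verify session-A lm "$sig" && echo "same session, same user: accepted"
  server_verify session-B lm "$sig" || echo "signature replayed into another session: refused"
  server_verify session-A root "$sig" || echo "same session, different user: refused"
fi
```

The two refused cases are the point: the same signature is rejected as soon as the session ID or any request field differs, which is why only the legitimate client, on the live connection, can pass this step.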
Configuration steps
1. Generate the key pair (run on centos01). Press Enter three times to accept the default file name, an empty passphrase and its confirmation. An empty passphrase means anyone who can read ~/.ssh/id_rsa can log in as you, so keep that file at mode 600 and never copy it off this host. (ssh-keygen -t ed25519 is the modern choice when every server runs a recent OpenSSH; the RSA key used below works everywhere.)
ssh-keygen -t rsa
2. Install centos01's public key (the contents of ~/.ssh/id_rsa.pub) into ~/.ssh/authorized_keys on centos02, using either method:
(1) Paste the public key into ~/.ssh/authorized_keys on centos02 (run on centos02):
vim ~/.ssh/authorized_keys
Paste the single line from centos01's ~/.ssh/id_rsa.pub and save. Copy only the .pub file; the private key stays on centos01.
(2) Or use ssh-copy-id, which appends the key and sets the directory and file permissions for you; it needs the password of the target user on centos02 (run on centos01):
ssh-copy-id lm@centos02
Enter the password when prompted.
3. Verify (run on centos01); this should give a shell on centos02 without a password prompt:
ssh lm@centos02
Troubleshooting
If the server still asks for a password during verification, passwordless login has failed; work through the checks below.
(1) Check the sshd log on the server, the host being logged in to (requires root). In the sample below the server is centos01 and the client is 192.168.122.130 (centos02), the reverse direction of the setup above, but the message is the same:
tail -n 20 /var/log/secure
Sep 4 12:25:22 centos01 sshd[3825]: Received disconnect from 192.168.122.130: 11: disconnected by user
Sep 4 12:25:22 centos01 sshd[3819]: pam_unix(sshd:session): session closed for user lm
Sep 4 12:25:32 centos01 sshd[3847]: Authentication refused: bad ownership or modes for file /home/lm/.ssh/authorized_keys
Sep 4 12:25:33 centos01 sshd[3847]: Connection closed by 192.168.122.130 [preauth]
Sep 4 12:25:38 centos01 sshd[3849]: Authentication refused: bad ownership or modes for file /home/lm/.ssh/authorized_keys
Sep 4 12:25:40 centos01 sshd[3849]: Connection closed by 192.168.122.130 [preauth]
(2) Set the permissions of ~/.ssh and ~/.ssh/authorized_keys on the server. With StrictModes (the default) sshd refuses to use the key file when it, the .ssh directory or the home directory is writable by group or others, or is not owned by the login user (or root); that is the "bad ownership or modes" message in the log above. Run as the login user:
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
(3) Check the sshd configuration on the server (lines that are neither comments nor blank):
grep -vE '^\s*(#|$)' /etc/ssh/sshd_config
Make sure these two settings are enabled and not overridden later in the file (both are the defaults if absent):
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
If you changed the file, reload sshd so the new configuration takes effect:
sudo systemctl reload sshd
(4) Check network connectivity to the server:
ping -c 1 {server_ip}
(5) Check that the login user exists on the server:
grep '^{user_name}:' /etc/passwd
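An added pre-flight check for steps (1), (2) and (5) (example code, not from the original post): check_ssh_modes applies the ownership and writability rules that sshd's StrictModes enforces on the home directory, ~/.ssh and authorized_keys, and refused_paths pulls the offending paths out of /var/log/secure lines like the ones above. Run it on the server; it assumes GNU coreutils (stat -c), and the log lines and temporary home directory used in the demo are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Usage on the server:
#   . ./ssh_preflight.sh
#   check_ssh_modes lm /home/lm                 # steps (2) and (5): modes and user
#   tail -n 50 /var/log/secure | refused_paths  # step (1): what sshd rejected
# Assumes GNU coreutils (stat -c). The demo below uses a constructed home directory.

# Apply the rules sshd's StrictModes (on by default) uses before it reads
# authorized_keys: the home directory, ~/.ssh and the file itself must exist, be
# owned by the login user (root is also accepted) and not be writable by group or
# others. Prints every problem found; returns 1 if there was any, 2 for an unknown user.
check_ssh_modes() {  # $1 = login user (name or uid), $2 = that user's home directory
  uid=$(id -u "$1" 2>/dev/null) || { echo "no such user: $1"; return 2; }
  home=$2
  rc=0
  for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
    if [ ! -e "$p" ]; then
      echo "missing: $p"; rc=1; continue
    fi
    owner=$(stat -c %u "$p")
    if [ "$owner" != "$uid" ] && [ "$owner" != 0 ]; then
      echo "bad owner (uid $owner, expected $uid): $p"; rc=1
    fi
    mode=$(stat -c %a "$p")
    # 022 masks the group and other write bits; sshd refuses if either is set
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
      echo "writable by group or others (mode $mode): $p"; rc=1
    fi
  done
  return $rc
}

# Read /var/log/secure lines on stdin and print each path sshd refused because of
# "bad ownership or modes", once per path.
refused_paths() {
  sed -n 's/.*bad ownership or modes for [a-z]* //p' | sort -u
}

# Demo: reproduce the failure from the log above on a throw-away home directory.
demo() {
  h=$(mktemp -d)
  mkdir "$h/.ssh" && : > "$h/.ssh/authorized_keys"
  chmod 666 "$h/.ssh/authorized_keys"   # world-writable: sshd will refuse it
  check_ssh_modes "$(id -u)" "$h" || echo "fix: chmod 700 $h/.ssh; chmod 600 $h/.ssh/authorized_keys"
  rm -rf "$h"
}
if [ "${1:-}" = demo ]; then demo; fi
```

Note that a 644 authorized_keys passes this check, as it does in sshd; 600 (used above) is simply the tighter choice. The home directory is included because a group-writable home is a frequent, less obvious cause of the same log line.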
Extension: many hosts
When several servers need passwordless login to each other, a shortcut is to use the same private key and the same authorized_keys file on every machine, so that a single upload configures each host. Be aware of what this trades away: the one private key is then present on every host, so whoever obtains it from any one of them can log in to all of them, and it cannot be revoked for one host without re-keying them all. Generating a key pair on each host and merging only the public keys into the shared authorized_keys gives the same convenience without that exposure. The shortcut as described:
(1) Generate the key pair on one machine (centos01):
ssh-keygen -t rsa
(2) Download the private and public key files just generated (sz is the ZMODEM download command from lrzsz, for terminals that support it; scp works as well):
sz ~/.ssh/id_rsa ~/.ssh/id_rsa.pub
(3) Copy the public key into an authorized_keys file. The three lines below are the same key with only the trailing comment changed to match each user and host; sshd ignores the comment when it matches a key, so one copy of the line is enough and the extra copies serve only as labels.
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCcB/IYLNmepoPrtHyhTCHl0rJSPCIzXzCiAhOrE3SvQ+gVc0zdkAvFT5DJfUsx+kHFTtgp7AwDmfUFNMxtZFqnRrC5CUWNR0Dcx4MRNJBFEBZiCbfKR7khKoeFCi/C1ABKND4mtRcXLKJpjFfmcYo1VR11n1yMdSSlBJ7HZUPrDjBVlsmXXHHgPCIy/ltPxvgo0AqDPlbz18SvdiznZUNR5QHQXhmmjTrO4P72LgvG4Dq3W0IpV1yWdoOFOBH8kyxnh717Eo5lCGT0NyrDVerLFdGbUW1Sc4MFRlw6pwno0+PNQE3VzRO9oz5PuaMNY8kIqeXqfIc1cmm95RltsNhJ lm@centos01
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCcB/IYLNmepoPrtHyhTCHl0rJSPCIzXzCiAhOrE3SvQ+gVc0zdkAvFT5DJfUsx+kHFTtgp7AwDmfUFNMxtZFqnRrC5CUWNR0Dcx4MRNJBFEBZiCbfKR7khKoeFCi/C1ABKND4mtRcXLKJpjFfmcYo1VR11n1yMdSSlBJ7HZUPrDjBVlsmXXHHgPCIy/ltPxvgo0AqDPlbz18SvdiznZUNR5QHQXhmmjTrO4P72LgvG4Dq3W0IpV1yWdoOFOBH8kyxnh717Eo5lCGT0NyrDVerLFdGbUW1Sc4MFRlw6pwno0+PNQE3VzRO9oz5PuaMNY8kIqeXqfIc1cmm95RltsNhJ lm@centos02
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCcB/IYLNmepoPrtHyhTCHl0rJSPCIzXzCiAhOrE3SvQ+gVc0zdkAvFT5DJfUsx+kHFTtgp7AwDmfUFNMxtZFqnRrC5CUWNR0Dcx4MRNJBFEBZiCbfKR7khKoeFCi/C1ABKND4mtRcXLKJpjFfmcYo1VR11n1yMdSSlBJ7HZUPrDjBVlsmXXHHgPCIy/ltPxvgo0AqDPlbz18SvdiznZUNR5QHQXhmmjTrO4P72LgvG4Dq3W0IpV1yWdoOFOBH8kyxnh717Eo5lCGT0NyrDVerLFdGbUW1Sc4MFRlw6pwno0+PNQE3VzRO9oz5PuaMNY8kIqeXqfIc1cmm95RltsNhJ lm@centos03
(4) Upload the private key and the new authorized_keys to ~/.ssh/ on every machine and set the permissions as in the troubleshooting section (700 on ~/.ssh, 600 on id_rsa and authorized_keys).
(5) Verify from any of the hosts:
ssh lm@centos02
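An added example (not from the original post) that serves both step 2 (1) of the configuration, pasting a key into authorized_keys by hand, and steps (3) and (4) above: add_authorized_key installs a public key line only if the same key is not already present, whatever its comment, and fixes the modes; merge_public_keys builds one authorized_keys from several per-host .pub files; push_authorized_keys distributes the result over ssh (it needs working logins and is not exercised offline). The key lines used are constructed, and the user@host targets in the usage comment come from the hosts list at the top of this page.

```shell
#!/bin/sh
# Added example, not from the original post. Usage:
#   . ./authorized_keys_tools.sh
#   add_authorized_key /home/lm "$(cat id_rsa.pub)"
#   merge_public_keys merged.keys centos01.pub centos02.pub centos03.pub
#   push_authorized_keys merged.keys lm@centos02 lm@centos03   # needs working ssh
# Key lines in this file are constructed; hosts are from the page's hosts list.

# sshd matches a key by type and base64 blob; the trailing comment is ignored and a
# line may start with options such as from="...". Read key lines on stdin and print
# the "type blob" identity of each one.
key_id() {
  awk '{ for (i = 1; i < NF; i++)
           if ($i ~ /^(ssh-|ecdsa-|sk-)/) { print $i " " $(i + 1); break } }'
}

# Append LINE to FILE unless the same key (with any comment or options) is present.
append_key_once() {  # $1 = authorized_keys file, $2 = public key line
  file=$1; line=$2
  id=$(printf '%s\n' "$line" | key_id)
  if [ -z "$id" ]; then
    echo "not a public key line: $line" >&2
    return 1
  fi
  if key_id < "$file" | grep -qxF -- "$id"; then
    return 0  # already authorized
  fi
  printf '%s\n' "$line" >> "$file"
}

# Install one public key for the user whose home directory is HOME, creating
# ~/.ssh and authorized_keys with the modes sshd's StrictModes requires.
add_authorized_key() {  # $1 = home directory, $2 = public key line
  dir=$1/.ssh; file=$dir/authorized_keys
  mkdir -p "$dir" && chmod 700 "$dir"
  [ -e "$file" ] || : > "$file"
  chmod 600 "$file"
  append_key_once "$file" "$2"
}

# Build one authorized_keys from several *.pub files (one key pair per host, so no
# private key ever has to leave the host it was generated on), deduplicated.
merge_public_keys() {  # $1 = output file, $2.. = public key files
  out=$1; shift
  : > "$out"; chmod 600 "$out"
  for f in "$@"; do
    while IFS= read -r l || [ -n "$l" ]; do
      [ -n "$l" ] || continue
      append_key_once "$out" "$l"
    done < "$f"
  done
}

# Copy the merged file to each host and swap it in atomically; ssh must already
# work there (password or an existing key). Step (4) without copying id_rsa.
push_authorized_keys() {  # $1 = merged file, $2.. = user@host targets
  src=$1; shift
  for target in "$@"; do
    ssh "$target" 'umask 077; mkdir -p ~/.ssh && cat > ~/.ssh/authorized_keys.new && mv ~/.ssh/authorized_keys.new ~/.ssh/authorized_keys' < "$src"
  done
}
```

Because append_key_once compares only the key type and blob, feeding it the three lines from step (3) yields a single entry, and feeding it the same key again later is a no-op rather than a growing file. push_authorized_keys writes to a temporary name and renames, so a connection dropped mid-copy cannot leave a half-written authorized_keys that locks everyone out.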