Machines: node1 (147.150), node2 (147.151)
I. Passwordless login
1. Generate a key pair on node1
# press Enter three times to accept the defaults
ssh-keygen -t rsa
[root@node1 ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): (press Enter)
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase): (press Enter)
Enter same passphrase again: (press Enter)
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:SbLDcxpywRHs1W2QT+O+kaNyMqYO3p515TrPWCohNGo root@node1
The key's randomart image is:
+---[RSA 2048]----+
| .o. ..+ |
| .... o = |
| .+.. = . |
| .+= . o |
| .oB.S ... |
| Eo.*. o= |
| .. ......o+ |
| . o o*.+*. |
| .o*o *+oo |
+----[SHA256]-----+
2. Copy node1's public key into authorized_keys on node2
[root@node1 ~]# cat /root/.ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDB953fdo+TtkMZtCFjLOtcCnvOeJWh53fLwX5vmqX2cE5QQnuDLgFQ/BR2Lni7bkwLbfif0DYNUBFV3XiWOD37503Vxbdi4BDlgd/WRr/xy08aBAl4TYnYkx5MmwY0D20Dq+Wk3tTynArH15buE3G/nSAY6um+1OMOMkt+jum3jiPBj12cabmFrfq8b89hd1cs+nXk4E0Czgk+wYVGSqtClp4HdCsM8lpEKIIvLBkvuSSO9/eoQw7swIepn6zf3cDkudPmW+eSqfa1h+T8LKppDrP6P3KXYXOkJFYKWJDgI3e0MvEXbK76NeIj5BPG9TQYVlySGT20u/2ij3l2x+nD root@node1
Check whether authorized_keys exists under /root/.ssh/ on node2 (147.151); if not, create it
touch /root/.ssh/authorized_keys && chmod 600 /root/.ssh/authorized_keys
Copy method 1: manual copy (be careful not to drop any characters)
Paste the content of node1's public key directly into /root/.ssh/authorized_keys on node2;
if the file already holds other public keys, put the new one on its own line
Copy method 2: scp, then append by redirection
# run on node1 (147.150)
scp -p /root/.ssh/id_rsa.pub node2:/root/.ssh/node1_id_rsa.pub
# run on node2 (147.151); >> appends to the file instead of overwriting it
cat /root/.ssh/node1_id_rsa.pub >> /root/.ssh/authorized_keys
Copy method 3: ssh-copy-id (recommended)
Reference: https://www.ssh.com/academy/ssh/copy-id
ssh-copy-id [-i [identity_file]] [user@]machine
# copy node1's public key to node2
# the key is appended automatically to authorized_keys on 147.151
# you are prompted for the password of 147.151 (the first connection also records the host in known_hosts)
# run on node1 (node1's /etc/hosts needs an entry mapping node2)
ssh-copy-id -i /root/.ssh/id_rsa.pub node2
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host 'node2 (192.168.147.151)' can't be established.
ECDSA key fingerprint is SHA256:8N8xvQk00nt2TTJusNx24LpeZRek6g558ox1fyryJVs.
ECDSA key fingerprint is MD5:44:e8:4c:ac:10:b9:42:2b:37:be:02:26:f2:f5:8f:04.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
# enter node2's password here (prompted on node1)
root@node2's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'root@node2'"
and check to make sure that only the key(s) you wanted were added.
# node1's known_hosts now has an entry for node2
[root@node1 ~]# cat /root/.ssh/known_hosts
node2 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKInrjlbl/aLPtvSazY4QyhIeWV6EcfEYOJzd2FKFq/mPCz/QPlg1COGGliqJgnVG3Qen1w1+L8U85XAtdwVueY=
# check the result on node2
[root@node2 .ssh]# cat /root/.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDB953fdo+TtkMZtCFjLOtcCnvOeJWh53fLwX5vmqX2cE5QQnuDLgFQ/BR2Lni7bkwLbfif0DYNUBFV3XiWOD37503Vxbdi4BDlgd/WRr/xy08aBAl4TYnYkx5MmwY0D20Dq+Wk3tTynArH15buE3G/nSAY6um+1OMOMkt+jum3jiPBj12cabmFrfq8b89hd1cs+nXk4E0Czgk+wYVGSqtClp4HdCsM8lpEKIIvLBkvuSSO9/eoQw7swIepn6zf3cDkudPmW+eSqfa1h+T8LKppDrP6P3KXYXOkJFYKWJDgI3e0MvEXbK76NeIj5BPG9TQYVlySGT20u/2ij3l2x+nD root@node1
# node1 can now log in to node2 without a password
ssh node2
3. The steps above only let node1 log in to node2 without a password; node2 still cannot log in to node1 that way. Repeat the same steps to give node2's public key to node1 and you have passwordless login in both directions.
Summary:
- For machine A to log in to machine B without a password, machine B's /root/.ssh/authorized_keys must contain machine A's public key
- When machine A connects to machine B for the first time it is asked to confirm B's host key and to enter B's password; machine A then records machine B's host key in /root/.ssh/known_hosts
- Whoever you want to log in to without a password must hold your public key
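The three copy methods above all come down to the same thing: append the key to authorized_keys without overwriting what is already there, and keep the directory and file permissions sshd expects. The script below is an added example, not part of the original notes or of ssh-copy-id; it installs a key into a local directory that stands in for the remote /root/.ssh (SSH_DIR is an assumed argument), skipping keys that are already present, and uses a constructed key string, not a real key.

```shell
#!/bin/sh
# Added example: install a public key into authorized_keys idempotently.
# SSH_DIR stands in for the remote /root/.ssh; copy the script over with scp
# and run it on the target host, or run it locally as shown in the demo.

# install_authorized_key SSH_DIR PUBKEY_FILE
# - creates SSH_DIR (mode 700) and authorized_keys (mode 600) if missing
# - appends the key on its own line, never overwriting existing keys
# - skips the key if its type + key material is already present
#   (the trailing comment such as root@node1 is ignored in the comparison)
install_authorized_key() {
    ssh_dir=$1
    pubkey_file=$2
    auth=$ssh_dir/authorized_keys
    [ -d "$ssh_dir" ] || mkdir -m 700 "$ssh_dir"
    [ -f "$auth" ] || { : > "$auth"; chmod 600 "$auth"; }
    # fields 1 and 2 of a .pub line are the key type and the key material
    key_material=$(awk 'NR==1 {print $1, $2}' "$pubkey_file")
    if awk '{print $1, $2}' "$auth" | grep -qxF -- "$key_material"; then
        echo "key already present in $auth, nothing to do" >&2
        return 0
    fi
    # printf guarantees exactly one trailing newline even if the .pub file lacks one
    printf '%s\n' "$(cat "$pubkey_file")" >> "$auth"
    echo "key appended to $auth" >&2
}

# count_authorized_keys SSH_DIR -> number of key lines in authorized_keys
count_authorized_keys() {
    grep -c -E '^(ssh-|ecdsa-|sk-)' "$1/authorized_keys"
}

# Demo with a constructed (fake) key in a temporary directory.
demo_dir=$(mktemp -d)
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAconstructedKeyMaterial root@node1' \
    > "$demo_dir/node1_id_rsa.pub"
install_authorized_key "$demo_dir/ssh" "$demo_dir/node1_id_rsa.pub"
install_authorized_key "$demo_dir/ssh" "$demo_dir/node1_id_rsa.pub"   # second run is a no-op
echo "keys installed: $(count_authorized_keys "$demo_dir/ssh")"       # prints 1
```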
II. The scp command
1. Command format
scp [options] [source path] [destination path]
# note: copying straight onto authorized_keys like this overwrites any keys already in it;
# to add a key, copy it under a temporary name and append with >> as in method 2 above
scp -p /root/.ssh/id_rsa.pub root@192.168.147.151:/root/.ssh/authorized_keys
2. Options
-1  force scp to use protocol ssh1
-2  force scp to use protocol ssh2
-4  force scp to use IPv4 addresses only
-6  force scp to use IPv6 addresses only
-B  batch mode (do not prompt for passwords or passphrases during the transfer)
-C  enable compression (passes the -C flag to ssh, which turns compression on)
-p  preserve the original file's modification time, access time and permissions
-q  do not show the progress meter
-r  recursively copy entire directories
-v  verbose mode: scp and ssh(1) print debugging messages about the whole process, useful for debugging connection, authentication and configuration problems
-c cipher  encrypt the transfer with the given cipher; passed directly to ssh
-F ssh_config  use an alternative ssh configuration file; passed directly to ssh
-i identity_file  read the private key used for the transfer from the given file; passed directly to ssh
-l limit  limit the bandwidth used, in Kbit/s
-o ssh_option  pass an option to ssh in the format used in ssh_config(5)
-P port  note the capital P; port is the port used for the transfer
-S program  use the given program for the encrypted connection; it must understand ssh(1) options