linux ssh 免密互信自动化配置(摒弃繁琐一步到位)

分布式结构的使用逐渐增多之后发现以前使用的配置互信免密太繁琐了

直到遇到了“它”,我都忘了以前怎么配置ssh 免密登录了

ssh免密脚本下载

sshUserSetup.sh --oracle自动化互信工具

[root@rac2 ios]# sh sshUserSetup.sh -user root  -hosts "rac1 rac2" -advanced
The output of this script is also logged into /tmp/sshUserSetup_2023-06-27-13-32-30.log
Hosts are rac1 rac2
user is root
Platform:- Linux
Checking if the remote hosts are reachable
PING rac1 (192.168.1.79) 56(84) bytes of data.
64 bytes from rac1 (192.168.1.79): icmp_seq=1 ttl=64 time=0.224 ms
64 bytes from rac1 (192.168.1.79): icmp_seq=2 ttl=64 time=0.181 ms
64 bytes from rac1 (192.168.1.79): icmp_seq=3 ttl=64 time=0.217 ms
64 bytes from rac1 (192.168.1.79): icmp_seq=4 ttl=64 time=0.183 ms
64 bytes from rac1 (192.168.1.79): icmp_seq=5 ttl=64 time=0.263 ms

--- rac1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4000ms
rtt min/avg/max/mdev = 0.181/0.213/0.263/0.034 ms
PING rac2 (192.168.1.80) 56(84) bytes of data.
64 bytes from rac2 (192.168.1.80): icmp_seq=1 ttl=64 time=0.052 ms
64 bytes from rac2 (192.168.1.80): icmp_seq=2 ttl=64 time=0.049 ms
64 bytes from rac2 (192.168.1.80): icmp_seq=3 ttl=64 time=0.058 ms
64 bytes from rac2 (192.168.1.80): icmp_seq=4 ttl=64 time=0.063 ms
64 bytes from rac2 (192.168.1.80): icmp_seq=5 ttl=64 time=0.059 ms

--- rac2 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 3999ms
rtt min/avg/max/mdev = 0.049/0.056/0.063/0.006 ms
Remote host reachability check succeeded.
The following hosts are reachable: rac1 rac2.
The following hosts are not reachable: .
All hosts are reachable. Proceeding further...
firsthost rac1
numhosts 2
The script will setup SSH connectivity from the host rac2 to all
the remote hosts. After the script is executed, the user can use SSH to run
commands on the remote hosts or copy files between this host rac2
and the remote hosts without being prompted for passwords or confirmations.

NOTE 1:
As part of the setup procedure, this script will use ssh and scp to copy
files between the local host and the remote hosts. Since the script does not
store passwords, you may be prompted for the passwords during the execution of
the script whenever ssh or scp is invoked.

NOTE 2:
AS PER SSH REQUIREMENTS, THIS SCRIPT WILL SECURE THE USER HOME DIRECTORY
AND THE .ssh DIRECTORY BY REVOKING GROUP AND WORLD WRITE PRIVILEDGES TO THESE
directories.

Do you want to continue and let the script make the above mentioned changes (yes/no)?
yes
The user chose yes
Please specify if you want to specify a passphrase for the private key this script will create for the local host. Passphrase is used to encrypt the private key and makes SSH much more secure. Type 'yes' or 'no' and then press enter. In case you press 'yes', you would need to enter the passphrase whenever the script executes ssh or scp.
The estimated number of times the user would be prompted for a passphrase is 4. In addition, if the private-public files are also newly created, the user would have to specify the passphrase on one additional occasion.
Enter 'yes' or 'no'.
yes

The user chose yes
The files containing the client public and private keys already exist on the local host. The current private key may or may not have a passphrase associated with it. In case you remember the passphrase and do not want to re-run ssh-keygen, press 'no' and enter. If you press 'no', the script will not attempt to create any new public/private key pairs. If you press 'yes', the script will remove the old private/public key files existing and create new ones prompting the user to enter the passphrase. If you enter 'yes', any previous SSH user setups would be reset. If you press 'change', the script will associate a new passphrase with the old keys.
Press 'yes', 'no' or 'change'
yes
The user chose yes
Creating .ssh directory on local host, if not present already
Creating authorized_keys file on local host
Changing permissions on authorized_keys to 644 on local host
Creating known_hosts file on local host
Changing permissions on known_hosts to 644 on local host
Creating config file on local host
If a config file exists already at /root/.ssh/config, it would be backed up to /root/.ssh/config.backup.
Removing old private/public keys on local host
Running SSH keygen on local host
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Generating public/private rsa key pair.
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:+vp8+7LiLphjO2lg/whKsg5Ai00pIV6+jfSpnmg3qXA root@rac2
The key's randomart image is:
+---[RSA 1024]----+
|o  .             |
|o.o.             |
|.ooo             |
|o+o = .          |
|o..o +  S        |
|. o .  .         |
|+oE+.+.          |
|==o=@..o. o      |
|=+o=+=o**oo=.    |
+----[SHA256]-----+
Creating .ssh directory and setting permissions on remote host rac1
THE SCRIPT WOULD ALSO BE REVOKING WRITE PERMISSIONS FOR group AND others ON THE HOME DIRECTORY FOR root. THIS IS AN SSH REQUIREMENT.
The script would create ~root/.ssh/config file on remote host rac1. If a config file exists already at ~root/.ssh/config, it would be backed up to ~root/.ssh/config.backup.
The user may be prompted for a password here since the script would be running SSH on host rac1.
Warning: Permanently added 'rac1,192.168.1.79' (ECDSA) to the list of known hosts.
root@rac1's password:
Done with creating .ssh directory and setting permissions on remote host rac1.
Creating .ssh directory and setting permissions on remote host rac2
THE SCRIPT WOULD ALSO BE REVOKING WRITE PERMISSIONS FOR group AND others ON THE HOME DIRECTORY FOR root. THIS IS AN SSH REQUIREMENT.
The script would create ~root/.ssh/config file on remote host rac2. If a config file exists already at ~root/.ssh/config, it would be backed up to ~root/.ssh/config.backup.
The user may be prompted for a password here since the script would be running SSH on host rac2.
Warning: Permanently added 'rac2,192.168.1.80' (ECDSA) to the list of known hosts.
root@rac2's password:
Permission denied, please try again.
root@rac2's password:
Done with creating .ssh directory and setting permissions on remote host rac2.
Copying local host public key to the remote host rac1
The user may be prompted for a password or passphrase here since the script would be using SCP for host rac1.
root@rac1's password:
Done copying local host public key to the remote host rac1
Copying local host public key to the remote host rac2
The user may be prompted for a password or passphrase here since the script would be using SCP for host rac2.
root@rac2's password:
Done copying local host public key to the remote host rac2
Creating keys on remote host rac1 if they do not exist already. This is required to setup SSH on host rac1.

Creating keys on remote host rac2 if they do not exist already. This is required to setup SSH on host rac2.

Updating authorized_keys file on remote host rac1
Updating known_hosts file on remote host rac1
The script will run SSH on the remote machine rac1. The user may be prompted for a passphrase here in case the private key has been encrypted with a passphrase.
Updating authorized_keys file on remote host rac2
Updating known_hosts file on remote host rac2
The script will run SSH on the remote machine rac2. The user may be prompted for a passphrase here in case the private key has been encrypted with a passphrase.
cat: /root/.ssh/known_hosts.tmp: No such file or directory
cat: /root/.ssh/authorized_keys.tmp: No such file or directory
SSH setup is complete.

------------------------------------------------------------------------
Verifying SSH setup
===================
The script will now run the date command on the remote nodes using ssh
to verify if ssh is setup correctly. IF THE SETUP IS CORRECTLY SETUP,
THERE SHOULD BE NO OUTPUT OTHER THAN THE DATE AND SSH SHOULD NOT ASK FOR
PASSWORDS. If you see any output other than date or are prompted for the
password, ssh is not setup correctly and you will need to resolve the
issue and set up ssh again.
The possible causes for failure could be:
1. The server settings in /etc/ssh/sshd_config file do not allow ssh
for user root.
2. The server may have disabled public key based authentication.
3. The client public key on the server may be outdated.
4. ~root or ~root/.ssh on the remote host may not be owned by root.
5. User may not have passed -shared option for shared remote users or
may be passing the -shared option for non-shared remote users.
6. If there is output in addition to the date, but no password is asked,
it may be a security alert shown as part of company policy. Append the
additional text to the <OMS HOME>/sysman/prov/resources/ignoreMessages.txt file.
------------------------------------------------------------------------
--rac1:--
Running /usr/bin/ssh -x -l root rac1 date to verify SSH connectivity has been setup from local host to rac1.
IF YOU SEE ANY OTHER OUTPUT BESIDES THE OUTPUT OF THE DATE COMMAND OR IF YOU ARE PROMPTED FOR A PASSWORD HERE, IT MEANS SSH SETUP HAS NOT BEEN SUCCESSFUL. Please note that being prompted for a passphrase may be OK but being prompted for a password is ERROR.
The script will run SSH on the remote machine rac1. The user may be prompted for a passphrase here in case the private key has been encrypted with a passphrase.
Tue Jun 27 01:35:32 EDT 2023
------------------------------------------------------------------------
--rac2:--
Running /usr/bin/ssh -x -l root rac2 date to verify SSH connectivity has been setup from local host to rac2.
IF YOU SEE ANY OTHER OUTPUT BESIDES THE OUTPUT OF THE DATE COMMAND OR IF YOU ARE PROMPTED FOR A PASSWORD HERE, IT MEANS SSH SETUP HAS NOT BEEN SUCCESSFUL. Please note that being prompted for a passphrase may be OK but being prompted for a password is ERROR.
The script will run SSH on the remote machine rac2. The user may be prompted for a passphrase here in case the private key has been encrypted with a passphrase.
Tue Jun 27 13:35:33 CST 2023
------------------------------------------------------------------------
------------------------------------------------------------------------
Verifying SSH connectivity has been setup from rac1 to rac1
IF YOU SEE ANY OTHER OUTPUT BESIDES THE OUTPUT OF THE DATE COMMAND OR IF YOU ARE PROMPTED FOR A PASSWORD HERE, IT MEANS SSH SETUP HAS NOT BEEN SUCCESSFUL.
Tue Jun 27 01:35:33 EDT 2023
------------------------------------------------------------------------
------------------------------------------------------------------------
Verifying SSH connectivity has been setup from rac1 to rac2
IF YOU SEE ANY OTHER OUTPUT BESIDES THE OUTPUT OF THE DATE COMMAND OR IF YOU ARE PROMPTED FOR A PASSWORD HERE, IT MEANS SSH SETUP HAS NOT BEEN SUCCESSFUL.
Tue Jun 27 13:35:34 CST 2023
------------------------------------------------------------------------
-Verification from complete-
SSH verification complete.

执行脚本后

看到yes/no 输入yes,

Enter passphrase (empty for no passphrase): 回车
Enter same passphrase again:回车

输入对应ip的对应ssh密码即可。

效果演示:

配置一些集群和分布式都能用到

重点参数介绍:            -user 用户    指定互信

                                     -hosts "ip或主机名......." 指定互信主机

                                     -advanced   不加单向互信,加上双向互信。参考:使用Oracle的sshUserSetup.sh脚本配置SSH互信_Expect-乐的博客-CSDN博客

  • 2
    点赞
  • 3
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值