Goal: user usera on server serverA logs in to server serverB as user userb without a password.
First, log in to the serverA server as usera:
[root@serverA ~]# su - usera
[usera@serverA ~]$ pwd
/home/usera
Generate a key pair on serverA:
[root@node4 java]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
/root/.ssh/id_rsa already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:4uEer73KAuBqZkwEZ5yqSZIInOCqBoIZJZXc1EPvt5c root@node4
The key's randomart image is:
+---[RSA 2048]----+
|=++=.o. |
|+=B . o. |
|=* .. |
|O= . |
|%o o S . |
|*o. o o . . . |
|=. . + . E |
|o= .o + . |
|+ .=o+. |
+----[SHA256]-----+
The key pair is now generated in the /home/usera/.ssh directory:
[root@node4 java]# cd ~/.ssh
[root@node4 .ssh]# ll
总用量 16
-rw-------. 1 root root 2859 4月 7 00:49 authorized_keys
-rw-------. 1 root root 1679 4月 7 23:45 id_rsa
-rw-r--r--. 1 root root 392 4月 7 23:45 id_rsa.pub
-rw-r--r--. 1 root root 528 4月 7 23:49 known_hosts
Upload the public key to the serverB server, logging in as the userb user.
Method 1: use the ssh-copy-id command
[root@node4 .ssh]# ssh-copy-id root@192.168.60.155
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.
The authenticity of host '192.168.60.155 (192.168.60.155)' can't be established.
ECDSA key fingerprint is SHA256:Ls45fTLhlQFrtJUyfjJE5715h+859dFz8Vp6wzm2eMQ.
ECDSA key fingerprint is MD5:1f:09:16:01:67:63:57:12:68:79:0a:e6:07:e2:5c:5d.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter oat are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompteis to install the new keys
root@192.168.60.155's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'root@192.168.60.155'"
and check to make sure that only the key(s) you wanted were added.
At this point, the contents of usera's public key file are appended to userb's .ssh/authorized_keys file.
[root@node4 .ssh]# cd ~/
[root@node4 ~]# cat .ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCuD/JnHW0dBPrPFxmx5aYPGDwmRNx6lkGjU623XWuCdTc5X1U2H8YfApoArUIe3RlwQl4ajOeXrdbWHcMB1Q/rprkgr9IxHpWYRnRTgBZUCMS1XLiWzxW2pgJUmWCOCv/llNeD9kPL3+F9oYob1acQHCuC4d/iThxwR+bk2Q081hZFe6qnR37jTNUKgj+kFh+LlLnki3YGqvBtLEcJ5VR+EORzdCWR8frB5pgr7GRQ537A1Rp3SqzOa7uE7l1yXC0/gMJAtvsQGDf9clhIzxV8Id/HDW6svYsiGkcGPb2730uyNdssFr/ZdO5Mr48DFrjiXDZFlfT+ekbbGnsYteHb root@node4
Check the ~/.ssh/authorized_keys file of the userb user on the serverB server; the contents are the same.
[root@node1 ~]# cat .ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCuD/JnHW0dBPrPFxmx5aYPGDwmRNx6lkGjU623XWuCdTc5X1U2H8YfApoArUIe3RlwQl4ajOeXrdbWHcMB1Q/rprkgr9IxHpWYRnRTgBZUCMS1XLiWzxW2pgJUmWCOCv/llNeD9kPL3+F9oYob1acQHCuC4d/iThxwR+bk2Q081hZFe6qnR37jTNUKgj+kFh+LlLnki3YGqvBtLEcJ5VR+EORzdCWR8frB5pgr7GRQ537A1Rp3SqzOa7uE7l1yXC0/gMJAtvsQGDf9clhIzxV8Id/HDW6svYsiGkcGPb2730uyNdssFr/ZdO5Mr48DFrjiXDZFlfT+ekbbGnsYteHb root@node4
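Method 2: use the scp command
1. Upload the public key id_rsa.pub to the server (192.168.60.155):
scp ~/.ssh/id_rsa.pub user@192.168.60.155:~/
2. Append the public key to the ~/.ssh/authorized_keys file:
cat ~/id_rsa.pub >> ~/.ssh/authorized_keys
3. Use scp to send the authorized_keys file back to the client, serverA:
scp ~/.ssh/authorized_keys root@192.168.60.158:~/.ssh
Set permissions on the .ssh directory and the .ssh/authorized_keys file
For SSH public key authentication to take effect, at least the following two conditions must be met:
1) The permissions of the .ssh directory must be 700
2) The permissions of the .ssh/authorized_keys file must be 600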
[root@node1 ~]# cd .ssh
[root@node1 .ssh]# ll
总用量 4
-rw-------. 1 root root 392 4月 8 07:49 authorized_keys
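The permissions are insufficient, so assign permissions; 777 is the maximum permission. This conflicts with condition 2 above: with StrictModes at its default of yes, sshd refuses an authorized_keys file that is writable by group or others, so 600 remains the mode to use.
[root@node1 .ssh]# chmod 777 authorized_keys
[root@node1 .ssh]# ll
总用量 4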
-rwxrwxrwx. 1 root root 392 4月 8 07:49 authorized_keys
Passwordless login now works:
[root@node4 ~]# ssh 192.168.60.156    (log in)
Last login: Sun Apr 8 18:25:12 2018 from 192.168.60.154
[root@node2 ~]# exit    (log out)
登出
Connection to 192.168.60.156 closed.
[root@node4 ~]#
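A check for the two permission conditions listed above, as an added example that is not part of the original page. It also flags group- or world-writable modes such as the 777 set in the transcript. The function names are hypothetical, the demo directory is constructed, and stat -c assumes GNU coreutils as on the CentOS hosts shown here.

```bash
#!/usr/bin/env bash
# Added example (not from the original page). Function names are hypothetical.
# Assumes GNU coreutils stat (stat -c), as on the CentOS hosts shown here.

# Print findings for one .ssh directory; return 0 only if both modes are right,
# 1 if a mode is wrong, 2 if the directory or key file is missing.
check_ssh_perms() {
    local ssh_dir="$1" keys="$1/authorized_keys" rc=0 mode
    [ -d "$ssh_dir" ] || { echo "MISSING $ssh_dir"; return 2; }
    [ -f "$keys" ]    || { echo "MISSING $keys"; return 2; }

    mode=$(stat -c '%a' "$ssh_dir")
    [ "$mode" = "700" ] || { echo "BAD $ssh_dir mode=$mode want=700"; rc=1; }

    mode=$(stat -c '%a' "$keys")
    [ "$mode" = "600" ] || { echo "BAD $keys mode=$mode want=600"; rc=1; }
    # Group/other write bits (octal 022) are what StrictModes refuses.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "REFUSED $keys is writable by group or others"; rc=1
    fi
    return "$rc"
}

# Apply the two modes the page lists as required.
fix_ssh_perms() {
    chmod 700 "$1" && chmod 600 "$1/authorized_keys"
}

# Constructed demo in a throwaway directory: reproduce the 777 state, then fix.
demo() {
    local d rc
    d=$(mktemp -d)
    mkdir "$d/.ssh" && : > "$d/.ssh/authorized_keys"
    chmod 700 "$d/.ssh"; chmod 777 "$d/.ssh/authorized_keys"
    rc=0; check_ssh_perms "$d/.ssh" || rc=$?
    echo "before fix: rc=$rc"
    fix_ssh_perms "$d/.ssh"
    rc=0; check_ssh_perms "$d/.ssh" || rc=$?
    echo "after fix: rc=$rc"
    rm -rf "$d"
}
demo
```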
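Note:
In addition, there are several ways to copy the public key into the server's ~/.ssh/authorized_keys file:
1. Copy the public key to the server with scp (scp ~/.ssh/id_rsa.pub user@host:~/), append it to the ~/.ssh/authorized_keys file with cat ~/id_rsa.pub >> ~/.ssh/authorized_keys, send the file back to the client (scp ~/.ssh/authorized_keys root@192.168.60.158:~/.ssh), and then set the permissions; passwordless login then works.
2. Use the ssh-copy-id program: run the command ssh-copy-id user@host (works on CentOS 7).
3. Use cat ~/.ssh/id_rsa.pub | ssh -p 22 user@host 'cat >> ~/.ssh/authorized_keys'. This is also a commonly used method, because the port number can be changed.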