Configuring SSH mutual trust
Configuring passwordless login with key-based authentication
Commands used:
ssh-keygen: creates the key pair. It generates two files, id_rsa (the private key) and id_rsa.pub (the public key).
After the SSH keys are generated, they are stored by default in the .ssh/ directory under the home directory. The private key and the public key get permissions 600 and 644 respectively, and the .ssh directory must be 700.
ssh-copy-id: copies the local public key into the remote host's authorized_keys file (it does not overwrite the file; the key is appended to the end), and also sets the permissions of the remote user's .ssh directory and .ssh/authorized_keys file as follows:
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
1. Generate the public and private key on the client
The client's IP is 192.168.32.125, the server's is 192.168.32.130.
[root@clien ~]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:SAkbr/cL3EvxhkDVc6Z69uLvgcU+3OX7cBCD2f08W5c root@clien
The key's randomart image is:
+---[RSA 2048]----+
| o .. |
| = o o o+ . |
| . = =o + .|
| + . .. +o|
| . + S. o .E*|
| o +.+o= . +=|
| o =o+.= o.o|
| o +. .o o.|
| o..+o .o|
+----[SHA256]-----+
[root@clien ~]# ls .ssh/
id_rsa id_rsa.pub
ssh-keygen -t [rsa|dsa]
Press Enter three times: the first prompt asks for the file path, the next two for the passphrase; accept the default for all of them.
2. Send the public key to the server
When ssh-copy-id is used to copy the key to another system, it copies the ~/.ssh/id_rsa.pub file by default.
[root@clien ~]# ssh-copy-id root@192.168.32.130
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '192.168.32.130 (192.168.32.130)' can't be established.
ECDSA key fingerprint is SHA256:mxRfnjvv98dVsD4gCq/koRMg7r05Sh43473F7Y7PoMw.
ECDSA key fingerprint is MD5:22:f7:ba:1e:0a:4c:a7:1b:17:98:2d:dd:f0:f5:70:10.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.32.130's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'root@192.168.32.130'"
and check to make sure that only the key(s) you wanted were added.
You can also use a tool such as scp to upload id_rsa.pub to the other server's **~/.ssh/ directory and rename it to authorized_keys**. Note that, unlike ssh-copy-id, this overwrites any authorized_keys file already present on the server, and scp does not fix the permissions of .ssh or authorized_keys for you.
For example:
[root@clien ~]# scp .ssh/id_rsa.pub root@192.168.32.130:/root/.ssh/authorized_keys
root@192.168.32.130's password:
id_rsa.pub 100% 392 677.6KB/s 00:00
[root@clien ~]# ssh 192.168.32.130
Last login: Sun Apr 26 02:44:59 2020 from 192.168.32.125
[root@server ~]#
//Commonly used scp options
-r //copy recursively
-p //preserve permissions (and timestamps)
-P //port
-q //quiet mode
-a //copy everything
3. Verify
[root@clien ~]# ssh 192.168.32.130
Last login: Sun Apr 26 01:38:58 2020 from 192.168.32.1
[root@server ~]#
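The two things that most often break key-based login are the permission rules listed at the top (700 on .ssh, 600 on the private key and authorized_keys, 644 on the public key) and an authorized_keys file that was overwritten or duplicated when copying keys by hand. The following shell script is an added example, not code from the original post: it reproduces what ssh-copy-id does on the server side (create .ssh with mode 700, append the key only if it is not already installed, set authorized_keys to 600) and audits the four permission values the post requires. It runs entirely on a throwaway local directory with a constructed public key string, so no remote host, no 192.168.32.x address and no real key is involved; the only assumptions are a POSIX sh and either GNU or BSD `stat`.

```shell
#!/bin/sh
# Added example (not from the original post). Emulates the server-side
# effect of ssh-copy-id and checks the permission rules the post states.
# All paths and the public key used below are constructed for the demo.

# Print the octal mode of a path; GNU stat first, BSD/macOS stat as fallback.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# install_pubkey PUBKEY_LINE SSH_DIR
# Mirrors ssh-copy-id: never overwrite authorized_keys, append the key,
# skip it if it is already installed, and fix the modes to 700 / 600.
install_pubkey() {
    key="$1"
    dir="$2"
    ak="$dir/authorized_keys"
    mkdir -p "$dir"
    chmod 700 "$dir"
    touch "$ak"
    chmod 600 "$ak"
    # -F: fixed string, -x: whole-line match, so each key is stored once.
    if grep -qFx -- "$key" "$ak"; then
        echo "key already installed, nothing to do"
        return 0
    fi
    printf '%s\n' "$key" >> "$ak"
    echo "Number of key(s) added: 1"
}

# count_keys SSH_DIR: number of non-empty lines in authorized_keys.
count_keys() {
    f="$1/authorized_keys"
    [ -f "$f" ] || { echo 0; return 0; }
    grep -c . "$f" || true
}

# check_ssh_perms SSH_DIR
# Audits the modes required by the post for every file that exists.
# Prints one line per entry and returns 1 if any mode is wrong.
check_ssh_perms() {
    dir="$1"
    rc=0
    for entry in "$dir:700" "$dir/id_rsa:600" \
                 "$dir/id_rsa.pub:644" "$dir/authorized_keys:600"; do
        path=${entry%:*}
        want=${entry##*:}
        [ -e "$path" ] || continue      # only audit what is present
        have=$(file_mode "$path")
        if [ "$have" = "$want" ]; then
            echo "ok   $path is $have"
        else
            echo "BAD  $path is $have, expected $want"
            rc=1
        fi
    done
    return $rc
}

# --- demo on a throwaway directory; the key below is constructed, not real ---
demo_dir=$(mktemp -d)
demo_key='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEXAMPLEKEYNOTREAL root@clien'
install_pubkey "$demo_key" "$demo_dir/.ssh"
install_pubkey "$demo_key" "$demo_dir/.ssh"   # second run is a no-op, like ssh-copy-id
echo "keys installed: $(count_keys "$demo_dir/.ssh")"
check_ssh_perms "$demo_dir/.ssh"
# Simulate a common mistake: a world-writable authorized_keys. sshd's default
# StrictModes rejects such a file, so the key silently stops working.
chmod 666 "$demo_dir/.ssh/authorized_keys"
check_ssh_perms "$demo_dir/.ssh" || echo "fix with: chmod 600 ~/.ssh/authorized_keys"
rm -rf "$demo_dir"
```

If a key that was copied with scp stops working after another copy or after editing the file, running `check_ssh_perms ~/.ssh` on the server (and `grep -c . ~/.ssh/authorized_keys` to see how many keys are actually installed) is usually enough to find the cause.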