配置ssh互信

配置ssh互信

配置基于密钥认证的免密登录

用到的命令：

• ssh-keygen:创建公钥和密钥,会生成id_rsa和id_rsa.pub两个文件
  生成ssh密钥后，密钥将默认存储在家目录下的.ssh/目录中。私钥和公钥的权限就分别为600和644。.ssh目录权限必须是700。
• ssh-copy-id:把本地的公钥复制到远程主机的authorized_keys文件(不会覆盖文件，是追加到文件末尾)，并且会设置远程主机用户目录的.ssh和.ssh/authorized_keys权限
  权限为:
  chmod 700 ~/.ssh
  chmod 600 ~/.ssh/authorized_keys

1.在客户端生成公钥和私钥

客户端的ip是192.168.32.125，服务端是192.168.32.130

[root@clien ~]# ssh-keygen 
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:SAkbr/cL3EvxhkDVc6Z69uLvgcU+3OX7cBCD2f08W5c root@clien
The key's randomart image is:
+---[RSA 2048]----+
|    o   ..       |
|     = o  o o+ . |
|    . =    =o + .|
|     + .  ..   +o|
|    . + S.  o .E*|
|     o +.+o= . +=|
|      o =o+.= o.o|
|       o +. .o o.|
|        o..+o  .o|
+----[SHA256]-----+

[root@clien ~]# ls .ssh/
id_rsa  id_rsa.pub

ssh-keygen	-t [rsa|dsa]

三次回车，第一个是指定路径，后两个是密码，都用默认

生成ssh密钥后，密钥将默认存储在家目录下的.ssh/目录中。私钥和公钥的权限就分别为600和644。.ssh目录权限必须是700。

2.把公钥发送到服务端

通过ssh-copy-id将密钥复制到另一系统时，它默认复制~/.ssh/id_rsa.pub文件

[root@clien ~]# ssh-copy-id root@192.168.32.130
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '192.168.32.130 (192.168.32.130)' can't be established.
ECDSA key fingerprint is SHA256:mxRfnjvv98dVsD4gCq/koRMg7r05Sh43473F7Y7PoMw.
ECDSA key fingerprint is MD5:22:f7:ba:1e:0a:4c:a7:1b:17:98:2d:dd:f0:f5:70:10.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.32.130's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'root@192.168.32.130'"
and check to make sure that only the key(s) you wanted were added.

也可以使用scp等工具，把id_rsa.pub上传另一台服务器**~/.ssh/下，然后改名为authorized_keys**

例如

[root@clien ~]# scp .ssh/id_rsa.pub root@192.168.32.130:/root/.ssh/authorized_keys
root@192.168.32.130's password: 
id_rsa.pub                                        100%  392   677.6KB/s   00:00    

[root@clien ~]# ssh 192.168.32.130
Last login: Sun Apr 26 02:44:59 2020 from 192.168.32.125
[root@server ~]# 

//scp命令常用选项
    -r      //递归复制
    -p      //保持权限
    -P      //端口
    -q      //静默模式
    -a      //全部复制

3.验证

[root@clien ~]# ssh 192.168.32.130
Last login: Sun Apr 26 01:38:58 2020 from 192.168.32.1
[root@server ~]#