实现原理
使用一种被称为"公私钥"认证的方式来进行ssh登录。"公私钥"认证方式简单的解释是:
首先在客户端上创建一对公私钥(公钥文件:~/.ssh/id_rsa.pub;私钥文件:~/.ssh/id_rsa),然后把公钥放到服务器上(~/.ssh/authorized_keys),自己保留好私钥。当ssh登录时,ssh程序会发送私钥去和服务器上的公钥做匹配。如果匹配成功就可以登录了。
实现环境
A机器:100.69.197.102
B机器:100.69.174.166
实现过程
1、登陆A机器,生成私钥/公钥文件
[zhangqi.dzq@v069197102 ~]$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/zhangqi.dzq/.ssh/id_rsa):
Created directory '/home/zhangqi.dzq/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/zhangqi.dzq/.ssh/id_rsa.
Your public key has been saved in /home/zhangqi.dzq/.ssh/id_rsa.pub.
The key fingerprint is:
01:df:9f:4a:f0:37:d3:c2:3a:ba:96:68:e4:d3:9c:60 zhangqi.dzq@v069197102.sqa.zmf
[zhangqi.dzq@v069197102 ~]$ ls .ssh/
id_rsa id_rsa.pub
[zhangqi.dzq@v069197102 ~]$
(要求输入内容的地方直接按回车键),可以看到生成了.ssh目录,并生成了.ssh/id_rsa、.ssh/id_rsa.pub两个文件
2、将公钥证书id_rsa.pub复制到机器B的root家目录的.ssh子目录中,同时将文件名更换为authorized_keys,此时需要输入B机的root用户密码(还未建立信任关系)。建立了客户端到服务器端的信任关系后,客户端就可以不用再输入密码,就可以从服务器端拷贝数据了。
[zhangqi.dzq@v069197102 ~/.ssh]$ scp id_rsa.pub zhangqi.dzq@100.69.174.166:/home/zhangqi.dzq/.ssh/authorized_keys
zhangqi.dzq@100.69.174.166's password:
id_rsa.pub 100% 412 0.4KB/s 00:00
[zhangqi.dzq@v069197102 ~/.ssh]$
注意:如果配置后ssh登陆还需要密码,那么是因为ssh由于权限而导致的安全问题不生效。.ssh文件夹、authorized_keys文件的权限如下
drwx------ 2 hadoop hadoop 4096 Jan 13 11:51 .ssh
-rw-r--r-- 1 hadoop hadoop 395 Jan 13 11:39 authorized_keys