Linux服务器间信任关系建立
一、两台服务器环境
服务器A:192.168.40.5 远程端口:555
服务器B:192.168.40.6 远程端口:666
二、信任本机(本机免密登录)
1、生成密钥
[root@localhost ~]# ssh-keygen #全部默认选项
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:jJMu/lXGoYpTYlqkrX/PFHij3cieRRgF97efIuRiuYM root@localhost
The key's randomart image is:
+---[RSA 2048]----+
| ..o |
| o . |
| . . . . . |
| + = = . . . |
| . = * S =. . |
| = = B O+ ..|
| o + + B+oo . ..|
| o o.E.+o . . |
| oo..=.. |
+----[SHA256]-----+
[root@localhost ~]#
2、此时root目录下存在.ssh隐藏目录
[root@localhost .ssh]# pwd
/root/.ssh
[root@localhost .ssh]# ls
id_rsa id_rsa.pub
#id_rsa是生成的私钥(只保留在本机,切勿复制到其他主机);id_rsa.pub是生成的公钥,只有公钥需要分发
3、本机.ssh路径下创建authorized_keys文件并将公钥导入
[root@localhost .ssh]# ls
id_rsa id_rsa.pub
[root@localhost .ssh]# cat id_rsa.pub >> authorized_keys #读取公钥文件并追加入authorized_keys文件中(自动创建authorized_keys文件)
[root@localhost .ssh]# ls
authorized_keys id_rsa id_rsa.pub
[root@localhost .ssh]# cat authorized_keys
ssh-rsa AAAAB3N…………ysYOvzthBARySOZ/lx5l6fGsVV root@localhost
#此时authorized_keys文件中为公钥(无需关注),最后为用户名和主机名。
4、本机测试免密登录(注意:ssh指定端口用小写-p,大写-P是scp的选项;下面的报错正是把555当成了主机名所致,正确写法为 ssh -p 555 localhost)
[root@localhost .ssh]# ssh -P 555 localhost
ssh: connect to host 555 port 22: Invalid argument
[root@localhost .ssh]#
三、服务器A——B单向信任关系
1、将A主机中生成的公钥传输到B主机中
[root@localhost .ssh]# scp -P 666 id_rsa.pub root@192.168.40.6:/root/
root@192.168.40.6's password:
id_rsa.pub 100% 396 272.7KB/s 00:00
#这里使用scp命令将公钥传输到服务器B的/root路径下(也可直接执行 ssh-copy-id -p 666 root@192.168.40.6,它会自动完成追加到authorized_keys及权限设置,省去下面第2步)。
2、服务器B中将公钥追加入authorized_keys文件中
[root@localhost ~]# ll -a
total 32
dr-xr-x---. 2 root root 153 Apr 19 23:55 .
dr-xr-xr-x. 17 root root 224 Apr 19 09:46 ..
-rw-------. 1 root root 1342 Apr 19 09:47 anaconda-ks.cfg
-rw-------. 1 root root 1361 Apr 19 22:43 .bash_history
-rw-r--r--. 1 root root 18 Dec 28 2013 .bash_logout
-rw-r--r--. 1 root root 176 Dec 28 2013 .bash_profile
-rw-r--r--. 1 root root 396 Apr 19 23:55 id_rsa.pub
-rw-r--r--. 1 root root 129 Dec 28 2013 .tcshrc
[root@localhost ~]#
当服务器B用户家目录下没有.ssh目录时,可使用ssh-keygen命令创建(它会以700权限创建该目录,并顺带生成B自己的密钥对,第四节会用到这对密钥)。
[root@localhost ~]# ssh-keygen
[root@localhost ~]# ls
anaconda-ks.cfg id_rsa.pub
[root@localhost ~]# cd .ssh/
[root@localhost .ssh]# ls
id_rsa id_rsa.pub
[root@localhost .ssh]# cat /root/id_rsa.pub >> authorized_keys
[root@localhost .ssh]# ls
authorized_keys id_rsa id_rsa.pub
3、在服务器A中测试免密登录
[root@localhost .ssh]# ssh -p 666 root@192.168.40.6
Last login: Mon Apr 19 23:33:41 2021 from localhost
#可以通过ip a 查看是否正常登录B服务器。
四、B——A免密登录(两台主机相互信任)
1、将B主机上的公钥传输到A主机中,并追加到A主机中的authorized_keys文件中
[root@localhost .ssh]# ls
authorized_keys id_rsa id_rsa.pub
[root@localhost .ssh]# cp id_rsa.pub id_rsa_6.pub #此处修改并复制了公钥文件名称
[root@localhost .ssh]# ls
authorized_keys id_rsa id_rsa_6.pub id_rsa.pub
[root@localhost .ssh]# scp -P 555 id_rsa_6.pub root@192.168.40.5:/root
The authenticity of host '[192.168.40.5]:555 ([192.168.40.5]:555)' can't be established.
ECDSA key fingerprint is SHA256:yu3oGxQ//86Faycfei5eUnPuGRQ/0aCC5DXxwFyCW5c.
ECDSA key fingerprint is MD5:5b:c4:50:af:09:93:39:1e:4e:93:f8:4d:60:d3:d7:4b.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[192.168.40.5]:555' (ECDSA) to the list of known hosts.
root@192.168.40.5's password: #未建立信任之前需要输入密码;上面的主机密钥指纹提示是首次连接时的确认,回答yes之前应与A主机上 ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub 的输出核对一致,避免连到冒充的主机
id_rsa_6.pub 100% 408 197.3KB/s 00:00
[root@localhost .ssh]#
2、在A主机上将公钥追加到authorized_keys文件中
[root@localhost ~]# cat /root/id_rsa_6.pub >> /root/.ssh/authorized_keys
若没有authorized_keys文件,>>会自动创建;但/root/.ssh目录必须已存在(可用 mkdir -m 700 ~/.ssh 创建),并确认.ssh目录权限为700、authorized_keys为600,否则sshd会拒绝使用该公钥登录
3、两台主机相互ssh进行测试
[root@localhost .ssh]# ssh -p 555 root@192.168.40.5
[root@localhost .ssh]# ssh -p 666 root@192.168.40.6
#此时两台主机可以ssh免密登录。注意:本文生成密钥时口令为空(直接回车),任一主机的id_rsa私钥一旦泄露即可直接以root登录对端;生产环境建议为密钥设置口令并配合ssh-agent使用。