I. Creating and distributing keys manually:
1. Create the key pair:
[root@manager01 ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:pcoOtJKeFvq3WpkQXql87C1CT43dvkmUh6ImNxk+oOA root@manager01
The key's randomart image is:
+---[RSA 2048]----+
| |
| . |
| . o . |
| o = + . = |
|. B B + S . |
|oo.@ X = . |
|.E=.^ + o |
|...O.* . o |
| o=o... o |
+----[SHA256]-----+
[root@manager01 ~]#
Once created, the key pair is stored by default in the /root/.ssh/ directory.
2. View the created key pair:
[root@manager01 ~]# cd .ssh/
[root@manager01 ~/.ssh]# ls
id_rsa id_rsa.pub known_hosts
3. Distribute the public key:
[root@manager01 ~]# ssh-copy-id -i /root/.ssh/id_rsa.pub root@10.0.0.41
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@10.0.0.41's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'root@10.0.0.41'"
and check to make sure that only the key(s) you wanted were added.
4. Test the connection:
[root@manager01 ~]# ssh root@10.0.0.41
Last login: Fri May 24 10:01:45 2024 from 10.0.0.61
[root@backup ~]#
[root@backup ~]#
[root@backup ~]# exit
登出
Connection to 10.0.0.41 closed.
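II. Creating and distributing keys automatically:
1. Create the key automatically:
-f: specifies the location of the private key
-P: specifies the passphrase; here we set it to empty, so the private key is stored unencrypted and is protected only by its file permissions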
[root@manager01 ~]# ssh-keygen -f ~/.ssh/id_rsa -P ''
Generating public/private rsa key pair.
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:AuxarOCjyHttS0xPQhtkJbeipiBv74LRjMqDe6i/wZs root@manager01
The key's randomart image is:
+---[RSA 2048]----+
| +.o |
| .o o . |
| o+ . |
| oo.+ |
|++ o++..S |
|*+=+o +. |
|+BB .o . |
|O++*.o |
|**E++.. |
+----[SHA256]-----+
[root@manager01 ~]#
2. Distribute the public key automatically:
Install the sshpass tool to automate public key distribution
[root@manager01 ~]# yum -y install sshpass
已加载插件:fastestmirror
Loading mirror speeds from cached hostfile
* base: mirrors.aliyun.com
* extras: mirrors.aliyun.com
* updates: mirrors.aliyun.com
软件包 sshpass-1.06-2.el7.x86_64 已安装并且是最新版本
无须任何处理
[root@manager01 ~]#
[root@manager01 ~]# sshpass -p1 ssh-copy-id 10.0.0.41
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
Number of key(s) added: 1
Now try logging into the machine, with: "ssh '10.0.0.41'"
and check to make sure that only the key(s) you wanted were added.
[root@manager01 ~]#
3. Test:
[root@manager01 ~]# sshpass -p1 ssh root@10.0.0.31
Last login: Fri May 24 09:52:01 2024 from 10.0.0.1
[root@nfs01 ~]#
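As shown, we logged in to the nfs01 host without typing a password. Note that sshpass -p1 still hands the password to ssh here, so this command on its own does not show that key authentication was used.
4. Problem:
Friendly reminder: the first time you connect to a remote host, ssh asks yes/no as part of its host key check, and after you answer yes the key is stored in ~/.ssh/known_hosts. This means we have to type yes by hand, which prevents automation. None of the operations above was a first connection, so we were never asked yes/no. But if we want real automation, do we have to answer yes/no manually on the first connection before anything can be automated?
Solution: temporarily disable the check, so that host information is not verified when connecting.
-o StrictHostKeyChecking=no: temporarily skip the host key check. With this option ssh accepts and records whatever host key the server presents, so the connection is not protected against another machine answering in place of the target; use it only on a network you trust, or pre-load known_hosts with host keys verified out of band.
5. Experiment:
Because /root/.ssh/ already contains the key pair and the recorded host keys (known_hosts), we need to delete them before running the experiment; otherwise the yes/no prompt will not appear at login and the experiment will not show the effect.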
[root@manager01 ~]# cd .ssh/
[root@manager01 ~/.ssh]# ls
id_rsa id_rsa.pub known_hosts
[root@manager01 ~/.ssh]# rm -rf ./*
[root@manager01 ~/.ssh]# ls
Now we generate the key pair again
[root@manager01 ~]# ssh-keygen -f ~/.ssh/id_rsa -P ''
Generating public/private rsa key pair.
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:Y/tvtTdmVeWYcWLoYUEEDzU9MIyjPnq78tRf1qxc31A root@manager01
The key's randomart image is:
+---[RSA 2048]----+
| oBO= |
| oo=o* o|
| . +.o O.|
| . . o o|
| .S E|
| .o+ .+.|
| .o.. .+.=|
| o... ..+.B+|
| ++o.oo =.+|
+----[SHA256]-----+
Next, we try without the -o StrictHostKeyChecking=no option to see whether we still have to answer yes/no as before
[root@manager01 ~]# ssh-copy-id root@10.0.0.41
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '10.0.0.41 (10.0.0.41)' can't be established.
ECDSA key fingerprint is SHA256:VbYqJJs4G78bfgCBQLNlMavXMDI3yxvEcZ6Gn899HE0.
ECDSA key fingerprint is MD5:4d:53:e3:10:fb:0e:0d:f4:e7:8f:5d:21:c7:16:98:96.
Are you sure you want to continue connecting (yes/no)? ^C
Clearly, yes/no still has to be entered by hand; here we press Ctrl+C to abort.
Next, we try with the -o StrictHostKeyChecking=no option to see whether we still have to answer yes/no as before
[root@manager01 ~]# sshpass -p1 ssh-copy-id -i ~/.ssh/id_rsa.pub -o StrictHostKeyChecking=no 10.0.0.41
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
Number of key(s) added: 1
Now try logging into the machine, with: "ssh -o 'StrictHostKeyChecking=no' '10.0.0.41'"
and check to make sure that only the key(s) you wanted were added.
As shown, the public key is distributed directly, with no yes/no prompt.
Now let's try a password-free login to another host
[root@manager01 ~]# sshpass -p1 ssh 10.0.0.41
Last login: Fri May 24 10:34:43 2024 from 10.0.0.61
[root@backup ~]#
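Logged in to the backup host successfully. This completes automated key creation and automated public key distribution.
III. Creating and distributing keys in one step with a script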
vim Distribution-keys.sh
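#!/bin/bash
## Distributes the SSH public key to other machines ##
# author qph #
# Variables
# Remote password; -p puts it on the sshpass command line, where ps can show it
pass=1
# Distribute the key to the following IPs
ips="10.0.0.41 10.0.0.31 10.0.0.0"
# Check whether the key pair already exists
if [ -f ~/.ssh/id_rsa ]; then
    echo "密钥对已经存在"        # key pair already exists
else
    echo "密钥正在创建"          # creating the key pair
    if ssh-keygen -t rsa -f ~/.ssh/id_rsa -P '' &>/dev/null; then
        echo "密钥创建成功"      # key pair created
    else
        echo "密钥创建失败"      # key pair creation failed
        exit 1                  # nothing to distribute without a key
    fi
fi
for i in ${ips}
do
    if sshpass -p"${pass}" ssh-copy-id -i ~/.ssh/id_rsa.pub -o StrictHostKeyChecking=no "$i" &>/dev/null; then
        echo "$i 公钥发送成功"   # public key sent
    else
        echo "$i 公钥发送失败"   # public key could not be sent
    fi
done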
Create a check script to see whether we can log in to the other hosts over ssh
vim check-distrikey.sh
#!/bin/bash
# Variables
ips="10.0.0.31 10.0.0.41"
for i in ${ips}
do
    ssh "$i" hostname
done
If the host names are printed, the Distribution-keys.sh script works.
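A variant of the distribution and check scripts that keeps host key checking on, as an added example that is not the author's code: instead of -o StrictHostKeyChecking=no, each key returned by ssh-keyscan is compared with a pinned copy before it is written to known_hosts, and the final login test uses BatchMode so it can only succeed with the key. The pinned_hosts file, the PINNED and SSHPASS variables and the function names are assumptions.

```bash
#!/bin/bash
# Added example, not the author's script. Assumed names: PINNED, SSHPASS,
# key_is_pinned, seed_known_hosts, distribute.
# PINNED holds one "host keytype base64key" line per server, built from the
# server's own host public key as read on its console (out of band).
PINNED=${PINNED:-$HOME/.ssh/pinned_hosts}

# key_is_pinned HOST LINE: succeed only if LINE (one line of ssh-keyscan
# output) names HOST and its type and key match a pinned entry exactly.
key_is_pinned() {
    read -r kp_host kp_type kp_key kp_rest <<EOF
$2
EOF
    [ -n "$kp_key" ] && [ "$kp_host" = "$1" ] || return 1
    grep -qxF -- "$kp_host $kp_type $kp_key" "$PINNED"
}

# seed_known_hosts HOST: record the scanned key only after it verified.
seed_known_hosts() {
    line=$(ssh-keyscan -T 5 -t ecdsa "$1" 2>/dev/null | head -n 1)
    if key_is_pinned "$1" "$line"; then
        printf '%s\n' "$line" >> "$HOME/.ssh/known_hosts"
    else
        echo "$1: scanned host key is not pinned, skipping" >&2
        return 1
    fi
}

# distribute HOST...: install the public key on verified hosts, then confirm
# that login works with the key alone (BatchMode forbids password prompts).
distribute() {
    for ip in "$@"; do
        seed_known_hosts "$ip" || continue
        # -e reads the password from $SSHPASS, keeping it off the command line
        if sshpass -e ssh-copy-id -i "$HOME/.ssh/id_rsa.pub" \
               -o StrictHostKeyChecking=yes "$ip" >/dev/null 2>&1 &&
           ssh -o BatchMode=yes -o StrictHostKeyChecking=yes "$ip" hostname
        then echo "$ip: key installed, key-only login verified"
        else echo "$ip: failed" >&2
        fi
    done
}

# Runs only when hosts are passed as arguments, with SSHPASS exported.
if [ "$#" -gt 0 ]; then distribute "$@"; fi
```

On OpenSSH 7.6 or later, -o StrictHostKeyChecking=accept-new is a lighter alternative: it records unknown host keys without prompting but still refuses a key that has changed.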