When a user logs in from server A to server B for the first time, ssh asks whether to continue connecting; you must type yes to proceed, and B's host key is then added to the ~/.ssh/known_hosts file in that user's home directory on server A.
For example, server A (10.123.123.11) connecting to server B (10.123.123.22) for the first time:
[root@serverA Downloads]# ssh root@10.123.123.22
The authenticity of host '10.123.123.22 (10.123.123.22)' can't be established.
RSA key fingerprint is 78:8b:2d:20:cb:16:43:d7:b9:f5:27:c1:9c:1c:a0:66.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.123.123.22' (RSA) to the list of known hosts.
root@10.123.123.22's password:
After the password is entered and the connection succeeds, a new line such as "10.123.123.22 ssh-rsa ACAAB……DWQQ==" is appended to ~/.ssh/known_hosts on server A.
1. Sometimes an ssh connection made from a script must avoid the prompt
Pass the -o "StrictHostKeyChecking=no" option to ssh. You are asked for the password directly, and after connecting server B is added to ~/.ssh/known_hosts:
[root@serverA Downloads]# ssh -o StrictHostKeyChecking=no root@10.123.123.22
root@10.123.123.22's password:
To avoid the prompt when logging in to any other server, you can also set "StrictHostKeyChecking no" in /etc/ssh/ssh_config; by default that line is commented out as "# StrictHostKeyChecking ask". After the change there is no prompt, only the password request, and after connecting server B is likewise added to ~/.ssh/known_hosts:
[root@serverA Downloads]# ssh root@10.123.123.22
Warning: Permanently added '10.123.123.22' (RSA) to the list of known hosts.
root@10.123.123.22's password:
2. If server B changes, for example because it was reinstalled, connecting from server A to server B will fail with the following message:
[root@serverA ~]# scp test.zip root@10.123.123.22:/root
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
6b:f4:e5:3d:52:e3:34:a7:77:54:45:0f:de:83:4b:37.
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending key in /root/.ssh/known_hosts:159
RSA host key for 10.123.123.22 has changed and you have requested strict checking.
Host key verification failed.
lost connection
[root@serverA ~]#
As the message says, the host key does not match: delete the line holding server B's old host key from /root/.ssh/known_hosts (line 159, as reported by the "Offending key" line) and the connection will work again.
3. Configuring passwordless (key-based) login between two servers
Method one:
1) Generate an RSA key pair on server A.
After logging in, run the following command from any directory (press Enter when asked for the file in which to save the key and for the passphrase):
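The two situations above (silencing the first-connection prompt in a script, and recovering after a server's host key has legitimately changed) can both be handled without turning host key checking off. The following POSIX sh functions are an added example, not code from the original post: they pre-seed a known_hosts file with a host key obtained out of band (console, configuration management, the administrator who installed the host), so that ssh can run with StrictHostKeyChecking left at its default and still never prompt, and they remove a stale line by the number that the "Offending key in <file>:N" warning reports. The host addresses are the ones used on this page; the key strings and the temporary file path are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): manage a known_hosts file from a
# script so that host key checking can stay enabled. Key strings below are
# constructed placeholders, not real host keys.

# known_hosts_has HOST FILE -> exit 0 if FILE holds an unhashed entry whose
# first field is exactly HOST. With "HashKnownHosts yes" the host field is
# hashed and this lookup will not match; use `ssh-keygen -F HOST` there.
known_hosts_has() {
    awk -v h="$1" '$1 == h { found = 1 } END { exit !found }' "$2" 2>/dev/null
}

# known_hosts_add HOST KEYTYPE KEY FILE -> append "HOST KEYTYPE KEY" unless
# HOST already has an entry. KEY must come from an out-of-band source, never
# from a blind first connection, or the check protects nothing.
known_hosts_add() {
    host=$1; keytype=$2; key=$3; file=$4
    if known_hosts_has "$host" "$file"; then
        return 0
    fi
    printf '%s %s %s\n' "$host" "$keytype" "$key" >> "$file"
}

# offending_line MSG -> print the line number N from an ssh warning that
# contains "Offending key in <path>:N"; prints nothing if no such line
offending_line() {
    printf '%s\n' "$1" | sed -n 's/^Offending key in [^:]*:\([0-9][0-9]*\).*/\1/p'
}

# known_hosts_remove_line FILE N -> delete line N (the stale key) in place.
# `ssh-keygen -R HOST -f FILE` does the same by host name and also handles
# hashed entries; this version shows the mechanics on a plain file.
known_hosts_remove_line() {
    file=$1; n=$2
    tmp="$file.tmp.$$"
    sed "${n}d" "$file" > "$tmp" && mv "$tmp" "$file"
}

# Demo on a constructed file: seed two hosts, then replace server B's key
# after a reinstall that ssh reported as "Offending key in ...:1".
demo() {
    f=$(mktemp)
    known_hosts_add 10.123.123.22 ssh-rsa AAAAB3PLACEHOLDER_OLD "$f"
    known_hosts_add 10.123.123.33 ssh-rsa AAAAB3PLACEHOLDER_OTHER "$f"
    n=$(offending_line "Offending key in /root/.ssh/known_hosts:1")
    known_hosts_remove_line "$f" "$n"
    # only after the new fingerprint was confirmed out of band:
    known_hosts_add 10.123.123.22 ssh-rsa AAAAB3PLACEHOLDER_NEW "$f"
    cat "$f"
    rm -f "$f"
}

demo
```

A script that has seeded the file this way can then call ssh with -o UserKnownHostsFile=/path/to/file and the default StrictHostKeyChecking, which fails closed on a mismatch instead of silently accepting a new key.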
# ssh-keygen -t rsa
[root@serverA Downloads]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
a1:70:76:16:d7:60:3f:72:ee:9a:38:b4:bc:22:06:e8 root@serverA
The key's randomart image is:
+--[ RSA 2048]----+
| ..oo |
| o... |
| . o + . + |
| + . . + . |
| . . S . |
| . . .. |
| . . o .. |
| E o . ++ |
| . . .=o |
+-----------------+
[root@serverA Downloads]#
The generated id_rsa.pub is stored in /root/.ssh by default.
2) Copy id_rsa.pub to server B, renaming it serverA.pub; server B's password is required:
# scp id_rsa.pub root@10.123.123.22:/root/.ssh/serverA.pub
Log in to server B and append the key to authorized_keys:
# cd /root/.ssh/
# cat serverA.pub >> authorized_keys
Server A can now log in to server B without a password.
3) In the same way, generate an RSA key pair on server B.
# ssh-keygen -t rsa
Copy id_rsa.pub to server A, renaming it serverB.pub:
# scp id_rsa.pub root@10.123.123.11:/root/.ssh/serverB.pub
Log in to server A and append the key to authorized_keys:
# cd /root/.ssh/
# cat serverB.pub >> authorized_keys
Servers A and B can now log in to each other without a password.
Note: the examples use the root user, so the keys are placed in /root/.ssh by default; keys generated by other users go into that user's own home directory by default.
For example, create a user test and generate an RSA key pair:
[test@serverA ~]$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/test/.ssh/id_rsa):
Created directory '/home/test/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/test/.ssh/id_rsa.
Your public key has been saved in /home/test/.ssh/id_rsa.pub.
The key fingerprint is:
dc:41:89:d6:f7:63:81:57:88:87:40:91:42:73:cf:c6 test@serverA
The key's randomart image is:
+--[ RSA 2048]----+
| .o+*= + o.|
| ++*+= = |
| . ...E+ . |
| . . o + |
| S . . . |
| |
| |
| |
| |
+-----------------+
[test@serverA ~]$
Method two:
Generate the RSA key pair as before, then use the ssh-copy-id command to write the public key straight into the peer's authorized_keys.
node1 test@192.168.183.122
node2 root@192.168.183.123
Log in to node1 as user test and run ssh-keygen:
[test@k8s-node1 ~]$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/test/.ssh/id_rsa):
Created directory '/home/test/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/test/.ssh/id_rsa.
Your public key has been saved in /home/test/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:K1I6bNS2kMKTJLJH53+lWAoUNUvgwLnZqVx1yCHhxxk test@k8s-node1
The key's randomart image is:
+---[RSA 2048]----+
| ...==Eo |
| o+ =+=. |
|o o+=o=. |
|.*o=++ |
|..*o* + S . |
| .o= B = + |
| * * + |
| . o o |
| |
+----[SHA256]-----+
[test@k8s-node1 ~]$ cd .ssh
[test@k8s-node1 .ssh]$ ls -l
total 8
-rw------- 1 test test 1675 Jul 22 19:26 id_rsa
-rw-r--r-- 1 test test 396 Jul 22 19:26 id_rsa.pub
[test@k8s-node1 .ssh]$
Run ssh-copy-id -i id_rsa.pub <remote user>@<remote address>:
[test@k8s-node1 .ssh]$ ssh-copy-id -i id_rsa.pub root@192.168.183.123
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.183.123's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'root@192.168.183.123'"
and check to make sure that only the key(s) you wanted were added.
[test@k8s-node1 .ssh]$
An authorized_keys file containing the local id_rsa.pub is now present under the remote user's home directory in .ssh, and the local side can connect to the remote without a password:
[test@k8s-node1 .ssh]$ ssh root@192.168.183.123
Last login: Fri Jul 22 19:49:13 2022 from 192.168.183.122
[root@k8s-node2 ~]#
The same steps in the opposite direction give passwordless login the other way.
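Method one appends the public key with `cat serverA.pub >> authorized_keys`, and method two lets ssh-copy-id do the equivalent on the remote side. The function below is an added example, not code from the original post or from ssh-copy-id: it installs a public key into a user's authorized_keys idempotently (a second run of `cat >>` would leave a duplicate line, which ssh-copy-id avoids by testing the key first), validates that the file really is a public key line, and sets the directory and file modes that sshd's default StrictModes requires (a group- or world-writable ~/.ssh or authorized_keys makes sshd ignore the keys, which is a common reason a "working" setup still prompts for a password). The key text and directory paths in the demo are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): idempotent installation of a
# public key into authorized_keys with the permissions sshd expects. The key
# string and directories used in demo() are constructed placeholders.

# install_authorized_key PUBKEY_FILE SSH_DIR
#   PUBKEY_FILE: one-line public key file such as serverA.pub
#   SSH_DIR:     target user's ~/.ssh directory (created if missing)
# Prints "added" or "already present"; returns 1 for a non-key file.
install_authorized_key() {
    pub=$1; dir=$2
    auth="$dir/authorized_keys"
    key=$(head -n 1 "$pub")
    case "$key" in
        "ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-sha2-"*) ;;
        *) echo "not a public key line: $pub" >&2; return 1 ;;
    esac
    # sshd (StrictModes yes) ignores keys if these are writable by others
    mkdir -p "$dir"
    chmod 700 "$dir"
    touch "$auth"
    chmod 600 "$auth"
    # match on key type + base64 body only; the trailing comment may differ
    body=$(printf '%s\n' "$key" | cut -d' ' -f1,2)
    if cut -d' ' -f1,2 "$auth" | grep -qxF "$body"; then
        echo "already present"
        return 0
    fi
    printf '%s\n' "$key" >> "$auth"
    echo "added"
}

# count_authorized_keys SSH_DIR -> number of non-empty lines in authorized_keys
count_authorized_keys() {
    [ -f "$1/authorized_keys" ] || { echo 0; return 0; }
    grep -c . "$1/authorized_keys" || true
}

# Demo on a constructed home directory: install once, then again with a
# different comment on the same key, and show that only one line results.
demo() {
    d=$(mktemp -d)
    printf 'ssh-rsa AAAAB3CONSTRUCTEDKEY root@serverA\n' > "$d/serverA.pub"
    printf 'ssh-rsa AAAAB3CONSTRUCTEDKEY root@serverA-renamed\n' > "$d/again.pub"
    install_authorized_key "$d/serverA.pub" "$d/home/.ssh"
    install_authorized_key "$d/again.pub" "$d/home/.ssh"
    echo "keys installed: $(count_authorized_keys "$d/home/.ssh")"
    ls -ld "$d/home/.ssh" "$d/home/.ssh/authorized_keys"
    rm -rf "$d"
}

demo
```

Run it on the remote host as the target user (for method one that is root on server B, with SSH_DIR=/root/.ssh); after copying serverA.pub over as the page shows, `install_authorized_key /root/.ssh/serverA.pub /root/.ssh` replaces the manual cat step and can be repeated safely.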