ssh是记录你密码信息的, 没有登录过root (或是没有执行过ssh-keygen命令),是没有.ssh 文件夹的
需求:当你需要访问一台linux服务器或两台服务器互相免密访问时,ssh keys这时需要,创建办法是当前主机上执行命令:
ssh-keygen 或 ssh-keygen -t rsa 或 ssh-keygen -t dsa
AB机器,如果A访问B免密,就把A的公钥给B,反之亦然
执行后会在当前用户登录目录下生成.ssh目录和两个文件
使用ssh-keygen生成私钥和公钥
命令如下:
ssh-keygen -t rsa
参数 -t rsa 表示使用rsa算法进行加密,执行后,会在/root当前用户/.ssh目录下找到id_rsa(私钥)和id_rsa.pub(公钥)
也可以使用 dsa 加密算法进行加密,命令如下:
ssh-keygen -t dsa
id_rsa.pub里是公钥,如果需要登录到远程主机,需要到远程主机/root/root/.ssh目录下,新建authorized_keys文件,并将id_rsa.pub里的内容复制进去:
# touch /root/.ssh/authorized_keys
这个操作看要不要登录到远程的机器上,如果需要,就添加,不需要,可以不建。
注意:新建后,需要更改authorized_keys文件的用户权限,不然文件无法生效,ssh公钥生效需满足至少下面两个条件: 1、 .ssh目录的权限必须是700 2 、.ssh/authorized_keys文件权限必须是600
执行下面命令
chmod 600 ~/.ssh/authorized_keys
远程免密登录
常用以下几种方法:
3台rhel7.4
HOSTNAME | IP | ROLE |
---|---|---|
server1 | 192.168.2.3 | Master |
server2 | 192.168.2.5 | Slave1 |
server3 | 192.168.2.10 | Slave2 |
2.1 通过ssh-copy-id的方式:
命令: ssh-copy-id -i ~/.ssh/id_rsa.pub <romte_ip>
举例:
root用户登录远程root用户(第一次需要密码登录) [root@linuxidc ~]# ssh-copy-id -i ~/.ssh/id_rsa.pub 192.168.2.5 /usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub" /usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed /usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys root@192.168.2.5's password: Number of key(s) added: 1 Now try logging into the machine, with: "ssh '192.168.2.2'" and check to make sure that only the key(s) you wanted were added. [root@linuxidc ~]# [root@linuxidc ~]# ssh root@192.168.2.5 Last login: Thu Nov 15 16:23:42 2018 from 192.168.2.3 [root@D ~]# 常见错误: [root@test ~]# ssh-copy-id -i ~/.ssh/id_rsa.pub 192.168.2.5 -bash: ssh-copy-id: command not found //提示命令不存在 解决办法:yum -y install openssh-clients root用户远程非root用户(普通用户),第一次需要密码登录 [root@linuxidcjustyumserver ~]# ssh-copy-id -i ~/.ssh/id_rsa.pub test@192.168.2.2 /usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub" /usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed /usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys test@192.168.2.2's password: Number of key(s) added: 1 Now try logging into the machine, with: "ssh 'Oracle@192.168.2.2'" and check to make sure that only the key(s) you wanted were added.
2.2、通过scp将内容写到对方的文件中
命令:scp -p ~/.ssh/id_rsa.pub root@<remote_ip>:/root/.ssh/authorized_keys
举例:
# scp -p ~/.ssh/id_rsa.pub root@192.168.2.5:/root/.ssh/authorized_keys #root@10.40.34.183's password: id_rsa.pub # ssh root@192.168.2.5 Last login: Thu Nov 15 16:54:59 2018 from 192.168.2.3
也可以分为两步操作:
# scp ~/.ssh/id_rsa.pub root@<remote_ip>:pub_key //将文件拷贝至远程服务器 # cat ~/pub_key >>~/.ssh/authorized_keys //将内容追加到authorized_keys文件中, 不过要登录远程服务器来执行这条命令
2.3、每台服务器下都输入命令 ssh-keygen -t rsa,生成 key,一律不输入密码,直接回车,/root 就会生成 .ssh 文件夹。
在 Master 服务器下,合并公钥到 authorized_keys 文件,进入 /root/.ssh 目录,通过 SSH 命令合并:
[root@linuxidc ~]# cd /root/.ssh/ [root@linuxidc .ssh]# cat id_rsa.pub >> authorized_keys [root@linuxidc .ssh]# ssh root@192.168.2.10 cat ~/.ssh/id_rsa.pub>> authorized_keys 这里的id_rsa.pub是slave服务器的,合并到Mastere服务器的文件中
把 Master 服务器的 authorized_keys复制到 Slave 服务器的 `/root/.ssh 目录
[root@linuxidc.ssh]# scp authorized_keys root@192.168.2.10:/root/.ssh/
完成,ssh root@192.168.2.10 就不需要输入密码登录了