• CentOS 7 --- passwordless ssh/scp remote login to other servers on Linux


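    I. Both machines log in as root

    A is the local host (the machine used to control the other hosts);
    B is the remote host (the controlled machine, the server), with IP 192.168.60.110 in this example;
    both A and B run Linux.

    Run these commands on A:
    # ssh-keygen -t rsa (press Enter three times; this generates the private key (id_rsa) and the public key (id_rsa.pub) locally, with no passphrase set)
    # ssh root@192.168.60.110 "mkdir .ssh" (password required)
    # scp ~/.ssh/id_rsa.pub root@192.168.60.110:.ssh/id_rsa.pub (password required)

    Commands on B:

    # touch /root/.ssh/authorized_keys (skip this step if the file already exists)
    # cat /root/.ssh/id_rsa.pub >> /root/.ssh/authorized_keys (append the contents of id_rsa.pub to authorized_keys)

    Back on A:
    # ssh root@192.168.60.110 (no password needed; login succeeds)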

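    II. The remote account is not root (for example, the ordinary user test)

    A is the local host (the machine used to control the other hosts);
    B is the remote host (the controlled machine, the server), with IP 192.168.60.110 in this example;
    both A and B run Linux.

    Run these commands on A:
    # ssh-keygen -t rsa (press Enter three times; this generates the public and private keys locally, with no passphrase set)
    # ssh test@192.168.60.110 "mkdir .ssh" (password required)
    # scp ~/.ssh/id_rsa.pub test@192.168.60.110:.ssh/id_rsa.pub (password required)

    Commands on B:
    # touch /home/test/.ssh/authorized_keys (skip this step if the file already exists)
    # cat /home/test/.ssh/id_rsa.pub >> /home/test/.ssh/authorized_keys (append the contents of id_rsa.pub to authorized_keys)

    Fix the permissions on test, test/.ssh and authorized_keys:

    # chmod 700 /home/test

    # chmod 700 /home/test/.ssh

    # chmod 600 /home/test/.ssh/authorized_keys

    Back on A:
    # ssh test@192.168.60.110 (no password needed; login succeeds)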
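When key login still prompts for a password after the steps above, the usual cause is the permission step: with the default `StrictModes yes`, sshd ignores authorized_keys if the home directory, `.ssh`, or the file itself is writable by group or others, or is owned by someone other than the user or root. The following check is an added example, not part of the original article; `check_ssh_perms` is a hypothetical helper name, and it assumes GNU `stat` as shipped on CentOS.

```shell
#!/bin/bash
# Added example: audit the three paths that sshd's StrictModes check inspects.
# check_ssh_perms is a hypothetical helper, not an OpenSSH tool.
# Usage: check_ssh_perms /home/test [uid]   (uid defaults to the caller's)
check_ssh_perms() {
    local home="$1" uid="${2:-$(id -u)}" rc=0 path mode owner
    for path in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$path" ]; then
            echo "MISSING  $path"; rc=1; continue
        fi
        mode=$(stat -c '%a' "$path")    # octal mode, e.g. 700
        owner=$(stat -c '%u' "$path")   # numeric owner uid
        # StrictModes rejects any path writable by group or others (mask 022).
        # 600 and 644 both pass this test; 600 is what the article sets.
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "WRITABLE $path (mode $mode)"; rc=1
        fi
        # The owner must be the account itself or root.
        if [ "$owner" != "$uid" ] && [ "$owner" != 0 ]; then
            echo "OWNER    $path (uid $owner)"; rc=1
        fi
    done
    return $rc
}
```

Run it on B as the target user, for example `check_ssh_perms /home/test`; no output and exit status 0 mean the permissions will not block key authentication.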

    III. Another version of passwordless ssh

    1. Environment preparation

    [root@CentOS 7 ~]# cat /etc/redhat-release 

    CentOS Linux release 7.2.1511 (Core) 

    [root@CentOS 7 ~]# uname -r

    3.10.0-327.el7.x86_64

    [root@CentOS 7 ~]# getenforce 

    Disabled

    [root@CentOS 7 ~]# systemctl status firewalld.service 

    ● firewalld.service - firewalld - dynamic firewall daemon

       Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)

       Active: inactive (dead)

    2. Check the SSH port

    [root@CentOS 7 ~]# netstat -lntup | grep sshd

    tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1518/sshd

    tcp6       0      0 :::22                   :::*                    LISTEN      1518/sshd

    3. Key authentication

    3.1 Create the key pair

    [root@CentOS 7 ~]# ssh-keygen -t rsa

    Generating public/private rsa key pair.

    Enter file in which to save the key (/root/.ssh/id_rsa):           ---- path where the key pair is saved

    Created directory '/root/.ssh'. 

    Enter passphrase (empty for no passphrase):          ---- passphrase for the key pair

    Enter same passphrase again:                                 ---- confirm the passphrase

    Your identification has been saved in /root/.ssh/id_rsa.

    Your public key has been saved in /root/.ssh/id_rsa.pub.

    The key fingerprint is:

    7d:dc:8c:89:80:5d:79:97:6b:e4:2d:53:89:ba:d6:13 root@CentOS 7

    The key's randomart image is:

    +--[ RSA 2048]----+                          ---- the key length is 2048 bits

    |          ..  ...|

    |       o .. ..+..|

    |      . o  ..+ + |

    |         o + E* .|

    |        S o B.+o |

    |           + o   |

    |          .   .  |

    |                 |

    |                 |

    +-----------------+

    3.2 Distribute the public key

    [root@CentOS 7 .ssh]# ssh-copy-id -i /root/.ssh/id_rsa.pub root@172.16.1.63

    (ssh-copy-id -i /root/.ssh/id_rsa.pub IPADDR (installs the public key on the local machine and on the other remote hosts))

    The authenticity of host '172.16.1.63 (172.16.1.63)' can't be established.

    ECDSA key fingerprint is 0b:bf:14:a7:9e:87:69:5d:7c:a5:25:b9:65:22:35:08.

    Are you sure you want to continue connecting (yes/no)? yes                 

    /usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed

    /usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys

    root@172.16.1.63's password:             ---- the first time the public key is distributed, the password is required

    Number of key(s) added: 1

    Now try logging into the machine, with:   "ssh 'root@172.16.1.63'"

    and check to make sure that only the key(s) you wanted were added.

    3.3 Test

    [root@CentOS 7 ~]# ssh 172.16.1.63

    Last login: Fri Mar 30 17:11:08 2018 from 10.0.0.1

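    4. Authentication agent

    4.1 Create the key pair on the management host (steps above)

    4.2 Distribute the public key (steps above)

    4.3 Start the authentication agent on the management host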

    [root@CentOS 7 ~]# eval `ssh-agent -s`

    Agent pid 2994

    4.4 On the management host, register the local server's private key with the agent

    [root@CentOS 7 ~]# ssh-add

    Identity added: /root/.ssh/id_rsa (/root/.ssh/id_rsa)

    4.5 The management host passes its credentials to the remote host through the remote login (agent forwarding, -A)

    [root@CentOS 7 ~]# ssh -A 172.16.1.63

    Last login: Fri Mar 30 20:03:21 2018 from 172.16.1.21

    4.6 Test

    [root@gitlab ~]# ssh 172.16.1.21

    Last login: Fri Mar 30 20:08:27 2018 from 172.16.1.63

    5. Create the key pair and distribute the public key automatically (shell script)

    #!/bin/bash
    ##############################################################
    # File Name: ssh_fenfa.sh
    # Version: V7.4
    # Author: feng yu
    # Organization: http://blog.51cto.com/13520761
    # Created Time : 2018-03-30 20:13:36
    # Description:
    ##############################################################
    fil=/root/.ssh/id_rsa*

    # Delete an existing key pair (if any), then generate a new one
    # with an empty passphrase.
    if [ $(ls $fil 2>/dev/null|wc -l) -gt 0 ];then
        rm -rf $fil
    fi
    ssh-keygen -t rsa -f /root/.ssh/id_rsa -P "" >> /dev/null 2>&1

    # Install sshpass if it is not already present.
    if [ $(rpm -qa sshpass|wc -l) -lt 1 ];then
        yum install -y sshpass &>/dev/null
    fi

    # Push the public key to 172.16.1.21 and 172.16.1.63.
    # -p puts the password on the command line, where it is visible in the
    # process list (sshpass also accepts -f FILE or -e with $SSHPASS);
    # StrictHostKeyChecking=no accepts each host key without verifying it.
    for ip in 21 63
      do
        sshpass -p123456 ssh-copy-id -i /root/.ssh/id_rsa.pub -o StrictHostKeyChecking=no "172.16.1.$ip"
    done
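The `cat id_rsa.pub >> authorized_keys` step in sections I and II and the ssh-copy-id runs in sections 3.2 and 5 all install a key with no restrictions, and the key pair itself has no passphrase. The following is an added example, not part of the original article, showing how the same key can be installed on the remote host so that it is accepted only from the management host (172.16.1.21 in section 4) and cannot be used for forwarding. `add_restricted_key` and `list_unrestricted_keys` are hypothetical helper names, and the key blob used with them in testing is constructed.

```shell
#!/bin/bash
# Added example: install a public key with authorized_keys restrictions.
# Helper names are hypothetical; from= and the no-* options are standard
# authorized_keys options understood by the OpenSSH shipped with CentOS 7.

# add_restricted_key PUBKEY_FILE FROM_PATTERN AUTHORIZED_KEYS
add_restricted_key() {
    local pubfile="$1" from="$2" authfile="$3" ktype blob comment
    # A public key file holds one line: "<type> <base64-blob> [comment]".
    read -r ktype blob comment < "$pubfile" || true
    case $ktype in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-*) ;;
        *) echo "unexpected key type: $ktype" >&2; return 2 ;;
    esac
    [ -n "$blob" ] || { echo "missing key blob" >&2; return 2; }
    # Create the file privately if it does not exist yet.
    ( umask 077; : >> "$authfile" )
    # Idempotent: an entry with this blob (restricted or not) is left alone,
    # unlike "cat >>", which appends a duplicate on every run.
    grep -qF -- "$blob" "$authfile" && return 0
    printf 'from="%s",no-agent-forwarding,no-port-forwarding,no-X11-forwarding %s %s%s\n' \
        "$from" "$ktype" "$blob" "${comment:+ $comment}" >> "$authfile"
    chmod 600 "$authfile"
}

# list_unrestricted_keys AUTHORIZED_KEYS
# Options precede the key type, so a line whose first field is the key type
# carries no options at all. Prints "<line-number>: <type> <last field>".
list_unrestricted_keys() {
    awk '$1 ~ /^(ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-)/ { print NR ": " $1 " " $NF }' "$1"
}
```

On B, `list_unrestricted_keys /root/.ssh/authorized_keys` shows which existing entries were added without options; because the section 5 script regenerates the key pair on every run, older entries listed there may belong to keys that no longer exist.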

     Reference link: http://blog.51cto.com/13520761/2095798

  • Original article: https://www.cnblogs.com/huanglinxin/p/8868839.html