在Centos7上配置ssh免密码登录

avatar 2019年10月18日14:17:20 评论 2,301 次浏览

一、实验环境

服务名称 系统版本 IP地址
server01 centos07 10.211.55.13
Client centos07 10.211.55.7

二、实验要求

实现两台服务器之间免密码可以相互登录

三、实验部署

1、创建秘钥

首先,在server01上创建一个wolf用户,并设置密码,然后创建秘钥

[root@server01 ~]# useradd wolf
[root@server01 ~]# passwd wolf
Changing password for user wolf.
New password: 
BAD PASSWORD: The password is shorter than 8 characters
Retype new password: 
Sorry, passwords do not match.
New password: 
Retype new password: 
passwd: all authentication tokens updated successfully.
[root@server01 ~]#
[root@server01 ~]# su wolf
[wolf@server01 ~]$ ssh-keygen -t rsa -C "wolf27h@163.com"
Generating public/private rsa key pair.
Enter file in which to save the key (/home/wolf/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/wolf/.ssh/id_rsa.
Your public key has been saved in /home/wolf/.ssh/id_rsa.pub.
The key fingerprint is:
f7:83:93:4b:da:30:dc:7b:7f:eb:d9:7e:dd:1d:75:69 wolf27h@163.com
The key's randomart image is:
+--[ RSA 2048]----+
|                 |
|                 |
|                .|
|               Eo|
|        S .   . o|
|       . o +   . |
|        + * o   =|
|         * +..  O|
|        . +. .o*=|
+-----------------+
[wolf@server01 ~]$ cd ~/.ssh/
[wolf@server01 .ssh]$ ls
id_rsa  id_rsa.pub

在server01上已经创建完成,并且生成了秘钥,下面创建客户端Client。为了区分用户,我们在生成Client秘钥的时候建议添加一个邮箱,这样比较容易区分。 server01生成的秘钥邮箱后缀是wolf27h@163.com,Client改成wolf27w@163.com,这样该的好处后面有用户,继续:

[root@Client ~]# su wolf
[wolf@Client root]$ cd ~/.ssh/
[wolf@Client .ssh]$ ls
[wolf@Client .ssh]$ ssh-keygen -t rsa -C "wolf27w@163.com"
Generating public/private rsa key pair.
Enter file in which to save the key (/home/wolf/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/wolf/.ssh/id_rsa.
Your public key has been saved in /home/wolf/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:jKEz+55drjW2mSqHtdpFual8mUijKCAtFWFLyPskP9w wolf27w@163.com
The key's randomart image is:
+---[RSA 2048]----+
|..+.             |
|.+..             |
|  o.  .          |
| o.. . +   .     |
| o* = . S o      |
|+ .= E  +. o     |
|.o  o. = +Oo     |
|  . ..+=+B+=     |
|   . .=+B+=      |
+----[SHA256]-----+
[wolf@Client .ssh]$ ls
id_rsa  id_rsa.pub

这样server01和Client的秘钥已经创建完成,如果实现从Client免密码登录到server01还需要把Client的公钥拷贝到server01服务器的wolf用户下。

2、使用公钥登录

拷贝的方式有三种,分别是: 1、ssh-copy-id的方式 2、scp 3、Ansible实现批量免密

第一种,ssh-copy-id方式测试

[wolf@Client .ssh]$ ssh-copy-id -i /home/wolf/.ssh/id_rsa.pub wolf@10.211.55.13
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/wolf/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
wolf@10.211.55.13's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'wolf@10.211.55.13'"
and check to make sure that only the key(s) you wanted were added.

[wolf@Client .ssh]$ ssh wolf@10.211.55.13
Last login: Fri Feb 22 18:23:37 2019 from client.shared
[wolf@server01 ~]$ 
ssh-copy-id拷贝之后成功会有一个提示:
Now try logging into the machine, with:   "ssh 'wolf@10.211.55.13'"
意思就是“现在尝试登录到机器,使用 ssh wolf@10.211.55.13”。 直接登录可以不需要密码了,这个时候我们看一下server01的秘钥目录下是不是多了一个文件。
[wolf@server01 ~]$ cd ~/.ssh/
[wolf@server01 .ssh]$ ls
authorized_keys  id_rsa  id_rsa.pub
authorizedkeys的文件内容就是Client秘钥文件中的idrsa.pub,下面说一下秘钥生成的文件说明。
authorized_keys:存放远程免密登录的公钥,主要通过这个文件记录多台机器的公钥
id_rsa : 生成的私钥文件
id_rsa.pub : 生成的公钥文件
know_hosts : 已知的主机公钥清单
使用普通用户没有创建密码,直接拷贝报错如下:
[wolf@Client .ssh]$ ssh-copy-id -i /home/wolf/.ssh/id_rsa.pub 10.211.55.13
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/wolf/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed

/usr/bin/ssh-copy-id: WARNING: All keys were skipped because they already exist on the remote system.
                (if you think this is a mistake, you may want to use -f option)
如果没有ssh-copy-id命令,需要安装:yum -y install openssh-clients

第二种,通过scp方式为了测试一台服务器可以被多台客户端免密码登录,我就在Client服务器的另外一个用户wolf27w登录到server01上:

[wolf27w@Client .ssh]$ scp -p ~/.ssh/id_rsa.pub wolf@10.211.55.13:/home/wolf/.ssh/authorized_keys
The authenticity of host '10.211.55.13 (10.211.55.13)' can't be established.
ECDSA key fingerprint is SHA256:i/fAI6xt+FKBgbBHA4RuQdXS//FlNThzo6RHlDX/PGk.
ECDSA key fingerprint is MD5:a9:ca:4d:ec:49:9f:4d:86:c2:67:ef:77:05:24:23:2a.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.211.55.13' (ECDSA) to the list of known hosts.
wolf@10.211.55.13's password: 
id_rsa.pub                                                                                                                          100%  397     1.2MB/s   00:00    
[wolf27w@Client .ssh]$ ssh wolf@10.211.55.13
Last login: Fri Feb 22 18:24:43 2019 from client.shared
[wolf@server01 ~]$ exit

这种登录到server01服务器之后,会把原来的wolf用户的公钥覆盖掉,但是如果实现两个用户都可以使用秘钥登录,就需要把两个秘钥共存,可以追加或者直接复制过去。 复制完成之后,测试如下:

[root@Client ~]# su wolf
[wolf@Client root]$ ssh wolf@10.211.55.13
Last login: Fri Feb 22 18:52:08 2019
[wolf@server01 ~]$ exit
logout
Connection to 10.211.55.13 closed.
[wolf@Client root]$ su root
Password: 
[root@Client ~]# su wolf27w
[wolf27w@Client root]$ ssh wolf@10.211.55.13
Last login: Fri Feb 22 18:52:47 2019 from client.shared
[wolf@server01 ~]$

第三种方式需要安装Ansible 命令如下:

ansible <groupname> -m authorized_key -a "user=root key='{{ lookup('file','/root/.ssh/id_rsa.pub') }}'" -k

因为没有安装ansible所以,暂时不测试,、

avatar

发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: