LinuxSSH登录互信配置。小编来告诉你更多相关信息。
Linux
网小编为你介绍Linux的相关话题,一起来了解了解吧。
1. 做ssh互信的目的
1、在做集群的时候是需要SSH
互信,它有利于在另一节点方便操作。
2、当使用scp
远程拷贝操作时,需要输入目标服务器的用户名和密码,这个时候可以做linux
服务器之间ssh
互信配置, 这样在多个linux
服务器之间做操作时就可以免密登陆。
2. ssh互信配置的原理
简单来说,就是各自服务器存放了目标主机的证书,当执行登陆时,自动完成认证,从而不需要再输入任何密码。
3. ssh互信配置步骤
1、各节点生成自己的公钥和私钥对。
2、将自己的公钥文件发送给对方。
3、验证互信配置是否成功。
4. 配置ssh互信
这里以MYDB01
和MYDB02
两台LINUX
主机为例:
4.1生成公钥私钥对
在两台主机上分别生成,提示输入信息时直接回车:
# MYDB01
主机:
[root@MYDB01 ~]# ssh-keygen -t rsaGenerating public/private rsa key pair.Enter file in which to save the key (/root/.ssh/id_rsa): Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /root/.ssh/id_rsa.Your public key has been saved in /root/.ssh/id_rsa.pub.The key fingerprint is:SHA256:lQex2+SbdmGGNBvU8vjaTKVCbfAmk8Eva+C6BPJ49G0 root@MYDB01The key\'s randomart image is:+---[RSA 2048]----+| oo.. || == . || + *@ || ..BB=B .|| . o S..o=O+o || = o .. +=+. || . o o.E.+*. || . ... ...o || .. |+----[SHA256]-----+[root@MYDB01 ~]#
# MYDB02
主机:
[root@MYDB02 ~]# ssh-keygen -t rsaGenerating public/private rsa key pair.Enter file in which to save the key (/root/.ssh/id_rsa): Created directory \'/root/.ssh\'.Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /root/.ssh/id_rsa.Your public key has been saved in /root/.ssh/id_rsa.pub.The key fingerprint is:SHA256:8DGfMHFZDrEOOYhcpFGXI8tndQXTE4FampR6cTowAo4 root@MYDB02The key\'s randomart image is:+---[RSA 2048]----+| o++ o.+=+=+o || + =oo=+*+=.o || E =.o+OB.X. . || oo+XB. || oS.+. || || || || |+----[SHA256]-----+[root@MYDB02 ~]#
这样,就创建了公钥和密钥,会生成**id_rsa
和id_rsa.pub
**两个文件。
生成ssh
密钥后,密钥将默认存储在家目录下的**.ssh/目录
**中。
私钥和公钥的权限分别为**
LinuxSSH登录互信配置。小编来告诉你更多相关信息。
Linux
600和644
**。
.ssh目录权限必须是700
选项:
-t rsa|dsa
默认是rsa
格式。
接着可以查看生成的公钥和私钥文件:
[root@MYDB01 ~]# cd /root/.ssh[root@MYDB01 .ssh]# pwd/root/.ssh[root@MYDB01 .ssh]# ll -sh总用量 12K4.0K -rw------- 1 root root 1.7K 2月 14 16:17 id_rsa4.0K -rw-r--r-- 1 root root 393 2月 14 16:17 id_rsa.pub[root@MYDB01 .ssh]#
4.2将自己的公钥文件发送给对方
# 命令格式:
ssh-copy-id [-i [identity_file]] [user@]machine
这个命令的作用是:将id_rsa.pub
文件内容传输至对方的.ssh目录
中,生成文件名为authorized_keys
文件,并且会设置远程主机用户目录的**.ssh和.ssh/authorized_keys
**权限。
# 在MYDB01
上执行以下操作:
[root@MYDB01 .ssh]# ssh-copy-id 192.168.250.194/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: \"/root/.ssh/id_rsa.pub\"/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keysroot@192.168.250.194\'s password: Number of key(s) added: 1Now try logging into the machine, with: \"ssh \'192.168.250.194\'\"and check to make sure that only the key(s) you wanted were added.[root@MYDB01 .ssh]#
这里在MYDB02
主机上查看:
[root@MYDB02 ~]# cd /root/.ssh[root@MYDB02 .ssh]# ll总用量 12-rw------- 1 root root 393 2月 14 16:41 authorized_keys-rw------- 1 root root 1679 2月 14 16:20 id_rsa-rw-r--r-- 1 root root 393 2月 14 16:20 id_rsa.pub[root@MYDB02 .ssh]# cat authorized_keysssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCtQ+pBp1T9fHAkrifEShaOAfBJFT+HdljR8mBxl7wZ1a91g3Zuzu35gJKsUjD+NqP9JcdyKapE309SHPvosvsJjLfccF4PaEZAgqHryu+S3cBn8zqA6fm62hsx/qI4I80PV0btcqfwphsD+5+vgkDJWAsUGQtqZdmMClAIy5gs0He0K2jpciKHvxWWClB3+dTJ0e9yIuIkV7lM+jqVIqYFJD0bRyy0zgNsY5/cLYFllM42TQDos93hVdqGXOHREpWo01KX2Jd8MKj4yNeiqgnj2mDtiNFWOUSkAbHpcKInuUOErJMqkV7MP0er5UKY/NemDzuORr2RxYqSTWaz/T7N root@MYDB01[root@MYDB02 .ssh]#
上面的操作只是单方面信任,主机MYDB01
登录主机MYDB02
不需输入密码,反过来不行,所以还需下面操作:
# 在主机MYDB02
上将其钥复制到主机MYDB01
上:
[root@MYDB02 .ssh]# ssh-copy-id 192.168.250.193/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: \"/root/.ssh/id_rsa.pub\"The authenticity of host \'192.168.250.193 (192.168.250.193)\' can\'t be established.ECDSA key fingerprint is SHA256:vThEoRhUOECeD5jhE+m8TZA2+6OoElIoNOQ3XqtopZw.ECDSA key fingerprint is MD5:97:40:b2:35:6e:07:5a:61:1f:73:f1:b2:6e:54:5b:7d.Are you sure you want to continue connecting (yes/no)? yPlease type \'yes\' or \'no\': yes/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keysroot@192.168.250.193\'s password: Number of key(s) added: 1Now try logging into the machine, with: \"ssh \'192.168.250.193\'\"and check to make sure that only the key(s) you wanted were added.[root@MYDB02 .ssh]#
LinuxSSH登录互信配置。小编来告诉你更多相关信息。
Linux
4.3验证互信
分别在MYDB01
主机和MYDB02
主机上通过SSH
登录,看是否需要输入密码:
在MYDB01
主机上登录MYDB02
主机:
[root@MYDB01 .ssh]# ssh 192.168.250.194Last login: Tue Jan 9 15:41:56 2023 from 192.168.250.193[root@MYDB02 ~]#
无密登录成功。
同样,在MYDB02
主机上登录MYDB01
主机:
[root@MYDB02 .ssh]# ssh 192.168.250.193Last failed login: Tue Feb 14 16:48:54 CST 2023 from 192.168.250.194 on ssh:nottyThere was 1 failed login attempt since the last successful login.Last login: Tue Jan 9 15:41:34 2024 from 192.168.250.194[root@MYDB01 ~]#
以上是网关于Linux 跟 SSH登录互信配置的详细方法介绍,大家作为一个参考建议。