Passwordless login with SSH


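Mutual authentication

Map the IP addresses and hostnames of the machines that will authenticate to each other, and place the mapping on every machine.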

[root@master ~]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
10.0.0.10 master
10.0.0.11 node01
10.0.0.12 node02

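Generate the key

Taking the master machine as an example, generate a key pair and copy the public key to node01 and node02. To let node01 log in to the other machines without a password, copy the public key generated on node01 to each of those machines.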

[root@master ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:2sVd/Xh8vuuUOkoy+PP1VHQvsf08JuzLCWBGyfOHQPA root@master
The key's randomart image is:
+---[RSA 2048]----+
|       ...       |
|        + .    . |
|         E    o +|
|        ..+... B+|
|        S+oo..+ O|
|       o+.. o  ==|
|      ...o o + *+|
|        ..+ =.O o|
|         .oo.*+=.|
+----[SHA256]-----+

Copy the public key to the target machine

[root@master ~]# ssh-copy-id node01
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host 'node01 (10.0.0.11)' can't be established.
ECDSA key fingerprint is SHA256:0WjkfswyQXRv+zeS03AF9xLANd4uZtFo0YcY7kGiagA.
ECDSA key fingerprint is MD5:32:e0:54:7e:8c:a0:1c:59:17:7b:00:3a:71:89:e1:a4.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@node01's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'node01'"
and check to make sure that only the key(s) you wanted were added.

Problem

ECDSA key fingerprint is SHA256:ib+nKTC8u2GwAMYRC1pfxVsz2Sy+K26lPbqOZ3qvOig.
ECDSA key fingerprint is MD5:4b:4b:6f:b7:a4:81:80:20:7f:60:1e:74:27:5b:a3:c0.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.33.11' (ECDSA) to the list of known hosts.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

Solution

Edit the /etc/ssh/sshd_config file and set
PermitRootLogin to yes
PubkeyAuthentication to yes
PasswordAuthentication to yes
then restart the ssh service.

[root@master ~]# systemctl restart sshd
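
The error above lists only publickey, gssapi-keyex and gssapi-with-mic, so the server is not offering password authentication and ssh-copy-id has no way to install the key. The script below is an added example, not part of the original post, that reads an sshd_config file and reports the value sshd takes for each of the three directives changed above. The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example (not the page author's code). Function names are hypothetical.

# sshd_effective FILE KEYWORD: print the value sshd takes from FILE's global
# section. sshd keeps the first value it reads for a keyword, keywords are
# case-insensitive, and lines after a "Match" line apply only conditionally.
sshd_effective() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*(#|$)/ { next }            # comment or blank line
        tolower($1) == "match" { exit }    # global section ends here
        tolower($1) == want { print $2; exit }
    ' "$1"
}

# check_root_key_login FILE: print the three directives the page changes and
# return 1 if any of them is "no", which makes the steps above fail.
check_root_key_login() {
    rc=0
    for kw in PermitRootLogin PubkeyAuthentication PasswordAuthentication; do
        val=$(sshd_effective "$1" "$kw")
        echo "$kw = ${val:-unset, sshd default applies}"
        if [ "$val" = no ]; then
            echo "  -> $kw is no: the steps above will fail"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample config, not taken from the page.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
#PermitRootLogin yes
permitrootlogin no
PermitRootLogin yes
PubkeyAuthentication yes
PasswordAuthentication no
Match User deploy
    PasswordAuthentication yes
EOF

# Against a real server: check_root_key_login /etc/ssh/sshd_config
check_root_key_login "$SAMPLE" ||
    echo "fix the flagged lines, run 'sshd -t', then restart sshd"
```

PasswordAuthentication yes is only needed while ssh-copy-id installs the key; once key login works it can be set back to no.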
