随笔- 79 文章- 0 评论- 2 阅读- 35622

centos之间如何实现免密ssh登陆

在公司产品中，管理平台和下面的主机很多时候都要求免密，免密的逻辑到底是怎么样的呢？今天就简单看看！

首先创建两台虚机，正常情况下ssh登陆对方是需要密码的

先通过ssh-keygen生成一对秘钥

[root@test-20 ~]# ssh-keygen 
Generating public/private rsa key pair.                        #通过RSA加密算法生成公钥/私钥密钥对
Enter file in which to save the key (/root/.ssh/id_rsa): 　　　　#保存目录
Created directory '/root/.ssh'.　　　　　　　　　　　　　　　　　　　　#生成对应目录
Enter passphrase (empty for no passphrase): 　　　　　　　　　　　　#密码短语（passphrase）是一串比常用密码要长一些的字符的排列
Enter same passphrase again: 　　　　　　　　　　　　　　　　　　　　　　#再次确认密码短语
Your identification has been saved in /root/.ssh/id_rsa.　　　　　　　#生成成功
Your public key has been saved in /root/.ssh/id_rsa.pub.　　　　　　　　#公钥保存目录
The key fingerprint is:
cc:21:36:e7:47:99:1a:19:5e:bd:f4:1d:28:52:78:e1 root@test-20
The key's randomart image is:
+--[ RSA 2048]----+
|        . ++. .  |
|       . *.=o. . |
|      + * *E.o ..|
|     . B =  . . .|
|        S .      |
|         .       |
|                 |
|                 |
|                 |
+-----------------+
[root@test-20 ~]#

进入对应目录可查看到相应文件

[root@test-20 ~]# ls -a 
.  ..  anaconda-ks.cfg  .bash_history  .bash_logout  .bash_profile  .bashrc  .cshrc  .ssh  .tcshrc
[root@test-20 ~]# cd .ssh/
[root@test-20 .ssh]# ll -a 
total 8
drwx------. 2 root root   38 Oct 18 22:05 .
dr-xr-x---. 3 root root  147 Oct 18 22:05 ..
-rw-------. 1 root root 1679 Oct 18 22:05 id_rsa                   
-rw-r--r--. 1 root root  394 Oct 18 22:05 id_rsa.pub
[root@test-20 .ssh]#

需要注意的是：如果希望ssh公钥生效需满足至少下面两个条件：
1) .ssh目录的权限必须是700
2) .ssh/authorized_keys文件权限必须是600

将生成的公钥文件拷贝至客户端虚机上

[root@test-20 .ssh]# scp id_rsa.pub root@10.0.0.21:/root/.ssh/id_rsa.10.0.0.20.pub
The authenticity of host '10.0.0.21 (10.0.0.21)' can't be established.
ECDSA key fingerprint is f3:e7:b5:d7:40:2f:e3:5f:f9:02:1d:7d:f7:59:a1:46.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.0.21' (ECDSA) to the list of known hosts.
root@10.0.0.21's password: 
id_rsa.pub                                                                                                              100%  394     0.4KB/s   00:00    
[root@test-20 .ssh]#

[root@test-21 .ssh]# ll
total 20
-rw-------. 1 root root 394 Oct 18 22:29 authorized_keys
-rw-------. 1 root root 1679 Oct 18 22:15 id_rsa
-rw-r--r--. 1 root root 394 Oct 18 22:24 id_rsa.10.0.0.20.pub #我是把20的公钥文件拷贝过来，然后添加到authorized_keys中，注意修改权限；

尝试发现还是不行，检查发现虚机的防火墙没有关，关闭后，正常

[root@test-21 .ssh]# ip add 
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens32: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:69:12:24 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.21/24 brd 10.0.0.255 scope global ens32
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe69:1224/64 scope link 
       valid_lft forever preferred_lft forever
[root@test-21 .ssh]# ssh 10.0.0.20
Last login: Sun Oct 18 22:37:50 2020 from 10.0.0.21
[root@test-20 ~]#

同时会在该目录下增加known_hosts文件，查看发现即是免认证的用户

[root@test-20 .ssh]# cat known_hosts 
10.0.0.21 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNu0JBtSYifFX2fTaNb1EbE7ibXxikHM594PRpt+BVXfFm6pd1QJj6/mohxM698giGPdgBrucYDO4u3wEiSxzJ0=
[root@test-20 .ssh]#