ansible >> ssh

场景：主机A (ubuntu) 主机B (centos)

主机 A 安装ssh

root@ubuntz(主机A):/home/ubuntu# apt-get install openssh-server

Reading package lists... Done

Building dependency tree

Reading state information... Done

The following packages were automatically installed and are no longer required:

linux-headers-3.13.0-32 linux-headers-3.13.0-32-generic

linux-image-3.13.0-32-generic linux-image-extra-3.13.0-32-generic

Use 'apt-get autoremove' to remove them.

Suggested packages:

rssh molly-guard monkeysphere

The following NEW packages will be installed:

openssh-server

0 upgraded, 1 newly installed, 0 to remove and 9 not upgraded.

Need to get 322 kB of archives.

After this operation, 955 kB of additional disk space will be used.

Get:1 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main openssh-server amd64 ...

Fetched 322 kB in 4s (69.5 kB/s)

Preconfiguring packages ...

Selecting previously unselected package openssh-server.

(Reading database ... 260939 files and directories currently installed.)

Preparing to unpack .../openssh-server_1%3a6.6p1-2ubuntu2.8_amd64.deb ...

Unpacking openssh-server (1:6.6p1-2ubuntu2.8) ...

Processing triggers for ufw (0.34~rc-0ubuntu2) ...

Processing triggers for ureadahead (0.100.0-16) ...

ureadahead will be reprofiled on next reboot

Processing triggers for man-db (2.6.7.1-1ubuntu1) ...

Setting up openssh-server (1:6.6p1-2ubuntu2.8) ...

主机 A 启动ssh

root@ubuntu:/home/ubuntu# /etc/init.d/ssh start

ssh start/running, process 3623

主机 B 安装ssh

root@centos(主机B)# yum install openssh*

主机 B 启动ssh服务

root@centos# service sshd start

Failed to get D-Bus connection: Operation not permitted

Generating SSH2 RSA host key: [ OK ]

Generating SSH2 ECDSA host key: [ OK ]

Generating SSH2 ED25519 host key: [ OK ]

Starting sshd: [ OK ]

（若无service 命令需要安装initscripts）

root@centos# yum install initscripts

主机 A 配置主机列表

root@ubuntu:/home/ubuntu# vim /etc/hosts

添加主机172.17.0.2 hostname

主机 A 生成秘钥

root@ubuntu:/home/ubuntu# ssh-keygen

Generating public/private rsa key pair.

Enter file in which to save the key (/root/.ssh/id_rsa):

Enter passphrase (empty for no passphrase):

Enter same passphrase again:

Your identification has been saved in /root/.ssh/id_rsa.

Your public key has been saved in /root/.ssh/id_rsa.pub.

The key fingerprint is:

d2:ff:5b:30:60:e2:9e:61:c8:69:a2:06:93:a7:85:65 root@ubuntu

The key's randomart image is:

+--[ RSA 2048]----+

| |

| E . o |

| = . = o . |

|= o . * S o |

| * . o + + o |

|. o o . . |

| . . . |

| o. |

+-----------------+

从主机 A 拷贝公钥到主机 B

root@ubuntu:/home/ubuntu# ssh-copy-id root@hostname

The authenticity of host 'hostname (172.17.0.2)' can't be established.

ECDSA key fingerprint is 16:dc:5b:7b:df:8d:96:36:76:6c:63:5e:2a:eb:56:67.

Are you sure you want to continue connecting (yes/no)? yes

/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed

/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys

root@hostname's password:

Number of key(s) added: 1

Now try logging into the machine, with: "ssh 'root@hostname'"

and check to make sure that only the key(s) you wanted were added.

主机 A 将主机 B 的秘钥写入known_hosts 文件 (大家要是复制这个文件的话，记得改变其权限，只能为700)

root@ubuntu:/home/ubuntu# ssh-keyscan hostname >> ~/.ssh/known_hosts

# hostname SSH-2.0-OpenSSH_7.4

此时，从主机 A 登录主机 B 可通过秘钥登录

root@ubuntu:~/.ssh# ssh hostname

Warning: Permanently added the ECDSA host key for IP address '172.17.0.2' to the list of known hosts.

Last login: Tue Dec 26 11:22:34 2017 from gateway

[root@centos ~]#

原理

      1）公钥：用于加密，存在于服务器
      2）私钥：用于解密，存在于客户机

流程

      1）客户端向服务器发出连接请求
      2）服务器查看客户端公钥（~/.ssh/authorized_keys）该客户机（客户机标志：用户@Host）对应的公钥
      3）服务器验证公钥合法，则产生一条随机数（challenge），用公钥加密发送给客户端
      4）客户端用私钥解密回传服务器端
      5）随机数一致，认证通过