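Requirement:
The yunwei account on server 192.168.31.10 needs to log in to server 192.168.31.15 without a password.
That is, log in directly with ssh root@192.168.31.15, without entering a password.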
Implementation:
1. On the 10 machine, create the operations account (yunwei).
[root@docker01 ~]# id yunwei        # check whether the yunwei account exists
id: yunwei: no such user
[root@docker01 ~]# useradd yunwei   # create the yunwei account
[root@docker01 ~]# su - yunwei      # switch to the yunwei account
[yunwei@docker01 ~]$ pwd
/home/yunwei
2. Create a key pair under the yunwei account
[yunwei@docker01 ~]$ ssh-keygen     # create the key pair; press Enter at every prompt
Generating public/private rsa key pair.
Enter file in which to save the key (/home/yunwei/.ssh/id_rsa):
Created directory '/home/yunwei/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/yunwei/.ssh/id_rsa.
Your public key has been saved in /home/yunwei/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:kLXaRvzgGOqF62RyGWKGUekspD39l0pudQBt1MQp3NU yunwei@docker01
The key's randomart image is:
+---[RSA 2048]----+
| .. +o=.o.. |
| o. .+=.= E |
|++ . +o=. |
|oo= .o O.o |
|..+.+.+ So. |
| o o =o.+ . |
| . Bo + . |
| * + |
| .. |
+----[SHA256]-----+

Check that the key pair was created:

[yunwei@docker01 ~]$ pwd
/home/yunwei
[yunwei@docker01 ~]$ ll -a
total 12
drwx------. 5 yunwei yunwei 103 Mar 25 23:18 .
drwxr-xr-x. 16 root root 177 Mar 25 23:17 ..
-rw-r--r--. 1 yunwei yunwei 18 Mar 31 2020 .bash_logout
-rw-r--r--. 1 yunwei yunwei 193 Mar 31 2020 .bash_profile
-rw-r--r--. 1 yunwei yunwei 231 Mar 31 2020 .bashrc
drwxrwxr-x. 3 yunwei yunwei 18 Mar 25 23:17 .cache
drwxrwxr-x. 3 yunwei yunwei 18 Mar 25 23:17 .config
drwx------. 2 yunwei yunwei 38 Mar 25 23:18 .ssh
[yunwei@docker01 ~]$ cd .ssh/
[yunwei@docker01 .ssh]$ ls
id_rsa  id_rsa.pub
3. Copy the public key to the 15 server
[yunwei@docker01 .ssh]$ ssh-copy-id root@192.168.31.15     # copy the public key to the 15 machine
/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/yunwei/.ssh/id_rsa.pub"
The authenticity of host '192.168.31.15 (192.168.31.15)' can't be established.
ECDSA key fingerprint is SHA256:v3zhW/rvSt+T7QfAnIDIiHhbALRLNiLzl8Hg3TAZQCA.
ECDSA key fingerprint is MD5:cf:b8:e1:f6:a5:61:60:f0:77:aa:f3:76:ab:d2:ce:9b.
Are you sure you want to continue connecting (yes/no)? yes
/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.31.15's password:

Number of key(s) added: 1

Now try logging into the machine, with: "ssh 'root@192.168.31.15'"
and check to make sure that only the key(s) you wanted were added.
4. Verify the passwordless login
[yunwei@docker01 .ssh]$ ssh root@192.168.31.15
Last login: Sun Mar 26 11:21:02 2023 from 192.168.31.1
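
ssh-copy-id ends by asking you to check that only the key(s) you wanted were added. The script below is an added example (not part of the original post) of that check, meant to be run on the target against root's authorized_keys: it lists each key's type and comment and flags keys that carry no from= source restriction. The sample entries, the placeholder key blobs and the deploy@host-b key are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an authorized_keys file after ssh-copy-id.
# Output per key: "<key type> <comment> <from=... or UNRESTRICTED>"

# Constructed sample of /root/.ssh/authorized_keys on 192.168.31.15.
# Key blobs are placeholders; deploy@host-b is a hypothetical second key.
sample_authorized_keys() {
    cat <<'EOF'
# constructed sample, not real keys
ssh-rsa AAAAB3NzaC1yc2E_PLACEHOLDER yunwei@docker01
from="192.168.31.10",no-agent-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1_PLACEHOLDER deploy@host-b
EOF
}

# Reads authorized_keys lines from the named file(s), or stdin if none.
audit_authorized_keys() {
    awk '
    NF == 0 || $1 ~ /^#/ { next }          # skip blank lines and comments
    {
        # Options (if any) precede the key type, so locate the key type first.
        # Assumes no option value contains a bare key-type token.
        kt = 0
        for (i = 1; i <= NF; i++)
            if ($i ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp[0-9]+|sk-[a-z0-9-]+@openssh\.com)$/) {
                kt = i; break
            }
        if (kt == 0) { print "UNPARSED line " NR; next }
        opts = ""
        for (i = 1; i < kt; i++) opts = opts (i > 1 ? " " : "") $i
        comment = (kt + 2 <= NF) ? $(kt + 2) : "(no-comment)"
        restr = "UNRESTRICTED"             # key accepted from any source address
        if (match(opts, /from="[^"]*"/)) restr = substr(opts, RSTART, RLENGTH)
        print $kt, comment, restr
    }' "$@"
}

# With arguments, audit those files; without, run on the constructed sample.
if [ "$#" -gt 0 ]; then
    audit_authorized_keys "$@"
else
    sample_authorized_keys | audit_authorized_keys
fi
```

The key installed in step 3 shows up as UNRESTRICTED; prefixing its line with from="192.168.31.10" limits it to logins coming from the 10 machine.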
Supplement: a better way to create the key, without any interactive prompts
[yunwei@docker01 .ssh]$ ssh-keygen -P '' -f id_rsa     # create the key pair non-interactively
Generating public/private rsa key pair.
Your identification has been saved in id_rsa.
Your public key has been saved in id_rsa.pub.
The key fingerprint is:
SHA256:hXuSBtV1o1D1PfIyG/+iC1IFnZh8Q3NGf5eiuQ8IExQ yunwei@docker01
The key's randomart image is:
+---[RSA 2048]----+
| EoooB=+B |
| .. .=o=* +o|
| ... ..o+ o*|
| ..+ .o + +|
| oS oo + . |
| .o+. . * |
| ...o . . |
| . .o . .|
| o+ ..|
+----[SHA256]-----+
[yunwei@docker01 .ssh]$ ls
id_rsa  id_rsa.pub  known_hosts
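Parameter notes:
-t  Specifies the type of key to create
dsa | ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa
The possible values are "dsa", "ecdsa", "ecdsa-sk", "ed25519", "ed25519-sk", or "rsa".
This flag may also be used to specify the desired signature type when signing certificates using an RSA CA key. The available RSA signature variants are "ssh-rsa" (SHA1 signatures, not recommended), "rsa-sha2-256", and "rsa-sha2-512" (the default).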
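-P  passphrase
Provides the (old) passphrase. When creating a new key, -N is the option documented for the new passphrase; -P '' has the same effect in the transcript above.
The passphrase here protects the private key; it is not the remote host's password, and it can be set to anything. However, setting one defeats the purpose of passwordless login, because you then have to enter the key passphrase when logging in to the remote host (unless the key is loaded into ssh-agent).
So this is normally just set to empty. With an empty passphrase, anyone who can read /home/yunwei/.ssh/id_rsa can log in to 192.168.31.15 as root, so the file must stay readable by yunwei only.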
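-f  filename
Specifies the file name of the key file
The file name here must be id_rsa (in ~/.ssh), which is a default identity file that ssh looks for. With any other name, ssh does not offer the key unless it is named with -i or IdentityFile, so passwordless login still fails even after the key has been pushed to the target machine.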
Summary:
It comes down to three commands
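cd                          # go to the current account's home directory
ssh-keygen                  # press Enter three times
ssh-copy-id 192.168.31.15   # copy the public key to the hadoop104 server, so that hadoop104 can then be accessed without a password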
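The user account is omitted here, so the current account is used for the passwordless login.
For example, if the current account is test:
ssh-copy-id 192.168.31.15 is equivalent to ssh-copy-id test@192.168.31.15
The result is that the test account on the current server can log in to the test account on the 15 server without a password.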