1. Purpose of SSH mutual trust
1. When building a cluster, SSH mutual trust between nodes is required; it makes working on another node from the current one convenient.
2. When using scp for remote copies, you must enter the username and password of the target server each time. Configuring SSH mutual trust between the Linux servers removes that prompt, so operations across several Linux servers can use passwordless login.
2. How SSH mutual trust works
In short, each server stores the other host's public key, so authentication completes automatically and no password needs to be entered.
3. SSH mutual trust configuration steps
1. Each node generates its own public/private key pair.
2. Each node sends its public key file to the other node.
3. Verify that the mutual trust configuration succeeded.
4. Configuring SSH mutual trust
Two Linux hosts, MYDB01 and MYDB02, are used as the example here:
4.1 Generate the public/private key pair
Generate a key pair on each of the two hosts; just press Enter at every prompt:
# MYDB01 host:
[root@MYDB01 ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:lQex2+SbdmGGNBvU8vjaTKVCbfAmk8Eva+C6BPJ49G0 root@MYDB01
The key's randomart image is:
+---[RSA 2048]----+
|oo.. |
| == .|
|+ *@ |
| ..BB=B .|
|. o S..o=O+o |
| = o .. +=+. |
|. o o.E.+*.|
| . ... ...o|
|.. |
+----[SHA256]-----+
[root@MYDB01 ~]#
# MYDB02 host:
[root@MYDB02 ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:8DGfMHFZDrEOOYhcpFGXI8tndQXTE4FampR6cTowAo4 root@MYDB02
The key's randomart image is:
+---[RSA 2048]----+
|o++ o.+=+=+o |
| + =oo=+*+=.o|
|E =.o+OB.X.. |
|oo+XB. |
| oS.+. |
| |
| |
| |
| |
+----[SHA256]-----+
[root@MYDB02 ~]#
This creates the key pair; two files, **id_rsa** (private key) and **id_rsa.pub** (public key), are generated.
After generation, the keys are stored by default in the **.ssh/** directory under the user's home directory.
The permissions of the private key and the public key are **600** and **644** respectively.
The permissions of the .ssh directory must be 700.
Options:
-t rsa|dsa: selects the key type; the default is rsa.
Next, inspect the generated public and private key files:
[root@MYDB01 ~]# cd /root/.ssh
[root@MYDB01 .ssh]# pwd
/root/.ssh
[root@MYDB01 .ssh]# ll -sh
總用量 12K
4.0K -rw------- 1 root root 1.7K 2月 14 16:17 id_rsa
4.0K -rw-r--r-- 1 root root  393 2月 14 16:17 id_rsa.pub
[root@MYDB01 .ssh]#
4.2 Send your public key file to the other host
# Command format:
ssh-copy-id [-i [identity_file]] [user@]machine
This command transfers the contents of id_rsa.pub into the remote host's .ssh directory as a file named authorized_keys, and sets the permissions of the remote user's **.ssh** directory and **.ssh/authorized_keys** file.
# Run the following on MYDB01:
[root@MYDB01 .ssh]# ssh-copy-id 192.168.250.194
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.250.194's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh '192.168.250.194'"
and check to make sure that only the key(s) you wanted were added.

[root@MYDB01 .ssh]#
Now check the result on MYDB02:
[root@MYDB02 ~]# cd /root/.ssh
[root@MYDB02 .ssh]# ll
總用量 12
-rw------- 1 root root  393 2月 14 16:41 authorized_keys
-rw------- 1 root root 1679 2月 14 16:20 id_rsa
-rw-r--r-- 1 root root  393 2月 14 16:20 id_rsa.pub
[root@MYDB02 .ssh]# cat authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCtQ+pBp1T9fHAkrifEShaOAfBJFT+HdljR8mBxl7wZ1a91g3Zuzu35gJKsUjD+NqP9JcdyKapE309SHPvosvsJjLfccF4PaEZAgqHryu+S3cBn8zqA6fm62hsx/qI4I80PV0btcqfwphsD+5+vgkDJWAsUGQtqZdmMClAIy5gs0He0K2jpciKHvxWWClB3+dTJ0e9yIuIkV7lM+jqVIqYFJD0bRyy0zgNsY5/cLYFllM42TQDos93hVdqGXOHREpWo01KX2Jd8MKj4yNeiqgnj2mDtiNFWOUSkAbHpcKInuUOErJMqkV7MP0er5UKY/NemDzuORr2RxYqSTWaz/T7N root@MYDB01
[root@MYDB02 .ssh]#
The steps above establish one-way trust only: MYDB01 can log in to MYDB02 without a password, but not the other way round, so the following step is also needed:
# On MYDB02, copy its public key to MYDB01:
[root@MYDB02 .ssh]# ssh-copy-id 192.168.250.193
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '192.168.250.193 (192.168.250.193)' can't be established.
ECDSA key fingerprint is SHA256:vThEoRhUOECeD5jhE+m8TZA2+6OoElIoNOQ3XqtopZw.
ECDSA key fingerprint is MD5:97:40:b2:35:6e:07:5a:61:1f:73:f1:b2:6e:54:5b:7d.
Are you sure you want to continue connecting (yes/no)? y
Please type 'yes' or 'no': yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.250.193's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh '192.168.250.193'"
and check to make sure that only the key(s) you wanted were added.

[root@MYDB02 .ssh]#
4.3 Verify mutual trust
Log in over SSH from MYDB01 to MYDB02 and from MYDB02 to MYDB01, and check whether a password is requested:
Log in to MYDB02 from MYDB01:
[root@MYDB01 .ssh]# ssh 192.168.250.194
Last login: Tue Jan 9 15:41:56 2023 from 192.168.250.193
[root@MYDB02 ~]#
Passwordless login succeeded.
Likewise, log in to MYDB01 from MYDB02:
[root@MYDB02 .ssh]# ssh 192.168.250.193
Last failed login: Tue Feb 14 16:48:54 CST 2023 from 192.168.250.194 on ssh:notty
There was 1 failed login attempt since the last successful login.
Last login: Tue Jan 9 15:41:34 2024 from 192.168.250.194
[root@MYDB01 ~]#
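As an added example (not part of the original article), the following POSIX shell script checks the permission rules from sections 4.1 and 4.2 (.ssh 700, id_rsa 600, id_rsa.pub 644, authorized_keys 600) on one node, and performs the section 4.3 login check non-interactively so that a wrongly configured host fails instead of silently falling back to a password prompt; `check_trust` takes a hypothetical host argument.

```shell
#!/bin/sh
# Added example, not from the original article: audit one node's .ssh
# directory against the modes the article requires, then probe the far
# side without ever allowing a password prompt. Assumes POSIX sh, a GNU
# or BSD `stat`, and OpenSSH; the audit part needs no real hosts.

# Octal permission bits of a path (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Required modes: .ssh=700, id_rsa=600, id_rsa.pub=644, authorized_keys=600.
# Also flags authorized_keys lines that do not start with a known key type
# (simplified: lines carrying key options such as from="..." are not parsed).
# Prints each finding and returns the number of problems (0 = clean).
audit_ssh_dir() {
    dir=$1
    problems=0
    check_mode() {
        if [ ! -e "$1" ]; then
            echo "missing: $1"; problems=$((problems + 1)); return 0
        fi
        actual=$(mode_of "$1")
        [ "$actual" = "$2" ] || { echo "bad mode on $1: want $2, got $actual"; problems=$((problems + 1)); }
    }
    check_mode "$dir" 700
    check_mode "$dir/id_rsa" 600
    check_mode "$dir/id_rsa.pub" 644
    check_mode "$dir/authorized_keys" 600
    if [ -r "$dir/authorized_keys" ]; then
        bad=$(grep -c -v -E '^(#|$|ssh-(rsa|ed25519|dss) |ecdsa-sha2-)' "$dir/authorized_keys" || true)
        [ "$bad" -eq 0 ] || { echo "$bad unrecognised line(s) in authorized_keys"; problems=$((problems + bad)); }
    fi
    return "$problems"
}

# Non-interactive login probe for a host given as argument (hypothetical):
# BatchMode=yes makes ssh fail instead of asking for a password, so an exit
# status of 0 means key-based trust really works in that direction.
check_trust() {
    ssh -o BatchMode=yes -o PasswordAuthentication=no -o ConnectTimeout=5 "$1" true
}
```

Run `audit_ssh_dir /root/.ssh` on each node after step 4.2, and `check_trust 192.168.250.194` (or .193) in place of the interactive login in step 4.3.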