Preface
Passwordless SSH login can be configured directly for the root user, but in a production environment logging in as root without a password is not recommended. So we have to create a dedicated user for passwordless login between the two Linux hosts; for example, I create a user named ncayu.
Adding a user on Linux
# create the ncayu user
adduser ncayu
# set the ncayu user's password
passwd ncayu
Enter password
Enter password again
# grant the ncayu user root privileges
Edit the /etc/sudoers file, find the line below, and add a line under root, as shown:
#Allow root to run any commands anywhere
root ALL=(ALL) ALL
ncayu ALL=(ALL) ALL
Alternatively, append the following at the end of /etc/sudoers; written this way, using sudo does not require password verification.
ncayu ALL=(ALL) NOPASSWD: ALL
The password of the ncayu account is ncayu123456
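A NOPASSWD: ALL line such as the one above is passwordless root for that account, so it is worth knowing at any time who holds one. The script below is an added example, not code from the original post: it scans a sudoers-format file and lists every user or %group granted "NOPASSWD: ALL". On a real host you would run it against /etc/sudoers and each file in /etc/sudoers.d; here it runs on a constructed sample file (not any host's real configuration) so it works offline. It needs only POSIX sh and awk.

```shell
#!/bin/sh
# Added example, not from the original post: list the principals a
# sudoers-format file grants "NOPASSWD: ALL" (passwordless root via sudo).
# On a real host run it against /etc/sudoers and /etc/sudoers.d/*; here it
# runs on a constructed sample file. POSIX sh and awk only.

# Print, one per line, every user or %group in FILE whose rule contains
# "NOPASSWD: ALL". Comments, blank lines, Defaults and alias lines are
# skipped; a NOPASSWD rule limited to specific commands is not reported.
nopasswd_users() {
    awk '
        /^[ \t]*#/ { next }   # comment (also #include directives)
        /^[ \t]*$/ { next }   # blank line
        /^[ \t]*(Defaults|User_Alias|Host_Alias|Cmnd_Alias|Runas_Alias)/ { next }
        /NOPASSWD:[ \t]*ALL([ \t]|$)/ { print $1 }
    ' "$1" | sort -u
}

# Number of such principals; a monitoring check can alert when it changes.
nopasswd_count() {
    nopasswd_users "$1" | wc -l | tr -d ' '
}

# Write a constructed sample (not any real host's sudoers) to a temp file
# and print its path.
make_sample_sudoers() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# Constructed sample sudoers for the audit demo
Defaults    env_reset
root    ALL=(ALL) ALL
ncayu   ALL=(ALL) ALL
ncayu   ALL=(ALL) NOPASSWD: ALL
%wheel  ALL=(ALL) NOPASSWD: ALL
deploy  ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart app
EOF
    printf '%s\n' "$f"
}

sample=$(make_sample_sudoers)
echo "principals with passwordless sudo ALL:"
nopasswd_users "$sample"
echo "count: $(nopasswd_count "$sample")"
rm -f "$sample"
```

On the sample file the audit reports ncayu and %wheel and leaves out deploy, whose NOPASSWD grant is limited to one command; rules reached through aliases or an #include would need the included files scanned as well.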
Configuring passwordless SSH on Linux
First, to be clear about what we are doing: the ncayu user on server 192.168.70.160 will log in to the ncayu02 user on server 192.168.70.170 without a password.
We first log in to server 192.168.70.160 as the ncayu user.
[root@192.168.70.160 ~]# su - ncayu
[ncayu@192.168.70.160 ~]$ pwd
/home/ncayu
Then generate the key pair on 192.168.70.160
[ncayu@192.168.70.160 ~]$ ssh-keygen -t rsa # specify RSA as the key algorithm
Generating public/private rsa key pair.
Enter file in which to save the key (/home/ncayu/.ssh/id_rsa): # full path of the file the private key is saved to
Created directory '/home/ncayu/.ssh'.
Enter passphrase (empty for no passphrase): # the passphrase may be empty
Enter same passphrase again:
Your identification has been saved in /home/ncayu/.ssh/id_rsa.
Your public key has been saved in /home/ncayu/.ssh/id_rsa.pub. # the generated public key
The key fingerprint is:
39:f2:fc:70:ef:e9:bd:05:40:6e:64:b0:99:56:6e:01 ncayu@192.168.70.160
The key's randomart image is:
+--[ RSA 2048]----+
| Eo* |
| @ . |
| = * |
| o o . |
| . S . |
| + . . |
| + . .|
| + . o . |
| .o= o. |
+-----------------+
At this point the key pair has been generated in the /home/ncayu/.ssh directory
[ncayu@192.168.70.160 ~]$ ls -la .ssh
总用量 16
drwx------ 2 ncayu ncayu 4096 8月 24 09:22 .
drwxrwx--- 12 ncayu ncayu 4096 8月 24 09:22 ..
-rw------- 1 ncayu ncayu 1675 8月 24 09:22 id_rsa
-rw-r--r-- 1 ncayu ncayu 399 8月 24 09:22 id_rsa.pub
Then upload the public key to server 192.168.70.170, for the ncayu02 user
[ncayu@192.168.70.160 ~]$ ssh-copy-id ncayu02@192.168.70.170 # enter the target host IP, 192.168.70.170
The authenticity of host '192.168.70.170 (192.168.70.170)' can't be established.
RSA key fingerprint is f0:1c:05:40:d3:71:31:61:b6:ad:7c:c2:f0:85:3c:cf.
Are you sure you want to continue connecting (yes/no)? yes # asked whether to continue connecting; enter yes
Warning: Permanently added '192.168.70.170' (RSA) to the list of known hosts.
ncayu02@192.168.70.170's password: # enter ncayu02's password; this is the only time it is required
Now try logging into the machine, with "ssh 'ncayu@192.168.70.170'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
At this point the contents of the ncayu user's public key file have been appended to the ncayu02 user's .ssh/authorized_keys file
[ncayu@192.168.70.160 ~]$ cat .ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA2dpxfvifkpswsbusPCUWReD/mfTWpDEErHLWAxnixGiXLvHuS9QNavepZoCvpbZWHade88KLPkr5XEv6M5RscHXxmxJ1IE5vBLrrS0NDJf8AjCLQpTDguyerpLybONRFFTqGXAc/ximMbyHeCtI0vnuJlvET0pprj7bqmMXr/2lNlhIfxkZCxgZZQHgqyBQqk/RQweuYAiuMvuiM8Ssk/rdG8hL/n0eXjh9JV8H17od4htNfKv5+zRfbKi5vfsetfFN49Q4xa7SB9o7z6sCvrHjCMW3gbzZGYUPsj0WKQDTW2uN0nH4UgQo7JfyILRVZtwIm7P6YgsI7vma/vRP0aw== ncayu@192.168.70.160
Check the ~/.ssh/authorized_keys file of the ncayu02 user on server 192.168.70.170.
[ncayu02@192.168.70.170 ~]$ cat .ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA2dpxfvifkpswsbusPCUWReD/mfTWpDEErHLWAxnixGiXLvHuS9QNavepZoCvpbZWHade88KLPkr5XEv6M5RscHXxmxJ1IE5vBLrrS0NDJf8AjCLQpTDguyerpLybONRFFTqGXAc/ximMbyHeCtI0vnuJlvET0pprj7bqmMXr/2lNlhIfxkZCxgZZQHgqyBQqk/RQweuYAiuMvuiM8Ssk/rdG8hL/n0eXjh9JV8H17od4htNfKv5+zRfbKi5vfsetfFN49Q4xa7SB9o7z6sCvrHjCMW3gbzZGYUPsj0WKQDTW2uN0nH4UgQo7JfyILRVZtwIm7P6YgsI7vma/vRP0aw== ncayu@192.168.70.160
Once this is done we can log in without a password
[ncayu@192.168.70.160 ~]$ ssh ncayu02@192.168.70.170
Other ways to set up passwordless login
1. Copy the public key to the server with scp, then append it to the ~/.ssh/authorized_keys file; this approach is more cumbersome.
scp -P 22 ~/.ssh/id_rsa.pub user@host:~/
2. Use the ssh-copy-id program, i.e. ssh-copy-id user@host
3. Use cat ~/.ssh/id_rsa.pub | ssh -p 22 user@host 'cat >> ~/.ssh/authorized_keys'.
This is also a commonly used method, because the port number can be changed.
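The script below is an added example, not code from the original post. It does on the receiving server what ssh-copy-id in the section above and the cat | ssh 'cat >> ~/.ssh/authorized_keys' one-liner in item 3 both do, but with the checks those shortcuts skip: it creates ~/.ssh and authorized_keys with the modes sshd requires under StrictModes (700 and 600), refuses input that is not a single public-key line, appends the key only if it is not already present, and lists the resulting file so unexpected entries stand out (the check ssh-copy-id's closing message asks for). The home directory is passed as a parameter, an assumption made here so the script can be exercised on a temporary directory, and SAMPLE_KEY is a constructed string with the shape of a key, not a real key.

```shell
#!/bin/sh
# Added example, not from the original post: the receiving-side work that
# ssh-copy-id (and "cat id_rsa.pub | ssh host 'cat >> ~/.ssh/authorized_keys'")
# performs, with permission hardening, input validation and duplicate
# suppression. The home directory is a parameter (assumption made here so
# the script runs on a temp directory). POSIX sh and awk only.

# Constructed sample key: the shape of a public key line, not a real key.
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedExampleKeyNotReal00000 ncayu@192.168.70.160'

# install_pubkey HOME_DIR PUBKEY_LINE
# Returns 0 if the key was appended, 2 if it was already authorized,
# 1 if PUBKEY_LINE is not a single public-key line.
install_pubkey() {
    home_dir="$1"
    pubkey="$2"
    ssh_dir="$home_dir/.ssh"
    auth="$ssh_dir/authorized_keys"
    nl='
'
    # Accept exactly one line starting with a known key type; this rejects a
    # pasted private key, an empty string, or several keys at once.
    case "$pubkey" in
        *"$nl"*) echo "install_pubkey: expected a single line" >&2; return 1 ;;
        'ssh-rsa '*|'ssh-ed25519 '*|'ecdsa-sha2-nistp256 '*|'ecdsa-sha2-nistp384 '*|'ecdsa-sha2-nistp521 '*) ;;
        *) echo "install_pubkey: not a public key line" >&2; return 1 ;;
    esac

    # Create directory and file with restrictive modes from the start (umask
    # in a subshell so the caller's umask is untouched), then enforce the
    # modes sshd checks under StrictModes.
    ( umask 077; mkdir -p "$ssh_dir"; touch "$auth" ) || return 1
    chmod 700 "$ssh_dir"
    chmod 600 "$auth"

    # Duplicate check on "type base64" only, so the same key re-copied with a
    # different comment is still recognised as already present.
    key_id=$(printf '%s\n' "$pubkey" | awk '{ print $1 " " $2 }')
    if awk -v id="$key_id" '($1 " " $2) == id { found = 1 } END { exit !found }' "$auth"; then
        return 2
    fi
    printf '%s\n' "$pubkey" >> "$auth"
    return 0
}

# list_authorized HOME_DIR: one line per key ("<n> <type> <comment>") so an
# administrator can spot keys they did not expect.
list_authorized() {
    auth="$1/.ssh/authorized_keys"
    [ -f "$auth" ] || { echo "no authorized_keys in $1" >&2; return 1; }
    awk '!/^[ \t]*(#|$)/ { printf "%d %s %s\n", NR, $1, ($3 != "" ? $3 : "(no comment)") }' "$auth"
}

# authorized_count HOME_DIR: number of active key lines.
authorized_count() {
    list_authorized "$1" | wc -l | tr -d ' '
}

# Demo on a temporary home directory.
demo_home=$(mktemp -d)
install_pubkey "$demo_home" "$SAMPLE_KEY"; echo "first copy, status $?"    # 0: added
install_pubkey "$demo_home" "$SAMPLE_KEY"; echo "second copy, status $?"   # 2: already present
list_authorized "$demo_home"
ls -ld "$demo_home/.ssh" "$demo_home/.ssh/authorized_keys"
rm -rf "$demo_home"
```

On a real host the target user would run install_pubkey "$HOME" "$(cat id_rsa.pub)". The 700/600 modes matter because with StrictModes (the default) sshd ignores an authorized_keys file or .ssh directory that is group- or world-writable and falls back to asking for a password; sshd applies the same writability check to the home directory itself, so that is the next thing to look at when the login still prompts.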