一、免密登录需求
平时在工作中,可能需要从一台服务器上将文件分发到其他多台服务器,如果每次都需要输入密码就显得太麻烦了,这种情况就可以通过免密登录来实现。如ansible,kubernetes等服务在部署时都有这样的需求。
二、配置SSH免密登录概述
1、ssh免密登录原理
SSH(Secure Shell)是一种加密的网络协议,用于在不安全的网络上安全地进行远程登录和其他安全网络服务。免密认证的核心思想是利用公钥和私钥进行认证,而不是每次都输入密码。只要在客户端和服务器之间正确配置了公钥和私钥,用户可以直接登录而无需输入密码。
2、相关的文件
在每台服务的~/.ssh目录下会有以下四个文件: authorized_keys: 存放远程免密登录的公钥,主要通过这个文件记录多台机器的公钥。 id_rsa: 私钥文件 id_rsa.pub: 公钥文件 known_hosts: 已知的主机公钥清单
如果将我们生成的公钥放到相应主机的对应用户的authorized_keys文件下,就可以实现免密登录。
在生成密钥时,默认会在~/.ssh目录下生成密钥(id_rsa和id_rsa.pub),如果.ssh目录不存在,则会自动创建。
三、实现免密操作
1、生成密钥
ssh-keygen -t rsa (三次回车,不输入其他信息)
-t 选项指定要使用的加密算法,“rsa”表示使用RSA算法
默认会在~/.ssh目录下生成密钥(id_rsa和id_rsa.pub),如果.ssh目录不存在,则会自动创建。
[root@oracle ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): # 密钥放置的路径
Enter passphrase (empty for no passphrase): # 配置密码保护密钥,回车为不配置
Enter same passphrase again: # 确认第二步的密码
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:A/kj+6qYV5HySoKheAo6Kx93VW1VYLN2J/wmBHn0XFw root@oracle
The key's randomart image is:
+---[RSA 2048]----+
| .o*+E|
| . ..=.=o|
| o. . o.* =|
|. . oo . . o +.|
|oo o..S . o|
|= o . o+ o o |
|oo.o.oo |
|= =o. . |
|o++...... |
+----[SHA256]-----+
2、复制本机公钥到其它机器
[root@oracle ~]# ssh-copy-id -i ~/.ssh/id_rsa.pub root@10.21.22.35
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '10.21.22.35 (10.21.22.35)' can't be established.
ECDSA key fingerprint is SHA256:BpTKrxztroqHQiyBmIcn7Y9R/rKyNgtyqvBp3TZiToU.
ECDSA key fingerprint is MD5:08:6c:1d:13:4c:a7:6f:7c:09:86:47:ea:07:a2:55:e0.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@10.21.22.35's password: # 输入服务器密码
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'root@10.21.22.35'"
and check to make sure that only the key(s) you wanted were added.
注意:有些服务器可能没有ssh-copy-id这个命令,需要安装一下
# 先查找一下ssh-copy-id命令属于哪个软件包
[root@oracle ~]# yum provides ssh-copy-id
....
openssh-clients-7.4p1-21.el7.x86_64 : An open source SSH client applications
...
# 下载软件包
[root@oracle ~]# yum install -y openssh-clients-7.4p1-21.el7.x86_64
3、登录测试
[root@oracle ~]# ssh root@10.21.22.35
Last login: Mon Aug 19 10:55:15 2024 from 10.21.28.19
# 上述可见无需输入密码即可登录
四、脚本快速实现免密登录
以上
#!/bin/bash
#---------------配置免密登录---------------#
# 远程主机IP
HOST_IP=xxxx
# 远程主机服务器密码
HOST_PASS=xxxxx
#安装expect软件包
yum install expect -y
expect << EOF
set timeout 5
spawn ssh-keygen -t rsa
expect "id_rsa):"
send "\r"
expect "passphrase):"
send "\r"
expect "again:"
send "\r"
expect eof
EOF
expect << EOF
set timeout 5
spawn ssh-copy-id root@$HOST_IP
expect "(yes/no)?"
send "yes\r"
expect "password:"
send "$HOST_PASS\r"
expect eof
EOF