Configuring passwordless SSH login on Linux

Suppose you want to log in to a target server (say 10.30.3.232) through a jump host without typing a password. The detailed setup procedure is below, for reference:

Step 1: log in to the jump host, switch to the intended account with su, and check whether a key pair (id_rsa, id_rsa.pub) already exists; if it does, skip step 2.

[it_support@localhost ~]# sudo su - root

[root@localhost ~]# ls -lha ~/.ssh/
-rw-------  1 root root    0 Jun 23  2021 authorized_keys
-rw-r--r--  1 root root 4.5K Nov 16 16:19 known_hosts
File             Purpose                                    Notes
authorized_keys  Public keys allowed to log in without a    One file records the public keys of any number of machines (create it with touch if missing)
                 password
id_rsa           Generated private key                      -
id_rsa.pub       Generated public key                       -
known_hosts      List of known host public keys             Not present by default; created automatically after the public key has been uploaded

Step 2: if the bastion host's ~/.ssh directory has no key pair (id_rsa, id_rsa.pub), generate one with ssh-keygen -t rsa (just press Enter at every prompt).

[root@localhost ~]# cat ~/.ssh/id_rsa.pub | grep ssh-rsa || ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:qHM7NtbA7XbnJryNEXxOJQ/YnxXEB7yWy+BhV0YLJpE root@localhost
The key's randomart image is:
+---[RSA 2048]----+
|           oo++=.|
|           Eo o.*|
|          . + .*o|
|       . .  +*=o |
|     ...S ooo*+. |
|     .o .  =. o  |
|    o .+ .. .    |
|     o=.+ ++o    |
|     o.+ .o*o    |
+----[SHA256]-----+

When this completes, the key pair (id_rsa, id_rsa.pub) is present in ~/.ssh:

[root@localhost ~]# ls -lha ~/.ssh/  
-rw-------  1 root root    0 Jun 23  2021 authorized_keys
-rw-------  1 root root 1.7K Jan  9 17:19 id_rsa
-rw-r--r--  1 root root  400 Jan  9 17:19 id_rsa.pub
-rw-r--r--  1 root root 4.5K Nov 16 16:19 known_hosts

Step 3: upload the jump host's public key to the target server to enable passwordless login. That is, append the contents of ~/.ssh/id_rsa.pub to ~/.ssh/authorized_keys on the target server (create the file if it does not exist). ssh-copy-id does exactly this:

ssh-copy-id -p 1618 root@10.30.3.232

When this completes, a known_hosts file in ~/.ssh holds the target server's host public key:

[root@localhost ~]# cat ~/.ssh/known_hosts | grep "10.30.3.232"
[10.30.3.232]:1618 ecdsa-sha2-nistp256 ******

Step 4: test it

ssh -p 1618 root@10.30.3.232
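The four steps above, collected into one shell script as an added example (this is not code from the original post). The host 10.30.3.232, port 1618 and the root account come from the post; the function names are this example's own. It adds the check that most often explains a "Permission denied (publickey)" after the key has been copied: sshd silently ignores a key or an authorized_keys file whose permissions are too open, which is why the listings above show the directory as 700 and the key files as 600.

```shell
#!/bin/sh
# Added example (not from the original post): the four setup steps as
# reusable functions, plus a permission check on ~/.ssh.
set -eu

# Octal mode of a path: GNU stat first, BSD stat as a fallback.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Step 1: sshd refuses keys whose files are readable by others. Returns 1
# and names the first offending path if the directory or key files are
# too permissive; returns 0 when everything is 700/600.
check_ssh_dir_perms() {
    dir=$1
    [ "$(mode_of "$dir")" = 700 ] || { echo "fix: chmod 700 $dir"; return 1; }
    for f in "$dir/id_rsa" "$dir/authorized_keys"; do
        [ -e "$f" ] || continue
        [ "$(mode_of "$f")" = 600 ] || { echo "fix: chmod 600 $f"; return 1; }
    done
    return 0
}

# Step 2: generate a pair only when the public key is missing or empty,
# mirroring "cat id_rsa.pub | grep ssh-rsa || ssh-keygen -t rsa" above.
# -N '' is the empty passphrase the post gets by pressing Enter.
ensure_keypair() {
    key=$1
    [ -s "$key.pub" ] || ssh-keygen -t rsa -N '' -f "$key"
}

# Step 3: append the public key to the target's authorized_keys.
push_key() {
    ssh-copy-id -i "$3.pub" -p "$2" "root@$1"
}

# Step 4: BatchMode=yes makes ssh fail instead of falling back to a
# password prompt, so a success here proves the key itself is accepted.
test_login() {
    ssh -o BatchMode=yes -o PasswordAuthentication=no -p "$2" "root@$1" true
}

# Usage: sh setup_key.sh 10.30.3.232 1618
if [ $# -ge 2 ]; then
    check_ssh_dir_perms "$HOME/.ssh"
    ensure_keypair "$HOME/.ssh/id_rsa"
    push_key "$1" "$2" "$HOME/.ssh/id_rsa"
    test_login "$1" "$2" && echo "passwordless login to $1:$2 works"
fi
```

Run it on the jump host as the account that will do the logging in; if check_ssh_dir_perms prints a "fix:" line, apply that chmod before re-running, since ssh-copy-id will otherwise install a key that the server then never uses.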

Problems encountered

Scenario 1: login fails with Permission denied after configuring passwordless login

  • Symptom: after configuring passwordless login, logging in to the server fails with Permission denied
[root@localhost ~]# ssh -p 1618 root@10.30.3.232
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:fbwp9nIMYhEvzvy+Om9fh35D64Er1puKMdbVjQFZVdA.
Please contact your system administrator.
Add correct host key in /home/root/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /home/root/.ssh/known_hosts:170
Password authentication is disabled to avoid man-in-the-middle attacks.
Keyboard-interactive authentication is disabled to avoid man-in-the-middle attacks.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
  • Fix: check ~/.ssh/known_hosts, delete the record for that IP, then run ssh-copy-id -p 1618 root@10.30.3.232 again
cat ~/.ssh/known_hosts | grep "10.30.3.232"
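An added example for scenario 1 (not code from the original post) that reads the warning above, removes the stale entry with ssh-keygen -R instead of hand-editing the file, and fetches the fingerprint the server presents now so it can be compared before the new key is trusted. The warning text, the host 10.30.3.232 and port 1618 come from the post; the function names and the verification step are this example's own. The message says the cached key no longer matches the one the server sends, which is what a reinstall or rekey looks like but also what an interposed host looks like, so the check that settles it is whether the fingerprint the server presents now equals what the target's own administrator reads from ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub on the server.

```shell
#!/bin/sh
# Added example (not from the original post): recovering from
# "REMOTE HOST IDENTIFICATION HAS CHANGED" without blindly trusting the
# new key.
set -eu

# Constructed sample, copied from the warning shown above.
SAMPLE_WARNING='The fingerprint for the ECDSA key sent by the remote host is
SHA256:fbwp9nIMYhEvzvy+Om9fh35D64Er1puKMdbVjQFZVdA.
Please contact your system administrator.
Offending ECDSA key in /home/root/.ssh/known_hosts:170'

# The known_hosts line number the warning points at ("...:170").
offending_line() {
    printf '%s\n' "$1" | sed -n 's/^Offending .* key in .*:\([0-9][0-9]*\)$/\1/p'
}

# The fingerprint the server presented, as printed in the warning.
offending_fingerprint() {
    printf '%s\n' "$1" | grep -o 'SHA256:[A-Za-z0-9+/]*' | head -n 1
}

# Fingerprint of the key the server presents right now, fetched with
# ssh-keyscan. It should equal offending_fingerprint (same key the
# warning saw) and, decisively, the output of
#   ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub
# run by the target's admin on the server itself.
current_fingerprint() {
    ssh-keyscan -p "$2" -t ecdsa "$1" 2>/dev/null | ssh-keygen -lf - | awk '{print $2}'
}

# Remove the stale entry. "[host]:port" is the form ssh records for a
# non-default port, as in the post's known_hosts line. ssh-keygen -R also
# matches hashed entries and leaves a known_hosts.old backup, which
# deleting line 170 by hand does not. Third argument: known_hosts path.
forget_host() {
    ssh-keygen -R "[$1]:$2" -f "${3:-$HOME/.ssh/known_hosts}"
}

# Usage: sh hostkey_changed.sh 10.30.3.232 1618 [--verified]
if [ $# -ge 2 ]; then
    echo "offending line: $(offending_line "$SAMPLE_WARNING")"
    echo "server now presents: $(current_fingerprint "$1" "$2")"
    # Pass --verified only after the fingerprint matched the server's own.
    if [ "${3:-}" = --verified ]; then
        forget_host "$1" "$2"
        ssh-copy-id -p "$2" "root@$1"
    fi
fi
```

Once the entry is gone, the next ssh-copy-id asks for the password again and records the new host key, which is the state the post's fix restores.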
Copyright © https://yan-jian.com 2023 all rights reserved. Last updated: 2023-12-20 17:29:46
