To log in from machineA to machineB without a password, generate a key pair on machine A and append its public key to the authorized_keys file on machine B. Two steps:

1. Create the key pair

Change to the directory /root/.ssh/ on machineA and generate an RSA key pair:
[[email protected] .ssh]# ssh-keygen -t rsa
Generating public/private rsa key pair.
# Enter the file name for the generated key; id_rsa is fine
Enter file in which to save the key (/root/.ssh/id_rsa): id_rsa
# Enter a passphrase for id_rsa. Leave it empty and just press Enter, otherwise passwordless login will still prompt for it (Enter passphrase for key '/root/.ssh/id_rsa')
Enter passphrase (empty for no passphrase): 
# Press Enter
Enter same passphrase again: 
# Done; ll -rt shows the generated files id_rsa and id_rsa.pub
Your identification has been saved in id_rsa.
Your public key has been saved in id_rsa.pub.
The key fingerprint is:
6b:80:9b:a1:d6:0d:0b:dc:f3:0d:ad:a7:fe:da:d8:cf [email protected]
The key's randomart image is:
--[ RSA 2048]---- 
|                 |
|                 |
|                 |
| . . . .         |
|  o * o S        |
|     X = .       |
|  o =   =        |
| .     B .       |
|     .=o .E      |
----------------- 
[[email protected] .ssh]# ll -rt
total 12
-rw-r--r-- 1 root root  781 Feb 15 15:54 known_hosts
-rw-r--r-- 1 root root  393 Feb 15 15:59 id_rsa.pub
-rw------- 1 root root 1743 Feb 15 15:59 id_rsa

2. Append the public key to ~/.ssh/authorized_keys on machineB

# Append the key to the remote host's .ssh/authorized_keys, so that logging in from this machine to the remote host 172.18.0.21 no longer needs a password (i.e. ssh 172.18.0.21, or the hostname Salve3, from this machine)
[[email protected] .ssh]# ssh-copy-id -i /root/.ssh/id_rsa.pub root@172.18.0.21
# Enter the password for machine B
root@172.18.0.21's password: 
Now try logging into the machine, with "ssh 'root@172.18.0.21'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
[[email protected] ~]# ssh machineB
Last login: Wed Feb 15 16:31:22 2017 from 172.18.0.150
[[email protected] ~]# 

3. On machine B, view the contents of authorized_keys; the key has been appended

[[email protected] .ssh]# pwd
/root/.ssh
[[email protected] .ssh]# cat authorized_keys 
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAvMbc9fsAGLvXyJQo2xS540FWi8tMJvtMHNTlsSb4Oh14Vjk6iQZxumkEUDbbbrxemlMgxIyRzDuUjrE 1T1N3fxJJTZw94LvogzAXDvcVloBFiHc3/BNszguhs6zTb56hTZJ21tJlr8PVqKSoFtSdECr FO4tg4QLFEiqseWuGaou1d0WY8yAfMrDXu 10 pYMibI8EswpGOfef1heg04sMJe4/lep1LshHLx2HgzrNW5wpWU0CH65HCjqVs1mWu1Q9dcXhG0RPXYv0IKDGQt/cl74FssIRhIWaYyxw/lKtjA9eFz92KXDJI58l96 wn/z1kh13ZgvZA 3Lo4o85qw== [email protected]
[[email protected] .ssh]# 

4. Test logging in from machine A to machine B

[[email protected] ~]# ssh machineB
Last login: Wed Feb 15 16:31:22 2017 from 172.18.0.150
[[email protected] ~]# 

5. Passwordless login for other users

Reminder: passwordless login only takes effect for the user account that did the setup; other login accounts are not affected.
ssh does not allow the home directory (for non-root users usually under /home) or the ~/.ssh directory to be group-writable.
So when configuring passwordless login for a non-root user, you may often find that the configuration completes but does not take effect. Check the system security log for the ssh login attempt; for example, here the current user is HByw_root:

sudo cat /var/log/secure
...
Apr 16 14:19:02 nn1 sshd[10379]: Authentication refused: bad ownership or modes for directory /home/HByw_root
Apr 16 14:19:03 nn1 sshd[10380]: Connection closed by 172.16.0.222
Apr 16 14:19:39 nn1 sudo:     root : TTY=pts/1 ; PWD=/home/HByw_root ; USER=root ; COMMAND=/bin/cat /var/log/secure
Apr 16 13:55:50 db1 sshd[9736]: Authentication refused: bad ownership or modes for file /home/HByw_root/.ssh/authorized_keys
Apr 16 13:55:52 db1 sshd[9737]: Connection closed by ::1
Apr 16 13:55:54 db1 sudo:     root : TTY=pts/28 ; PWD=/home/HByw_root/.ssh ; USER=root ; COMMAND=/bin/cat /var/log/secure
...

The directory or file named in the log has the wrong owning group or permissions; check it against the following:

1. Directory and file permissions
For security, sshd has requirements on the permissions of the owner's directories and files.
If the permissions are wrong, passwordless ssh login does not work, so the lazy chmod 777 approach must not be applied across the board.
The user's home directory must be 755 or 700, not 77x.
The .ssh directory is normally 755 or 700.
id_rsa.pub and authorized_keys are normally 644.
id_rsa must be 600.
For example, the current login user belongs to the root group but is not the root user:
# Check the current user
[[email protected] .ssh]# cat  /etc/passwd
HByw_root:x:0:0::/home/HByw_root:/bin/bash
[[email protected] .ssh]# groups HByw_root
HByw_root : root
# Set the permissions again
# Home directory
[[email protected] ~]# cd /home/
[[email protected] home]# chmod 700 HByw_root/
[[email protected] home]# ll
total 24
drwx------ 5 root   root    4096 Apr 16 13:54 HByw_root
# .ssh directory
[[email protected] ~]# cd /home/HByw_root/
[[email protected] ~]# chmod 700 .ssh/
[[email protected] ~]# ll -a
drwx------  2 root root 4096 Apr 16 14:52 .ssh
# Go into the default generation directory /root and check the id_rsa and id_rsa.pub files
[[email protected] .ssh]# cd /root/.ssh/
[[email protected] .ssh]# chmod 600 id_rsa
[[email protected] .ssh]# chmod 644 id_rsa.pub 
[[email protected] .ssh]# ll
-rw------- 1 root root 1675 Apr 16 14:16 id_rsa
-rw-r--r-- 1 root root  396 Apr 16 14:16 id_rsa.pub
# Restart the ssh service
sudo service sshd restart
# You can also test passwordless login to this machine first
# i.e. append the key to this machine's own ~/.ssh/authorized_keys
# Test passwordless login: success!
[[email protected] home]# ssh [email protected]
Last login: Mon Apr 16 14:56:24 2018 from 172.16.0.166
[[email protected] ~]# 
# Now the public key can be appended to the destination machine
[[email protected] ~]#ssh-copy-id -i /root/.ssh/id_rsa.pub [email protected]
[[email protected] ~]# ssh [email protected]
Last login: Mon Apr 16 15:39:24 2018 from 172.16.0.211
[[email protected] ~]# 
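An added example, not code from the original post, that turns the rules in step 5 into a check: it audits the ownership and modes of the home directory, .ssh, authorized_keys and id_rsa the way sshd does before it honours authorized_keys, and pulls the refused paths out of /var/log/secure lines like the ones quoted above. It assumes GNU coreutils (stat -c), as on the CentOS hosts in the post; the two sample log lines are copied from the post's log excerpt.

```shell
# Added example (not from the original post): audit the ownership and modes sshd
# requires (StrictModes, the default) before it honours authorized_keys, and pull
# the offending paths out of /var/log/secure lines. Assumes GNU 'stat -c' (CentOS).
mode_of()  { stat -c '%a' "$1"; }   # octal mode, e.g. 700
owner_of() { stat -c '%U' "$1"; }   # owning user name

# True when the group or world write bit is set (last two digits in 2,3,6,7).
group_or_world_writable() {
    case $(mode_of "$1") in *[2367]?|*[2367]) return 0 ;; esac
    return 1
}

# audit_ssh_modes HOME [USER]: print one line per problem sshd would refuse on,
# return 0 only when home, .ssh, authorized_keys and id_rsa are all acceptable.
audit_ssh_modes() {
    home=$1; user=${2:-$(id -un)}; rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$p" ] || continue
        o=$(owner_of "$p")
        if [ "$o" != "$user" ] && [ "$o" != root ]; then
            echo "bad ownership for $p: owned by $o, expected $user or root"; rc=1
        fi
        if group_or_world_writable "$p"; then
            echo "bad modes for $p ($(mode_of "$p")): must not be group/world writable"; rc=1
        fi
    done
    key=$home/.ssh/id_rsa   # client side: a private key readable by others is rejected
    if [ -e "$key" ]; then
        case $(mode_of "$key") in *00) ;; *) echo "private key $key must be 600"; rc=1 ;; esac
    fi
    return $rc
}

# refused_paths: read sshd log lines on stdin, print the path named in each
# "Authentication refused: bad ownership or modes" entry.
refused_paths() { sed -n 's/.*Authentication refused: bad ownership or modes for [a-z]* //p'; }

# Two lines copied from the post's /var/log/secure excerpt, used as sample input.
SAMPLE_LOG='Apr 16 14:19:02 nn1 sshd[10379]: Authentication refused: bad ownership or modes for directory /home/HByw_root
Apr 16 13:55:50 db1 sshd[9736]: Authentication refused: bad ownership or modes for file /home/HByw_root/.ssh/authorized_keys'

# Demo on a throwaway home that repeats the mistakes behind those log lines.
demo() {
    tmp=$(mktemp -d) && mkdir -p "$tmp/.ssh" && : > "$tmp/.ssh/authorized_keys"
    chmod 775 "$tmp"; chmod 700 "$tmp/.ssh"; chmod 664 "$tmp/.ssh/authorized_keys"
    echo "paths sshd refused:"; printf '%s\n' "$SAMPLE_LOG" | refused_paths
    echo "before chmod:"; audit_ssh_modes "$tmp" || true
    chmod 700 "$tmp"; chmod 644 "$tmp/.ssh/authorized_keys"
    echo "after chmod:"; audit_ssh_modes "$tmp" && echo "all ownership and modes acceptable"
    rm -rf "$tmp"
}
demo
```

Run it as the user whose login fails, pointing audit_ssh_modes at that user's home, to get the same list of paths sshd would otherwise only reveal in /var/log/secure.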

That's all!