Configuring passwordless SSH login on Linux
Suppose you want to log in to a target server (for example 10.30.3.232) through a jump host without a password. The detailed configuration steps are below, for reference:
Step 1: log in to the jump host, `su` to the intended account, and check whether a key pair (id_rsa, id_rsa.pub) already exists. If it does, skip step 2.
```
[it_support@localhost ~]# sudo su - root
[root@localhost ~]# ls -lha ~/.ssh/
-rw------- 1 root root 0 Jun 23 2021 authorized_keys
-rw-r--r-- 1 root root 4.5K Nov 16 16:19 known_hosts
```
File | Purpose | Notes |
---|---|---|
authorized_keys | Public keys allowed to log in without a password | Holds the public keys of several machines, one per line (create it with `touch` if missing) |
id_rsa | Generated private key | - |
id_rsa.pub | Generated public key | - |
known_hosts | List of host keys of known hosts | Absent by default; generated automatically after the public key has been uploaded |
Step 2: if the jump host's ~/.ssh directory contains no key pair (id_rsa, id_rsa.pub), generate one with `ssh-keygen -t rsa` (just press Enter at every prompt):
```
[root@localhost ~]# cat ~/.ssh/id_rsa.pub | grep ssh-rsa || ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:qHM7NtbA7XbnJryNEXxOJQ/YnxXEB7yWy+BhV0YLJpE root@localhost
The key's randomart image is:
+---[RSA 2048]----+
| oo++=.|
| Eo o.*|
| . + .*o|
| . . +*=o |
| ...S ooo*+. |
| .o . =. o |
| o .+ .. . |
| o=.+ ++o |
| o.+ .o*o |
+----[SHA256]-----+
```
Once this finishes, the key pair (id_rsa, id_rsa.pub) is present in ~/.ssh:
```
[root@localhost ~]# ls -lha ~/.ssh/
-rw------- 1 root root 0 Jun 23 2021 authorized_keys
-rw------- 1 root root 1.7K Jan 9 17:19 id_rsa
-rw-r--r-- 1 root root 400 Jan 9 17:19 id_rsa.pub
-rw-r--r-- 1 root root 4.5K Nov 16 16:19 known_hosts
```
Step 3: upload the jump host's public key to the target server to enable passwordless login. In other words, append the content of ~/.ssh/id_rsa.pub to the ~/.ssh/authorized_keys file on the target server (create the file if it does not exist). `ssh-copy-id` does this for you:
```
ssh-copy-id -p 1618 root@10.30.3.232
```
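The following is an added example (not code from the original post) showing what step 3 amounts to on the target side when done by hand instead of with `ssh-copy-id`: the public-key line is appended to `authorized_keys` only if it is not already there, and the directory and file get the permissions sshd expects (with `StrictModes`, the default, sshd ignores an `authorized_keys` file that is writable by others, which is another source of "Permission denied (publickey)"). The directory path and key lines used here are constructed placeholders.

```shell
#!/bin/sh
# Added example: install one public-key line into an authorized_keys file
# the way ssh-copy-id does on the remote side, idempotently and with the
# permissions sshd requires. Paths and key blobs are constructed placeholders.

install_authorized_key() {
    # $1: directory standing in for the target user's ~/.ssh
    # $2: one public-key line, exactly as found in id_rsa.pub
    ssh_dir=$1
    key_line=$2
    auth_file="$ssh_dir/authorized_keys"

    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"                 # sshd rejects a group/world-writable ~/.ssh
    [ -f "$auth_file" ] || : > "$auth_file"
    chmod 600 "$auth_file"               # same for authorized_keys itself

    # Compare only key type + base64 blob; the trailing comment may differ.
    key_id=$(printf '%s\n' "$key_line" | awk '{print $1 " " $2}')
    if awk -v id="$key_id" '($1 " " $2) == id {found = 1} END {exit !found}' "$auth_file"; then
        echo "already present: $key_id"
        return 0
    fi
    printf '%s\n' "$key_line" >> "$auth_file"
    echo "installed: $key_id"
}

count_authorized_keys() {
    # Number of key lines (non-empty, not comments) in an authorized_keys file.
    awk 'NF && $1 !~ /^#/ {n++} END {print n + 0}' "$1"
}
```

Usage on a real target would be `install_authorized_key ~/.ssh "$(cat jump_host_id_rsa.pub)"`; running it twice with the same key leaves a single entry, which is also why `ssh-copy-id` can be re-run safely.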
Afterwards, ~/.ssh contains a known_hosts file in which the target server's host key has been saved:
```
[root@localhost ~]# cat ~/.ssh/known_hosts | grep "10.30.3.232"
[10.30.3.232]:1618 ecdsa-sha2-nistp256 ******
```
Step 4: test it
```
ssh -p 1618 root@10.30.3.232
```
Problems encountered
Scenario 1: Permission denied after configuring passwordless login
- Symptom: after configuring passwordless login, ssh to the server fails with Permission denied
```
[root@localhost ~]# ssh -p 1618 root@10.30.3.232
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:fbwp9nIMYhEvzvy+Om9fh35D64Er1puKMdbVjQFZVdA.
Please contact your system administrator.
Add correct host key in /home/root/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /home/root/.ssh/known_hosts:170
Password authentication is disabled to avoid man-in-the-middle attacks.
Keyboard-interactive authentication is disabled to avoid man-in-the-middle attacks.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
```
- Cause: the host key the server now presents does not match the one recorded on line 170 of ~/.ssh/known_hosts. Because of that mismatch ssh disables password and keyboard-interactive authentication, so the only method left is publickey, which fails if the key was never installed. Confirm that the fingerprint in the warning (SHA256:fbwp9n...) matches the one the server's administrator reports, for example because the server was reinstalled, before touching known_hosts.
- Solution: open ~/.ssh/known_hosts, delete the entry for that IP, then run `ssh-copy-id -p 1618 root@10.30.3.232` again and check that a fresh entry has been recorded:
```
cat ~/.ssh/known_hosts | grep "10.30.3.232"
```
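As an added example for the scenario above (not code from the original post), the shell functions below locate the known_hosts entries for one host, in the `[host]:port` form ssh uses for a non-default port, and remove them so that `ssh-copy-id` can record the new key. The known_hosts content and key blobs in the test are constructed placeholders. On a real system `ssh-keygen -F '[10.30.3.232]:1618'` and `ssh-keygen -R '[10.30.3.232]:1618'` do the same lookup and removal, and also handle hashed (`|1|...`) entries, which these plain-text functions deliberately skip, as they do `@cert-authority` and `@revoked` markers.

```shell
#!/bin/sh
# Added example, not from the original post: find and remove the offending
# known_hosts entries for a single host before re-running ssh-copy-id.
# Hashed entries (|1|...) and marker lines (@cert-authority, @revoked) are
# left alone; use ssh-keygen -R for those.

known_hosts_find() {
    # $1: known_hosts file; $2: host as ssh records it, e.g. "[10.30.3.232]:1618"
    # Prints "line:keytype" for every matching plain-text entry.
    awk -v host="$2" '
        $1 !~ /^[|@#]/ {
            n = split($1, names, ",")            # one entry may list host,ip,alias
            for (i = 1; i <= n; i++)
                if (names[i] == host) { print NR ":" $2; break }
        }' "$1"
}

known_hosts_remove() {
    # Rewrites $1 without the entries for host $2; prints how many lines went.
    before=$(wc -l < "$1" | tr -d ' ')
    tmp="$1.tmp.$$"
    awk -v host="$2" '
        {
            keep = 1
            if ($1 !~ /^[|@#]/) {
                n = split($1, names, ",")
                for (i = 1; i <= n; i++) if (names[i] == host) keep = 0
            }
            if (keep) print
        }' "$1" > "$tmp"
    cat "$tmp" > "$1" && rm -f "$tmp"           # keep the original inode and mode
    after=$(wc -l < "$1" | tr -d ' ')
    echo $((before - after))
}

known_hosts_fingerprints() {
    # Show the recorded fingerprints so they can be compared with the
    # SHA256:... value in the warning; needs ssh-keygen, which may be absent.
    command -v ssh-keygen >/dev/null 2>&1 && ssh-keygen -l -f "$1"
}
```

Typical use is `known_hosts_find ~/.ssh/known_hosts '[10.30.3.232]:1618'` to see which lines would go (the line number should match the `known_hosts:170` in the warning), `known_hosts_fingerprints ~/.ssh/known_hosts` to compare the old fingerprint with what the server now presents, and only then `known_hosts_remove ~/.ssh/known_hosts '[10.30.3.232]:1618'` followed by `ssh-copy-id`.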