在当前服务器生成密钥对 ssh-keygen –t rsa –P ”
ssh-keygen –t rsa –P ''
[root@localhost ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
59:17:be:64:5e:23:d3:76:eb:8f:87:5a:e8:8f:d9:b5
root@localhost.localdomain
The key's randomart image is:
+--[ RSA 2048]----+
......
确认一路回车,命令默认会在用户家目录下生成.ssh目录,有两密钥对文件
[root@Centos6 ~]# cd .ssh/
[root@Centos6 .ssh]# ll
total 16
-rw-r--r--. 1 root root 416 Nov 7 08:09 authorized_keys
-rw-------. 1 root root 1671 Nov 7 08:06 id_rsa
-rw-r--r--. 1 root root 416 Nov 7 08:06 id_rsa.pub
-rw-r--r--. 1 root root 784 Nov 7 08:21 known_hosts
[root@Centos6 .ssh]#
//id_rsa是私钥,id_rsa.pub是公钥
接着在master节点上做如下配置,把id_rsa.pub追加到授权的key里面去。
cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
[root@Centos6 ~]# 非root用户则需要授权
服务器改SSH配置文件”vim sshd_config”修改如下内容(去掉前面的注释)
RSAAuthentication yes # 启用 RSA 认证
PubkeyAuthentication yes # 启用公钥私钥配对认证方式
AuthorizedKeysFile .ssh/authorized_keys # 公钥文件路径同上
# 有了证书登录了,就把密码登录禁用,安全要紧
PasswordAuthentication no
最后重启ssh服务
systemctl restart sshd.service
测试登录
ssh localhost
[root@Centos6 ~]# ssh localhost
Last login: Mon Nov 7 08:34:38 2016 from localhost
[root@Centos6 ~]#
第一次要确认输入yes,以后就不用。
因为无法确认host主机的真实性,只知道它的公钥指纹,问你还想不想继续
继续,会将localhost加入known hosts中,后面就不会再出现这种情况了。
Centos7 配置用于节点鉴别权限的SSH密钥
功能同上面的一样,只是这种方法我在ansible上用就记下来了。怕忘
root@localhost ~]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
da:7a:b6:8c:e3:05:da:d4:04:0a:a4:43:58:f0:e1:33 root@localhost.localdomain
The key's randomart image is:
+--[ RSA 2048]----+
|o== . |
|o+ o . . |
|o E . . |
| . o o |
| o S |
| + + |
| . o o |
| .=o |
| .++o. |
+-----------------+
[root@localhost ~]#
使用ssh-copy-id命令来复制Ansible公钥到每个节点中。
[root@localhost ~]# ssh-copy-id -i root@10.1.252.205
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@10.1.252.205's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'root@10.1.252.205'"
and check to make sure that only the key(s) you wanted were added.
[root@localhost ~]#
还有很多都可以复制到节点上的
scp、ansible all -m copy -a (copy是ansible命令里的一个模块)
生成一个文件
ansible all -m copy -a "src=/root/.ssh/id_rsa.pub dest=/tmp/id_rsa.pub" --ask-pass -c paramiko
再拷贝到远程服务器上
ansible all -m shell -a "cat /tmp/id_rsa.pub >> /root/.ssh/authorized_keys" --ask-pass -c paramiko 原创文章,作者:51eA,如若转载,请注明出处:http://www.178linux.com/58401
