Linux系统互信ssh的配置方法

千家信息网最后更新 2024年11月23日Linux系统互信ssh的配置方法一、ssh互信的介绍 ssh互信是两台机器（terminal-1和terminal-2）经过预先设置好认证的key文件，双方互相访问时，进行自动认证，无需再次输入密码，从而实现互信。 实现原理： 1.在要配置互信的机器（terminal-1和terminal-2）上生成各自经过认证的key文件。 2.将所有的key文件汇总到一个总的认证文件夹中。 3.将打包的key发给想要进行互信的机器（terminal-1和terminal-2） 4.互信验证
二、实验 1. 两台机器检查（sam 172.16.211.129 suzzy 172.16.211.130） terminal-1:

1. [root@sam ~]# hostname
   
2. sam
   
3. terminal-2:
   
4. [root@suzzy ~]# hostname
   
5. suzzy

2. sam机器ssh到suzzy机器（需要输入正确密码才可以登录） 密码正确：

1. [root@sam ~]# ssh suzzy
   
2. The authenticity of host 'suzzy (172.16.211.130)' can't be established.
   
3. RSA key fingerprint is e0:4b:15:f3:fe:6c:2d:11:f7:ad:7e:a6:d6:65:0e:0d.
   
4. Are you sure you want to continue connecting (yes/no)? yes
   
5. Warning: Permanently added 'suzzy,172.16.211.130' (RSA) to the list of known hosts.
   
6. root@suzzy's password:
   
7. Last login: Fri Oct 30 15:27:15 2015 from 172.16.211.1
   
8. [root@suzzy ~]#

密码错误：

1. [root@sam ~]# ssh suzzy
   
2. root@suzzy's password:
   
3. Permission denied, please try again.
   
4. root@suzzy's password:
   
5. Permission denied, please try again.
   
6. root@suzzy

3. 创建互信所用到的目录并修改权限（如果没有的话），如果你用过ssh登录过对方机器，该目录会自动创建，即便登录不成功。

1. [root@sam ~]# rm -rf .ssh
   
2. [root@sam ~]# mkdir .ssh
   
3. [root@sam ~]# chmod 755 .ssh
   
4. [root@sam ~]# ls -la
   
5. total 376
   
6. dr-xr-x---. 31 root root 4096 Oct 30 16:05 .
   
7. dr-xr-xr-x. 28 root root 4096 Aug 31 15:28 ..
   
8. drwxr-xr-x. 2 root root 4096 Nov 27 2014 .abrt
   
9. … ...
   
10. drwxr-xr-x 2 root root 4096 Oct 30 16:05 .ssh

4. 创建密钥（默认回车） sam机器：

1. [root@sam ~]# /usr/bin/ssh-keygen -t rsa
   
2. Generating public/private rsa key pair.
   
3. Enter file in which to save the key (/root/.ssh/id_rsa):
   
4. Enter passphrase (empty for no passphrase):
   
5. Enter same passphrase again:
   
6. Your identification has been saved in /root/.ssh/id_rsa.
   
7. Your public key has been saved in /root/.ssh/id_rsa.pub.
   
8. The key fingerprint is:
   
9. 70:d2:c8:c6:01:6d:1c:2b:2e:8c:89:c0:ae:fc:14:2d root@sam
   
10. The key's randomart image is:
    
11. +--[ RSA 2048]----+
    
12. | .+o. |
    
13. |. o+= |
    
14. |.. ..O o |
    
15. |++ ..o + |
    
16. |+.oE.. S |
    
17. |o .o |
    
18. |.. . |
    
19. | o |
    
20. | . |
    
21. +-----------------+
    
22. [root@sam .ssh]# ll
    
23. total 8
    
24. -rw------- 1 root root 1675 Oct 30 17:42 id_rsa
    
25. -rw-r--r-- 1 root root 390 Oct 30 17:42 id_rsa.pub
    
26. 
    
27. [root@sam .ssh]# /usr/bin/ssh-keygen -t dsa
    
28. Generating public/private dsa key pair.
    
29. Enter file in which to save the key (/root/.ssh/id_dsa):
    
30. Enter passphrase (empty for no passphrase):
    
31. Enter same passphrase again:
    
32. Your identification has been saved in /root/.ssh/id_dsa.
    
33. Your public key has been saved in /root/.ssh/id_dsa.pub.
    
34. The key fingerprint is:
    
35. 9e:12:19:4e:6a:d5:46:64:47:3d:f9:2a:11:e0:49:ad root@sam
    
36. The key's randomart image is:
    
37. +--[ DSA 1024]----+
    
38. | .*+o. . |
    
39. | * oo + |
    
40. | + =. . o |
    
41. | = +E . . |
    
42. | o + S . . |
    
43. | . o .. . |
    
44. | . o . |
    
45. | . |
    
46. | |
    
47. +-----------------+
    
48. [root@sam .ssh]# ll
    
49. total 16
    
50. -rw------- 1 root root 672 Oct 30 17:49 id_dsa
    
51. -rw-r--r-- 1 root root 598 Oct 30 17:49 id_dsa.pub
    
52. -rw------- 1 root root 1675 Oct 30 17:42 id_rsa
    
53. -rw-r

注：suzzy机器同上

1. [root@suzzy ~]# ssh-keygen -t rsa
   
2. Generating public/private rsa key pair.
   
3. Enter file in which to save the key (/root/.ssh/id_rsa):
   
4. Enter passphrase (empty for no passphrase):
   
5. Enter same passphrase again:
   
6. Your identification has been saved in /root/.ssh/id_rsa.
   
7. Your public key has been saved in /root/.ssh/id_rsa.pub.
   
8. The key fingerprint is:
   
9. d9:d1:27:75:5b:85:a2:af:77:75:83:74:d1:2a:02:35 root@suzzy
   
10. The key's randomart image is:
    
11. +--[ RSA 2048]----+
    
12. | .E ..*|
    
13. | . o...o+|
    
14. | ...o..o.|
    
15. | oo..+.. |
    
16. | S .o..o |
    
17. | .. .o|
    
18. | . .o|
    
19. | . . . |
    
20. | . . |
    
21. +-----------------+
    
22. [root@suzzy ~]# ssh-keygen -t dsa
    
23. Generating public/private dsa key pair.
    
24. Enter file in which to save the key (/root/.ssh/id_dsa):
    
25. Enter passphrase (empty for no passphrase):
    
26. Enter same passphrase again:
    
27. Your identification has been saved in /root/.ssh/id_dsa.
    
28. Your public key has been saved in /root/.ssh/id_dsa.pub.
    
29. The key fingerprint is:
    
30. c4:94:b1:87:9a:34:1d:35:cb:51:03:12:f1:86:b7:fe root@suzzy
    
31. The key's randomart image is:
    
32. +--[ DSA 1024]----+
    
33. | B*=oo |
    
34. | +.O + . |
    
35. | o B B |
    
36. | . = + . |
    
37. | o S . |
    
38. | . |
    
39. | . |
    
40. | . |
    
41. | E |
    
42. +

5. 将每个主机上的公共密钥文件id_rsa.pub和id_dsa.pub的内容复制到~/.ssh/authorized_keys文件中。并把这个文件分别放到所有机器中。注意，当您第一次使用ssh访问远程主机时，其RSA密钥是未知的，所以提示确认一下，确认完毕后SSH将记录远程主机的RSA密钥，以后连接该主机就不用密码了。

1. [root@sam .ssh]# cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
   
2. [root@sam .ssh]# cat ~/.ssh/id_dsa.pub >> ~/.ssh/authorized_keys
   
3. [root@sam .ssh]# ssh root@suzzy cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
   
4. The authenticity of host 'suzzy (172.16.211.130)' can't be established.
   
5. RSA key fingerprint is e0:4b:15:f3:fe:6c:2d:11:f7:ad:7e:a6:d6:65:0e:0d.
   
6. Are you sure you want to continue connecting (yes/no)? yes
   
7. Warning: Permanently added 'suzzy,172.16.211.130' (RSA) to the list of known hosts.
   
8. root@suzzy's password:
   
9. [root@sam .ssh]# ssh root@suzzy cat ~/.ssh/id_dsa.pub >> ~/.ssh/authorized_keys
   
10. root@suzzy

6. 检查总密钥文件

1. [root@sam .ssh]# ls -l authorized_keys
   
2. -rw-r--r-- 1 root root 1980 Oct 30 18:19 authorized_keys
   
3. [root@sam .ssh]# cat authorized_keys
   
4. ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAzxsnq3tyb50Z+uRGp0tFpMOSTqZpvOvcyrB0S2vbL0YdUl4oJg2xnwo6duteS5EHzoVKzRjSdfrDM5owKRVsWJnufAA/o6z0kiiYje6Cvfd5hlw/jgJtU1TVuzZsj+bwnCzWuSKfkkM/uhBvWk9UQe0GuTClUn4bxuXuFNGwWuDi020pwwNLdUbEtH93rhWFGskUrj9s2RLd3eDquT18TQzNGwwG0PrbedxyT57aVdbqKyLnxMDx/eOHKW4dWZQMIaUe/n73rjuGG43F6oRFk3R52bMSdOqYqljUSI5FmtBAAO1AyTALldg09rdg6PqTlYyQvLt1T9JVok6BLm9nHQ== root@sam
   
5. ssh-dss AAAAB3NzaC1kc3MAAACBAPR47OE9s4nnzVEpoH6/rPgJexROcNSwMPJeF9QSXpuIcbUNmLocrab8xQ33rfFkjUOAaf5PG9AJa3T0FReobaEA8uRui4NjJJ74/Bjs+Rm6Lg9FAeboIwBAuEyIG4VcoFXCf7bpplg6+hiRd4oNkuDA+GJdVMyBqWvborAIhuPJAAAAFQCnj9Ft5BQs5tzP6uoV0pBvx7lEAQAAAIEA15+u2GTGGiEMeeCCOwu4kQNjKUGHrZsMBepbOmaBImBeYJP3Q76dpSxjJpPjQ/bk61oVHnKjceuXwpmiND08BvjrGAtw15q2wodKdr0EnRjFQ/8MIWsfSgkBx1ngWDvAD+YqZI1V9imnUUEU+Xlq84PDxDKn45tZ2sauSkYWrhwAAACBAK3I2fkbaLwd/3gWcXkMoA7jm2euYB48DXm2NMYe0WddI/lN+LocRKEf9ZEwts48tw7G/lwcD+eP6jWPYNnSBr8xavjt3ZtVlGnuUlU4yuzUFvtBC8AnG7nyihEFM7lM+V2N0Tx/83K6gRXFGDoOpT4/xfEFxlVFsLdfuuodHhh4 root@sam
   
6. ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA1H5kArvHN1jagQEUIwTHBEQXI0CHNgMJMZrnIlgNY2ssSFKfJdCdA8bfBtoIesfBSLfyQHFFqwh6CZqfXTlhL6JLlVL0anUnpEHX9v5B1vrNIfsQTXhfjXpyJOJNd1pWFweOQLq/fSvuoWvxQQESBloN8rUFs+eXvxMYi4y5rfQ+9MkJ6y+6HA1JB2KlHadzoA0vbZ4JxS/gcifhAzCv0goEw6ulNwHxdgx4Sp3EG+i8QxlSjV3BJ16FknaMRV8eMy8+pRibY6dWB+FW7sV5rQoT9/2PaqgUf0rMvCPzDE4aNpPYPXiU53dX+691iarmQo1Km26YHu7gDPsGbxa+lw== root@suzzy
   
7. ssh-dss AAAAB3NzaC1kc3MAAACBAI4e0Ul5sHev0cAc0uwTgIU9x7oNTQq0YYSdBySfJ1iqpeKM5B1nf4y8C6o+m8IOh6C6BH7Jx3oLyW0oBetlfGroU3WHVSC2D/lAY9CywvRqmLB96OFICJG7NMU48vfFTyYj7m4ARo/gFnhF6svY65tUkrZgf7vxX8F+PNH66YDdAAAAFQCVKW/d0cQ6HBwIZheTbZ+mwkDEYwAAAIAEG0tEw2CKvysYNglifESkHmNw8DqgFvZ0azXTkr8OVxfNKB/h9lzV7U+IyIMMcsSfZaukGVntTtg0RVFPTMq/5rhUrupUWfRNgm0vgTGS2v5JPc5xYdoqZXQS8EIFvndkDyqGU233aievALTITY6bCyt4Nks95obUrSDl4T5ZnAAAAIAv5IVdJ8l2XKNdWMCSJXPhzepDtuzXbx5hKMRoNtoi+Qz8s/uAn3wEJC4qB7zjTnZQcfOdoV0R0JegvI46GO1D3sQhtUy76I2DlwXr0HjrOd/+UXQzfXf3rY3/B4rCTuGjwbbuAZeJVS+joV+MkeaiFrXoXisXjFDOoUiAIX1amw== root@suzzy

7. 将总密钥文件传到其他机器对应目录

1. [root@sam .ssh]# scp authorized_keys root@suzzy:~/.ssh/
   
2. root@suzzy

8. 测试连接（首次还是需要YES下，第二次便可以不需要）

1. [root@sam ~]# ssh suzzy
   
2. Last login: Fri Oct 30 18:25:38 2015 from sam
   
3. [root@suzzy ~]# ssh sam
   
4. Last login: Fri Oct 30 18:26:34 2015 from suzzy
   
5. [root@sam ~]#

9. 将authorized_keys文件权限变更为600，以便安全，每台都需要更改

1. [root@sam ~]# cd .ssh
   
2. [root@sam .ssh]# ls -l authorized_keys
   
3. -rw-r--r-- 1 root root 1980 Oct 30 18:19 authorized_keys
   
4. [root@sam .ssh]# chmod 600 authorized_keys
   
5. [root@sam .ssh]# ls -l authorized_keys
   
6. -rw

三、总结 这个互信操作在Oracle 10g配置RAC（real application cluster）前是需要手工来操作的，从11G安装开始，可以在图形界面按钮式配置，相当容易，但我们还是应该掌握该技巧，在需要免密登录时还是要通过手工配置。看家的本领可不能丢。