Category: SOLARIS
2014-11-24 17:14:36
Original article: "A complete guide to establishing trust relationships between SSH users", by wanglp2000
There are many articles online about establishing a trust relationship between SSH users so that they can log in to each other without a password, but they are vague and do not work when followed step by step. This article describes the method in detail.
You can also refer to my Docin (豆丁) document:
II. How to establish the trust relationship
When a user logs in with ssh, the client authenticates with the user's private key. If the matching public key is accepted by sshd on the target host, the login succeeds securely without a password; this is the so-called passwordless login. The public keys that a host accepts for a user are stored in the file authorized_keys in the .ssh directory of that user's home directory.
If n hosts all need passwordless logins for a user among each other, then authorized_keys must list that user's public key from every one of the hosts. The file is therefore the critical piece, and the method follows directly from it: collect the public key generated on each host, combine them into one authorized_keys file, and place that file in the user's .ssh directory on every host. The steps below use DSA keys (ssh-keygen -t dsa). Note that DSA keys are fixed at 1024 bits and OpenSSH 7.0 and later disable ssh-dss by default, so on a current system generate an ed25519 key instead (ssh-keygen -t ed25519; the files are then id_ed25519 and id_ed25519.pub) and follow the same steps.
The following uses two hosts and the user test as an example. cluster1 and cluster2 are the host names, the user is test and its home directory is /export/home/test. In each step, (cluster1) means the operation is performed on cluster1, and likewise for cluster2:
1. Generate cluster1's public key (cluster1)
$ /usr/bin/ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/export/home/test/.ssh/id_dsa):
Created directory '/export/home/test/.ssh'.
Enter passphrase (empty for no passphrase): (just press Enter here)
Enter same passphrase again: (just press Enter here)
Your identification has been saved in /export/home/test/.ssh/id_dsa.
Your public key has been saved in /export/home/test/.ssh/id_dsa.pub.
The key fingerprint is:
40:3f:17:bd:e6:2c:32:54:0d:04:3b:30:29:b5:db:5e test@cluster1
With an empty passphrase the private key file id_dsa by itself grants login as test on every host that lists the public key, so keep it readable only by the user (ssh-keygen creates it with mode 600) and never copy it to the other hosts; only the .pub file is exchanged.
2. Generate cluster2's public key (cluster2)
$ /usr/bin/ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/export/home/test/.ssh/id_dsa):
Created directory '/export/home/test/.ssh'.
Enter passphrase (empty for no passphrase): (just press Enter here)
Enter same passphrase again: (just press Enter here)
Your identification has been saved in /export/home/test/.ssh/id_dsa.
Your public key has been saved in /export/home/test/.ssh/id_dsa.pub.
The key fingerprint is:
83:2f:bb:0e:f8:91:be:6b:15:5c:83:a5:48:6f:ed:cd test@cluster2
3. Copy the public key generated on cluster1 to cluster2 (cluster1, run from /export/home/test/.ssh)
$ scp id_dsa.pub cluster2:/export/home/test/.ssh/id_dsa1.pub
Password: enter the user's password here
id_dsa.pub 100% |*****************************| 603 00:00
4. Copy the public key generated on cluster2 to cluster1 (cluster1, run from /export/home/test/.ssh; the file is pulled from cluster2)
$ scp cluster2:/export/home/test/.ssh/id_dsa.pub id_dsa2.pub
Password: enter the user's password here
id_dsa.pub 100% |*****************************| 603 00:00
$ ls now shows the following files (known_hosts was created when cluster2's host key was accepted in step 3):
id_dsa id_dsa.pub id_dsa2.pub known_hosts
5. On cluster1, merge the public key files into authorized_keys (cluster1)
$ cat /export/home/test/.ssh/*pub >>/export/home/test/.ssh/authorized_keys
6. On cluster2, merge the public key files into authorized_keys (cluster2)
ls shows the following files:
id_dsa id_dsa.pub id_dsa1.pub
$ cat /export/home/test/.ssh/*pub >>/export/home/test/.ssh/authorized_keys
Because >> appends, running the command a second time duplicates every key. The glob also picks up the host's own id_dsa.pub, which is harmless: it merely lets test ssh to the local host without a password.
7. Log in to each machine with ssh. The first connection to each host asks you to confirm its host key; after answering yes, logins no longer need a password. Answering yes accepts the host key on trust, so compare the fingerprint shown with one obtained on the host's console before accepting it. If a password is still requested, check two things: the .ssh directory must be mode 700 and authorized_keys mode 600, and the home directory must not be group- or world-writable, because sshd's StrictModes setting (on by default) silently ignores the file otherwise; and ssh -v shows which keys the client offered and why they were rejected.
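The merge in steps 5 and 6 together with the permission check behind step 7, as an added example that is not part of the original article: a POSIX shell script that builds authorized_keys from the .pub files collected from each host. Unlike the bare cat *pub >> authorized_keys, it rejects malformed lines and ssh-dss keys, removes duplicates (same key type and blob, whatever the comment), sets the modes StrictModes requires, and verifies them. The key lines, host names and file names are constructed for the example (the base64 blobs are not real keys), and it writes into a temporary directory rather than /export/home/test/.ssh.

```shell
#!/bin/sh
# Added example (not the original article's commands): build authorized_keys
# from the .pub files collected from each host, with validation,
# de-duplication and the permissions sshd's StrictModes expects.
# Everything below is constructed for the example: the key blobs are not
# real keys and the host names are placeholders.

KEY_CLUSTER1='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleBlobForCluster1Only test@cluster1'
KEY_CLUSTER2='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleBlobForCluster2Only test@cluster2'
KEY_DSA='ssh-dss AAAAB3NzaC1kc3MAAACBAExampleDsaBlobNotAcceptedByModernSshd test@cluster3'
KEY_BAD='this is not a public key line'

# valid_pubkey LINE -> 0 if LINE is "<type> <base64 blob> [comment]" with an
# allowed type. ssh-dss is rejected because OpenSSH 7.0+ disables it by
# default. Lines carrying an options prefix (from=, command=) are not handled.
valid_pubkey() {
    set -- $1                                   # split the line into fields
    case "$1" in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) return 1 ;;
    esac
    printf '%s' "$2" | grep -Eq '^[A-Za-z0-9+/]+=*$'
}

# ssh_perms_ok PATH -> 0 if PATH is neither group- nor world-writable, which
# StrictModes requires of ~, ~/.ssh and authorized_keys (ls -l columns 6 and 9
# are the group and other write bits).
ssh_perms_ok() {
    case "$(ls -ld "$1" | cut -c1-10)" in
        ?????-??-?) return 0 ;;
        *) return 1 ;;
    esac
}

# merge_authorized_keys SSHDIR PUBFILE... -> writes SSHDIR/authorized_keys from
# the given public-key files, skipping blank, comment, malformed or disallowed
# lines and duplicates (same type and blob). Prints the number of keys written.
merge_authorized_keys() {
    sshdir=$1; shift
    mkdir -p "$sshdir" && chmod 700 "$sshdir"
    tmp=$(mktemp) || return 1
    for f in "$@"; do
        # the "|| [ -n "$line" ]" keeps a last line that lacks a trailing newline
        while IFS= read -r line || [ -n "$line" ]; do
            case "$line" in ''|'#'*) continue ;; esac
            if valid_pubkey "$line"; then
                printf '%s\n' "$line" >>"$tmp"
            else
                echo "skipping invalid key line in $f: ${line%% *} ..." >&2
            fi
        done <"$f"
    done
    awk '!seen[$1 " " $2]++' "$tmp" >"$sshdir/authorized_keys"   # de-duplicate
    rm -f "$tmp"
    chmod 600 "$sshdir/authorized_keys"
    wc -l <"$sshdir/authorized_keys" | tr -d ' '
}

# Demo: the same merge as steps 5 and 6, run in a temporary directory instead
# of /export/home/test/.ssh so it can be tried anywhere.
demo=$(mktemp -d)
printf '%s\n' "$KEY_CLUSTER1" >"$demo/id_cluster1.pub"
printf '%s\n' "$KEY_CLUSTER2" "$KEY_BAD" >"$demo/id_cluster2.pub"
printf '%s\n' "$KEY_DSA" "$KEY_CLUSTER1" >"$demo/id_cluster3.pub"   # dsa key plus a duplicate
n=$(merge_authorized_keys "$demo/.ssh" "$demo"/id_cluster*.pub)
echo "wrote $n keys to $demo/.ssh/authorized_keys"
ssh_perms_ok "$demo/.ssh" && ssh_perms_ok "$demo/.ssh/authorized_keys" && echo "permissions ok"
```

The demo writes 2 keys: the ssh-dss line and the malformed line are skipped and the repeated cluster1 key is kept once. A stricter validity check is ssh-keygen -l -f file.pub, which actually parses the blob; it is left out here so the script runs without OpenSSH installed. Copy the resulting authorized_keys to the user's .ssh directory on every host with scp, as in steps 3 and 4, and never the private key files.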