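Using ssh-keygen and ssh-copy-id as in the example below, three simple steps are enough to log in to a remote Linux host without entering a password.
ssh-keygen creates the public and private keys.
ssh-copy-id copies the local host's public key into the authorized_keys file on the remote host.
ssh-copy-id also sets appropriate permissions on the remote user's home directory, ~/.ssh, and ~/.ssh/authorized_keys.
Step 1: Create the public and private keys on the local host with ssh-keygen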
ligh@local-host$ ssh-keygen -t rsa
Enter file in which to save the key (/home/jsmith/.ssh/id_rsa):[Enter key]
Enter passphrase (empty for no passphrase): [Press enter key]
Enter same passphrase again: [Press enter key]
Your identification has been saved in /home/jsmith/.ssh/id_rsa.
Your public key has been saved in /home/jsmith/.ssh/id_rsa.pub.
The key fingerprint is: 33:b3:fe:af:95:95:18:11:31:d5:de:96:2f:f2:35:f9
ligh@local-host
Step 2: Copy the public key to the remote host with ssh-copy-id
ligh@local-host$ ssh-copy-id -i ~/.ssh/id_rsa.pub root@192.168.0.3
ligh@remote-host's password:
Now try logging into the machine, with "ssh 'remote-host'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
[Note: ssh-copy-id appends the key to .ssh/authorized_keys on the remote host.]
Step 3: Log in to the remote host directly
ligh@local-host$ ssh remote-host
Last login: Sun Nov 16 17:22:33 2008 from 192.168.1.2
[Note: SSH does not ask for a password.]
ligh@remote-host$
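[Note: You are now logged in on the remote host]
Quoted from: http://blog.163.com/lgh_2002/blog/static/44017526201011333227161/
Part 2
For anyone working in operations, setting up SSH trust between two UNIX/Linux machines is about as routine as it gets.
I don't know how everyone else has been setting up trust; I, at any rate, did it entirely by hand.
If I need to set up SSH trust from the nameA account on machineA to the nameB account on machineB, so that login works without typing a password, this is what I usually do:
1 Copy the contents of /home/nameA/.ssh/id_rsa.pub on machineA.
2 Log in to machineB and go to /home/nameB/.ssh; create the authorized_keys file if it does not exist, and append the content from step 1 to the end of the file.
3 Check the permissions of authorized_keys and make sure the group/other bits do not include write (w) permission.
4 Log in to machineA and test whether the SSH trust has been established.
This way of adding trust is really unfriendly: it is entirely manual, you have to switch back and forth between the two machines, and correctness depends entirely on the person doing it, so problems and mistakes creep in easily.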
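The manual steps above, scripted so that the append and the permission check no longer depend on the operator. This is an added example, not code from the original post: the function names install_pubkey and check_perms are hypothetical, a local directory stands in for /home/nameB on machineB, and the key line is a constructed placeholder.

```shell
#!/bin/sh
# Added example. A local directory stands in for /home/nameB on machineB so
# the script runs offline; function names are hypothetical.

# install_pubkey HOME_DIR PUBKEY_FILE  (steps 1-2 of the manual procedure)
install_pubkey() {
    home=$1 pub=$2
    # A public key file holds one line: "type base64 [comment]".
    [ $(wc -l < "$pub") -le 1 ] || { echo "not a single-line key" >&2; return 2; }
    key=$(cat "$pub")
    case $key in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) ;;
        *) echo "unrecognised key type" >&2; return 2 ;;
    esac
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh" || return 1
    auth=$home/.ssh/authorized_keys
    touch "$auth" && chmod 600 "$auth" || return 1
    # -x whole line, -F fixed string: append unless this exact key is present.
    grep -qxF -- "$key" "$auth" || printf '%s\n' "$key" >> "$auth"
}

# check_perms HOME_DIR  (step 3, extended to the home directory and ~/.ssh)
# Fails if any of the three paths is writable by group or other.
check_perms() {
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        [ -e "$p" ] || { echo "missing: $p" >&2; return 1; }
        if [ -n "$(find "$p" -prune \( -perm -020 -o -perm -002 \))" ]; then
            echo "group/other writable: $p" >&2; return 1
        fi
    done
}

# Demo on constructed data: the key line below is a placeholder, not a real key.
demo() {
    d=$(mktemp -d) || return 1
    printf 'ssh-rsa AAAAconstructedPLACEHOLDER nameA@machineA\n' > "$d/id_rsa.pub"
    install_pubkey "$d" "$d/id_rsa.pub" || return 1
    install_pubkey "$d" "$d/id_rsa.pub" || return 1   # re-run adds no duplicate
    check_perms "$d" && echo "keys installed: $(wc -l < "$d/.ssh/authorized_keys")"
    rc=$?; rm -rf "$d"; return $rc
}
demo
```

Running check_perms against an existing account's home directory reports the first path that fails the group/other write test from step 3.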
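And now, the grand unveiling of the "automated SSH trust setup tool": ssh-copy-id. (An epoch-making moment: it taught me to use tools ^_^)
[Learn ssh-copy-id in five minutes]
Without SSH trust in place, logging in from nameA on machineA to nameB on machineB requires a password, as you can see:
[nameA@machineA]$ ssh nameB@machineB -p 22000
nameB@machineB's password:
Now let's use the newly learned command to set up trust. It reports "No identities found", though, because our nameA account does not yet have its own public/private key pair:
[nameA@machineA]$ ssh-copy-id nameB@machineB
/usr/bin/ssh-copy-id: ERROR: No identities found
We first need to create a public/private key pair for the nameA account. Once it is created, two additional files appear in /home/nameA/.ssh: id_rsa (the private key) and id_rsa.pub (the public key):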
[nameA@machineA]$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/nameA/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/nameA/.ssh/id_rsa.
Your public key has been saved in /home/nameA/.ssh/id_rsa.pub.
The key fingerprint is:
bb:3b:14:be:5d:45:ab:72:27:ec:93:21:c6:a3:7d:77 nameA@machineA
The key's randomart image is:
+--[ RSA 2048]----+
| |
| |
| |
| . . |
| .X. o . |
| .o. + |
| .*+.o |
| +++C+o E |
| . +C++ . |
+-----------------+
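Good, the preparation is done; let's set up the trust:
[nameA@machineA]$ ssh-copy-id nameB@machineB
ssh: connect to host machineB port 22: Connection refused
Tragedy: yet another error. It turns out that sshd on machine B does not listen on port 22 but on 22000, and the ssh-copy-id command has no way of knowing that. What now?
Let's try adding the -p option to set the port:
[nameA@machineA]$ ssh-copy-id nameB@machineB -p 22000
ssh: connect to host machineB port 22: Connection refused
Still no good: the -p option is not recognised by ssh-copy-id at all.
If you run man ssh-copy-id you will see that it simply has no such option.
All right, no more suspense. The solution is not complicated at all; it just uses a small trick:
[nameA@machineA]$ ssh-copy-id "-p 22000 nameB@machineB"
nameB@machineB's password:
[nameB@machineB]
Done! Password-less login finally works:
[nameA@machineA]$ ssh nameB@machineB -p 22000
[nameB@machineB]$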
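In fact, ssh-copy-id is just an ordinary script file:
[nameA@machineA]$ which ssh-copy-id
/usr/bin/ssh-copy-id
[nameA@machineA]$ file /usr/bin/ssh-copy-id
/usr/bin/ssh-copy-id: POSIX shell script text executable
If you are interested, read the script: it is only about 50 lines long, yet it contains quite a few shell programming techniques worth learning.
Note: on some systems tcl8.5 may need to be installed first.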
Introduction to Tcl
The Tcl package contains the Tool Command Language, a robust general-purpose scripting language.
This package is known to build and work properly using an LFS-7.0 platform.
Package Information
- Download (HTTP):
- Download (FTP):
- Download MD5 sum: a08eaf8467c0631937067c1948dd326b
- Download size: 4.3 MB
- Estimated disk space required: 47 MB (includes documentation installation)
- Estimated build time: 0.4 SBU
Additional Downloads
Installation of Tcl
This package is also installed in LFS during the bootstrap phase. As it is not installed during Chapter 6 of LFS, installation instructions are included here in BLFS.
If you downloaded the optional documentation, unpack the tarball by issuing the following command:
tar -xf ../tcl8.5.10-html.tar.gz --strip-components=1
Install Tcl by running the following commands:
cd unix &&
./configure --prefix=/usr \
            --enable-threads \
            --mandir=/usr/share/man &&
make &&
sed -i \
    -e "s@^\(TCL_SRC_DIR='\).*@\1/usr/include'@" \
    -e "/TCL_B/s@='\(-L\)\?.*unix@='\1/usr/lib@" \
    tclConfig.sh
To test the results, issue: make test.
Now, as the root user:
make install &&
make install-private-headers &&
ln -v -sf tclsh8.5 /usr/bin/tclsh &&
chmod -v 755 /usr/lib/libtcl8.5.so
If you downloaded the optional documentation, install it by issuing the following commands as the root user:
install -v -m755 -d /usr/share/doc/tcl-8.5.10 &&
cp -v -R ../html/* /usr/share/doc/tcl-8.5.10
Command Explanations
--enable-threads: This switch forces the package to build with thread support.
make install-private-headers: This command is used to install the Tcl library interface headers used by other packages if they link to the Tcl library.
ln -v -sf tclsh8.5 /usr/bin/tclsh: This command is used to create a compatibility symbolic link to the tclsh8.5 file as many packages expect a file named tclsh.
sed -i -e ... tclConfig.sh: The Tcl package expects that its source tree is preserved so that packages depending on it for their compilation can utilize it. This sed removes the references to the build directory and replaces them with saner system-wide locations.
Contents
Installed Programs: tclsh and tclsh8.5
Installed Libraries: libtcl8.5.so and libtclstub8.5.a
Installed Directories: /usr/lib/tcl8, /usr/lib/tcl8.5, /usr/share/man/mann, and optionally, /usr/share/doc/8.5.10
Short Descriptions
tclsh: is a symlink to the tclsh8.5 program.
tclsh8.5: is a simple shell containing the Tcl interpreter.
libtcl.so: contains the API functions required by Tcl.