花式玩转Linux集群免密登录

文章目录

    • 1.前言
    • 2.基础(两种方法前都要先ready)
    • 3.方法一(常用)
    • 4.方法二(简单)
    • 5. `.ssh`文件下的`known_hosts`文件

1.前言

  大数据集群往往需要多台机器构成一个集群,而集群内的这些机器往往需要能够互相免密登录,这里就总结下设置免密登录的常见做法;

  重点:
  1)需要集群内部的集群都有这个相同的用户;
  2)免密登录是绑定用户的,当你设置了用户hadoop的免密登录后,你切换到另一个用户rowyet,如果rowyet本身配置是没有免密登录的话,那么rowyet并不能实现集群内部的免密登录,也需要配置;
  结论:大数据集群上组件启动,最好需要用配置了免密登录账号启动较为稳妥,虽然有些组件设计容错性较高,支持内部的默认账号运行;

  这里假设你已经拿到了集群机器并且已经配置好了系统,网络及都新增好了账号hadoop(如果这些基础配置不会的,建议看一下Linux基础的博客Linux基础配置——Linux(CentOS为例)的下载和安装(一),本文以hadoop账号配置免密登录为例,假设有4台机器信息如下;

机器hostname 机器ip 账号
node1 193.168.238.35 hadoop
node2 193.168.238.36 hadoop
node3 193.168.238.37 hadoop
node4 193.168.238.38 hadoop

2.基础(两种方法前都要先ready)

  vi /etc/hosts文件,然后源文件后面追加IP和hostname,目的是既可以通过IP免密互登,也可以通过hostname免密登录;

127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

192.168.238.35 node1
192.168.238.36 node2
192.168.238.37 node3
192.168.238.38 node4

  将该文件复制到其它三台机器上;

scp /etc/hosts node2:/etc/hosts
scp /etc/hosts node3:/etc/hosts
scp /etc/hosts node4:/etc/hosts

3.方法一(常用)

  重点:一定要保证authorized_keys文件的权限是600,高了也不行,系统会认为是太危险,容易被攻不破,不能实现免密登录,低了也不行,权限不够;

######################################################################
#此下面两行处代码需要在每个node上执行
su hadoop # 切换到hadoop账号
cd ~    #回到主界面
ssh-keygen -t rsa -f ~/.ssh/id_rsa    #输入此命令按三次回车,该目录下新生成私钥id_rsa,和公钥id_rsa.pub

#此处的两行只需要在node1上执行
cd /home/hadoop/.ssh    #进入.ssh folder内
cat id_rsa.pub >> authorized_keys    #将公钥id_rsa.pub另存为该folder下authorized_keys文件内

# 一定要保证authorized_keys的权限是600
# 一定要保证authorized_keys的权限是600
# 一定要保证authorized_keys的权限是600
# 高了也不行,系统会认为是太危险,容易被攻不破,不能实现免密登录,低了也不行,权限不够;
chmod 600 authorized_keys    

#####################################################################
#分别在node2,node3,node4上把密钥追加到node1的authorized_keys
 ssh-copy-id -i node1  #每一台node上执行此语句,把本地主机的公钥复制到远程主机node1的authorized_keys文件上

#在node1上
cat /home/hadoop/.ssh/authorized_keys    

#可以看到里面的内容包含了每个node的公钥,有4组,有规律的分布,如下,每个人的不一样哈,以自己实际生成额为准,我的仅供参考,当然我也是改过的,这个要保管好,别人拿到了可以很容易侵入你的系统;
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUvQSLgSBtEsgWLELUntv0oD0kDkUva4oXHoGLn2ByJwITl3MOboYJ6NcJMvPQkRz5Ejms7b/pibrIUanHr6atNLHGAWDhD3+QJvCu0y6IBtuOnGpqynIlYKp4EiTvOSczjSiKwyxBCa7Y4o4MnaYJE8M4Y1rmAB4e6qRXog3bzxOLAOBfEsoNx+aNNzENQs5yzzo/Ft83qKphtpaBVNFlBOi25+DgUjGS7ahLLYsXhoqh7761GMOsCtSP+STBpRf2EqmOEynEdk7eNyXoVa5aRtQu24TeKKQYP5QfQkaQfaMiyeeQCktQyZWaBKtpYlbIp8SJDro/lqJCqzs97oOyV hadoop@node1
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDNYEuQzYKUcyiaLoqFiSN8z78vVf8ZpQa7Vw1EY/TmWpc2zrH6bQHlnzcAdBdFqReMBvcFSfkicRTrlNtztWiEZJHl4/h28VjI1VmPaNqqaIOq/yGKY31DMRhEmcONZVFqclBcwsJ8F1outOzVPJpflUhNympcRCrz+dIOh1TXppVw3eLEWD4+8rUNc/omDH8etOiXpya5l85v6LPZ/BDe7wElLlvJwErEwcLsO3RvyluWtTWqbCtf80HQjiDx4Dmo/yZcL8tVJ6Ec+hrj7Cp6bQZEG/nyUEuiGqMb2YaJVerAWGUskgry6amLkr4lwn5lF6iHX6Xz9Nd2Ve0R9ol3r hadoop@node2
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC3SvV3S9lOKf7X3Z+05wjYrOC5bPpzztrbx+gDAjLA/CdXZpvXDiEYyxuidrrlSwBQFgVgo6jl0XcopRCQPba4F8ePqU+UBdyD23EVwqFlM9HZnPUJaFXOBY34ozdyAEVgkNlKFSbL2X5wGt8htjjOm9MCUgixQgvjY2L8uy+g7GwRXC/W5vPRgqFZCZ3oIEhE6y78YievullA12jj/IZPXooPsflXWyiHrVJOnFjCD1wgP0pDNA/9wKO9545GJSIyXvfKavtMn9EKwIalvMrVZDlYgyLPviPi75TYwaCS0dMPT83CPHO7ao+oYnuesut40AmwdvHHFrjyEITPhvuFIv hadoop@node4
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDIqBjFMbhkO8V5ofvBs7AXqwm5zHQE4JR/O6dj5yLJE5bu4OA47kWtyRKfiTAkr9QnVm1+0U5y0dkgDt29MYJBAK5kvs7I/H4E87WvDlfJTm2EXL1C2Mq3BAwMzK4Il5lho4Mpos3th7Bb9ZdqdhkjmnKkO+Q0/JdvEsu6yDfbO5NqqQotRYfp+Ak9pboQxo5tiJC7+4o2rlMgjJ6ZLTLHoGnPnBAf+MGJEEUQlQtNPGpnzz/NLOiOUVd0zojgQkdnh4j0/eZGi9YcrKlQRT0yZXDFJkluiL/ENI1pBNzMMf97Oq1undfeQ+JBPkIdd7fgM9fGDeTWoorKZSj9Egocf hadoop@node3




#利用scp跨服务器把所有node的authorized_keys替换,如下
scp /home/hadoop/.ssh/authorized_keys node2:/home/hadoop/.ssh/
scp /home/hadoop/.ssh/authorized_keys node3:/home/hadoop/.ssh/
scp /home/hadoop/.ssh/authorized_keys node4:/home/hadoop/.ssh/
#测试连接,选任何一台机器
ssh node1
ssh node2
ssh node3
ssh node4
#可以发现都是免密认证就能登录

4.方法二(简单)

######################################################################
#此下面两行处代码需要在每个node上执行
su hadoop # 切换到hadoop账号
cd ~    #回到主界面
ssh-keygen -t rsa -f ~/.ssh/id_rsa    #输入此命令按三次回车,该目录下新生成私钥id_rsa,和公钥id_rsa.pub

#此处的两行只需要在node1上执行
cd /home/hadoop/.ssh    #进入.ssh folder内
cat id_rsa.pub >> authorized_keys    #将公钥id_rsa.pub另存为该folder下authorized_keys文件内

# 一定要保证authorized_keys的权限是600
# 一定要保证authorized_keys的权限是600
# 一定要保证authorized_keys的权限是600
chmod 600 authorized_keys    

# 修改一下node1的公钥id_rsa.pub的最后,让他指向一台不存在的机器 如:dev@node98098
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUvQSLgSBtEsgWLELUntv0oD0kDkUva4oXHoGLn2ByJwITl3MOboYJ6NcJMvPQkRz5Ejms7b/pibrIUanHr6atNLHGAWDhD3+QJvCu0y6IBtuOnGpqynIlYKp4EiTvOSczjSiKwyxBCa7Y4o4MnaYJE8M4Y1rmAB4e6qRXog3bzxOLAOBfEsoNx+aNNzENQs5yzzo/Ft83qKphtpaBVNFlBOi25+DgUjGS7ahLLYsXhoqh7761GMOsCtSP+STBpRf2EqmOEynEdk7eNyXoVa5aRtQu24TeKKQYP5QfQkaQfaMiyeeQCktQyZWaBKtpYlbIp8SJDro/lqJCqzs97oOyV dev@node98098

# 修改一下authorized_keys,去掉最后的指向机器
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUvQSLgSBtEsgWLELUntv0oD0kDkUva4oXHoGLn2ByJwITl3MOboYJ6NcJMvPQkRz5Ejms7b/pibrIUanHr6atNLHGAWDhD3+QJvCu0y6IBtuOnGpqynIlYKp4EiTvOSczjSiKwyxBCa7Y4o4MnaYJE8M4Y1rmAB4e6qRXog3bzxOLAOBfEsoNx+aNNzENQs5yzzo/Ft83qKphtpaBVNFlBOi25+DgUjGS7ahLLYsXhoqh7761GMOsCtSP+STBpRf2EqmOEynEdk7eNyXoVa5aRtQu24TeKKQYP5QfQkaQfaMiyeeQCktQyZWaBKtpYlbIp8SJDro/lqJCqzs97oOyV

# 将node1的整个.ssh文件复制到node2,node3,node4
scp -r 10.216.79.68:/home/hadoop/.ssh/ node2:/home/hadoop/
scp -r 10.216.79.68:/home/hadoop/.ssh/ node3:/home/hadoop/
scp -r 10.216.79.68:/home/hadoop/.ssh/ node4:/home/hadoop/

#测试连接,选任何一台机器
ssh node1
ssh node2
ssh node3
ssh node4
#可以发现都是免密认证就能登录

5. .ssh文件下的known_hosts文件

  /home/hadoop/.ssh文件下,还有一个文件known_hosts,如下;

[hadoop@node1 .ssh]$ ll
总用量 16
-rw-------. 1 hadoop hadoop 1576 419 2020 authorized_keys
-rw-------. 1 hadoop hadoop 1675 419 2020 id_rsa
-rw-r--r--. 1 hadoop hadoop  394 419 2020 id_rsa.pub
-rw-r--r--. 1 hadoop hadoop  732 419 2020 known_hosts

  看看里面有啥,如下;

[hadoop@node1 .ssh]$ cat known_hosts
node1,192.168.238.35 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAfgBBJETHLZhUQKJSZiBdTEjUKjZ/5yiNOwXFxJNRioieJCIsx1ASjrvN5CKMJTWiILwtwTY8ZDWn7GACLe1/qnV2QE=
node2,192.168.238.36 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAfgBBASTMekcqFhmRtE4KiR3/DpK5BrmrFRBU6j/r/dkxZxm1rJFydOPl6YpHyTaF88PHWgM2xZExZRAcgDpenDiyDY=
node3,192.168.238.37 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAfgBBDLR9CgJH23oGYt14LMtbB+ZaSonZm8gl9vnywqDwja47TAGH3/3FkyYDjbh5widkvvaVP9y+KaYMvnwruFpjRI=
node4,192.168.238.38 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAfgBBMotkDPTwP0QVK5W6ioZKHzSCvgAdZMLCbwOXyq/299fTej5HsbgP4NQYbUM1shMkGV43yY5BZKHkcCVV31YuA4

  node1通过ssh首次连接到node2,node2会将公钥1(host key)传递给node1,node1将公钥1存入known_hosts文件中,以后node1再连接node2时,node2依然会传递给node1一个公钥2,OpenSSH会核对公钥,通过对比公钥1与公钥2 是否相同来进行简单的验证,如果公钥不同,OpenSSH会发出警告, 避免你受到DNS Hijack之类的攻击,简而言之就是避免集群内的ip或者hostname的被冒名顶替了;
  所以当你第一次通过node1 ssh到node2的时候,会弹出以下询问,当你输入yes时,就会把node1的公钥写入know_hosts;

The authenticity of host '192.168.238.35 (192.168.238.35)' can't be established.
ECDSA key fingerprint is SHA256:pLAiD0B5bsTXibA6dnN1z0W9aS1GW68iM/KimWMqfgY.
ECDSA key fingerprint is MD5:22:45:07:9f:66:7a:98:2b:ee:22:c2:4a:9e:42:d7:a5.
Are you sure you want to continue connecting (yes/no)?

  重点:一般情况下的配置,用不到这个文件,但是有一种场景能用到,就是你集群中的某一个节点,假设为node2故障了,但是集群投入了使用,都是配置的node2的hostname以及对应的ip,为了偷懒,可以把坏死的node2的hostname和ip转给一个新的好的节点;或者说你想保留坏死的节点的ip或hostname,给新的好的节点按照以上方法配置好免密登录后,并不能实现免密登录,会报如下警告!,总而言之,就是你的ip或者hostname被冒名顶替了,并不能直接免密登录;

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.The fingerprint for the RSA key sent by the remote host is36:68:a6:e6:43:34:6b:82:d7:f4:df:1f:c2:e7:37:cc.Please contact your system administrator.
Add correct host key in /u/xlian008/.ssh/known_hosts to get rid of this message.Offending key in /u/xlian008/.ssh/known_hosts:2RSA host key for 135.1.35.130 has changed and you have requested strict checking.Host key verification failed. 

  原因就是上面说到的,虽然新的node节点顶替了老的node2的hostname和ip,但是known_hosts的认证机制识别出了你并不是老的node2,所以报了安全警告;

  修复方式:在node1上,把known_hosts文件内的node2,192.168.238.36 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAfgBBASTMekcqFhmRtE4KiR3/DpK5BrmrFRBU6j/r/dkxZxm1rJFydOPl6YpHyTaF88PHWgM2xZExZRAcgDpenDiyDY=这行删除,然后在node1上免密登录自己;

ssh node1  #node2上免密登录自己

#再次弹出询问,输入yes重新再known_hosts文件内建立公钥认证,完成到新的node2免密登录
The authenticity of host '192.168.238.35 (192.168.238.35)' can't be established.
ECDSA key fingerprint is SHA256:pLAiD0B5bsTXibA6dnN1z0W9aS1GW68iM/KimWMqfgY.
ECDSA key fingerprint is MD5:22:45:07:9f:66:7a:98:2b:ee:22:c2:4a:9e:42:d7:a5.
Are you sure you want to continue connecting (yes/no)?

  写个脚本将修复好的known_hosts分发到其他节点;

#! /usr/bin/sh

for i in `cat ./hadoop_ip_list.txt`
do
    echo "*********************$i************************"
    scp  node1:/home/hadoop/.ssh/known_hosts  "${i}:/home/hadoop/.ssh/"
done

  hadoop_ip_list.txt里面的内容为你集群内的所有ip或者hostname;

node1
node2
node3
node4

  以上就是免密登录用到的相关信息;

你可能感兴趣的:(linux,ssh,known_hosts,免密登录)