免密登录的目的
在搭建Linux集群服务的时候,想在master或者跳板机上执行远程命令的时候,我们需要一遍一遍的属于密码,如果是编写脚本的话,我们还需要利用expect工具自动实现交互任务,这在实际生产环境当中是相当耗时的.所以我们需要了解linux的免密码登录。
环境
三台虚拟机,如下:
| ip | hostname |
|---|---|
| 10.0.52.13 | k8s.master |
| 10.0.52.14 | k8s.node1 |
| 10.0.52.6 | k8s.node2 |
ssh-keygen和ssh-copy-id实现免密登录
在不建立ssh信任关系的情况下,从A机器的B机器的,需要输入密码,如下图:
[root@k8s ~]# ssh [email protected]
[email protected]'s password:
现在我们使用ssh-keygen生成本机的私钥和公钥,输入ssh-keygen -t rsa 一路回车就可以了:
[root@k8s ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:DzAUBN3VdFdegqOouCKMBSyd+R7Q1jzlyxa9ImKRum4 [email protected]
The key's randomart image is:
+---[RSA 2048]----+
| .++o ..o..o =|
| .. o +. +.|
|.. + +oo o . . .|
|o.= = +o+ o |
|.. = o +So . |
| o * o =o. |
|o. + + o .. |
|o.E o |
| +.. |
+----[SHA256]-----+
[root@k8s ~]#
查看当前用户目录下的文件夹,多出一个.ssh的隐藏文件夹:
[root@k8s ~]# ls -alt
total 24
drwx------. 2 root root 57 May 20 17:41 .ssh
dr-xr-x---. 3 root root 126 May 20 17:30 .
-rw-------. 1 root root 1249 May 20 14:11 anaconda-ks.cfg
dr-xr-xr-x. 17 root root 224 May 20 14:11 ..
-rw-r--r--. 1 root root 18 Dec 29 2013 .bash_logout
-rw-r--r--. 1 root root 176 Dec 29 2013 .bash_profile
-rw-r--r--. 1 root root 176 Dec 29 2013 .bashrc
-rw-r--r--. 1 root root 100 Dec 29 2013 .cshrc
-rw-r--r--. 1 root root 129 Dec 29 2013 .tcshrc
[root@k8s ~]#
进入.ssh目录,多了两个文件:
[root@k8s .ssh]# ls -lt
total 12
-rw-------. 1 root root 1679 May 20 17:41 id_rsa
-rw-r--r--. 1 root root 397 May 20 17:41 id_rsa.pub
[root@k8s .ssh]#
文件说明:
| 文件 | 描述 |
|---|---|
| id_rsa | 私钥文件 |
| id_rsa.pub | 公钥文件 |
[root@k8s .ssh]# cat id_rsa
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAvMcZTzsrl5jxBBR5CDXofsg6TRSCK9DZnNnBN4hc/6Pp4vTO
kdcp2xfM6nRHOQgYZCO/aKpV3Qrqj0+IWskgdDy+5c0oPixcT49afp4MB8QggPV+
J8NWXghcNLgPweMfeFq3pNg2hlMXdzFcOH1Z9Qlr3s6hLF6z3YRG+UcG80BdOeqp
EijhD9K+BagZkpZ55F28JpGhjp/rNYBe8je3lex2sIl7bc0AAFTkyBwnSdIUJ/9b
JE8WOfyjiOcx5343WjdDJbLx6ELW7NkoeB/3BD/P+5D/FPCvwhF02wvrSurs79bL
lNYxwd1uPu5Xs7yWkm4JvNFI79pWiqHZzNg6AQIDAQABAoIBAQCMN/rlrhawEOsc
07Qe1CPwX/tmG5CgyQ2KgvgQrpodTHxClwIEs+QkF+aeU2Y/x3KOlzrqnHMQr7YQ
YsvuWyxfCmvlN2Dn5X1fnyRhnjVjY1udTju5f09coysSAZG6u2A5vnBf4jWFypxI
bYKJdxpldu0H30U6NtG0/TbWm9pevS4Y4NFvLxS4ttlYxHo6PjYNPxY7+BrUhkmy
m3aQnZroKkZ8KxYZtsdl8Fk+B1+H7itDgnv4JkUxa85Vfg9N8Zwxn9gMwU9P1yxp
CGGaIgNtHP0K7ct8L2NtGRoA5ArxsVn8zv5X4ZWHhy3e1KpdPHjCIHDlvTmM+ky5
+rPlvvXRAoGBAOlc35Eyg0xHE+gU+FWVsJOw7uxQ6uSf6oSppp7Cup+47T7tq7mP
QN+F+jx/HOq36RJ5nCpzcUjob31xom+8Cm0e3vyol/I1sChF4FqbMZSsNMfkyBlf
SPGOkWY/456oQ26BAgv07j1WX6zPEzCYftFRCSixLcSp4SFRRo7sRdc1AoGBAM8X
ChT3JXPtaGToEW9F59aVr1d/ysSg1AxrSqjHDOl4WFkjKjs90aj1oALmZNYeckpL
CBeg8kNEiRW9QSWK7G9C7DoTDpkO2VxwKLcMCZys6OJsxklklt57tpYjugPU/G1u
EDdBdLPx1nIQTbUOZ7M5goYLNk2AGfDsufA0mZUdAoGAa70OFqn8hk3WefKciF7Y
rAcm94GQQMc37dGpdGiw4qbtGX1/J+dkaw4e7qk8/3yzJW1x1QOBTMjLGF5LQUzO
f3yeNIXdyNxSnPVN1GcMJ/itUZBldZlRQvywUkWy4AANScpT2JNXHohvGYhs8qWk
/xxrnxbV65MGtmwgqEGbKPUCgYEAhNuWFz87ovUTfXE5BjdF9nAPjsYokx9PCyym
OEODcCFKJN2fkWQmpwv1/QZMeOYNksYySd5yrl9Ax1akfe5zoym/Hb7uJZnWLyyx
okWxwPdZbTI1wA4tkEy0JfyDsUOqMpZjBuASfANR/dmh0N+N/fiOWWrGCtB9VAi7
fXRxd60CgYAhfMkmZl/0z3WDZYorvF84FJkTrGPQQAs6kpbxX9Ny929FeI7ZDSFo
X8rhHreg6W7C97fg0ZzavaRSOUnG8tqCRNbebKBUdEtp3zNQyvgN5EUXzZFs6JxS
hRmwoQaMgQ03c7zQR7E/zBEuiTQuEJY4dHGm36q+JRo0E0YhRkHcjQ==
-----END RSA PRIVATE KEY-----
[root@k8s .ssh]#
[root@k8s .ssh]# cat id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8xxlPOyuXmPEEFHkINeh+yDpNFIIr0Nmc2cE3iFz/o+ni9M6R1ynbF8zqdEc5CBhkI79oqlXdCuqPT4haySB0PL7lzSg+LFxPj1p+ngwHxCCA9X4nw1ZeCFw0uA/B4x94Wrek2DaGUxd3MVw4fVn1CWvezqEsXrPdhEb5RwbzQF056qkSKOEP0r4FqBmSlnnkXbwmkaGOn+s1gF7yN7eV7HawiXttzQAAVOTIHCdJ0hQn/1skTxY5/KOI5zHnfjdaN0MlsvHoQtbs2Sh4H/cEP8/7kP8U8K/CEXTbC+tK6uzv1suU1jHB3W4+7lezvJaSbgm80Ujv2laKodnM2DoB [email protected]
[root@k8s .ssh]#
接下来就是将公钥下发给k8s.node1和k8s.node2,下发公钥,有两种方式,一种是使用ssh-copy-id,另一种是直接将公钥的字符串复制到~/.ssh/authorized_keys中.下面我们展示这两种的使用方式.
- ssh-copy-id (k8s.node1免登录)
[root@k8s .ssh]# ssh-copy-id [email protected]
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '10.0.52.14 (10.0.52.14)' can't be established.
ECDSA key fingerprint is SHA256:bvCsLSq6EwwetIo2EJgIY8mFhwBz7wSgBVxocWlVU1A.
ECDSA key fingerprint is MD5:91:38:5c:46:e9:ce:57:f3:99:57:81:5a:ba:10:ac:18.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
[email protected]'s password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh '[email protected]'"
and check to make sure that only the key(s) you wanted were added.
[root@k8s .ssh]# ssh [email protected]
Last login: Mon May 20 16:31:46 2019 from 10.0.52.8
[root@k8s ~]# hostname
k8s.node1
[root@k8s ~]#
- 先将公钥文件传输到k8s.node2上,然后将文件导入到~/.ssh/authorized_keys
k8s.master 上执行
[root@k8s ~]# scp .ssh/id_rsa.pub [email protected]:~
The authenticity of host '10.0.52.6 (10.0.52.6)' can't be established.
ECDSA key fingerprint is SHA256:YERr5FvWvvtzZpMM8VHSQKm8fhbQOcuqu/EKMSlwzfA.
ECDSA key fingerprint is MD5:f7:69:37:a2:91:ae:fb:1f:82:bf:0d:d3:41:b8:8f:13.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.52.6' (ECDSA) to the list of known hosts.
[email protected]'s password:
id_rsa.pub 100% 397 708.0KB/s 00:00
在k8s.node2上执行
[root@k8s ~]# ls -al
total 36
dr-xr-x---. 2 root root 169 May 21 10:30 .
dr-xr-xr-x. 17 root root 224 May 20 14:47 ..
-rw-------. 1 root root 1248 May 20 14:47 anaconda-ks.cfg
-rw-------. 1 root root 56 May 20 16:14 .bash_history
-rw-r--r--. 1 root root 18 Dec 29 2013 .bash_logout
-rw-r--r--. 1 root root 176 Dec 29 2013 .bash_profile
-rw-r--r--. 1 root root 176 Dec 29 2013 .bashrc
-rw-r--r--. 1 root root 100 Dec 29 2013 .cshrc
-rw-r--r--. 1 root root 397 May 21 10:27 id_rsa.pub
-rw-r--r--. 1 root root 129 Dec 29 2013 .tcshrc
-rw-------. 1 root root 4011 May 20 17:08 .viminfo
[root@k8s ~]# mkdir .ssh
[root@k8s ~]# ls -al
total 36
dr-xr-x---. 3 root root 181 May 21 10:31 .
dr-xr-xr-x. 17 root root 224 May 20 14:47 ..
-rw-------. 1 root root 1248 May 20 14:47 anaconda-ks.cfg
-rw-------. 1 root root 56 May 20 16:14 .bash_history
-rw-r--r--. 1 root root 18 Dec 29 2013 .bash_logout
-rw-r--r--. 1 root root 176 Dec 29 2013 .bash_profile
-rw-r--r--. 1 root root 176 Dec 29 2013 .bashrc
-rw-r--r--. 1 root root 100 Dec 29 2013 .cshrc
-rw-r--r--. 1 root root 397 May 21 10:27 id_rsa.pub
drwxr-xr-x. 2 root root 6 May 21 10:31 .ssh
-rw-r--r--. 1 root root 129 Dec 29 2013 .tcshrc
-rw-------. 1 root root 4011 May 20 17:08 .viminfo
[root@k8s ~]# cat id_rsa.pub >> ~/.ssh/authorized_keys
[root@k8s ~]#
在k8s.master上执行
[root@k8s ~]# ssh [email protected]
Last login: Mon May 20 17:30:48 2019 from 10.0.52.13
[root@k8s ~]# hostname
k8s.node2
[root@k8s ~]#
我们接下来看看k8s.node1和k8s.node2上的~/.ssh/authorized_keys文件中的内容
k8s.node1
[root@k8s .ssh]# cat authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8xxlPOyuXmPEEFHkINeh+yDpNFIIr0Nmc2cE3iFz/o+ni9M6R1ynbF8zqdEc5CBhkI79oqlXdCuqPT4haySB0PL7lzSg+LFxPj1p+ngwHxCCA9X4nw1ZeCFw0uA/B4x94Wrek2DaGUxd3MVw4fVn1CWvezqEsXrPdhEb5RwbzQF056qkSKOEP0r4FqBmSlnnkXbwmkaGOn+s1gF7yN7eV7HawiXttzQAAVOTIHCdJ0hQn/1skTxY5/KOI5zHnfjdaN0MlsvHoQtbs2Sh4H/cEP8/7kP8U8K/CEXTbC+tK6uzv1suU1jHB3W4+7lezvJaSbgm80Ujv2laKodnM2DoB [email protected]
[root@k8s .ssh]#
k8s.node2
[root@k8s .ssh]# cat authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8xxlPOyuXmPEEFHkINeh+yDpNFIIr0Nmc2cE3iFz/o+ni9M6R1ynbF8zqdEc5CBhkI79oqlXdCuqPT4haySB0PL7lzSg+LFxPj1p+ngwHxCCA9X4nw1ZeCFw0uA/B4x94Wrek2DaGUxd3MVw4fVn1CWvezqEsXrPdhEb5RwbzQF056qkSKOEP0r4FqBmSlnnkXbwmkaGOn+s1gF7yN7eV7HawiXttzQAAVOTIHCdJ0hQn/1skTxY5/KOI5zHnfjdaN0MlsvHoQtbs2Sh4H/cEP8/7kP8U8K/CEXTbC+tK6uzv1suU1jHB3W4+7lezvJaSbgm80Ujv2laKodnM2DoB [email protected]
[root@k8s .ssh]#
综上所述,我们看到其实~/.ssh/authorized_keys保存的内容就是k8s.master上面公钥 id_rsa.pub的内容.
其实ssh-copy-id是在/usr/bin/ssh-copy-id 的一个脚本文件,如果你有兴趣,可以读一读这个脚本,一共连注释才320行,不过里面却有不少shell编程技巧可以学习。
谢谢!