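Configuring SSH Mutual Trust Between Linux Systems
I. Introduction to SSH mutual trust
SSH mutual trust means that two machines (terminal-1 and terminal-2) have key files set up in advance for authentication, so that when they access each other, authentication happens automatically and no password has to be entered again.
How it works:
1. Generate each machine's own key files on the machines to be configured for mutual trust (terminal-1 and terminal-2).
2. Collect all the key files into a single combined file (~/.ssh/authorized_keys).
3. Send the bundled keys to the machines that are to trust each other (terminal-1 and terminal-2).
4. Verify the mutual trust.
II. Walkthrough
1. Check the two machines (sam 172.16.211.129, suzzy 172.16.211.130)
terminal-1: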
    [root@sam ~]# hostname
    sam
terminal-2:
    [root@suzzy ~]# hostname
    suzzy
2. ssh from sam to suzzy (the correct password must be entered to log in)
Correct password:
    [root@sam ~]# ssh suzzy
    The authenticity of host 'suzzy (172.16.211.130)' can't be established.
    RSA key fingerprint is e0:4b:15:f3:fe:6c:2d:11:f7:ad:7e:a6:d6:65:0e:0d.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added 'suzzy,172.16.211.130' (RSA) to the list of known hosts.
    root@suzzy's password:
    Last login: Fri Oct 30 15:27:15 2015 from 172.16.211.1
    [root@suzzy ~]#
Wrong password:
    [root@sam ~]# ssh suzzy
    root@suzzy's password:
    Permission denied, please try again.
    root@suzzy's password:
    Permission denied, please try again.
    root@suzzy
3. Create the directory used for mutual trust and set its permissions (if it does not already exist). If you have ever used ssh to log in to the other machine, this directory is created automatically, even if the login did not succeed.
    [root@sam ~]# rm -rf .ssh
    [root@sam ~]# mkdir .ssh
    [root@sam ~]# chmod 755 .ssh
    [root@sam ~]# ls -la
    total 376
    dr-xr-x---. 31 root root 4096 Oct 30 16:05 .
    dr-xr-xr-x. 28 root root 4096 Aug 31 15:28 ..
    drwxr-xr-x. 2 root root 4096 Nov 27 2014 .abrt
    … ...
    drwxr-xr-x 2 root root 4096 Oct 30 16:05 .ssh
4. Generate the keys (press Enter to accept the defaults)
On sam:
    [root@sam ~]# /usr/bin/ssh-keygen -t rsa
    Generating public/private rsa key pair.
    Enter file in which to save the key (/root/.ssh/id_rsa):
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /root/.ssh/id_rsa.
    Your public key has been saved in /root/.ssh/id_rsa.pub.
    The key fingerprint is:
    70:d2:c8:c6:01:6d:1c:2b:2e:8c:89:c0:ae:fc:14:2d root@sam
    The key's randomart image is:
    +--[ RSA 2048]----+
    | .+o. |
    |. o+= |
    |.. ..O o |
    |++ ..o + |
    |+.oE.. S |
    |o .o |
    |.. . |
    | o |
    | . |
    +-----------------+
    [root@sam .ssh]# ll
    total 8
    -rw------- 1 root root 1675 Oct 30 17:42 id_rsa
    -rw-r--r-- 1 root root 390 Oct 30 17:42 id_rsa.pub
    [root@sam .ssh]# /usr/bin/ssh-keygen -t dsa
    Generating public/private dsa key pair.
    Enter file in which to save the key (/root/.ssh/id_dsa):
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /root/.ssh/id_dsa.
    Your public key has been saved in /root/.ssh/id_dsa.pub.
    The key fingerprint is:
    9e:12:19:4e:6a:d5:46:64:47:3d:f9:2a:11:e0:49:ad root@sam
    The key's randomart image is:
    +--[ DSA 1024]----+
    | .*+o. . |
    | * oo + |
    | + =. . o |
    | = +E . . |
    | o + S . . |
    | . o .. . |
    | . o . |
    | . |
    | |
    +-----------------+
    [root@sam .ssh]# ll
    total 16
    -rw------- 1 root root 672 Oct 30 17:49 id_dsa
    -rw-r--r-- 1 root root 598 Oct 30 17:49 id_dsa.pub
    -rw------- 1 root root 1675 Oct 30 17:42 id_rsa
    -rw-r
Note: do the same on suzzy.
    [root@suzzy ~]# ssh-keygen -t rsa
    Generating public/private rsa key pair.
    Enter file in which to save the key (/root/.ssh/id_rsa):
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /root/.ssh/id_rsa.
    Your public key has been saved in /root/.ssh/id_rsa.pub.
    The key fingerprint is:
    d9:d1:27:75:5b:85:a2:af:77:75:83:74:d1:2a:02:35 root@suzzy
    The key's randomart image is:
    +--[ RSA 2048]----+
    | .E ..*|
    | . o...o+|
    | ...o..o.|
    | oo..+.. |
    | S .o..o |
    | .. .o|
    | . .o|
    | . . . |
    | . . |
    +-----------------+
    [root@suzzy ~]# ssh-keygen -t dsa
    Generating public/private dsa key pair.
    Enter file in which to save the key (/root/.ssh/id_dsa):
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /root/.ssh/id_dsa.
    Your public key has been saved in /root/.ssh/id_dsa.pub.
    The key fingerprint is:
    c4:94:b1:87:9a:34:1d:35:cb:51:03:12:f1:86:b7:fe root@suzzy
    The key's randomart image is:
    +--[ DSA 1024]----+
    | B*=oo |
    | +.O + . |
    | o B B |
    | . = + . |
    | o S . |
    | . |
    | . |
    | . |
    | E |
    +
5. Copy the contents of the public key files id_rsa.pub and id_dsa.pub from every host into the ~/.ssh/authorized_keys file, and place that file on all the machines. Note: the first time you use ssh to reach a remote host, its RSA key is unknown, so you are prompted to confirm it. Once you confirm, SSH records the remote host's RSA key, and from then on connecting to that host requires no password.
    [root@sam .ssh]# cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
    [root@sam .ssh]# cat ~/.ssh/id_dsa.pub >> ~/.ssh/authorized_keys
    [root@sam .ssh]# ssh root@suzzy cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
    The authenticity of host 'suzzy (172.16.211.130)' can't be established.
    RSA key fingerprint is e0:4b:15:f3:fe:6c:2d:11:f7:ad:7e:a6:d6:65:0e:0d.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added 'suzzy,172.16.211.130' (RSA) to the list of known hosts.
    root@suzzy's password:
    [root@sam .ssh]# ssh root@suzzy cat ~/.ssh/id_dsa.pub >> ~/.ssh/authorized_keys
    root@suzzy
6. Check the combined key file
    [root@sam .ssh]# ls -l authorized_keys
    -rw-r--r-- 1 root root 1980 Oct 30 18:19 authorized_keys
    [root@sam .ssh]# cat authorized_keys
    ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAzxsnq3tyb50Z+uRGp0tFpMOSTqZpvOvcyrB0S2vbL0YdUl4oJg2xnwo6duteS5EHzoVKzRjSdfrDM5owKRVsWJnufAA/o6z0kiiYje6Cvfd5hlw/jgJtU1TVuzZsj+bwnCzWuSKfkkM/uhBvWk9UQe0GuTClUn4bxuXuFNGwWuDi020pwwNLdUbEtH93rhWFGskUrj9s2RLd3eDquT18TQzNGwwG0PrbedxyT57aVdbqKyLnxMDx/eOHKW4dWZQMIaUe/n73rjuGG43F6oRFk3R52bMSdOqYqljUSI5FmtBAAO1AyTALldg09rdg6PqTlYyQvLt1T9JVok6BLm9nHQ== root@sam
    ssh-dss … root@sam
    ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA1H5kArvHN1jagQEUIwTHBEQXI0CHNgMJMZrnIlgNY2ssSFKfJdCdA8bfBtoIesfBSLfyQHFFqwh5CZqfXTlhL6JLlVL0anUnpEHX9v5B1vrNIfsQTXhfjXpyJOJNd1pWFweOQLq/fSvuoWvxQQESBloN8rUFs+eXvxMYi4y5rfQ+9MkJ6y+6HA1JB2KlHadzoA0vbZ4JxS/gcifhAzCv0goEw6ulNwHxdgx4Sp3EG+i8QxlSjV3BJ16FknaMRV8eMy8+pRibY6dWB+FW7sV5rQoT9/2PaqgUf0rMvCPzDE4aNpPYPXiU53dX+691iarmQo1Km26YHu7gDPsGbxa+lw== root@suzzy
    ssh-dss … root@suzzy
7. Copy the combined key file to the corresponding directory on the other machines
    [root@sam .ssh]# scp authorized_keys root@suzzy:~/.ssh/
    root@suzzy
8. Test the connection (the first time you still have to answer yes; the second time that is no longer needed)
    [root@sam ~]# ssh suzzy
    Last login: Fri Oct 30 18:25:38 2015 from sam
    [root@suzzy ~]# ssh sam
    Last login: Fri Oct 30 18:26:34 2015 from suzzy
    [root@sam ~]#
9. Change the permissions of the authorized_keys file to 600 for security; this has to be done on every machine
    [root@sam ~]# cd .ssh
    [root@sam .ssh]# ls -l authorized_keys
    -rw-r--r-- 1 root root 1980 Oct 30 18:19 authorized_keys
    [root@sam .ssh]# chmod 600 authorized_keys
    [root@sam .ssh]# ls -l authorized_keys
    -rw
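The end state of steps 3 to 9 can be checked with a small audit, given here as an added example that is not part of the original article. The names audit_ssh_dir, mode_of and make_sample and the sample key strings are constructed; the audit flags modes looser than 700/600 and the ssh-dss keys generated in step 4, a key type OpenSSH has disabled by default since release 7.0.

```shell
#!/bin/sh
# Added example, not from the original article; names and sample data are constructed.

# Mode string as `ls -l` prints it (first 10 characters), e.g. -rw-------
mode_of() { ls -ld "$1" | cut -c1-10; }

# audit_ssh_dir DIR: print one finding per line, return 1 if there are any.
audit_ssh_dir() {
    dir=$1; rc=0
    # With StrictModes, sshd refuses keys when ~/.ssh or authorized_keys is
    # group/world-writable; 700 and 600 are the conventional, tighter modes.
    [ "$(mode_of "$dir")" = "drwx------" ] ||
        { echo "DIR_MODE $(mode_of "$dir") $dir"; rc=1; }
    for f in "$dir"/authorized_keys "$dir"/id_*; do
        case $f in *.pub) continue ;; esac
        [ -f "$f" ] || continue
        [ "$(mode_of "$f")" = "-rw-------" ] ||
            { echo "FILE_MODE $(mode_of "$f") $f"; rc=1; }
    done
    [ -f "$dir/authorized_keys" ] || return $rc
    # Entry layout: [options] keytype base64 [comment]. Find the key type,
    # then flag DSA entries and key blobs listed more than once.
    out=$(awk '
        /^[ \t]*#/ || NF == 0 { next }
        { for (i = 1; i < NF; i++)
              if ($i ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-[a-z0-9]+|sk-[a-z0-9@.-]+)$/) break
          if (i >= NF) { print "UNPARSED line " NR; next }
          if ($i == "ssh-dss") print "WEAK_KEY ssh-dss line " NR " " $(i+2)
          if (seen[$(i+1)]++) print "DUPLICATE_KEY line " NR " " $(i+2) }
    ' "$dir/authorized_keys")
    [ -z "$out" ] || { printf '%s\n' "$out"; rc=1; }
    return $rc
}

# Constructed sample: the article's state after step 8 (.ssh 755,
# authorized_keys 644, RSA and DSA keys of both hosts; blobs are fake).
make_sample() {
    mkdir -p "$1" && chmod 755 "$1"
    printf '%s\n' 'ssh-rsa AAAAconstructed1 root@sam' \
        'ssh-dss AAAAconstructed2 root@sam' \
        'ssh-rsa AAAAconstructed3 root@suzzy' \
        'ssh-dss AAAAconstructed4 root@suzzy' > "$1/authorized_keys"
    chmod 644 "$1/authorized_keys"
}
d=$(mktemp -d)/.ssh; make_sample "$d"; audit_ssh_dir "$d" || true
```

On the sample it reports four findings: the 755 directory, the 644 authorized_keys, and the two ssh-dss entries.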
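III. Summary
With Oracle 10g, this mutual-trust setup has to be done by hand before configuring RAC (Real Application Cluster). Starting with the 11g installer, it can be configured with a button in the graphical interface, which is quite easy. We should still master the technique, though, because whenever passwordless login is needed it still has to be configured by hand. Core skills like this must not be lost.
Source: ITPUB blog, link: http://blog.itpub.net/26148431/viewspace-2145771/. If you reproduce this article, please credit the source; otherwise legal action will be pursued.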