
CentOS 7 passwordless two-way SSH login tutorial

Servers:

Master IP: 192.168.2.66

Slave1 IP: 192.168.2.10

Slave2 IP: 192.168.2.18

I. First, set up one-way login: Master can ssh into slave1 and slave2 without a password

1. On all three servers, edit the /etc/ssh/sshd_config configuration file

[root@master ~]# vim /etc/ssh/sshd_config

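Remove the comment character (#) from the following lines. These three settings enable RSA public key authentication; the authorization file is ~/.ssh/authorized_keys

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

Save and exit (wq), then restart the ssh service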

[root@master ~]# systemctl restart sshd.service

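2. On all three servers, check whether .ssh exists in the user's home directory; if it does not, create it manually. The root user is used here for demonstration.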

[root@master ~]# ll -a
total 60
dr-xr-x---. 7 root root 4096 Mar 19 17:17 .
dr-xr-xr-x. 20 root root 4096 Mar 19 17:12 ..
-rw-------. 1 root root 1138 Sep 12 2017 anaconda-ks.cfg
-rw-------. 1 root root 52 Mar 19 17:11 .bash_history
-rw-r--r--. 1 root root 18 Dec 29 2013 .bash_logout
-rw-r--r-- 1 root root 201 Jan 16 18:54 .bash_profile
-rw-r--r--. 1 root root 176 Dec 29 2013 .bashrc
drwxr-xr-x. 3 root root 4096 Sep 12 2017 .cache
drwxr-xr-x. 3 root root 4096 Sep 12 2017 .config
-rw-r--r--. 1 root root 100 Dec 29 2013 .cshrc
drwxr-xr-x 2 root root 4096 Nov 14 17:14 .oracle_jre_usage
drwxr-----. 3 root root 4096 Sep 13 2017 .pki
drwx------. 2 root root 4096 Mar 19 15:50 .ssh
-rw-r--r--. 1 root root 129 Dec 29 2013 .tcshrc
-rw------- 1 root root 850 Mar 19 17:17 .viminfo

3. Generate the ssh public and private key files

[root@master ~]# cd .ssh/
[root@master .ssh]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:UXhkXi1bx/a3jrSoHYhu6C+vD2cWnd67rBjpQEiSk3w root@master
The key's randomart image is:
+---[RSA 2048]----+
| o+ .. . |
|. o .+... o +|
| * E ... + o.|
| = . ... . o|
| . . .So o|
| . = o . . |
| o.B o oo + |
| oO.o o.oo . |
| .oBB oo=. |
+----[SHA256]-----+

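No input is needed; just press Enter at every prompt. When generation finishes, you will find two files, id_rsa and id_rsa.pub, in the .ssh directory under the user's home directory (cd ~/.ssh):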

[root@master .ssh]# ll
total 8
-rw------- 1 root root 0 Mar 19 15:50 authorized_keys
-rw------- 1 root root 1675 Mar 19 17:26 id_rsa
-rw-r--r-- 1 root root 393 Mar 19 17:26 id_rsa.pub

4. Append the ssh public key to the local machine's ssh authorization file:

[root@master .ssh]# cat id_rsa.pub >> authorized_keys

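5. Add master's public key to the authorized_keys file on the slave1 server; for slave2, copy master's public key to authorized_keys in the same way. Note that scp writes the file at the destination path, so any authorized_keys already present on the slave is replaced rather than appended to.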

[root@master ~]# cd .ssh/
[root@master .ssh]# scp id_rsa.pub root@192.168.2.10:~/.ssh/authorized_keys
The authenticity of host '192.168.2.10 (192.168.2.10)' can't be established.
ECDSA key fingerprint is SHA256:ZTtQLCTg21cYLQ5iJa5LkC51xN6lKGxVyLRAxjXPUOw.
ECDSA key fingerprint is MD5:6d:5b:e9:d9:bd:12:64:06:c5:cc:a2:07:a6:99:96:3d.
Are you sure you want to continue connecting (yes/no) yes
Warning: Permanently added '192.168.2.10' (ECDSA) to the list of known hosts.
root@192.168.2.10's password:
id_rsa.pub 100% 393 1.2MB/s 00:00

6. Test that login works

[root@master .ssh]# ssh 192.168.2.10
Last login: Mon Mar 19 21:07:28 2018 from 59.42.207.235
[root@slave1 ~]#
[root@master .ssh]# ssh 192.168.2.18
Last login: Mon Mar 19 21:07:33 2018 from 113.109.21.73
[root@slave2 ~]#

7. If login fails, check the file and directory permissions

[root@master ~]# chmod 700 .ssh
[root@master ~]# chmod 600 .ssh/authorized_keys

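II. Two-way login: the slave servers can also log in to the master server

1. The basic steps are the same as above, except that when copying the slave servers' public keys to master, give each copy its own name first. Otherwise the second copy overwrites the first, and the first slave can no longer log in.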

[root@slave1 .ssh]# scp id_rsa.pub root@192.168.2.66:~/.ssh/authorized_keys_slave1
root@192.168.2.66's password:
id_rsa.pub 100% 393 0.4KB/s 00:00
[root@slave2 .ssh]# scp id_rsa.pub root@192.168.2.66:~/.ssh/authorized_keys_slave2
The authenticity of host '192.168.2.66 (192.168.2.66)' can't be established.
ECDSA key fingerprint is b8:0f:8c:d2:9f:10:65:22:73:ea:ea:02:75:89:5d:98.
Are you sure you want to continue connecting (yes/no) yes
Warning: Permanently added '192.168.2.66' (ECDSA) to the list of known hosts.
root@192.168.2.66's password:
id_rsa.pub 100% 393 0.4KB/s 00:00

2. Back on the master server, append the authorized_keys_slave1 and authorized_keys_slave2 files to the single authorized_keys file

[root@master .ssh]# ll
total 24
-rw------- 1 root root 393 Mar 19 17:29 authorized_keys
-rw-r--r-- 1 root root 393 Mar 19 21:30 authorized_keys_slave1
-rw-r--r-- 1 root root 393 Mar 19 21:32 authorized_keys_slave2
-rw------- 1 root root 1675 Mar 19 17:26 id_rsa
-rw-r--r-- 1 root root 393 Mar 19 17:26 id_rsa.pub
-rw-r--r-- 1 root root 348 Mar 19 21:21 known_hosts
[root@master .ssh]# cat authorized_keys_slave1 >> authorized_keys
[root@master .ssh]# cat authorized_keys_slave2 >> authorized_keys

After merging, the authorized_keys_* files can be deleted

3. Test that slave1 and slave2 can log in to master successfully

[root@slave1 .ssh]# ssh 192.168.2.66
Last failed login: Mon Mar 19 21:32:10 CST 2018 from 192.168.2.10 on ssh:notty
There were 2 failed login attempts since the last successful login.
Last login: Mon Mar 19 21:28:38 2018 from 113.109.21.73
[root@master ~]#
[root@slave2 .ssh]# ssh 192.168.2.66
Last login: Mon Mar 19 21:36:32 2018 from 192.168.2.10
[root@master ~]#
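
Steps I.4, I.5 and II.2 all come down to adding a public key to authorized_keys without losing the entries already in it. The function below is an added example, not part of the original tutorial: it appends each key only if that exact line is absent and applies the permissions from step 7. The name merge_pubkey and its arguments are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not from the original tutorial). merge_pubkey is a
# hypothetical helper name.
# Usage: merge_pubkey PUBKEY_FILE [SSH_DIR]
# Appends every key line in PUBKEY_FILE to SSH_DIR/authorized_keys unless the
# identical line is already there, and prints how many lines were added.
merge_pubkey() {
    pub=$1
    dir=${2:-$HOME/.ssh}
    auth=$dir/authorized_keys
    added=0

    [ -r "$pub" ] || { echo "cannot read $pub" >&2; return 1; }

    # Permissions from step 7 (sshd's StrictModes check rejects
    # group- or world-writable paths).
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1

    # If the existing file lacks a final newline, add one so the new key
    # is not glued onto the previous entry.
    if [ -s "$auth" ] && [ -n "$(tail -c 1 "$auth")" ]; then
        echo >> "$auth"
    fi

    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;                           # blank or comment
            ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) ;;  # looks like a key
            *) echo "skipping non-key line in $pub" >&2; continue ;;
        esac
        # -x whole line, -F literal: add only if this exact entry is absent.
        if ! grep -qxF -- "$line" "$auth"; then
            printf '%s\n' "$line" >> "$auth"
            added=$((added + 1))
        fi
    done < "$pub"

    echo "$added"
}

# On master, after step II.1 has copied the slave keys over:
#   merge_pubkey ~/.ssh/authorized_keys_slave1
#   merge_pubkey ~/.ssh/authorized_keys_slave2
```

Running it twice with the same key file leaves authorized_keys unchanged the second time, so it is safe to repeat.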