[精华] 服务器间通过ssh使用密钥对实现无密码登录solaris,redhat,linux |
|---|
|
| http://www.chinaunix.net 作者:yuhuohu 发表于:2008-05-09 15:48:02 |
|
【发表评论】
【查看原文】
【Solaris讨论区】【关闭】
|
受flutter的启发,把bigadmin上的文档完善并简化一下,非常简单。
E文原址:http://www.sun.com/bigadmin/content/submitted/ssh_setting.html
关键词:ssh 密钥 无密码登录 信任关系
以下做法在solaris 10,redhat as 5.0上测试通过。
hosta和hostb都必须同步完成以下操作,以hosta为例
================================================================
[color=#ff1200]1、创建密钥对[/color]
[root@hosta /]# who am i
root pts/1 2008-04-30 12:08 (172.16.10.220)
[root@hosta /]# [color=#01ff00]cd ~/.ssh[/color]
[root@hosta .ssh]# [color=#01ff00]ssh-keygen -t dsa[/color]
Generating public/private dsa key pair.
Enter file in which to save the key (/root/.ssh/id_dsa):
[color=#ff1ff0]Enter passphrase (empty for no passphrase):[/color]
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_dsa.
Your public key has been saved in /root/.ssh/id_dsa.pub.
The key fingerprint is:
0a:13:25:19:a2:59:2c:b1:49:e6:62:90:57:07:e5:f7 root@hosta
[color=#ff1ff0]passphrase(密钥保护) 保留为空,否则使用ssh时将要求输入passphrase(密钥保护)[/color]
[color=#ff1200]2、发布公钥和获取公钥[/color]
[root@hosta .ssh]# [color=#01ff00]scp id_dsa.pub hostb:/root/.ssh/hosta.key.pub[/color]
root@hostb's password:
id_dsa.pub 100% 600 0.6KB/s 00:00
[root@hosta .ssh]# [color=#01ff00]scp hostb:/root/.ssh/id_dsa.pub /root/.ssh/hostb.key.pub[/color]
root@hostb's password:
id_dsa.pub 100% 600 0.6KB/s 00:00
[color=#ff1200]3、对公钥授权[/color]
[root@hosta .ssh]# [color=#01ff00]cat id_dsa.pub >>authorized_keys2[/color]
[root@hosta .ssh]# [color=#01ff00]cat hostb.key.pub >>authorized_keys2[/color]
如果是ssh v1版本,比如solaris 9,就使用authorized_keys文件
[color=#ff1200]4、使用密钥对登录[/color]
[root@hosta .ssh]# ssh hostb
Last login: Sun Apr 27 00:04:49 2008 from 172.16.10.220
[color=DarkRed]已经不用输入密码[/color]:lol:lol:victory::victory:
[root@hostb ~]# exit
logout
Connection to hostb closed.
[color=#ff1200]5、查看日志[/color]
[root@hosta .ssh]# more /var/log/secure
Apr 27 10:26:47 hosta sshd[9309]: Accepted password for root from 172.16.10.220 port 239
5 ssh2
Apr 27 10:26:47 hosta sshd[9309]: pam_unix(sshd:session): session opened for user root b
y (uid=0)
Apr 27 10:41:51 hosta sshd[12195]: Accepted password for root from 172.16.10.220 port 24
08 ssh2
Apr 27 10:41:51 hosta sshd[12195]: pam_unix(sshd:session): session opened for user root
by (uid=0)
Apr 27 12:42:15 hosta sshd[3331]: pam_unix(sshd:session): session closed for user root
Apr 27 13:08:32 hosta sshd[26563]: Accepted password for root from 172.16.10.2 port 4324
7 ssh2
Apr 27 13:08:32 hosta sshd[26563]: pam_unix(sshd:session): session opened for user root
by (uid=0)
Apr 27 13:08:33 hosta sshd[26563]: pam_unix(sshd:session): session closed for user root
Apr 27 13:08:52 hosta sshd[26607]: Accepted password for root from 172.16.10.2 port 4324
8 ssh2
Apr 27 13:08:52 hosta sshd[26607]: pam_unix(sshd:session): session opened for user root
by (uid=0)
Apr 27 13:08:52 hosta sshd[26607]: pam_unix(sshd:session): session closed for user root
Apr 27 13:09:15 hosta sshd[26658]: Accepted password for root from 172.16.10.2 port 4324
9 ssh2
Apr 27 13:09:15 hosta sshd[26658]: pam_unix(sshd:session): session opened for user root
by (uid=0)
Apr 27 13:09:15 hosta sshd[26658]: pam_unix(sshd:session): session closed for user root
Apr 27 13:09:25 hosta sshd[26689]: Accepted password for root from 172.16.10.2 port 4325
0 ssh2
Apr 27 13:09:25 hosta sshd[26689]: pam_unix(sshd:session): session opened for user root
by (uid=0)
Apr 27 13:09:25 hosta sshd[26689]: pam_unix(sshd:session): session closed for user root
Apr 27 13:51:27 hosta sshd[29770]: Accepted password for root from 172.16.10.220 port 4248 ssh2
Apr 27 13:51:27 hosta sshd[29770]: pam_unix(sshd:session): session opened for user root by (uid=0)
Apr 27 13:53:54 hosta sshd[29770]: pam_unix(sshd:session): session closed for user root
Apr 27 15:13:48 hosta sshd[9309]: pam_unix(sshd:session): session closed for user root
Apr 27 15:22:20 hosta sshd[12195]: pam_unix(sshd:session): session closed for user root
Apr 27 23:37:48 hosta sshd[7798]: Accepted password for root from 172.16.10.220 port 4948 ssh2
Apr 27 23:37:48 hosta sshd[7798]: pam_unix(sshd:session): session opened for user root by (uid=0)
Apr 28 04:30:58 hosta sshd[7798]: pam_unix(sshd:session): session closed for user root
Apr 30 12:08:32 hosta sshd[15039]: Accepted password for root from 172.16.10.220 port 1637 ssh2
Apr 30 12:08:32 hosta sshd[15039]: pam_unix(sshd:session): session opened for user root by (uid=0)
Apr 30 12:11:05 hosta useradd[15282]: new group: name=mysql, GID=503
Apr 30 12:11:05 hosta useradd[15282]: new user: name=mysql, UID=503, GID=503, home=/home/mysql, shell=/bin/bash
Apr 30 12:22:18 hosta sshd[16164]: Accepted password for root from 172.16.10.2 port 47224 ssh2
Apr 30 12:22:18 hosta sshd[16164]: pam_unix(sshd:session): session opened for user root by (uid=0)
Apr 30 12:22:18 hosta sshd[16164]: pam_unix(sshd:session): session closed for user root
[color=#ff1200]6、查看ssh的详细操作记录[/color](ssh -v, scp -v or sftp -v ...)
[root@hosta .ssh]# scp -v /root/install.log hostb:/root
Executing: program /usr/bin/ssh host hostb, user (unspecified), command scp -v -t /root
OpenSSH_4.3p2, OpenSSL 0.9.8b 04 May 2006
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to hostb [172.16.10.2] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_dsa type 2
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
debug1: match: OpenSSH_4.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'hostb' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:2
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
No credentials cache found
debug1: Unspecified GSS failure. Minor code may provide more information
No credentials cache found
debug1: Unspecified GSS failure. Minor code may provide more information
No credentials cache found
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/identity
debug1: Trying private key: /root/.ssh/id_rsa
debug1: Offering public key: /root/.ssh/id_dsa
debug1: Server accepts key: pkalg ssh-dss blen 433
debug1: read PEM private key done: type DSA
debug1: Authentication succeeded (publickey).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = zh_CN.GB18030
debug1: Sending command: scp -v -t /root
Sending file modes: C0644 35582 install.log
Sink: C0644 35582 install.log
install.log 100% 35KB 34.8KB/s 00:00
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: channel 0: free: client-session, nchannels 1
debug1: fd 0 clearing O_NONBLOCK
debug1: fd 1 clearing O_NONBLOCK
debug1: Transferred: stdin 0, stdout 0, stderr 0 bytes in 0.2 seconds
debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 0.0
debug1: Exit status 0
[ 本帖最后由 yuhuohu 于 2008-5-9 14:33 编辑 ]
flutter 回复于:2008-05-09 14:47:36
呵呵,向斑斑致敬,这么快就整理出来了,网上的帖子都是缺少第2步,第3步用的也是SSH1的文件,导致很多人不成功,包括偶。
斑斑为大家开路铺石,值得敬佩。
steedz 回复于:2008-05-09 15:18:45
呵呵,这个我也经常做,补充一些:
不只是root用户,如果两个联网的主机,test1用户在主机A1上,另一台主机A2,要想实现test1登陆A2时不用敲密码直接登陆,即建立信任关系:
在A1上使用test1用户键入:ssh-keygen -t dsa
然后:scp /home/test1/.ssh/id_dsa.pub A2_ip_address:/home/test1/.ssh/id_dsa.pub_bak
最后在A2上:cd /home/test1/.ssh
cat id_dsa.pub_bak >> authorized_keys
就OK了。
当然A2上的用户不一定非要test1,其它的也可以,但是相同用户比较多见。
flutter 回复于:2008-05-09 15:45:01
LZ上,你这个办法好象不行了,网上的帖子都跟你写的一样,可就是通过不了,需要密码的,我看了N个帖子,都跟你写的一样,后来看了SUN文章,才发现多了第2步,第3步的文件也不一样了,SSH1和SSH2的文件不一样了。
steedz 回复于:2008-05-09 15:48:02
我在Solaris10上经常做,没有问题呀,可以的。
|
 |
原文链接:http://bbs.chinaunix.net/viewthread.php?tid=1095160
转载请注明作者名及原文出处
|
|
|