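This service is fairly simple; it works on the principle of a lock and a key.
There are two hosts: host A and host B.
On host A, run the ssh-keygen command (press Enter three times) to generate a private key and a public key under /root/.ssh/, then send the public key id_rsa.pub to host B.
Command to send it: scp /root/.ssh/id_rsa.pub root@10.0.0.88:/home/chkusr/
Once host B has received A's public key, move it to the /root/.ssh/ directory and rename it to authorized_keys.
Tighten the permissions: chmod 600 /root/.ssh/authorized_keys
Host A can now log in to host B directly without entering a password.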
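Renaming the received id_rsa.pub to authorized_keys, as in the manual steps above, replaces any keys host B already trusts. The function below is an added example, not part of the original post: run on host B, it appends the key instead and sets the permissions sshd expects. The name install_pubkey and its two arguments are assumptions of this sketch.

```shell
#!/bin/sh
# Added example (not from the original page).
# install_pubkey PUBKEY_FILE HOME_DIR
#   PUBKEY_FILE: the id_rsa.pub copied over from host A
#   HOME_DIR:    home directory of the account that should accept the key
install_pubkey() {
    pub=$1
    home=$2
    ssh_dir=$home/.ssh
    auth=$ssh_dir/authorized_keys

    [ -r "$pub" ] || { echo "cannot read $pub" >&2; return 1; }

    # Take the first non-empty line and refuse anything that is not a
    # public key line (for example a private key copied by mistake).
    key=$(sed -n '/[^[:space:]]/{p;q;}' "$pub")
    case $key in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) ;;
        *) echo "$pub does not look like an OpenSSH public key" >&2
           return 1 ;;
    esac

    # With StrictModes (the sshd default), keys are ignored when .ssh or
    # authorized_keys is writable by anyone other than the owner.
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1

    # If the existing file lacks a final newline, add one so the new key
    # does not get glued onto the last existing entry.
    if [ -s "$auth" ] && [ -n "$(tail -c1 "$auth")" ]; then
        printf '\n' >> "$auth"
    fi

    # Append only when this exact line is not already there (idempotent).
    if ! grep -qxF -- "$key" "$auth"; then
        printf '%s\n' "$key" >> "$auth"
    fi
}
```

With the file locations used above, the call on host B would be: install_pubkey /home/chkusr/id_rsa.pub /root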
[root@cnsz142728 ~]# ssh-keygen -t rsa (press Enter 3 times)
[root@cnsz142728 ~]# /etc/init.d/sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
[root@cnsz142728 ~]# ssh-copy-id -i /root/.ssh/id_rsa.pub root@cnsz142727
root@cnsz142727's password:
[root@cnsz142728 ~]# ssh cnsz142727
Last login: Mon Oct 9 14:01:10 2017
WARNING: If you are not authorized to access this private computer system, disconnect now. All activities on this system will be monitored and recorded without prior notification or permission!
**************************************************************************
* *
*Attention: Auditing process will report your every action! *
*Warning: Don't delete any files in directory /root/slogs!! *
* *
* -PING AN INSURANCE (GRP) COMPANY OF CHINA,LTD.*
**************************************************************************
Script started, file is /root/slogs/2017-10-16_13:39:58pts-5root.log
[root@cnsz142727 ~]# ^C
[root@cnsz142727 ~]# exit
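Points to note:
1. Make sure the private key file on machine A is named id_rsa; otherwise the private key file will not be recognized and passwordless RSA login will not take place;
2. Make sure the permissions of the .ssh/authorized_keys file on machine B are 600; otherwise use the command
3. If it still does not work, comment out these three lines (/etc/ssh/sshd_config)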
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
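Optimization items (/etc/ssh/sshd_config):
UseDNS no ### do not use DNS
GSSAPIAuthentication no ### speeds up ssh login
PermitEmptyPasswords no ### forbid login with an empty password
PermitRootLogin no ### forbid remote login as root; yes means allowed
Port 22 ### the number 22 can be changed; the default is 22. When logging in, use ssh -p321 10.0.0.1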