Realize SSH Trust under Linux

Source: Internet
Author: User

This article shows how to set up mutual trust for SSH login and data transfer. Mutual trust means that servers can log in to each other over SSH, or transfer data between each other, without entering a password. The details follow.

This experiment uses three CentOS servers, A, B and C, which will log in to each other over SSH and transfer data without entering a password.

Hostname: a  IP: 192.168.5.21

Hostname: b  IP: 192.168.5.22

Hostname: c  IP: 192.168.5.23

Environment requirement: the three servers access each other over SSH (SCP) without entering a password. SCP runs over the SSH protocol, so once SSH is mutually trusted, SCP data transfer is mutually trusted as well.

We need to install openssh-clients on each server:

yum install -y openssh-clients

We generate the key files on server A:

ssh-keygen -t rsa

Press Enter at every prompt:

The first Enter accepts the path where the key file is saved.

The second Enter confirms.

The .ssh directory (the authentication directory) is created; then keep pressing Enter through the remaining prompts.

ls .ssh/

View the generated key files.

A pair of key files is generated in the /root/.ssh directory:

id_rsa: private key

id_rsa.pub: public key

Now use cat id_rsa.pub >> authorized_keys to generate the verification file.

The file must be named authorized_keys.

Why this name? Look at the SSH server configuration file:

vim /etc/ssh/sshd_config

cat id_rsa.pub >> authorized_keys

Note: when generating the verification file with cat id_rsa.pub >> authorized_keys, the append form (>>) must be used.

We look at the verification file; it contains only host A's own public key:

cat authorized_keys

We can see that the key of the current server (A) is already in the verification file.

Host B also generates a key pair:

ssh-keygen -t rsa

Copy the public key generated by server B to server A:

ssh-copy-id -i id_rsa.pub root@192.168.5.21

Then we can view the authorized_keys file on server A; the authentication key of server B has been added.

At this point B to A works: neither copying nor SSH login requires a password.

But A to B still requires a password.

Now just copy the verification file from A to machine B:

scp authorized_keys root@192.168.5.22:/root/.ssh/

We also view the verification file on server B.

Next we SSH from server A to server B.

Finally we look at server C.

We also need to generate a key pair on server C:

ssh-keygen -t rsa

Copy the public key generated by server C to servers A and B:

ssh-copy-id -i id_rsa.pub root@192.168.5.21
ssh-copy-id -i id_rsa.pub root@192.168.5.22

Then we can view the authorized_keys files on servers A and B; each now has one more entry, the authentication key of server C.

Server A has the public key of server C.

Server B also has the public key of server C.

But A to C and B to C still require a password.

Just copy the verification file from A to machine C, and from B to machine C.

Execute on server A:

scp authorized_keys root@192.168.5.23:/root/.ssh/

Execute on server B:

scp authorized_keys root@192.168.5.23:/root/.ssh/

Finally, we view the contents of the verification file on server C:

cat authorized_keys

From server C we SSH into servers A and B.

From server A we SSH into servers B and C.

Finally, from server B we SSH into servers A and C.

Finally, let's test file copying.

First create a new file on server A, then test the copy; every transfer completes without entering a password.

# touch a.txt
# echo A >> a.txt
# scp a.txt root@192.168.5.22:/root
# scp a.txt root@192.168.5.23:/root

We check on server B.

Next we test file transfer from B to A and from B to C; we also create a file b.txt on server B.

Tested: the transfer completes without entering a password.

# touch b.txt
# echo b-s >> b.txt
# ls b.txt
b.txt

Finally, we test file transfer from C to A and from C to B, and also create a file c.txt on server C.

Tested: the transfer completes without entering a password.

# touch c.txt
# echo c-s >> c.txt
# ls c.txt
c.txt
# scp c.txt root@192.168.5.21:/root/c.txt
# scp c.txt root@192.168.5.22:/root/c.txt
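
The append step used throughout this walkthrough (cat id_rsa.pub >> authorized_keys) as a re-runnable helper, added here as an example and not taken from the original article: it appends a key only if it is not already listed and sets the file modes sshd expects. The names trust_key and list_trusted and the key strings are constructed for illustration, and entries are assumed to have no leading options field.

```shell
#!/bin/sh
# Added example (not from the original article). Key strings below are
# constructed placeholders, not real keys; both helpers are hypothetical.

# trust_key HOME_DIR "PUBKEY LINE": add one key to HOME_DIR/.ssh/authorized_keys.
trust_key() {
    target=$1; key=$2
    dir="$target/.ssh"; file="$dir/authorized_keys"
    # sshd (StrictModes, on by default) ignores the file when the directory
    # or the file is writable by group/other, so set the modes explicitly.
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    [ -e "$file" ] || : > "$file" || return 1
    chmod 600 "$file"
    # Compare on "type base64" only, so a changed comment is not a new key.
    blob=$(printf '%s\n' "$key" | awk '{print $1 " " $2}')
    if awk -v b="$blob" '($1 " " $2) == b {found=1} END {exit !found}' "$file"; then
        return 0    # already trusted: re-running adds no duplicate line
    fi
    printf '%s\n' "$key" >> "$file"   # append (>>); ">" would drop existing keys
}

# list_trusted HOME_DIR: print "type comment" for every key that may log in.
list_trusted() {
    awk 'NF >= 2 && $1 !~ /^#/ {print $1, ($3 == "" ? "(no comment)" : $3)}' \
        "$1/.ssh/authorized_keys"
}

# Constructed demo: one throwaway directory stands in for each of A, B and C.
demo() {
    base=$(mktemp -d) || return 1
    for host in a b c; do
        for peer in a b c; do
            trust_key "$base/$host" "ssh-rsa AAAAB3CONSTRUCTED${peer} root@${peer}"
        done
    done
    trust_key "$base/a" "ssh-rsa AAAAB3CONSTRUCTEDb root@b"   # repeat: no effect
    list_trusted "$base/a"
    rm -rf "$base"
}

demo
```

Unlike copying authorized_keys with scp, which replaces the target's file, this merges a key into whatever is already trusted there, and list_trusted shows exactly which accounts can log in as a result.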


This article is from the "Gao Wenrong" blog; reprinting is declined.
