The use and configuration of Ssh-keygen Authorized_keys two Linux machines mutual authentication __linux

I. Overview

1, is to allow two Linux machines to use SSH between the user name and password is not required. Digital signature RSA or DSA is used to complete this operation.

2. Model Analysis

Assuming that a (192.168.20.59) is a client machine, B (192.168.20.60) is the target machine;

The purpose to be achieved:
A machine SSH login B machine does not need to enter a password;
Encryption method to select RSA|DSA, the default DSA

Second, the specific operation process

One-way landing procedures (to meet the above purposes):
1, Login a machine
2, Ssh-keygen-t [RSA|DSA], will generate the key file and private key file id_rsa,id_rsa.pub or id_dsa,id_dsa.pub
3. Copy the. pub file to the. SSH directory of B machine, and cat id_dsa.pub >> ~/.ssh/authorized_keys
4, finished, from a machine login B machine target account, no longer need password; (Directly run #ssh 192.168.20.60 )

Two-way landing operation process:

1, Ssh-keygen do password verification can be made to the other machine ssh, SCP do not use the password. The specific methods are as follows:
2, two nodes perform operations:#ssh-keygen-t RSA
Then all enter, using the default value.

3, this generates a pair of keys, stored in the user directory under the ~/.SSH.
take the public key to the other machine's user directory and copy it to ~/.ssh/authorized_keys (Operation command:#cat id_dsa.pub >> ~/.ssh/authorized_keys ).

4. Set file and directory permissions:

Set Authorized_keys Permissions
$ chmod Authorized_keys
setting. SSH Directory Permissions
$ chmod 700-r. SSH

5, to ensure that. Both SSH and Authorized_keys have write permission only to the user. Otherwise the validation is invalid. (Today is the problem, looking for a long time the problem), in fact, think about it, this is to avoid system vulnerabilities.

When I visit 20.59 from 20.60, I will be prompted with the following error: [Java] view plain Copy the authenticity of host ' 192.168.20.59 (192.168.20.59) ' can ' t   be established.   RSA key fingerprint is 6a:37:c0:e1:09:a4:29:8d:68:d0:ca:21:20:94:be:18. Are you sure your want to continue connecting (yes/no)?   Yes warning:permanently added ' 192.168.20.59 ' (RSA) to the list of known hosts.   root@192.168.20.59 ' s password:permission denied, please try again.   root@192.168.20.59 ' s password:permission denied, please try again. root@192.168.20.59 ' s password:permission denied (Publickey,gssapi-with-mic,password).

Iii. Summary of matters needing attention

1, file and directory permissions must not be set to chmod 777. This permission is too large, unsafe, and digital signature is not supported. I'm starting to figure out how to do it.

2, the generated RSA/DSA signature of the public key is to the other machine use. This public key content is also copied to the Authorized_keys

3, access between Linux direct SSH machine IP

4, a machine to generate their own RSA or DSA digital signature, the public key to the target machine, and then the target machine after receiving the relevant permissions (public and Authorized_keys permissions), the target machine can be generated digitally signed machine without password access

Add:

The way Jenkins Master and slave Communicate:

Copy Master's public key to Slave's ~/.ssh/authorized_keys and save slave private key to a PPK file on master.

Jenkins will automatically do other configuration work, such as copy slave agent binary, start and stop slave.