1. One-way password-free access
One-way password-free access to a remote server is relatively simple. For example, if server A needs to access server B without a password (A -> B), you only need to generate a key pair on server A and upload the generated public key to the .ssh directory under the user's home directory on server B (if it does not exist, create it manually; note that the directory permission must be 700), then rename the public key file to authorized_keys (note that the permission of this file should be 644). Pay attention to the permissions of the .ssh directory and the authorized_keys file: if the permissions do not match, the configuration will not take effect. The procedure is as follows:
1. Generate a key pair on the machine that needs to log on to the remote server without a password (in this example, server A):
During generation you are prompted for several options, namely the file in which to save the key pair and the passphrase for the private key; just press Enter at each prompt.
[root@mysqlcluster ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
0e:4c:ec:e3:04:98:b0:71:00:91:75:57:ee:56:a1:82 root@mysqlcluster
After the preceding step, two files, id_rsa and id_rsa.pub, are generated in the ~/.ssh directory. id_rsa is the private key and stays on the local machine; id_rsa.pub is the public key and is uploaded to the remote server.
2. Upload the public key to remote server B, the server to be logged on to without a password, and rename it to authorized_keys:
If the .ssh directory does not exist on remote server B, create it manually:
[root@www1bak ~]# mkdir .ssh
[root@www1bak ~]# chmod 700 .ssh
Then upload the public key file from server A to remote server B:
[root@mysqlcluster ~]# scp .ssh/id_rsa.pub root@192.168.15.234:/root/.ssh/authorized_keys
The authenticity of host '192.168.15.234 (192.168.15.234)' can't be established.
RSA key fingerprint is c9:ef:0c:1b:ac:6c:ef:84:a4:a7:e5:d1:20:58:c8:73.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.15.234' (RSA) to the list of known hosts. // This step adds remote server B to the known_hosts list of the local server (server A).
root@192.168.15.234's password:
id_rsa.pub 100% 399 0.4KB/s
3. Test
After the public key file is uploaded to the remote server, log on to server B from server A right away. If you are logged on to server B without being asked for a password, the operation succeeded. If you are still asked for a password, check whether the .ssh directory permission is 700, whether the public key uploaded to the remote server was renamed to authorized_keys, and whether its permission is 644.
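One way to run the permission checks from the test step on server B, as an added example that is not part of the original article. The function names check_mode and audit_ssh_dir are hypothetical, GNU stat is assumed, and modes stricter than 700/644 are accepted.

```shell
#!/bin/sh
# Added example: audit the modes this article specifies
# (.ssh = 700, authorized_keys = 644). Needs GNU stat (-c), i.e. Linux.

# check_mode PATH MAX: fail if PATH has any permission bit outside MAX.
check_mode() {
    path=$1; max=$2
    mode=$(stat -c '%a' "$path") || return 2
    # The leading 0 makes the shell read both values as octal.
    if [ $(( 0$mode & ~0$max & 07777 )) -ne 0 ]; then
        echo "FAIL $path is $mode, expected $max or stricter"
        return 1
    fi
    echo "ok   $path is $mode"
}

# audit_ssh_dir DIR: check DIR and DIR/authorized_keys.
# Exit status is the number of problems found (0 = modes match).
audit_ssh_dir() {
    dir=$1; problems=0
    [ -d "$dir" ] || { echo "FAIL $dir does not exist"; return 1; }
    check_mode "$dir" 700 || problems=$((problems + 1))
    if [ -f "$dir/authorized_keys" ]; then
        check_mode "$dir/authorized_keys" 644 || problems=$((problems + 1))
    else
        echo "FAIL $dir/authorized_keys does not exist (was the key renamed?)"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Constructed demo: a scratch directory created with mode 755, then corrected.
demo_dir=$(mktemp -d)
mkdir "$demo_dir/.ssh" && chmod 755 "$demo_dir/.ssh"
: > "$demo_dir/.ssh/authorized_keys" && chmod 644 "$demo_dir/.ssh/authorized_keys"
audit_ssh_dir "$demo_dir/.ssh" || echo "problems found: $?"
chmod 700 "$demo_dir/.ssh"
audit_ssh_dir "$demo_dir/.ssh" && echo "all checks passed"
rm -rf "$demo_dir"
```

On a real host, call `audit_ssh_dir /root/.ssh` (or the home directory of the account being logged on to) in place of the demo lines.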
2. Password-free access among multiple servers
Password-free access among multiple servers works on the same principle as one-way password-free access between two servers. However, because several servers must access one another, you cannot simply upload the public key file directly as in the two-server case. The steps are as follows:
1. Run ssh-keygen -t rsa on each server to generate a key pair:
# ssh-keygen -t rsa
2. After a key pair has been generated on each server, copy the public key to the servers that are to be logged on to without a password:
For example, the three servers 192.168.15.240, 192.168.15.241, and 192.168.15.242 need password-free login to one another. After each server has generated a key pair, run the ssh-copy-id command on each server (for detailed instructions and usage, see the appendix at the end) to copy its public key to the other two servers. 192.168.15.240 is used as the example here and the user is root; the steps on the other two servers are the same:
# ssh-copy-id -i ~/.ssh/id_rsa.pub root@192.168.15.241
# ssh-copy-id -i ~/.ssh/id_rsa.pub root@192.168.15.242
The preceding command automatically adds the public key to the file named authorized_keys. After performing the preceding steps on each server, multiple servers can log on without a password.
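The following added example (not ssh-copy-id's own code and not from the original article) shows the append-if-absent behaviour that lets one authorized_keys file hold the keys of several peers, which uploading a single public key as authorized_keys cannot do. It runs against a local scratch directory in place of a remote server; the function name install_pubkey and the key strings are constructed for illustration.

```shell
#!/bin/sh
# Added example (not ssh-copy-id's own code): append-if-absent key install,
# run here against a local scratch directory instead of a remote host.

# install_pubkey PUBFILE SSHDIR: add each key line in PUBFILE to
# SSHDIR/authorized_keys unless that exact line is already there.
install_pubkey() {
    pub=$1; sshdir=$2; auth=$sshdir/authorized_keys
    [ -s "$pub" ] || { echo "no public key in $pub" >&2; return 1; }
    mkdir -p "$sshdir" && chmod 700 "$sshdir" || return 1
    # A new file gets the article's 644; an existing file keeps its mode.
    [ -e "$auth" ] || { : > "$auth"; chmod 644 "$auth"; }
    # If the file does not end in a newline, add one so keys never merge.
    if [ -n "$(tail -c 1 "$auth")" ]; then echo >> "$auth"; fi
    while IFS= read -r key || [ -n "$key" ]; do
        [ -n "$key" ] || continue
        # -x whole line, -F literal string: exact-match test
        grep -qxF -- "$key" "$auth" || printf '%s\n' "$key" >> "$auth"
    done < "$pub"
}

# Constructed demo: 192.168.15.240 receives the keys of .241 and .242.
# The key bodies are placeholders, not real keys.
work=$(mktemp -d)
echo 'ssh-rsa AAAA-constructed-241 root@192.168.15.241' > "$work/241.pub"
echo 'ssh-rsa AAAA-constructed-242 root@192.168.15.242' > "$work/242.pub"
install_pubkey "$work/241.pub" "$work/.ssh"
install_pubkey "$work/242.pub" "$work/.ssh"
install_pubkey "$work/241.pub" "$work/.ssh"   # repeat: no duplicate line
cat "$work/.ssh/authorized_keys"              # two lines, one per peer
rm -rf "$work"
```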
Appendix: ssh-copy-id
By default, Linux includes a tool named ssh-copy-id:
# type ssh-copy-id
ssh-copy-id is /usr/bin/ssh-copy-id
You can view it with the cat or more command; ssh-copy-id is actually a shell script. Its usage is simple:
# ssh-copy-id -i ~/.ssh/id_rsa.pub user@server
There is no need to remember how the authorized_keys file name is spelled. Nice, but do not celebrate too early: ssh-copy-id has a serious problem, namely that by default it only supports SSH running on port 22. For security reasons, however, we often change the server's SSH port, for example to 10022, and running ssh-copy-id then reports an error. You could modify the ssh-copy-id script to correct this, but that is a clumsy fix. In fact, there is a better method:
# vi ~/.ssh/config
Add the following content:
Host server
Hostname IP
Port 10022
You can also add just a single Port line on its own, which then acts as a global setting. After you save the configuration, running the ssh-copy-id command no longer reports an error.
Note: If the port is not 22 and the config file has not been modified, you can do the following:
ssh-copy-id -i ~/.ssh/id_rsa.pub "-p 10022 user@server"