Passwordless SSH access between multiple Linux servers

Reprinted: http://blog.csdn.net/educast/article/details/7174498

1. One-way passwordless access

One-way passwordless access to a remote server is relatively simple. For example, if server A needs to access server B without a password (A -> B), you only need to generate a key pair on server A and upload the generated public key to the .ssh directory under the home directory of the relevant user on server B (create the directory manually if it does not exist, and note that its permission should be 700). Rename the uploaded public key file to authorized_keys (note that this file's permission should be 644). If the permissions of the .ssh directory or of the authorized_keys file are wrong, the configuration will not take effect. The specific steps are as follows:

1. Generate a key pair on the machine that needs to log in to the remote server without a password (server A in this example):
During generation you are prompted for the directory in which to store the key pair and for a passphrase for the private key; just press Enter at each prompt.
[root@mysqlcluster ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
0e:4c:ec:e3:04:98:b0:71:00:91:75:57:ee:56:a1:82  root@mysqlcluster
After the step above, two files are generated in the ~/.ssh directory: id_rsa and id_rsa.pub. id_rsa is the private key, which stays on the local machine; id_rsa.pub is the public key, which is uploaded to the remote server.

2. Upload the public key to the remote server B that should accept passwordless login, and rename it to authorized_keys:
If there is no .ssh directory on remote server B, create it manually:
[root@www1bak ~]# mkdir .ssh
[root@www1bak ~]# chmod 755 .ssh

Then upload the public key file from server A to remote server B:

[root@mysqlcluster ~]# scp .ssh/id_rsa.pub root@192.168.15.234:/root/.ssh/authorized_keys
The authenticity of host '192.168.15.234 (192.168.15.234)' can't be established.
RSA key fingerprint is c9:ef:0c:1b:ac:6c:ef:84:a4:a7:e5:d1:20:58:c8:73.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.15.234' (RSA) to the list of known hosts.
(This step adds remote server B to the known_hosts list of the local machine, server A.)
root@192.168.15.234's password:
id_rsa.pub 100% 399 0.4KB/s 00:00

3. Test

After uploading the public key file to the remote server, log in from server A to server B right away. If you get into server B without being asked for a password, the setup succeeded. If a password is still requested, check that the .ssh directory on remote server B has permission 700, that the uploaded public key on the remote server was renamed to authorized_keys, and that its permission is 644.

2. Passwordless access between multiple servers

Mutual passwordless access between multiple servers works on the same principle as one-way passwordless access between two servers. The only difference is that, because several servers must access each other, you cannot simply upload a single file as in the two-server case. The steps are as follows:

1. Run ssh-keygen -t rsa on every server to generate a key pair:
#ssh-keygen -t rsa

2. After generating the key pair on each server, copy its public key to every server that should be reachable without a password:
For example, suppose the three servers 192.168.15.240, 192.168.15.241 and 192.168.15.242 need passwordless login to one another. After generating a key pair on each server, run the ssh-copy-id command on each of them (see the appendix at the end for a description and usage) to copy its public key to the other two servers. Here 192.168.15.240 is used as the example, with user root; the steps on the other two servers are the same:
#ssh-copy-id -i  ~/.ssh/id_rsa.pub root@192.168.15.241
#ssh-copy-id -i  ~/.ssh/id_rsa.pub root@192.168.15.242
These commands automatically append the public key to the file named authorized_keys. Once the steps above have been completed on every server, all of them can log in to each other without a password.
Appendix: introduction and usage of ssh-copy-id
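An added example, not from the original post: a small POSIX shell script that performs the checks from the Test step above (are ~/.ssh and authorized_keys usable by sshd, and is the key actually present) and the de-duplicating append that ssh-copy-id does, so the result can be verified offline. It assumes GNU stat (Linux); the home directory and key file paths it is run against are placeholders. sshd only requires that .ssh and authorized_keys are not writable by group or others, so both the 700 the post recommends and the 755 its mkdir step uses are accepted by the check.

```sh
#!/bin/sh
# Added example (not from the original post).  Assumes GNU stat; the
# HOME_DIR and PUBKEY_FILE arguments below are placeholders.

# not_writable_by_others PATH: 0 if PATH has no group/world write bit.
# This is the condition sshd's StrictModes enforces; a 777 .ssh or a 666
# authorized_keys makes sshd ignore the key and fall back to a password.
not_writable_by_others() {
    m=$(stat -c '%a' "$1")         # e.g. 700, 644, 777
    [ $(( 0$m & 022 )) -eq 0 ]     # octal: 022 = group + other write
}

# check_ssh_perms HOME_DIR: report problems with HOME_DIR/.ssh and its
# authorized_keys; returns 0 only if both exist and pass the test above.
check_ssh_perms() {
    d="$1/.ssh"; f="$d/authorized_keys"; rc=0
    for p in "$d" "$f"; do
        if [ ! -e "$p" ]; then
            echo "missing: $p"; rc=1
        elif ! not_writable_by_others "$p"; then
            echo "mode $(stat -c '%a' "$p") on $p is writable by group/other"
            rc=1
        fi
    done
    return $rc
}

# has_key PUBKEY_FILE HOME_DIR: 0 if that exact key line is authorized.
has_key() {
    grep -qxF -- "$(cat "$1")" "$2/.ssh/authorized_keys" 2>/dev/null
}

# add_key PUBKEY_FILE HOME_DIR: create .ssh (700) and authorized_keys (644)
# if needed and append the key only once, as ssh-copy-id does.
add_key() {
    d="$2/.ssh"; f="$d/authorized_keys"
    mkdir -p "$d" && chmod 700 "$d"
    touch "$f" && chmod 644 "$f"
    has_key "$1" "$2" || printf '%s\n' "$(cat "$1")" >> "$f"
}
```

Run it as `add_key ~/.ssh/id_rsa.pub /root` on the receiving server and `check_ssh_perms /root` afterwards; a non-zero exit with a printed reason is the usual cause of "still asks for a password".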

Linux systems include a tool called ssh-copy-id by default:

# type ssh-copy-id
ssh-copy-id is /usr/bin/ssh-copy-id

Looking at it with cat or more shows that ssh-copy-id is itself just a shell script, and its usage is simple:

# ssh-copy-id -i ~/.ssh/id_rsa.pub user@server

You never have to remember how to spell the file name authorized_keys again, which is nice. Unfortunately, don't celebrate too early: ssh-copy-id has one serious limitation. By default it only supports SSH running on port 22, but in practice, for security reasons, we often change the server's SSH port, for example to 10022, and then running ssh-copy-id fails with an error. Editing the ssh-copy-id script directly would of course fix this, but that is rather crude; there is a better way:

# vi ~/.ssh/config

and add the following content:

Host server
Hostname ip
Port 10022

You can also add only the Port line by itself, which makes it a global setting. After saving, running the ssh-copy-id command again will no longer fail.

Addendum: as a reader pointed out, if the port is not 22 you can also do the following without modifying the config file:

ssh-copy-id -i ~/.ssh/id_rsa.pub "-p 10022 user@server"
