SSH trust setup (ssh-keygen, ssh-copy-id, known_hosts)

Date: 2021-12-31 04:19:21

1 Core commands
  1. Create a key pair: ssh-keygen
  2. Copy the public key to the server: ssh-copy-id -i ~/.ssh/id_rsa.pub puppet@Hadoop-NN-02
     Common key types:
     1. ssh-keygen -t dsa
     2. ssh-keygen -t rsa
     3. ssh-keygen -t rsa1
2 How it works
(1) Basics
     1) Public key: used for encryption, kept on the server
     2) Private key: used for decryption, kept on the client
(2) Flow
     1) The client sends a connection request to the server.
     2) The server looks in ~/.ssh/authorized_keys for the public key recorded for that client (the client is identified as user@Host).
     3) If the public key is valid, the server generates a random number (the challenge), encrypts it with the public key and sends it to the client.
     4) The client decrypts it with its private key and sends the result back to the server.
     5) If the random numbers match, authentication succeeds.
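The exchange in steps 3 to 5, modelled in code as an added example (not code from the original post): textbook RSA over small constructed primes stands in for the 2048-bit key that ssh-keygen produces, and the prime values, the hypothetical function names and the toy key sizes are all assumptions of this example. Current OpenSSH actually has the client sign a challenge rather than decrypt one, but the shape of the exchange, and the fact that the private key never leaves the client, is the same.

```python
"""Model of the challenge-response described above, with textbook RSA over
small constructed primes. Added example, not code from the original post."""
import secrets

# Constructed primes for a toy key; a real ssh-keygen key uses a 2048-bit modulus.
P_CLIENT, Q_CLIENT = 104729, 1299709   # the key pair the client generated
P_OTHER, Q_OTHER = 1000003, 999983     # some other client's key pair


def toy_rsa_keypair(p, q, e=65537):
    """Return ((n, e), (n, d)): the public key is what ssh-copy-id appends to
    the server's authorized_keys, the private key stays in ~/.ssh on the client."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse, Python 3.8+
    return (n, e), (n, d)


def server_make_challenge(public_key):
    """Step 3: the server picks a random number below n and encrypts it with the
    client's public key. It keeps the plaintext for the comparison in step 5."""
    n, e = public_key
    challenge = secrets.randbelow(n - 2) + 2
    return challenge, pow(challenge, e, n)


def client_answer(private_key, ciphertext):
    """Step 4: only the holder of the matching private key recovers the random
    number; the private key itself is never sent to the server."""
    n, d = private_key
    return pow(ciphertext, d, n)


def server_verify(challenge, answer):
    """Step 5: authentication succeeds only if the echoed number matches."""
    return challenge == answer


def authenticate(public_key, private_key):
    """Run one full exchange and report whether the server would accept it."""
    challenge, ciphertext = server_make_challenge(public_key)
    return server_verify(challenge, client_answer(private_key, ciphertext))


if __name__ == "__main__":
    pub, priv = toy_rsa_keypair(P_CLIENT, Q_CLIENT)
    _, other_priv = toy_rsa_keypair(P_OTHER, Q_OTHER)
    print("matching private key:", authenticate(pub, priv))       # True
    print("some other private key:", authenticate(pub, other_priv))  # False
```

The second call shows why the server only needs the public key: a client holding a different private key gets a different number back and fails step 5.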
3 Examples
(1) ssh-keygen
[puppet@BigData-01 cdh4.4]$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/puppet/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/puppet/.ssh/id_rsa.
Your public key has been saved in /home/puppet/.ssh/id_rsa.pub.
The key fingerprint is:
af:e2:f5:3a:e8:24:64:c1:f3:d9:bc:44:3d:9a:84:a0 puppet@BigData-01
The key's randomart image is:
+--[ RSA 2048]----+
|    .            |
|   o . . .       |
|  E + . o o      |
|     + * o .     |
|    o o S        |
|   o   . o       |
|    . ..o .      |
|     oo..o       |
|     oo.oo.      |
+-----------------+
 
Note:
1) Public key (id_rsa.pub):

[puppet@BigData-01 .ssh]$ cat id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA8CscWlgavdb76EVfhZadM4uMBzN8iVMEC0KuTHdGCzm6LfMzLguf90uw+4ZKpYgxN4XSbbLbu1MPFLLqFxlo7oC2TOhhr84N1Zdm8jtfuh53IhNZDHKpvByUHS4ZZVYVtAKt3+fZOEL700+p228JdQzkzfLHoaPvSD774igY+yB4d3pXkqk+fUALkE2H1hgbfJNjMoar5lls6KfdF6ocLKBILj56Lt+b9KhVtPbllsP8TA8Vino9eF1TeCdKnRmxBFdYTBFlx8s1gRx2VHQnwVpUJcUuVPyGaxvPNXvLHtPZPwi3xJmSFpPB9y8pzID1WqDKKAWkv7CcJqstIhBN3w== puppet@BigData-01

 
2) Private key (id_rsa):
[puppet@BigData-01 .ssh]$ cat id_rsa
-----BEGIN RSA PRIVATE KEY-----
[private key contents omitted]
-----END RSA PRIVATE KEY-----
 
(2) Uploading the public key to the server
[puppet@BigData-01 .ssh]$ ssh-copy-id -i ~/.ssh/id_rsa.pub puppet@Hadoop-NN-02
puppet@hadoop-nn-02's password:
Now try logging into the machine, with "ssh 'puppet@Hadoop-NN-02'", and check in:

  .ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.
 
Note:
1) Public key as recorded on the server (authorized_keys):

[puppet@BigData-02 .ssh]$ cat authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA8CscWlgavdb76EVfhZadM4uMBzN8iVMEC0KuTHdGCzm6LfMzLguf90uw+4ZKpYgxN4XSbbLbu1MPFLLqFxlo7oC2TOhhr84N1Zdm8jtfuh53IhNZDHKpvByUHS4ZZVYVtAKt3+fZOEL700+p228JdQzkzfLHoaPvSD774igY+yB4d3pXkqk+fUALkE2H1hgbfJNjMoar5lls6KfdF6ocLKBILj56Lt+b9KhVtPbllsP8TA8Vino9eF1TeCdKnRmxBFdYTBFlx8s1gRx2VHQnwVpUJcUuVPyGaxvPNXvLHtPZPwi3xJmSFpPB9y8pzID1WqDKKAWkv7CcJqstIhBN3w== puppet@BigData-01
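The client's id_rsa.pub and the line that ssh-copy-id appended to authorized_keys on the server share one format: key type, a base64 blob, and a comment. The following parser is an added example, not the post's own code: it decodes that blob, checks that the type inside the blob agrees with the type on the line, pulls out the RSA exponent and modulus, and computes both fingerprint forms (the colon-separated MD5 form that the post's ssh-keygen printed, and the SHA256 form current OpenSSH prints). The key line embedded below is the one from the listing above, re-joined onto one line; if it was copied intact, fingerprint_md5 reproduces the value ssh-keygen showed. The function names are assumptions of this example.

```python
"""Parse an OpenSSH public-key line (the id_rsa.pub / authorized_keys format)
and compute its fingerprints. Added example, not code from the original post."""
import base64
import hashlib
import struct

# The public key printed in the post (id_rsa.pub of puppet@BigData-01),
# re-joined onto one line. Everything else here is an assumption of this example.
PAGE_PUBKEY_LINE = (
    "ssh-rsa "
    "AAAAB3NzaC1yc2EAAAABIwAAAQEA8CscWlgavdb76EVfhZadM4uMBzN8iVMEC0KuTHdGCzm"
    "6LfMzLguf90uw+4ZKpYgxN4XSbbLbu1MPFLLqFxlo7oC2TOhhr84N1Zdm8jtfuh53IhNZDHKpvByUHS4ZZV"
    "YVtAKt3+fZOEL700+p228JdQzkzfLHoaPvSD774igY+yB4d3pXkqk+fUALkE2H1hgbfJNjMoar5lls6KfdF6ocL"
    "KBILj56Lt+b9KhVtPbllsP8TA8Vino9eF1TeCdKnRmxBFdYTBFlx8s1gRx2VHQnwVpUJcUuVPyGaxvPNXvL"
    "HtPZPwi3xJmSFpPB9y8pzID1WqDKKAWkv7CcJqstIhBN3w== puppet@BigData-01"
)


def read_string(blob, offset):
    """Read one SSH wire 'string': 4-byte big-endian length, then that many bytes."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:end], end


def parse_pubkey_line(line):
    """Split '<type> <base64> [comment]' and decode the blob. The type stored
    inside the blob must match the type on the line, or the entry is malformed."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)   # binascii.Error is a ValueError
    inner_type, off = read_string(blob, 0)
    if inner_type.decode("ascii", "replace") != key_type:
        raise ValueError("key type on the line does not match the type inside the blob")
    fields = []
    while off < len(blob):            # remaining wire strings: e and n for ssh-rsa
        field, off = read_string(blob, off)
        fields.append(field)
    return {"type": key_type, "blob": blob, "fields": fields, "comment": comment}


def is_well_formed(line):
    """True if the line parses cleanly; the check an authorized_keys loader would do."""
    try:
        parse_pubkey_line(line)
        return True
    except ValueError:
        return False


def rsa_parameters(parsed):
    """For ssh-rsa the two mpint fields after the type are e and n (big-endian)."""
    if parsed["type"] != "ssh-rsa" or len(parsed["fields"]) != 2:
        raise ValueError("not an ssh-rsa key")
    e = int.from_bytes(parsed["fields"][0], "big")
    n = int.from_bytes(parsed["fields"][1], "big")
    return e, n


def fingerprint_md5(parsed):
    """Legacy colon-separated MD5 fingerprint, the form shown by the post's ssh-keygen."""
    digest = hashlib.md5(parsed["blob"]).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def fingerprint_sha256(parsed):
    """'SHA256:<unpadded base64>' fingerprint, the form current OpenSSH prints."""
    digest = hashlib.sha256(parsed["blob"]).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


if __name__ == "__main__":
    key = parse_pubkey_line(PAGE_PUBKEY_LINE)
    e, n = rsa_parameters(key)
    print(key["type"], n.bit_length(), "bits, e =", e, key["comment"])  # ssh-rsa 2048 bits, e = 35 puppet@BigData-01
    print(fingerprint_md5(key))
    print(fingerprint_sha256(key))
```

The fingerprint is a hash of the decoded blob (type plus key fields), not of the base64 text or the comment, which is why the same key line yields the same fingerprint whether it is read from id_rsa.pub or from authorized_keys.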

 
4 Client-side record of server public keys (known_hosts)
     When logging in to a server, the client compares the server's public key (its host key) with the copy it has recorded, to detect a forged server.
(1) Flow
     1) The client logs in to the server.
     2) The client receives the server's public key and checks ~/.ssh/known_hosts for a record of it; if there is none, the user is prompted to decide whether to record it.
     3) If the server's public key is already recorded, the client checks that it matches; if it does, authentication proceeds, otherwise a warning is shown.
     Example warning:

[puppet@BigData-01 .ssh]# ssh puppet@BigData-02
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @ <== the warning
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
a7:2e:58:51:9f:1b:02:64:56:ea:cb:9c:92:5e:79:f9.
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending key in /root/.ssh/known_hosts:1 <== this number is the line in the file that holds the offending key
RSA host key for localhost has changed and you have requested strict checking.
Host key verification failed.

 
(2) Resolving a failed host-key check
Delete the matching entry from known_hosts.
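The client-side check in (1) and the cleanup in (2), written out as an added example (not code from the original post). It parses a known_hosts file, matches a hostname against plain, comma-separated, wildcard and hashed (|1|salt|hash) host fields, returns the same three outcomes the flow above lists (no record, match, changed key with its offending line number), and removes a host's entries the way "ssh-keygen -R hostname" does. The sample file, the placeholder key blobs, the fixed salt and the function names are all constructed for this example; negated (!) patterns and @cert-authority/@revoked markers are out of scope.

```python
"""known_hosts lookup and cleanup, modelling the client-side check described
above. Added example, not code from the original post; the sample known_hosts
content is constructed."""
import base64
import fnmatch
import hashlib
import hmac


def hashed_host_entry(hostname, salt):
    """Build the '|1|<salt>|<hash>' host field OpenSSH writes when
    HashKnownHosts is on: hash = HMAC-SHA1 keyed with the salt over the name."""
    mac = hmac.new(salt, hostname.lower().encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def host_matches(host_field, hostname):
    """Match one host field (comma-separated names with * and ? wildcards, or
    a hashed entry) against a hostname, case-insensitively."""
    hostname = hostname.lower()
    if host_field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = host_field.split("|", 3)
        salt, expected = base64.b64decode(salt_b64), base64.b64decode(mac_b64)
        actual = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(actual, expected)
    for pattern in host_field.lower().split(","):
        if "*" in pattern or "?" in pattern:
            if fnmatch.fnmatchcase(hostname, pattern):
                return True
        elif pattern == hostname:   # literal compare, so [host]:port forms stay intact
            return True
    return False


def parse_known_hosts(text):
    """Return (line_no, host_field, key_type, key_b64) per key line, skipping
    blanks and comments; line_no is 1-based, as in 'Offending key in ...:1'."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        parts = raw.split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        entries.append((line_no, parts[0], parts[1], parts[2]))
    return entries


def check_host_key(text, hostname, key_type, key_b64):
    """The client-side decision from steps 2 and 3 above:
      ('unknown', None) -> no record: prompt the user whether to record it
      ('ok', line)      -> recorded key matches: continue to authentication
      ('changed', line) -> a key of this type is recorded but differs: the
                           REMOTE HOST IDENTIFICATION HAS CHANGED warning,
                           reporting the offending line number."""
    offending = None
    for line_no, host_field, ktype, kb64 in parse_known_hosts(text):
        if ktype != key_type or not host_matches(host_field, hostname):
            continue
        if hmac.compare_digest(kb64, key_b64):
            return "ok", line_no
        offending = line_no
    if offending is not None:
        return "changed", offending
    return "unknown", None


def remove_host(text, hostname):
    """Drop every line whose host field matches (what 'ssh-keygen -R hostname'
    does). Returns the new file contents and the removed line numbers."""
    doomed = {ln for ln, host_field, _, _ in parse_known_hosts(text)
              if host_matches(host_field, hostname)}
    kept, removed = [], []
    for line_no, raw in enumerate(text.splitlines(keepends=True), start=1):
        if line_no in doomed:
            removed.append(line_no)
        else:
            kept.append(raw)
    return "".join(kept), removed


# Constructed sample file. The key blobs are placeholders, not real key material.
KEY_A = base64.b64encode(b"constructed host key A").decode()
KEY_B = base64.b64encode(b"constructed host key B").decode()
SALT = bytes(range(20))  # a real file uses 20 random bytes per hashed line
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample known_hosts",
    "BigData-02,10.0.0.12 ssh-rsa " + KEY_A,
    hashed_host_entry("Hadoop-NN-02", SALT) + " ssh-rsa " + KEY_B,
    "*.example.internal ssh-ed25519 " + KEY_B,
]) + "\n"

if __name__ == "__main__":
    print(check_host_key(SAMPLE_KNOWN_HOSTS, "BigData-02", "ssh-rsa", KEY_A))    # ('ok', 2)
    print(check_host_key(SAMPLE_KNOWN_HOSTS, "BigData-02", "ssh-rsa", KEY_B))    # ('changed', 2)
    print(check_host_key(SAMPLE_KNOWN_HOSTS, "Hadoop-NN-02", "ssh-rsa", KEY_B))  # ('ok', 3)
    cleaned, removed = remove_host(SAMPLE_KNOWN_HOSTS, "BigData-02")
    print(removed, len(cleaned.splitlines()))                                    # [2] 3
```

The "changed" outcome is reported only after every matching line has been examined, so a host listed under several names or with several key types still gets a match if any recorded key of that type agrees. remove_host deletes by host field rather than by line number, which is what makes it safe on files where the offending entry is hashed and cannot be found by name with grep.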