SSH public-key login on Linux (usually just called "key exchange" in Chinese-language write-ups; strictly, key exchange in SSH is the Diffie-Hellman step that runs before authentication) is a very handy thing. If there are no major security concerns, learning this trick saves a lot of password typing: for example, when you set up several nodes for practice or testing, typing a password on every switch is a chore, and installing keys solves it. First, clarify the two kinds of key:
private key: the secret key, kept on your own machine and never copied anywhere; it is what proves to the other node that you hold the matching half. In the lock analogy it is the key you keep on your own keyring.
public key: the half you hand out to other nodes; it is the lock you install on each door, and you can install as many copies as you like, because a copy of the lock does not let anyone open it without the private key.
So the idea is: the administrator keeps one private key, installs a lock (the public key) on every door (each node's authorized_keys), and can then open any of those doors without knocking (typing a password) every time. For testing this removes the nuisance of entering a password at every login. In production be more careful: a passphrase-less root key means whoever copies id_rsa from node1 gets root on every node at once, so there use a passphrase plus ssh-agent, log in as an unprivileged user with sudo, and once the keys are in place set PasswordAuthentication no and PermitRootLogin prohibit-password in sshd_config. The procedure itself is simple. Prepare two nodes (node1 and node2) for the test; the goal is for root on node1 to log in as root on node2 without entering a password:
[root@centos7-node1 ~]# ssh-keygen \\just run this command; with no -t it creates a 2048-bit RSA key, ssh-keygen -t ed25519 gives a smaller, faster key
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): \\press Enter to accept the default path
Enter passphrase (empty for no passphrase): \\blank = no passphrase; fine for a lab, but a passphrase protects the key if id_rsa is ever copied
Enter same passphrase again: \\blank again
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:/BMZ8k2Op9GlcPHHHPI0sRxCzK42llrkivXtsjVRcrc root@centos7-node1
The key's randomart image is:
+---[RSA 2048]----+
| =+ *.|
| =*o=|
| . o +.o*=|
| . o % ++.o|
| S O O. E |
| o & . |
| o @ oo |
| . o +... |
| .+. |
+----[SHA256]-----+
[root@centos7-node1 ~]# ll -a \\the keys went into the hidden .ssh directory in root's home
total 32
dr-xr-x---. 4 root root 179 Mar 15 13:35 .
dr-xr-xr-x. 17 root root 224 Mar 2 17:23 ..
-rw-------. 1 root root 1498 Mar 2 17:24 anaconda-ks.cfg
drwx------. 3 root root 17 Mar 15 13:35 .ansible
-rw-------. 1 root root 631 Mar 15 10:35 .bash_history
-rw-r--r--. 1 root root 18 Dec 29 2013 .bash_logout
-rw-r--r--. 1 root root 176 Dec 29 2013 .bash_profile
-rw-r--r--. 1 root root 176 Dec 29 2013 .bashrc
-rw-r--r--. 1 root root 100 Dec 29 2013 .cshrc
drwx------. 2 root root 80 Mar 22 09:26 .ssh
-rw-r--r--. 1 root root 129 Dec 29 2013 .tcshrc
-rw-------. 1 root root 662 Mar 15 10:24 .viminfo
[root@centos7-node1 ~]# ll -a .ssh/ \\inside, id_rsa is the private key (mode 600, readable only by root) and id_rsa.pub is the public key
total 16
drwx------. 2 root root 80 Mar 22 09:26 .
dr-xr-x---. 4 root root 179 Mar 15 13:35 ..
-rw-------. 1 root root 406 Mar 15 09:19 authorized_keys
-rw-------. 1 root root 1679 Mar 22 09:26 id_rsa
-rw-r--r--. 1 root root 400 Mar 22 09:26 id_rsa.pub
-rw-r--r--. 1 root root 175 Mar 22 09:26 known_hosts
[root@centos7-node1 ~]#
[root@centos7-node1 ~]# ssh-copy-id -i ~/.ssh/id_rsa.pub root@node2
\\copies id_rsa.pub to the node that should accept it; on node2 it is appended to /root/.ssh/authorized_keys
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host 'node2 (10.113.112.62)' can't be established.
ECDSA key fingerprint is SHA256:cl6vLpYg0sgZPy6Thun+Va6GSV6/M4RPEc7cVT0tQgo.
ECDSA key fingerprint is MD5:20:41:85:0f:89:4e:2f:f2:11:ed:82:1d:b5:f0:ec:cf.
Are you sure you want to continue connecting (yes/no)? yes \\before answering yes, compare this fingerprint with the output of ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub on node2's console; a mismatch means you are talking to the wrong host
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@node2's password:redhat \\type node2's root password here (the lab password in this write-up is redhat; it is not normally echoed and will differ on your system)
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'root@node2'"
and check to make sure that only the key(s) you wanted were added.
[root@centos7-node1 ~]# ssh root@node2 \\from now on logging in to node2 asks for no password
Last login: Tue Mar 22 09:26:26 2022 from 10.113.112.61
[root@centos7-node2 ~]#
The same public key can be installed on many nodes (ssh-copy-id root@node3 and so on), which removes most of the password prompts. Each ssh-copy-id appends one line to that node's ~/.ssh/authorized_keys; to revoke node1's access later, delete that line on the node in question.
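What ssh-copy-id does on the receiving node is small enough to show by hand, and doing so makes the "check to make sure that only the key(s) you wanted were added" step concrete. The script below is an added example, not code from the original post: it appends a public-key line to an authorized_keys file once (deduplicating on key type and blob, as ssh-copy-id does), sets the 700/600 permissions sshd's StrictModes insists on, optionally prepends an authorized_keys option such as from="10.113.112.61" so the key only works from node1's address, and counts active keys so you can verify the file grew by exactly one. The public-key line is a constructed placeholder, not a real key, and the demo runs in a temporary directory rather than a real ~/.ssh.

```shell
#!/bin/sh
# Added example (not from the original post): the server-side half of
# ssh-copy-id done by hand, plus a small audit helper for authorized_keys.
# Assumes a POSIX sh with awk, grep, mkdir, chmod and mktemp. The public
# key line below is a constructed placeholder; its blob is not a real key.
set -eu

# Constructed sample public key line in the id_rsa.pub / authorized_keys
# format: "<key type> <base64 blob> <comment>".
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleBlobNotARealKey0000000000 root@centos7-node1'

# install_pubkey PUBKEY_LINE AUTHORIZED_KEYS_FILE [OPTIONS]
# Appends PUBKEY_LINE to AUTHORIZED_KEYS_FILE unless the same key type and
# blob are already there (the comment field is ignored, as ssh-copy-id does).
# OPTIONS, if given, is an authorized_keys option string such as
# from="10.113.112.61" that restricts where this key may be used from.
install_pubkey() {
  pubkey=$1
  authfile=$2
  opts=${3:-}
  keytype=$(printf '%s\n' "$pubkey" | awk '{print $1}')
  blob=$(printf '%s\n' "$pubkey" | awk '{print $2}')
  dir=$(dirname "$authfile")

  # sshd ignores authorized_keys if ~/.ssh or the file is group/world writable
  mkdir -p "$dir"
  chmod 700 "$dir"
  touch "$authfile"
  chmod 600 "$authfile"

  if grep -qF "$keytype $blob" "$authfile"; then
    return 0                     # already installed: do not add a duplicate
  fi
  if [ -n "$opts" ]; then
    printf '%s %s\n' "$opts" "$pubkey" >> "$authfile"
  else
    printf '%s\n' "$pubkey" >> "$authfile"
  fi
}

# count_keys AUTHORIZED_KEYS_FILE
# Prints the number of active key lines (blank lines and # comments skipped).
# Run it before and after ssh-copy-id: the difference should be exactly the
# number of keys you meant to add.
count_keys() {
  grep -v '^[[:space:]]*#' "$1" | grep -c . || true
}

# has_key AUTHORIZED_KEYS_FILE PUBKEY_LINE
# Exit status 0 if the key (type + blob) is present, 1 otherwise.
has_key() {
  keytype=$(printf '%s\n' "$2" | awk '{print $1}')
  blob=$(printf '%s\n' "$2" | awk '{print $2}')
  grep -qF "$keytype $blob" "$1"
}

# Demo in a throwaway directory so running this never touches a real ~/.ssh.
demo_dir=$(mktemp -d)
install_pubkey "$SAMPLE_PUBKEY" "$demo_dir/.ssh/authorized_keys" 'from="10.113.112.61"'
install_pubkey "$SAMPLE_PUBKEY" "$demo_dir/.ssh/authorized_keys"   # no-op: same key
cat "$demo_dir/.ssh/authorized_keys"
echo "active keys: $(count_keys "$demo_dir/.ssh/authorized_keys")"
rm -rf "$demo_dir"
```

The from= option is worth using even in a lab: with it, a copy of id_rsa stolen from anywhere other than node1's address is useless against node2, which narrows the "strangers can wander around" risk the introduction warns about without giving up the password-free login.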