Passwordless SSH login between two machines on the same network segment
Besides making login easier, passwordless login makes file transfer easier: when you transfer files between two machines you are asked for a password every time, whereas with passwordless login no password is needed. It has a downside, though: if an attacker places their own public key on our server, they can log in to our server directly, without a password.
Server 1: 192.168.184.137
Server 2: 192.168.184.150
1. Set up name resolution on both machines; after changing the hostname, just reconnect.
On server 1
[root@localhost ~]# vim /etc/hosts
192.168.184.137 web-1
192.168.184.150 web-2
[root@localhost ~]# hostnamectl set-hostname web-1
On server 2
[root@localhost ~]# vim /etc/hosts
192.168.184.137 web-1
192.168.184.150 web-2
[root@localhost ~]# hostnamectl set-hostname web-2
2. Test connectivity
Use the ping command to check that the two machines can reach each other.
[root@web-1 ~]# ping -c1 192.168.184.150 # output like the following means the machines are connected
PING 192.168.184.150 (192.168.184.150) 56(84) bytes of data.
64 bytes from 192.168.184.150: icmp_seq=1 ttl=64 time=1.22 ms
--- 192.168.184.150 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.228/1.228/1.228/0.000 ms
3. Generate a key pair on server 1
Run ssh-keygen and press Enter three times (Enter accepts the default); the key pair is written to the /root/.ssh/ directory.
[root@web-1 ~]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:bs6VQ7GKjbkUT2WUEnG7FZc/bRAIjFdtwORI1S7PSCY root@localhost
The key's randomart image is:
+---[RSA 2048]----+
| o==B*=oo |
| o+++oo* |
| o* oo o.|
| oE=+ ..+|
| . S ++ = ..|
| X o .. o |
| = * + |
| . = . . |
| . o |
+----[SHA256]-----+
[root@web-1 ~]# ls .ssh/ # check that the key pair was generated
id_rsa id_rsa.pub
4. Copy the public key
After generating the key pair, copy the public key to server 2 with ssh-copy-id.
[root@web-1 ~]# ssh-copy-id -i 192.168.184.150 # copy the public key to server 2
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '192.168.184.150 (192.168.184.150)' can't be established.
ECDSA key fingerprint is SHA256:j0/tu1CABCF02pkRgidcJtsmPTFF5Cjhnh7rE+9rO4I.
ECDSA key fingerprint is MD5:7f:f1:84:99:27:b5:a2:d0:4d:09:ba:11:94:15:33:c9.
Are you sure you want to continue connecting (yes/no)? yes # type "yes" to continue
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.184.150's password: # type the password; nothing is echoed
Number of key(s) added: 1
Now try logging into the machine, with: "ssh '192.168.184.150'"
and check to make sure that only the key(s) you wanted were added.
[root@web-1 ~]# ls .ssh/
id_rsa id_rsa.pub known_hosts
[root@web-1 ~]# cat .ssh/known_hosts # cat the newly created file: it records the hosts that are now known
192.168.184.150 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBM1gXyboMN2qBA4ienZRgw23rTw1ukFusV9AucuPBHifaaAKYjys4uNhQ5/6paETsUI8/YcWfAQU9FCCYBfNI5k=
Check the files on server 2
[root@web-2 ~]# ls .ssh/
authorized_keys
5. Test
Log in to server 2 with ssh and check the IP address after logging in.
[root@web-1 ~]# ssh 192.168.184.150
Last login: Mon Sep 16 21:50:28 2019 from 192.168.184.1
[root@web-1 ~]# ip a |grep ens33 # check the IP after login; if it is server 2's address, passwordless login works
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
inet 192.168.184.150/24 brd 192.168.184.255 scope global dynamic ens33
[root@web-1 ~]# exit # log out
logout
Connection to 192.168.184.150 closed.
[root@web-1 ~]# ip a | grep ens33
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
inet 192.168.184.137/24 brd 192.168.184.255 scope global dynamic ens33
At this point, passwordless login is configured.
Extension
If server 2 no longer wants to allow passwordless login from server 1, it only has to delete the authorized_keys file under its own /root/.ssh/.
[root@web-2 ~]# cd .ssh/
[root@web-2 .ssh]# ls
authorized_keys
[root@web-2 .ssh]# rm -rf authorized_keys
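The introduction warns that any public key an attacker adds to authorized_keys grants passwordless access, and the extension above revokes access by deleting the whole file. A more selective check, added here as an example and not part of the original post, parses an authorized_keys file, computes each key's SHA256 fingerprint (the same value ssh-keygen -lf prints) and reports every key that is not on an allowlist, together with any options attached to it. The key blobs, the file content and the ALLOWED set are constructed for the example, and all function and constant names are my own.

```python
import base64
import hashlib

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-")
# Constructed sample key material, not from the page: a valid ssh-rsa wire-format
# header and a zero-filled ed25519 key; only their structure matters for the audit.
RSA_BLOB = "AAAAB3NzaC1yc2EAAAADAQABAAABAQC7"
ED25519_BLOB = "AAAAC3NzaC1lZDI1NTE5AAAAI" + "A" * 43
# Constructed authorized_keys content: one approved key and one nobody recognises.
SAMPLE_AUTHORIZED_KEYS = f"""\
# keys accepted for root@web-2
ssh-rsa {RSA_BLOB} root@web-1
from="192.168.184.137",no-port-forwarding ssh-ed25519 {ED25519_BLOB} unknown@laptop
"""

def fingerprint(blob_b64):
    # Same value ssh-keygen -lf prints: unpadded base64 of sha256 over the decoded blob.
    digest = hashlib.sha256(base64.b64decode(blob_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_keys(text):
    # Yield (line number, fields) for key lines; blank lines and # comments are skipped.
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        if fields and not fields[0].startswith("#"):
            yield lineno, fields

def split_entry(fields):
    # Options (from=, command="...", restrict, ...) precede the first key-type field.
    idx = next((i for i, f in enumerate(fields) if f.startswith(KEY_TYPE_PREFIXES)), len(fields))
    return {"options": " ".join(fields[:idx]), "type": fields[idx],
            "blob": fields[idx + 1], "comment": " ".join(fields[idx + 2:])}

def audit(text, allowed_fingerprints):
    # One finding per malformed line and per key whose fingerprint is not on the allowlist.
    findings = []
    for lineno, fields in parse_authorized_keys(text):
        try:
            entry = split_entry(fields)          # IndexError: no key type or no blob
            fp = fingerprint(entry["blob"])      # ValueError: blob is not valid base64
        except (IndexError, ValueError):
            findings.append({"line": lineno, "reason": "malformed key line"})
            continue
        if fp not in allowed_fingerprints:
            findings.append({"line": lineno, "reason": "unexpected key", "fingerprint": fp,
                             "options": entry["options"], "comment": entry["comment"]})
    return findings

ALLOWED = {fingerprint(RSA_BLOB)}  # only web-1's key is supposed to be accepted on web-2
```

To audit the real file, replace ALLOWED with the fingerprints of the keys you actually issued and call audit(open("/root/.ssh/authorized_keys").read(), ALLOWED); an empty result means every installed key is one you expected.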