I. Lab environment

| Host name | OS version | IP address |
|---|---|---|
| server01 | centos07 | 10.211.55.13 |
| Client | centos07 | 10.211.55.7 |
II. Lab requirement

Allow the two servers to log in to each other over SSH without a password.

III. Lab deployment

1. Creating the keys

First, on server01 create a user named wolf, set its password, and then generate a key pair:
```
[root@server01 ~]# useradd wolf
[root@server01 ~]# passwd wolf
Changing password for user wolf.
New password:
BAD PASSWORD: The password is shorter than 8 characters
Retype new password:
Sorry, passwords do not match.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
[root@server01 ~]#
[root@server01 ~]# su wolf
[wolf@server01 ~]$ ssh-keygen -t rsa -C "wolf27h@163.com"
Generating public/private rsa key pair.
Enter file in which to save the key (/home/wolf/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/wolf/.ssh/id_rsa.
Your public key has been saved in /home/wolf/.ssh/id_rsa.pub.
The key fingerprint is:
f7:83:93:4b:da:30:dc:7b:7f:eb:d9:7e:dd:1d:75:69 wolf27h@163.com
The key's randomart image is:
+--[ RSA 2048]----+
|                 |
|                 |
|                .|
|               Eo|
|        S . . o  |
|         . o + . |
|          + * o =|
|          * +.. O|
|         . +. .o*=|
+-----------------+
[wolf@server01 ~]$ cd ~/.ssh/
[wolf@server01 .ssh]$ ls
id_rsa  id_rsa.pub
```
The user and key pair now exist on server01; next, set up the client. To tell the users apart, we recommend giving the key an e-mail address as its comment when generating it on Client. The comment on the server01 key is wolf27h@163.com; on Client use wolf27w@163.com. The benefit of this becomes clear later, once several users have keys. Continue:
```
[root@Client ~]# su wolf
[wolf@Client root]$ cd ~/.ssh/
[wolf@Client .ssh]$ ls
[wolf@Client .ssh]$ ssh-keygen -t rsa -C "wolf27w@163.com"
Generating public/private rsa key pair.
Enter file in which to save the key (/home/wolf/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/wolf/.ssh/id_rsa.
Your public key has been saved in /home/wolf/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:jKEz+55drjW2mSqHtdpFual8mUijKCAtFWFLyPskP9w wolf27w@163.com
The key's randomart image is:
+---[RSA 2048]----+
|..+.             |
|.+..             |
| o. .            |
| o.. . + .       |
| o* = . S o      |
|+ .= E +. o      |
|.o o. = +Oo      |
| . ..+=+B+=      |
|  . .=+B+=       |
+----[SHA256]-----+
[wolf@Client .ssh]$ ls
id_rsa  id_rsa.pub
```
Key pairs now exist on both server01 and Client. To log in from Client to server01 without a password, the Client's public key still has to be copied into the wolf user's account on server01.

2. Logging in with the public key

There are three ways to copy the public key over:

1. ssh-copy-id
2. scp
3. Ansible, for batch passwordless setup

First method: testing ssh-copy-id
```
[wolf@Client .ssh]$ ssh-copy-id -i /home/wolf/.ssh/id_rsa.pub wolf@10.211.55.13
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/wolf/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
wolf@10.211.55.13's password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'wolf@10.211.55.13'"
and check to make sure that only the key(s) you wanted were added.

[wolf@Client .ssh]$ ssh wolf@10.211.55.13
Last login: Fri Feb 22 18:23:37 2019 from client.shared
[wolf@server01 ~]$
```

When ssh-copy-id succeeds it prints a hint: Now try logging into the machine, with: "ssh 'wolf@10.211.55.13'", meaning "now try logging in to the machine with ssh wolf@10.211.55.13". Logging in directly no longer asks for a password. Now check whether a new file has appeared in the key directory on server01:

```
[wolf@server01 ~]$ cd ~/.ssh/
[wolf@server01 .ssh]$ ls
authorized_keys  id_rsa  id_rsa.pub
```

The content of authorized_keys is exactly the id_rsa.pub from the Client's key directory. The files involved are:

- authorized_keys: holds the public keys allowed to log in remotely without a password; the public keys of several machines are recorded in this one file
- id_rsa: the generated private key
- id_rsa.pub: the generated public key
- known_hosts: the list of already known host public keys

Running the copy directly as an ordinary user that has no password set fails as follows:

```
[wolf@Client .ssh]$ ssh-copy-id -i /home/wolf/.ssh/id_rsa.pub 10.211.55.13
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/wolf/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed

/usr/bin/ssh-copy-id: WARNING: All keys were skipped because they already exist on the remote system.
		(if you think this is a mistake, you may want to use -f option)
```

If the ssh-copy-id command is missing, install it with: yum -y install openssh-clients
Second method: scp. To test that one server can be logged into without a password from several clients, I use another user on Client, wolf27w, to log in to server01:
```
[wolf27w@Client .ssh]$ scp -p ~/.ssh/id_rsa.pub wolf@10.211.55.13:/home/wolf/.ssh/authorized_keys
The authenticity of host '10.211.55.13 (10.211.55.13)' can't be established.
ECDSA key fingerprint is SHA256:i/fAI6xt+FKBgbBHA4RuQdXS//FlNThzo6RHlDX/PGk.
ECDSA key fingerprint is MD5:a9:ca:4d:ec:49:9f:4d:86:c2:67:ef:77:05:24:23:2a.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.211.55.13' (ECDSA) to the list of known hosts.
wolf@10.211.55.13's password:
id_rsa.pub                                    100%  397     1.2MB/s   00:00
[wolf27w@Client .ssh]$ ssh wolf@10.211.55.13
Last login: Fri Feb 22 18:24:43 2019 from client.shared
[wolf@server01 ~]$ exit
```
Copying this way overwrites the public key the original wolf user had on server01. For both users to log in with their keys, the two public keys must coexist in authorized_keys: either append the second key to the file or copy a combined file over. After the copy, test as follows:
```
[root@Client ~]# su wolf
[wolf@Client root]$ ssh wolf@10.211.55.13
Last login: Fri Feb 22 18:52:08 2019
[wolf@server01 ~]$ exit
logout
Connection to 10.211.55.13 closed.
[wolf@Client root]$ su root
Password:
[root@Client ~]# su wolf27w
[wolf27w@Client root]$ ssh wolf@10.211.55.13
Last login: Fri Feb 22 18:52:47 2019 from client.shared
[wolf@server01 ~]$
```
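The scp step above replaces authorized_keys outright, which is why the first user's key disappeared. The following shell function, an added example that is not from the original post, appends a key only if its key material is not already present (the comment is ignored, so the same key under a different e-mail is still detected) and sets the 700/600 permissions sshd's StrictModes requires; the home directory and key strings are constructed for the demo.

```shell
# Return 0 if the key in $2 (type + base64 body, comment ignored) is already
# present in $1/.ssh/authorized_keys.
key_is_authorized() {
    auth_keys="$1/.ssh/authorized_keys"
    [ -f "$auth_keys" ] || return 1
    key_body=$(awk '{print $1, $2}' "$2")
    awk '{print $1, $2}' "$auth_keys" | grep -qxF "$key_body"
}

# Append the key in $2 to $1/.ssh/authorized_keys without overwriting what is
# there, creating the directory and file with the modes sshd expects.
add_authorized_key() {
    ssh_dir="$1/.ssh"
    auth_keys="$ssh_dir/authorized_keys"
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir"
    touch "$auth_keys" && chmod 600 "$auth_keys"
    if key_is_authorized "$1" "$2"; then
        echo "already present: $(awk '{print $3}' "$2")"
        return 0
    fi
    cat "$2" >> "$auth_keys"
    echo "appended: $(awk '{print $3}' "$2")"
}

# Number of keys currently in $1/.ssh/authorized_keys.
count_authorized_keys() {
    wc -l < "$1/.ssh/authorized_keys" | tr -d ' '
}

# Constructed demo: the two client users from the post (identified by their
# key comments) both granted access to one server account; the second key is
# offered twice to show the duplicate being skipped.
demo=$(mktemp -d)
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCdemo1 wolf27h@163.com\n' > "$demo/k1.pub"
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCdemo2 wolf27w@163.com\n' > "$demo/k2.pub"
add_authorized_key "$demo/home" "$demo/k1.pub"
add_authorized_key "$demo/home" "$demo/k2.pub"
add_authorized_key "$demo/home" "$demo/k2.pub"   # duplicate, skipped
count_authorized_keys "$demo/home"               # 2
```

Run it on the server as the target user (or via ssh from the client with the public key piped in) instead of scp'ing id_rsa.pub onto authorized_keys.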
The third method requires Ansible to be installed. The command is:

```
ansible <groupname> -m authorized_key -a "user=root key='{{ lookup('file','/root/.ssh/id_rsa.pub') }}'" -k
```

Since Ansible is not installed here, this method is not tested for now.