Automated Operations: [SSH] Password-less Remote Control
2020-05-20
张毅SOHO
SSH mutual trust lets computers log in to one another over the SSH protocol without a password, and it is the basic prerequisite for remote communication and control. The local computer generates a key pair (a public key and a private key) with an asymmetric encryption algorithm, and registers the login credential (the public key) on each remote computer. SSH mutual trust can then be used for automated remote server configuration and application deployment from shell scripts.
This procedure was designed on CentOS 8 and is recommended for RedHat/CentOS and other RedHat-derived distributions.
Assume the computers on the network are assigned the following roles:
Computer | Hostname | IP:PORT | Program | OS | Admin account |
---|---|---|---|---|---|
Local computer | Local | 192.168.216.128:22 | SSH | CentOS8 | centos |
Remote computer 1 | Remote-1 | 192.168.216.129:22 | SSH | CentOS8 | centos |
Remote computer ≥2 | Remote-2 | 192.168.216.130:22 | SSH | CentOS8 | centos |
1. Configure the local computer (Local)
1) Generate the key pair.
```
[centos@Local ~]$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/centos/.ssh/id_rsa):
Created directory '/home/centos/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/centos/.ssh/id_rsa.
Your public key has been saved in /home/centos/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:rs2DQzcsvGIwRjjQn7PQzUaa44M7gur/u5ktf8ZadfE centos@Local
The key's randomart image is:
+---[RSA 3072]----+
| . |
|. . . |
|.. o B . |
|o o O + o |
| o + * .S . . E |
| = + +.+ . . |
|.. + o =oo |
|o o o.B+o+ |
|+o.+.B*=*. |
+----[SHA256]-----+
```
2) Install the login credential (the public key) on the remote hosts.
```
[centos@Local ~]$ ssh-copy-id -i ~/.ssh/id_rsa.pub centos@192.168.216.129
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/centos/.ssh/id_rsa.pub"
The authenticity of host 'remote-1(192.168.216.129)' can't be established.
ECDSA key fingerprint is SHA256:Dqg7nSUaVc5Op+ghjV4l/EG1QMSawffo9svdLCVlgiw.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
centos@remote-1's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'centos@192.168.216.129'"
and check to make sure that only the key(s) you wanted were added.
[centos@Local ~]$ ssh-copy-id -i ~/.ssh/id_rsa.pub centos@192.168.216.130
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/centos/.ssh/id_rsa.pub"
The authenticity of host 'remote-2(192.168.216.130)' can't be established.
ECDSA key fingerprint is SHA256:Dqg7nSUaVc5Op+ghjV4l/EG1QMSawffo9svdLCVlgiw.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
centos@remote-2's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'centos@192.168.216.130'"
and check to make sure that only the key(s) you wanted were added.
```
3) Test logging in to a remote computer.
```
[centos@Local ~]$ ssh 192.168.216.129
Activate the web console with: systemctl enable --now cockpit.socket
Last login: Wed May 20 15:04:53 2020
[centos@Remote-1 ~]$ exit
注销
Connection to 192.168.216.129 closed.
```
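The script below is an added example, not part of the original post: it repeats steps 2 and 3 for every remote host in the table, but runs the login test with BatchMode so that a missing or rejected key fails immediately instead of hanging at a password prompt (which is what an automation script needs), and it lists hosts in known_hosts that present the same host key, since both remotes above show an identical ECDSA fingerprint. It assumes the user, hosts and key path used on this page; the RUN_SSH_SETUP variable and the function names are the example's own.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): push the public key to every
# remote host in the table, then verify non-interactive login as an automation
# script would. User, hosts and key path are the values used on this page.
set -eu

SSH_USER="centos"
REMOTE_HOSTS="192.168.216.129 192.168.216.130"
PUBKEY=~/.ssh/id_rsa.pub

# Step 2 for all hosts: ssh-copy-id asks for the account password once per
# host, exactly as in the manual runs above.
install_key_everywhere() {
    local host
    for host in $REMOTE_HOSTS; do
        ssh-copy-id -i "$PUBKEY" "${SSH_USER}@${host}"
    done
}

# Step 3 as a script would do it: BatchMode=yes makes ssh fail instead of
# prompting, so a missing or rejected key returns non-zero rather than hanging.
check_batch_login() {
    local host=$1
    ssh -o BatchMode=yes -o ConnectTimeout=5 "${SSH_USER}@${host}" true
}

# Print groups of hosts in a known_hosts file that present the same host key.
# Both remotes above show the same ECDSA fingerprint, which normally means they
# were cloned from one image and each should regenerate its own host keys.
shared_host_keys() {
    local known_hosts=$1
    awk 'NF >= 3 && $1 !~ /^[#@]/ { n[$3]++; seen[$3] = (n[$3] > 1 ? seen[$3] "," : "") $1 }
         END { for (k in n) if (n[k] > 1) print seen[k] }' "$known_hosts" |
        sort
}

main() {
    install_key_everywhere
    local host
    for host in $REMOTE_HOSTS; do
        check_batch_login "$host" && echo "key login OK: $host" || echo "key login FAILED: $host"
    done
    echo "hosts sharing one host key (expect no output):"
    shared_host_keys ~/.ssh/known_hosts
}

# Only contact the hosts when explicitly requested: RUN_SSH_SETUP=1 ./ssh-setup.sh
if [ "${RUN_SSH_SETUP:-0}" = "1" ]; then main; fi
```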
2. Configure the remote computers (Remote-1, Remote-2)
Note: RedHat 8 / CentOS 8 install the SSH service by default, so under normal circumstances the configuration below is not needed.
Taking computer "Remote-1" as the example:
1) Install OpenSSH.
```
[centos@Remote-1 ~]$ sudo dnf install openssh
```
2) Open the firewall port (CentOS 8 installs firewalld by default) so that port 22 (the default SSH port) is reachable on the server.
```
[centos@Remote-1 ~]$ sudo firewall-cmd --zone=public --add-port=22/tcp --permanent
[centos@Remote-1 ~]$ sudo firewall-cmd --reload
```
3) Enable the service at boot.
```
[centos@Remote-1 ~]$ sudo systemctl daemon-reload
[centos@Remote-1 ~]$ sudo systemctl enable sshd
[centos@Remote-1 ~]$ sudo systemctl start sshd
```
All other remote computers must be configured by following the same steps.