目的:在两个Linux之间建立信任关系,互相访问不用输入密码
环境:RHEL5+SSH
说明:需要建立信任关系的用户为Oracle,两台主机hostname分别为:vm1/vm2
【步骤】
(1)、切换到需要建立信任关系的用户,这里是oracle用户
(2)、执行命令:ssh-keygen -d,然后一直回车.
该命令会在用户home目录下生成一个隐藏的.ssh目录。目录里面有两个文件:
id_dsa、id_dsa.pub
这两个是密钥文件,id_dsa是密钥,id_dsa.pub是公钥
(3)、在.ssh目录下建立文件:authorized_keys2
(4)、在主机vm2上面执行步骤1~3
(5)、将vm1主机的id_dsa.pub文件内容复制到vm2主机的authorized_keys2
(6)、将vm2主机的id_dsa.pub文件内容复制到vm1主机的authorized_keys2
详细步骤可以参考下面:
[root@vm1:/]#su - oracle
[oracle@vm1]#pwd
/home/oracle
[oracle@vm1]#ls -la
总计 44
drwx------ 3 oracle oinstall 4096 03-30 17:48 .
drwxr-xr-x 4 root root
4096 03-30 17:00 ..
-rw------- 1 oracle oinstall 933 03-31 15:54 .bash_history
-rw-r--r-- 1 oracle oinstall 24 03-30 17:00 .bash_logout
-rw-r--r-- 1 oracle oinstall 629 03-30 17:48 .bash_profile
-rw-r--r-- 1 oracle oinstall 124 03-30 17:00 .bashrc
-rw-r--r-- 1 oracle oinstall 515 03-30 17:00 .emacs
drwxr-xr-x 3 oracle oinstall 4096 03-30 17:00 .kde
-rw------- 1 oracle oinstall 682 03-30 17:48 .viminfo
-rw-r--r-- 1 oracle oinstall 658 03-30 17:00 .zshrc
[oracle@vm1]#ssh-keygen -d
Generating public/private dsa key pair.
Enter file in which to save the key (/home/oracle/.ssh/id_dsa):
Created directory '/home/oracle/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/oracle/.ssh/id_dsa.
Your public key has been saved in /home/oracle/.ssh/id_dsa.pub.
The key fingerprint is:
24:a2:81:6c:f3:77:b2:99:79:50:c4:2b:bb:98:8f:ca oracle@vm1
[oracle@vm1]#ls -la
总计 48
drwx------ 4 oracle oinstall 4096 04-01 19:27 .
drwxr-xr-x 4 root root
4096 03-30 17:00 ..
-rw------- 1 oracle oinstall 933 03-31 15:54 .bash_history
-rw-r--r-- 1 oracle oinstall 24 03-30 17:00 .bash_logout
-rw-r--r-- 1 oracle oinstall 629 03-30 17:48 .bash_profile
-rw-r--r-- 1 oracle oinstall 124 03-30 17:00 .bashrc
-rw-r--r-- 1 oracle oinstall 515 03-30 17:00 .emacs
drwxr-xr-x 3 oracle oinstall 4096 03-30 17:00 .kde
drwx------ 2 oracle oinstall 4096 04-01 19:27 .ssh
-rw------- 1 oracle oinstall 682 03-30 17:48 .viminfo
-rw-r--r-- 1 oracle oinstall 658 03-30 17:00 .zshrc
[oracle@vm1]#cd .ssh
[oracle@vm1]#ls -l
总计 8
-rw------- 1 oracle oinstall 668 04-01 19:27 id_dsa
-rw-r--r-- 1 oracle oinstall 600 04-01 19:27 id_dsa.pub
[oracle@vm1]#touch authorized_keys2
[oracle@vm1]#ls -l
总计 8
-rw-r--r-- 1 oracle oinstall 0 04-01 19:27 authorized_keys2
-rw------- 1 oracle oinstall 668 04-01 19:27 id_dsa
-rw-r--r-- 1 oracle oinstall 600 04-01 19:27 id_dsa.pub
[oracle@vm1]#cp id_dsa.pub id_dsa.pub.vm1
[oracle@vm1]#scp id_dsa.pub.vm1 vm2:/home/oracle/.ssh/
The authenticity of host 'vm2 (139.122.1.20)' can't be established.
RSA key fingerprint is 2d:01:46:c1:55:6e:57:ef:0c:c1:55:50:b4:fa:39:6a.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'vm2,139.122.1.20' (RSA) to the list of known hosts.
oracle@vm2's password:
id_dsa.pub.vm1
100%6000.6KB/s 00:00
[oracle@vm1]#ls -l
总计 20
-rw-r--r-- 1 oracle oinstall 0 04-01 19:27 authorized_keys2
-rw------- 1 oracle oinstall 668 04-01 19:27 id_dsa
-rw-r--r-- 1 oracle oinstall 600 04-01 19:27 id_dsa.pub
-rw-r--r-- 1 oracle oinstall 600 04-01 19:29 id_dsa.pub.vm1
-rw-r--r-- 1 oracle oinstall 600 04-01 19:30 id_dsa.pub.vm2
-rw-r--r-- 1 oracle oinstall 398 04-01 19:29 known_hosts
[oracle@vm1]#cat id_dsa.pub.vm2
ssh-dss AAAAB3NzaC1kc3MAAACBAL/W2eqD725BtEZeB+v/VOBm1TIlCU4BnDlatNBLSdNtNpnLvGU4mcv8Ym9Xk25plMB2J3YJY4o6FGVFLrAaBVzsJFvWJcZDzrsGNyaEFmW6M8SbxQV4lC/kITkuSAXnmMGE2oSeHUxRFVO5AdOIQ7x5W7bJtOe+WcHA6xgunUcTAAAAFQCMlW/wduHRlTRyluNsUhz2IF7ZrQAAAIAOzgpQbvibWn0pUstJ5jIN0J53OHVXk4wVz/R8tg9ltob+V7Jru3ABDs3/DpLJC4Ep1B1gW6rI+/sxr6Z2qGT100WOz3xKowDNREst9SHiwXPVjPy/Vv/Ymqeugc5AX3/eicVtgCgY+hxfM+4rBrTLZ19HyNSGF7YxVrsEuPSEqAAAAIB8XKN6qc7HjTfngcqwmDREaagb7y8VkYj4kUTl31vrvTXBBeUCCuaVvAUPF1bf7U55Iy4OMv6hJ4ZBXwNzK/6/2QKYt3tS8ncFg/PkGRHvafQi8HglIbAoI9cErIDDb7G55mDtoctyuoCe6apfcnxJiJNFxxgxJjjgAHdNIpEBsg== oracle@vm2
[oracle@vm1]#cat id_dsa.pub.vm2 > authorized_keys2
[oracle@vm1]#cat /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 vm1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
139.122.1.10 vm1
139.122.1.20 vm2
[oracle@vm1]#ssh vm2 ls
[oracle@vm1]#ssh vm2 ls -a
.
..
.bash_history
.bash_logout
.bash_profile
.bashrc
.emacs
.kde
.ssh
.viminfo
.zshrcd
成功之后用ssh或者scp命令都不用输入密码【建立后第一次访问可能要确认一次】,如果不成功可能原因如下:
1、.ssh目录以及目录内文件权限不正确
.ssh目录权限为700,目录内文件权限为644
2、复制公钥文件id_dsa.pub的时候复制了多余的字符,比如空格或者换行,所以我上面演示的例子用了一种看起来比较
麻烦但算是安全的做法
备注:
如果要建立多台主机,比如四台主机之间的root用户之间的信任关系,步骤和上面差不多,假设四台主机hostname分别为:
VM1
VM2
VM3
VM4