最简单的一种形式配置主机间的互信,假设有两台主机A、B,A作为客户端,B作为目标机,可以做如下配置:
在A客户端设置:
bash
➜ ~ ssh-keygen -t rsa -b 2048 -f my_key
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in my_key
Your public key has been saved in my_key.pub
The key fingerprint is:
SHA256:Ls8NyhrXtrCZQ2lNU+h4E7MPpWu4BjtSo15ZOPSRIo0 xxx@xxxx.local
The key's randomart image is:
+---[RSA 2048]----+
| . |
| o .+ o |
| E + oo B |
| o +..X |
| o o*S* |
| ++=o+ . |
| o+*+o= |
| o.o++@ + |
| ....+*.+ . |
+----[SHA256]-----+
➜ ~将公钥分发到主机B
bash
ssh-copy-id root@192.168.86.129确保目标主机上的 ~/.ssh/authorized_keys 文件的权限为 600
bash
chmod 600 ~/.ssh/authorized_keys设置 SSH 服务
bash
vim /etc/ssh/sshd_config修改如下
bash
PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys重启ssh服务
bash
systemctl restart sshd验证免登录
bash
➜ ~ ssh root@192.168.86.129
Activate the web console with: systemctl enable --now cockpit.socket
Last login: Sun Dec 29 21:19:23 2024 from 192.168.86.1
[root@localhost ~]#这是最基础,最简单的用法。
当然更加规范的用法是在互信机器之外为用户(注意,是为用户,不是为某个机器)生成密钥,比如说密钥中心等,这里就不再展开说了