Linux SSH Mutual Trust Configuration

Four machines in total: 10.0.16.4 (l1.inet.jansora.com), 10.0.4.10 (l2.inet.jansora.com), 10.0.4.14 (l3.inet.jansora.com), 10.0.4.12 (l4.inet.jansora.com)
Make sure they can all ping each other.

Configuring mutual trust takes the following steps:

1. Generate the trust keys

Generate an SSH key pair on each of the four machines:

root@l1:~# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa
Your public key has been saved in /root/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:1OULmKdwgL3gjWfyocJTAXiB03A6D60BX5gMVAq4r6s root@l1
The key's randomart image is:
+---[RSA 3072]----+
|o*=+ o.     .    |
|B.+ + .. + o     |
|.=.. =..= + .    |
|.= o= *+ o . .   |
|+o=..* .S   .    |
| +=+  .          |
| .+o             |
|.  o             |
|E..              |
+----[SHA256]-----+

2. Collect the SSH trust keys in one place

Collect the public keys of all four machines on l1.inet.jansora.com:

ssh -p 22 l1.inet.jansora.com cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
ssh -p 22 l2.inet.jansora.com cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
ssh -p 22 l3.inet.jansora.com cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
ssh -p 22 l4.inet.jansora.com cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys

3. Distribute the SSH trust keys to each machine

scp -P 22 ~/.ssh/authorized_keys l1.inet.jansora.com:~/.ssh/
scp -P 22 ~/.ssh/authorized_keys l2.inet.jansora.com:~/.ssh/
scp -P 22 ~/.ssh/authorized_keys l3.inet.jansora.com:~/.ssh/
scp -P 22 ~/.ssh/authorized_keys l4.inet.jansora.com:~/.ssh/
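
Step 2 appends with >> (so a rerun duplicates entries) and step 3 replaces each machine's ~/.ssh/authorized_keys with the copied file. The following added example, which is not part of the original post, merges public key files into an authorized_keys file idempotently, keeps entries that are already there, skips lines that are not public keys, and sets the 700/600 permissions; merge_authorized_keys and demo are hypothetical helper names and the key blobs are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. merge_authorized_keys and demo are
# hypothetical helpers; the key blobs in demo are constructed, not real keys.

# usage: merge_authorized_keys AUTH_FILE PUBKEY_FILE...
merge_authorized_keys() {
    auth=$1; shift
    dir=$(dirname "$auth")
    # sshd (StrictModes, on by default) refuses keys when ~/.ssh or the file
    # is writable by group or others.
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    [ -f "$auth" ] || : > "$auth"
    tmp=$(mktemp "$dir/.authorized_keys.XXXXXX") || return 1
    chmod 600 "$tmp"
    awk -v auth="$auth" '
        # Existing entries are kept verbatim (they may carry options such as
        # command="..."); remember every field so a known key is not re-added.
        FILENAME == auth { for (i = 1; i <= NF; i++) seen[$i] = 1; print; next }
        NF == 0 || $1 ~ /^#/ { next }
        # New files must hold plain "type base64 [comment]" public key lines.
        $1 !~ "^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521))$" ||
        $2 !~ "^[A-Za-z0-9+/]+=*$" {
            printf "skipped %s:%d\n", FILENAME, FNR > "/dev/stderr"; next
        }
        !seen[$2]++    # print each new key blob once
    ' "$auth" "$@" > "$tmp" || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$auth"    # replace in one step; the file stays mode 600
}

# Constructed run in a scratch directory: two key files plus one file that is
# not a public key, merged twice to show that a rerun adds nothing.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABl1 root@l1' > "$d/l1.pub"
    printf '%s\n' 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABl2 root@l2' > "$d/l2.pub"
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' > "$d/bad.pub"
    merge_authorized_keys "$d/.ssh/authorized_keys" \
        "$d/l1.pub" "$d/l2.pub" "$d/bad.pub" 2>/dev/null
    merge_authorized_keys "$d/.ssh/authorized_keys" "$d/l1.pub" "$d/l2.pub"
    wc -l < "$d/.ssh/authorized_keys" | tr -d ' '
    ls -ld "$d/.ssh" "$d/.ssh/authorized_keys" | cut -c1-10
    rm -rf "$d"
}
```

On l1 it would be called as merge_authorized_keys ~/.ssh/authorized_keys followed by the collected .pub files, in place of the four >> lines.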

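Verification passed

Run the following command on each machine to test (if the peer has not been trusted yet, this also adds it to ~/.ssh/known_hosts).

This step is necessary: the first time you ssh to a remote node, that node has to be added to ~/.ssh/known_hosts, which requires manual confirmation (typing yes). The second time it does not; see the test record below.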

root@l4:~# ssh -p 22 l1.inet.jansora.com date;ssh -p 22 l2.inet.jansora.com date;ssh -p 22 l3.inet.jansora.com date;ssh -p 22 l4.inet.jansora.com date;
The authenticity of host '[l1.inet.jansora.com]:22 ([10.0.16.4]:22)' can't be established.
ECDSA key fingerprint is SHA256:IRjRyhOGpV8t1TD11Lj6nchvMEtWOLyPJ0qvFG+shq8.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[l1.inet.jansora.com]:22,[10.0.16.4]:22' (ECDSA) to the list of known hosts.
Sun 15 May 2022 01:48:49 PM CST
The authenticity of host '[l2.inet.jansora.com]:22 ([10.0.4.10]:22)' can't be established.
ECDSA key fingerprint is SHA256:IQOR/vXTKqdGsJLAQZVzVZYh9xt2qhf8S4pt0IqgukY.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[l2.inet.jansora.com]:22,[10.0.4.10]:22' (ECDSA) to the list of known hosts.
Sun 15 May 2022 01:48:51 PM CST
The authenticity of host '[l3.inet.jansora.com]:22 ([10.0.4.14]:22)' can't be established.
ECDSA key fingerprint is SHA256:/0SLIO//nZAaIxXtzon7uCYsKxqrnEDti5Hkw6oXrGg.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[l3.inet.jansora.com]:22,[10.0.4.14]:22' (ECDSA) to the list of known hosts.
Sun 15 May 2022 01:48:52 PM CST
The authenticity of host '[l4.inet.jansora.com]:22 ([10.0.4.12]:22)' can't be established.
ECDSA key fingerprint is SHA256:uX9n1S+XS/fwlKo0wqHxL/6ubv1X8rcsE5bKq/qHjkc.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[l4.inet.jansora.com]:22,[10.0.4.12]:22' (ECDSA) to the list of known hosts.
Sun 15 May 2022 01:48:53 PM CST

root@l4:~# ssh -p 22 l1.inet.jansora.com date;ssh -p 22 l2.inet.jansora.com date;ssh -p 22 l3.inet.jansora.com date;ssh -p 22 l4.inet.jansora.com date;
Sun 15 May 2022 01:50:28 PM CST
Sun 15 May 2022 01:50:29 PM CST
Sun 15 May 2022 01:50:29 PM CST
Sun 15 May 2022 01:50:30 PM CST
root@l4:~# 
