centos 7 免密登录

本文转载自：https://www.cnblogs.com/hobinly/p/6039844.html

环境示例

Centos7  192.168.1.101 master

Centos7 192.168.1.102 slave

已安装openssl

1、检查机器名和连通性[root用户下操作]

master 查看文件“/etc/hostname"  是否配置成”master",文件内容为空，需要添加“master"，添加后如：

master

ping slave,无法ping通，查看文件”/etc/hosts" ，是否添加对slave的解析,如：

127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.1.101 master
192.168.1.102 slave

相应slave也同样检查网络名称“slave”和master地址解析

确保在master机器上ping slave成功，在slave机器上ping master成功

2、修改ssh config配置[root用户下操作]

查看/etc/ssh/sshd_config文件[vi /etc/ssh/sshd_config],开启ssh证书登录，即找到注释配置[#RSAAuthentication yes,#PubkeyAuthentication yes],把前面的“#"号去掉，如：

RSAAuthentication yes
PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile      .ssh/authorized_keys

另外在该文件中显示，AuthorizedKeysFile      .ssh/authorized_keys，keys存储路径在”.ssh“的文件夹的authorized_keys文件里。

3、在机器master、slave上建立相同的用户，以下以test用户为例

[root@slave ~]# useradd test -p test
[root@slave ~]# echo test | passwd --stdin test
Changing password for user test.
passwd: all authentication tokens updated successfully.

4、生成ssh证书文件

使用test登录master,创建文件夹”.ssh"[mkdir .ssh],cd到.ssh文件夹，输入命令“ssh-keygen -t rsa"，回车到底，如：

[test@master .ssh]$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/hadoop/.ssh/id_rsa):[回车]
Enter passphrase (empty for no passphrase):[回车]
Enter same passphrase again:[回车]
Your identification has been saved in /home/test/.ssh/id_rsa.
Your public key has been saved in /home/test/.ssh/id_rsa.pub.
The key fingerprint is:
e4:37:20:54:19:26:d0:39:34:b3:79:cb:00:6b:c9:e5 test@master
The key's randomart image is:
+--[ RSA 2048]----+
|    o+Bo+o       |
|   . B+B.        |
|    = E.+        |
|   .   B o       |
|        S o      |
|         . .     |
|                 |
|                 |
|                 |
+-----------------+
[test@master .ssh]$

查看”.ssh“文件夹下文件，产生master的文件私钥id_rsa和公钥id_rsa.pub：

[test@master .ssh]$ ls
id_rsa  id_rsa.pub

使用test登录slave,相同操作，产生产生slave的文件私钥id_rsa和公钥id_rsa.pub

5、合并id_rsa.pub，追加到authorized_key文件中

test登录master, 在“.ssh”文件夹下，输入命令“scp id_rsa.pub  test@slave:~/.ssh/authorized_keys”,拷贝master的公钥id_rsa.pub到slave的.ssh/authorized_keys。

[test@master .ssh]$ scp id_rsa.pub test@slave:~/.ssh/authorized_keys
The authenticity of host 'slave (192.168.1.102)' can't be established.
ECDSA key fingerprint is b5:9e:ca:16:64:66:08:3b:9b:f4:be:5b:9f:f2:fc:a7.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'slave,192.168.1.102' (ECDSA) to the list of known hosts.
test@slave's password:
id_rsa.pub                                    100%  395     0.4KB/s   00:00
[test@master .ssh]$

test登录slave,在“.ssh”文件夹下，输入命令“cat id_rsa.pub >> authorized.keys”,把slave的公钥id_rsa.pub追加到slave的authorized_keys文件。检查文件“authorized_keys”，内容如下：

ssh-rsa ******OfQi3v6lxMGIv/VWgcK5EaYRilz4/XPAmbjxGpFV8nD/JbTrK36v1zsx6TmyckIEfoHU9FvuQoJapxhH/bBSsXix2EWv8UsOCyp test@master
ssh-rsa ******knrMMPON0FrTnjhv3hS5ZAPCEad36ah5lyeOtix2Sr2ug0YP6Ai0iT6Jd04hcUAKF21PBMybvlBYxzAfEr5vBxNBp2Ijwlvp1zP test@slave1

注：因文件太长省略，用“******”代替
在slave的“.ssh”文件夹下，复制authorized_keys到master的test，命令“scp authorized_keys test@master:~/.ssh/"，此时，master “.ssh”文件夹下，已经存在与slave相同的authorized_keys文件

6、测试登录

在master，test用户登录的情况下，输入“ssh slave”

在slave，test用户登录的情况下，输入“ssh master”

如在每次ssh登入时需要输入密码，跟没有配置免密登陆时一样情况，需要需改.ssh文件夹访问权限,分配权限为登陆用户

假设无法登陆master，则需要在master上做以下操作

[root@master ~]# chown test: /home/test/.ssh
[root@master ~]# chown test: /home/test/.ssh/*
[root@master ~]# chmod 700 /home/test/.ssh
[root@master ~]# chmod 600 /home/test/.ssh/*