CVM之间配置免密钥登录

Posted 2020-10-11 一条寻找快乐的咸鱼

背景：

1客户A和B俩台主机之间需要实现免密钥登录，已绑定腾讯云申请的密钥对

系统：centos7.3

A:192.168.0.100

B:192.168.0.84

A主机的私钥文件：aaa

B主机的私钥文件：bbb

公钥文件：authorized_keys

/etc/ssh/sshd.conf文件修改参数，前面有“#”注释符的需要去掉

HostKey /etc/ssh/ssh_host_rsa_key

RSAAuthentication yes

PubkeyAuthentication yes

AuthorizedKeysFile      .ssh/authorized_keys

PasswordAuthentication no

参考sshd_config配置文件，注意系统版本，不适用centos6.x版本，修改配置文件前做好备份

  1 #    $OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $
  2 
  3 # This is the sshd server system-wide configuration file.  See
  4 # sshd_config(5) for more information.
  5 
  6 # This sshd was compiled with PATH=/usr/local/bin:/usr/bin
  7 
  8 # The strategy used for options in the default sshd_config shipped with
  9 # OpenSSH is to specify options with their default value where
 10 # possible, but leave them commented.  Uncommented options override the
 11 # default value.
 12 
 13 # If you want to change the port on a SELinux system, you have to tell
 14 # SELinux about this change.
 15 # semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
 16 #
 17 #Port 22
 18 #AddressFamily any
 19 #ListenAddress 192.168.0.100
 20 #ListenAddress 192.168.0.100
 21 
 22 # The default requires explicit activation of protocol 1
 23 #Protocol 2
 24 
 25 # HostKey for protocol version 1
 26 #HostKey /etc/ssh/ssh_host_key
 27 # HostKeys for protocol version 2
 28 HostKey /etc/ssh/ssh_host_rsa_key
 29 #HostKey /etc/ssh/ssh_host_dsa_key
 30 HostKey /etc/ssh/ssh_host_ecdsa_key
 31 HostKey /etc/ssh/ssh_host_ed25519_key
 32 
 33 # Lifetime and size of ephemeral version 1 server key
 34 #KeyRegenerationInterval 1h
 35 #ServerKeyBits 1024
 36 
 37 # Ciphers and keying
 38 #RekeyLimit default none
 39 
 40 # Logging
 41 # obsoletes QuietMode and FascistLogging
 42 #SyslogFacility AUTH
 43 SyslogFacility AUTHPRIV
 44 #LogLevel INFO
 45 
 46 # Authentication:
 47 
 48 #LoginGraceTime 2m
 49 #PermitRootLogin yes
 50 #StrictModes yes
 51 #MaxAuthTries 6
 52 #MaxSessions 10
 53 
 54 RSAAuthentication yes
 55 PubkeyAuthentication yes
 56 
 57 # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
 58 # but this is overridden so installations will only check .ssh/authorized_keys
 59 AuthorizedKeysFile    .ssh/authorized_keys
 60 
 61 #AuthorizedPrincipalsFile none
 62 
 63 #AuthorizedKeysCommand none
 64 #AuthorizedKeysCommandUser nobody
 65 
 66 # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
 67 #RhostsRSAAuthentication no
 68 # similar for protocol version 2
 69 #HostbasedAuthentication no
 70 # Change to yes if you don\'t trust ~/.ssh/known_hosts for
 71 # RhostsRSAAuthentication and HostbasedAuthentication
 72 #IgnoreUserKnownHosts no
 73 # Don\'t read the user\'s ~/.rhosts and ~/.shosts files
 74 #IgnoreRhosts yes
 75 
 76 # To disable tunneled clear text passwords, change to no here!
 77 #PasswordAuthentication no
 78 #PermitEmptyPasswords no
 79 PasswordAuthentication no
 80 
 81 # Change to no to disable s/key passwords
 82 #ChallengeResponseAuthentication yes
 83 ChallengeResponseAuthentication no
 84 
 85 # Kerberos options
 86 #KerberosAuthentication no
 87 #KerberosOrLocalPasswd yes
 88 #KerberosTicketCleanup yes
 89 #KerberosGetAFSToken no
 90 #KerberosUseKuserok yes
 91 
 92 # GSSAPI options
 93 GSSAPIAuthentication yes
 94 GSSAPICleanupCredentials no
 95 #GSSAPIStrictAcceptorCheck yes
 96 #GSSAPIKeyExchange no
 97 #GSSAPIEnablek5users no
 98 
 99 # Set this to \'yes\' to enable PAM authentication, account processing,
100 # and session processing. If this is enabled, PAM authentication will
101 # be allowed through the ChallengeResponseAuthentication and
102 # PasswordAuthentication.  Depending on your PAM configuration,
103 # PAM authentication via ChallengeResponseAuthentication may bypass
104 # the setting of "PermitRootLogin without-password".
105 # If you just want the PAM account and session checks to run without
106 # PAM authentication, then enable this but set PasswordAuthentication
107 # and ChallengeResponseAuthentication to \'no\'.
108 # WARNING: \'UsePAM no\' is not supported in Red Hat Enterprise Linux and may cause several
109 # problems.
110 UsePAM yes
111 
112 #AllowAgentForwarding yes
113 #AllowTcpForwarding yes
114 #GatewayPorts no
115 X11Forwarding yes
116 #X11DisplayOffset 10
117 #X11UseLocalhost yes
118 #PermitTTY yes
119 #PrintMotd yes
120 #PrintLastLog yes
121 #TCPKeepAlive yes
122 #UseLogin no
123 UsePrivilegeSeparation sandbox        # Default for new installations.
124 #PermitUserEnvironment no
125 #Compression delayed
126 #ClientAliveInterval 0
127 #ClientAliveCountMax 3
128 #ShowPatchLevel no
129 UseDNS no
130 #PidFile /var/run/sshd.pid
131 #MaxStartups 10:30:100
132 #PermitTunnel no
133 #ChrootDirectory none
134 #VersionAddendum none
135 
136 # no default banner path
137 #Banner none
138 
139 # Accept locale-related environment variables
140 AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
141 AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
142 AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
143 AcceptEnv XMODIFIERS
144 
145 # override default of no subsystems
146 Subsystem    sftp    /usr/libexec/openssh/sftp-server
147 
148 # Example of overriding settings on a per-user basis
149 #Match User anoncvs
150 #    X11Forwarding no
151 #    AllowTcpForwarding no
152 #    PermitTTY no
153 #    ForceCommand cvs server

View Code

 

操作步骤

1.首先把aaa和bbb私钥文件分别上传到A主机和B主机上的/root/.ssh/目录中（上传可以安装lrzsz工具，直接拖文件到服务器即可）

A主机：

 

 

B：主机

 

 

2.将A主机中的authorized_keys中的公钥拷贝到B主机的authorized_keys文件中

   将B主机中的authorized_keys中的公钥保存的A主机的authorized_keys文件中

A主机的authorized_keys文件

B主机的authorized_keys文件

 

3.将A主机和B主机的私钥文件分别修改为id_rsa

A主机.ssh/目录下的内容

 mv /root/.ssh/aaa /root/.ssh/id_rsa

B主机.ssh/目录下的内容

 mv /root/.ssh/aaa /root/.ssh/id_rsa

 

4.分别在A主机和B主机上执行下面授权操作

chmod 700 ~/.ssh/
chmod 600 ~/.ssh/authorized_keys

chmod 600 ~/.ssh/id_rsa

 最后来验证

 A主机远程B主机：

 

B主机远程A主机