当前位置:   article > 正文

linux ssh 免密互信自动化配置(摒弃繁琐一步到位)_linux 自动配置互信

linux 自动配置互信

分布式结构的使用逐渐增多之后发现以前使用的配置互信免密太繁琐了

直到遇到了“它”,我都忘了以前怎么配置ssh 免密登录了

ssh免密脚本下载

sshUserSetup.sh --oracle自动化互信工具

  1. [root@rac2 ios]# sh sshUserSetup.sh -user root -hosts "rac1 rac2" -advanced
  2. The output of this script is also logged into /tmp/sshUserSetup_2023-06-27-13-32-30.log
  3. Hosts are rac1 rac2
  4. user is root
  5. Platform:- Linux
  6. Checking if the remote hosts are reachable
  7. PING rac1 (192.168.1.79) 56(84) bytes of data.
  8. 64 bytes from rac1 (192.168.1.79): icmp_seq=1 ttl=64 time=0.224 ms
  9. 64 bytes from rac1 (192.168.1.79): icmp_seq=2 ttl=64 time=0.181 ms
  10. 64 bytes from rac1 (192.168.1.79): icmp_seq=3 ttl=64 time=0.217 ms
  11. 64 bytes from rac1 (192.168.1.79): icmp_seq=4 ttl=64 time=0.183 ms
  12. 64 bytes from rac1 (192.168.1.79): icmp_seq=5 ttl=64 time=0.263 ms
  13. --- rac1 ping statistics ---
  14. 5 packets transmitted, 5 received, 0% packet loss, time 4000ms
  15. rtt min/avg/max/mdev = 0.181/0.213/0.263/0.034 ms
  16. PING rac2 (192.168.1.80) 56(84) bytes of data.
  17. 64 bytes from rac2 (192.168.1.80): icmp_seq=1 ttl=64 time=0.052 ms
  18. 64 bytes from rac2 (192.168.1.80): icmp_seq=2 ttl=64 time=0.049 ms
  19. 64 bytes from rac2 (192.168.1.80): icmp_seq=3 ttl=64 time=0.058 ms
  20. 64 bytes from rac2 (192.168.1.80): icmp_seq=4 ttl=64 time=0.063 ms
  21. 64 bytes from rac2 (192.168.1.80): icmp_seq=5 ttl=64 time=0.059 ms
  22. --- rac2 ping statistics ---
  23. 5 packets transmitted, 5 received, 0% packet loss, time 3999ms
  24. rtt min/avg/max/mdev = 0.049/0.056/0.063/0.006 ms
  25. Remote host reachability check succeeded.
  26. The following hosts are reachable: rac1 rac2.
  27. The following hosts are not reachable: .
  28. All hosts are reachable. Proceeding further...
  29. firsthost rac1
  30. numhosts 2
  31. The script will setup SSH connectivity from the host rac2 to all
  32. the remote hosts. After the script is executed, the user can use SSH to run
  33. commands on the remote hosts or copy files between this host rac2
  34. and the remote hosts without being prompted for passwords or confirmations.
  35. NOTE 1:
  36. As part of the setup procedure, this script will use ssh and scp to copy
  37. files between the local host and the remote hosts. Since the script does not
  38. store passwords, you may be prompted for the passwords during the execution of
  39. the script whenever ssh or scp is invoked.
  40. NOTE 2:
  41. AS PER SSH REQUIREMENTS, THIS SCRIPT WILL SECURE THE USER HOME DIRECTORY
  42. AND THE .ssh DIRECTORY BY REVOKING GROUP AND WORLD WRITE PRIVILEDGES TO THESE
  43. directories.
  44. Do you want to continue and let the script make the above mentioned changes (yes/no)?
  45. yes
  46. The user chose yes
  47. Please specify if you want to specify a passphrase for the private key this script will create for the local host. Passphrase is used to encrypt the private key and makes SSH much more secure. Type 'yes' or 'no' and then press enter. In case you press 'yes', you would need to enter the passphrase whenever the script executes ssh or scp.
  48. The estimated number of times the user would be prompted for a passphrase is 4. In addition, if the private-public files are also newly created, the user would have to specify the passphrase on one additional occasion.
  49. Enter 'yes' or 'no'.
  50. yes
  51. The user chose yes
  52. The files containing the client public and private keys already exist on the local host. The current private key may or may not have a passphrase associated with it. In case you remember the passphrase and do not want to re-run ssh-keygen, press 'no' and enter. If you press 'no', the script will not attempt to create any new public/private key pairs. If you press 'yes', the script will remove the old private/public key files existing and create new ones prompting the user to enter the passphrase. If you enter 'yes', any previous SSH user setups would be reset. If you press 'change', the script will associate a new passphrase with the old keys.
  53. Press 'yes', 'no' or 'change'
  54. yes
  55. The user chose yes
  56. Creating .ssh directory on local host, if not present already
  57. Creating authorized_keys file on local host
  58. Changing permissions on authorized_keys to 644 on local host
  59. Creating known_hosts file on local host
  60. Changing permissions on known_hosts to 644 on local host
  61. Creating config file on local host
  62. If a config file exists already at /root/.ssh/config, it would be backed up to /root/.ssh/config.backup.
  63. Removing old private/public keys on local host
  64. Running SSH keygen on local host
  65. Enter passphrase (empty for no passphrase):
  66. Enter same passphrase again:
  67. Generating public/private rsa key pair.
  68. Your identification has been saved in /root/.ssh/id_rsa.
  69. Your public key has been saved in /root/.ssh/id_rsa.pub.
  70. The key fingerprint is:
  71. SHA256:+vp8+7LiLphjO2lg/whKsg5Ai00pIV6+jfSpnmg3qXA root@rac2
  72. The key's randomart image is:
  73. +---[RSA 1024]----+
  74. |o . |
  75. |o.o. |
  76. |.ooo |
  77. |o+o = . |
  78. |o..o + S |
  79. |. o . . |
  80. |+oE+.+. |
  81. |==o=@..o. o |
  82. |=+o=+=o**oo=. |
  83. +----[SHA256]-----+
  84. Creating .ssh directory and setting permissions on remote host rac1
  85. THE SCRIPT WOULD ALSO BE REVOKING WRITE PERMISSIONS FOR group AND others ON THE HOME DIRECTORY FOR root. THIS IS AN SSH REQUIREMENT.
  86. The script would create ~root/.ssh/config file on remote host rac1. If a config file exists already at ~root/.ssh/config, it would be backed up to ~root/.ssh/config.backup.
  87. The user may be prompted for a password here since the script would be running SSH on host rac1.
  88. Warning: Permanently added 'rac1,192.168.1.79' (ECDSA) to the list of known hosts.
  89. root@rac1's password:
  90. Done with creating .ssh directory and setting permissions on remote host rac1.
  91. Creating .ssh directory and setting permissions on remote host rac2
  92. THE SCRIPT WOULD ALSO BE REVOKING WRITE PERMISSIONS FOR group AND others ON THE HOME DIRECTORY FOR root. THIS IS AN SSH REQUIREMENT.
  93. The script would create ~root/.ssh/config file on remote host rac2. If a config file exists already at ~root/.ssh/config, it would be backed up to ~root/.ssh/config.backup.
  94. The user may be prompted for a password here since the script would be running SSH on host rac2.
  95. Warning: Permanently added 'rac2,192.168.1.80' (ECDSA) to the list of known hosts.
  96. root@rac2's password:
  97. Permission denied, please try again.
  98. root@rac2's password:
  99. Done with creating .ssh directory and setting permissions on remote host rac2.
  100. Copying local host public key to the remote host rac1
  101. The user may be prompted for a password or passphrase here since the script would be using SCP for host rac1.
  102. root@rac1's password:
  103. Done copying local host public key to the remote host rac1
  104. Copying local host public key to the remote host rac2
  105. The user may be prompted for a password or passphrase here since the script would be using SCP for host rac2.
  106. root@rac2's password:
  107. Done copying local host public key to the remote host rac2
  108. Creating keys on remote host rac1 if they do not exist already. This is required to setup SSH on host rac1.
  109. Creating keys on remote host rac2 if they do not exist already. This is required to setup SSH on host rac2.
  110. Updating authorized_keys file on remote host rac1
  111. Updating known_hosts file on remote host rac1
  112. The script will run SSH on the remote machine rac1. The user may be prompted for a passphrase here in case the private key has been encrypted with a passphrase.
  113. Updating authorized_keys file on remote host rac2
  114. Updating known_hosts file on remote host rac2
  115. The script will run SSH on the remote machine rac2. The user may be prompted for a passphrase here in case the private key has been encrypted with a passphrase.
  116. cat: /root/.ssh/known_hosts.tmp: No such file or directory
  117. cat: /root/.ssh/authorized_keys.tmp: No such file or directory
  118. SSH setup is complete.
  119. ------------------------------------------------------------------------
  120. Verifying SSH setup
  121. ===================
  122. The script will now run the date command on the remote nodes using ssh
  123. to verify if ssh is setup correctly. IF THE SETUP IS CORRECTLY SETUP,
  124. THERE SHOULD BE NO OUTPUT OTHER THAN THE DATE AND SSH SHOULD NOT ASK FOR
  125. PASSWORDS. If you see any output other than date or are prompted for the
  126. password, ssh is not setup correctly and you will need to resolve the
  127. issue and set up ssh again.
  128. The possible causes for failure could be:
  129. 1. The server settings in /etc/ssh/sshd_config file do not allow ssh
  130. for user root.
  131. 2. The server may have disabled public key based authentication.
  132. 3. The client public key on the server may be outdated.
  133. 4. ~root or ~root/.ssh on the remote host may not be owned by root.
  134. 5. User may not have passed -shared option for shared remote users or
  135. may be passing the -shared option for non-shared remote users.
  136. 6. If there is output in addition to the date, but no password is asked,
  137. it may be a security alert shown as part of company policy. Append the
  138. additional text to the <OMS HOME>/sysman/prov/resources/ignoreMessages.txt file.
  139. ------------------------------------------------------------------------
  140. --rac1:--
  141. Running /usr/bin/ssh -x -l root rac1 date to verify SSH connectivity has been setup from local host to rac1.
  142. IF YOU SEE ANY OTHER OUTPUT BESIDES THE OUTPUT OF THE DATE COMMAND OR IF YOU ARE PROMPTED FOR A PASSWORD HERE, IT MEANS SSH SETUP HAS NOT BEEN SUCCESSFUL. Please note that being prompted for a passphrase may be OK but being prompted for a password is ERROR.
  143. The script will run SSH on the remote machine rac1. The user may be prompted for a passphrase here in case the private key has been encrypted with a passphrase.
  144. Tue Jun 27 01:35:32 EDT 2023
  145. ------------------------------------------------------------------------
  146. --rac2:--
  147. Running /usr/bin/ssh -x -l root rac2 date to verify SSH connectivity has been setup from local host to rac2.
  148. IF YOU SEE ANY OTHER OUTPUT BESIDES THE OUTPUT OF THE DATE COMMAND OR IF YOU ARE PROMPTED FOR A PASSWORD HERE, IT MEANS SSH SETUP HAS NOT BEEN SUCCESSFUL. Please note that being prompted for a passphrase may be OK but being prompted for a password is ERROR.
  149. The script will run SSH on the remote machine rac2. The user may be prompted for a passphrase here in case the private key has been encrypted with a passphrase.
  150. Tue Jun 27 13:35:33 CST 2023
  151. ------------------------------------------------------------------------
  152. ------------------------------------------------------------------------
  153. Verifying SSH connectivity has been setup from rac1 to rac1
  154. IF YOU SEE ANY OTHER OUTPUT BESIDES THE OUTPUT OF THE DATE COMMAND OR IF YOU ARE PROMPTED FOR A PASSWORD HERE, IT MEANS SSH SETUP HAS NOT BEEN SUCCESSFUL.
  155. Tue Jun 27 01:35:33 EDT 2023
  156. ------------------------------------------------------------------------
  157. ------------------------------------------------------------------------
  158. Verifying SSH connectivity has been setup from rac1 to rac2
  159. IF YOU SEE ANY OTHER OUTPUT BESIDES THE OUTPUT OF THE DATE COMMAND OR IF YOU ARE PROMPTED FOR A PASSWORD HERE, IT MEANS SSH SETUP HAS NOT BEEN SUCCESSFUL.
  160. Tue Jun 27 13:35:34 CST 2023
  161. ------------------------------------------------------------------------
  162. -Verification from complete-
  163. SSH verification complete.

执行脚本后

看到yes/no 输入yes,

Enter passphrase (empty for no passphrase): 回车
Enter same passphrase again:回车

输入对应ip的对应ssh密码即可。

效果演示:

配置一些集群和分布式都能用到

重点参数介绍:            -user 用户    指定互信

                                     -hosts "ip或主机名......." 指定互信主机

                                     -advanced   不加单向互信,加上双向互信。参考:使用Oracle的sshUserSetup.sh脚本配置SSH互信_Expect-乐的博客-CSDN博客

本文内容由网友自发贡献,转载请注明出处:https://www.wpsshop.cn/w/喵喵爱编程/article/detail/906216
推荐阅读
相关标签
  

闽ICP备14008679号