Centos7 服務器部署ssh證書授權登錄

在當前服務器生成密鑰對 ssh-keygen –t rsa –P ”

ssh-keygen –t rsa –P ''
[root@localhost ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
59:17:be:64:5e:23:d3:76:eb:8f:87:5a:e8:8f:d9:b5 
root@localhost.localdomain
The key's randomart image is:
+--[ RSA 2048]----+
......

確認一路回車，命令默認會在用戶家目錄下生成.ssh目錄，有兩密鑰對文件

[root@Centos6 ~]# cd .ssh/
[root@Centos6 .ssh]# ll
total 16
-rw-r--r--. 1 root root  416 Nov  7 08:09 authorized_keys
-rw-------. 1 root root 1671 Nov  7 08:06 id_rsa
-rw-r--r--. 1 root root  416 Nov  7 08:06 id_rsa.pub
-rw-r--r--. 1 root root  784 Nov  7 08:21 known_hosts
[root@Centos6 .ssh]#
 //id_rsa是私鑰，id_rsa.pub是公鑰

接著在master節點上做如下配置，把id_rsa.pub追加到授權的key里面去。

cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
[root@Centos6 ~]# 非root用戶則需要授權

服務器改SSH配置文件”vim sshd_config”修改如下內容（去掉前面的注釋）

RSAAuthentication yes # 啟用 RSA 認證
PubkeyAuthentication yes # 啟用公鑰私鑰配對認證方式
AuthorizedKeysFile .ssh/authorized_keys # 公鑰文件路徑同上
# 有了證書登錄了，就把密碼登錄禁用，安全要緊
PasswordAuthentication no

最后重啟ssh服務

systemctl restart sshd.service
測試登錄
ssh localhost
[root@Centos6 ~]# ssh localhost
Last login: Mon Nov  7 08:34:38 2016 from localhost
[root@Centos6 ~]# 
第一次要確認輸入yes，以后就不用。
因為無法確認host主機的真實性，只知道它的公鑰指紋，問你還想不想繼續
繼續，會將localhost加入known hosts中，后面就不會再出現這種情況了。

Centos7 配置用于節點鑒別權限的SSH密鑰

功能同上面的一樣，只是這種方法我在ansible上用就記下來了。怕忘

root@localhost ~]# ssh-keygen 
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
da:7a:b6:8c:e3:05:da:d4:04:0a:a4:43:58:f0:e1:33 root@localhost.localdomain
The key's randomart image is:
+--[ RSA 2048]----+
|o==   .          |
|o+ o . .         |
|o E .   .        |
| . o   o         |
|      o S        |
|     + +         |
|    . o o        |
|      .=o        |
|     .++o.       |
+-----------------+
[root@localhost ~]# 

使用ssh-copy-id命令來復制Ansible公鑰到每個節點中。

[root@localhost ~]# ssh-copy-id -i root@10.1.252.205
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@10.1.252.205's password: 
Number of key(s) added: 1
Now try logging into the machine, with:   "ssh 'root@10.1.252.205'"
and check to make sure that only the key(s) you wanted were added.
[root@localhost ~]# 

還有很多都可以復制到節點上的 
scp、ansible all -m copy -a （copy是ansible命令里的一個模塊）

生成一個文件
ansible all -m copy -a "src=/root/.ssh/id_rsa.pub dest=/tmp/id_rsa.pub" --ask-pass -c paramiko 
再拷貝到遠程服務器上
ansible all -m shell -a "cat /tmp/id_rsa.pub >> /root/.ssh/authorized_keys" --ask-pass -c paramiko