SSH login issues (generating an RSA key, passwordless login, root SSH login, etc.)

Source: Internet  Published: java runnable thread  Editor: 程序博客网  Time: 2024/04/29 13:10

First, let root log in to a machine over SSH:

# pwauth is 'yes' or 'no'; the full script below computes it from the autodeploy options
update_ini('/etc/ssh/sshd_config', 'PermitRootLogin', 'yes')
update_ini('/etc/ssh/sshd_config', 'PasswordAuthentication', pwauth)
update_ini('/etc/ssh/sshd_config', 'ChallengeResponseAuthentication', 'no')

That is, change these three values in /etc/ssh/sshd_config.


On logging in from one Linux machine to another without a password:


1: Use ssh-keygen to generate an RSA key for the user

Accept all the defaults; this gives you two files, id_rsa and id_rsa.pub,

and a fingerprint that looks like this:

e9:37:e4:48:1f:96:f3:3a:1a:ac:57:cc:85:39:bb:6f mac@ngmp-master


[mac@ngmp-master .ssh]$ ll
total 16
-rw------- 1 mac mac 1675 May 24 10:33 id_rsa
-rw-r--r-- 1 mac mac  397 May 24 10:33 id_rsa.pub
[mac@ngmp-master .ssh]$ pwd
/home/mac/.ssh


2: Use ssh-copy-id user@host to send the SSH public key you just created to the host machine

Or copy the contents of id_rsa.pub yourself into the .ssh/authorized_keys2 file on the target machine.


3: When you ssh from machine A to machine B, the ~/.ssh/known_hosts file under your account on A gains one extra line, a record for machine B, which looks like:

10.36.126.32 ssh-rsa AAAAB3NzaC1yc2EAAAQEAqB1PcXHO7....yDZGvKqYJIYluKQ==

This is not the secret key; it is machine B's fingerprint (it appears to be base64 encoded).

If machine B is reinstalled, delete B's record from A's known_hosts file.


SSH setup for several machines that trust each other:

1: On one of the machines, generate a key with ssh-keygen as root

2: Copy the files id_rsa and id_rsa.pub to /root/.ssh/ on each trusted machine

3: Add a line to the authorized_keys2 file:

from="server1, server2, server3, ...." ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAtSVYgX8z5WiHpaKpb9eYQ+Ubytap34tcKbhTW7Pw69I9OVFcGtrPhc35o4OO4aPb47MKBlnq/bVOMzKginDOGnw== root@master.server

The format is from="server, .... server list" ssh-rsa ASSDFA(the public key)aASDFASDFAf <user>@<server>


The Ruby script used to do this:

#!/usr/bin/ruby
IMHT_ROOT = "/opt/trend/imht"
require 'central_config'
require 'tempfile'

# Rewrite the first active or commented-out "kw ..." line in fn as "kw value",
# leaving all other lines as they are (done with awk through a temp file).
def update_ini(fn, kw, value)
  f = Tempfile.new(File.basename(fn))
  f.close
  system("awk \"BEGIN {i=0} {if (/^#?#{kw}[ \t]+.*/) {if(i == 0) print \\\"#{kw} #{value}\\\"; i++} else print}\" #{fn} > #{f.path}")
  system("cp -f #{f.path} #{fn}")
  f.unlink
end

# Push our host's public key to the master
cfg = CentralConfig.new
myhost = cfg.get_my_host()
master = cfg.get_hosts_by_role_dc_pod('slack-master', myhost.dc, myhost.pod)[0]
key = IO.read('/etc/ssh/ssh_host_rsa_key.pub')
myentry = "#{myhost.host},#{myhost.host}.#{cfg.get_domain_by_datacenter_pod(myhost.dc, myhost.pod)},#{cfg.get_host_ip(myhost)} #{key}"
f = Tempfile.new('known_hosts')
f.write(myentry)
f.close
system("rsync #{f.path} #{master.host}::imht/ssh-config/#{myhost.host}.pub")
f.unlink

# Install the known-hosts file
system("cp -f #{IMHT_ROOT}/setup/ssh-config/ssh_known_hosts /etc/ssh")

# Install root's SSH key pair
system("mkdir -p /root/.ssh")
system("cp -f #{IMHT_ROOT}/setup/ssh-config/id_rsa /root/.ssh")
system("chmod 600 /root/.ssh/id_rsa")
system("cp -f #{IMHT_ROOT}/setup/ssh-config/id_rsa.pub /root/.ssh")
system("chmod 644 /root/.ssh/id_rsa.pub")

# Allow root access only from nodes within the pod
hosts = cfg.get_hosts_by_datacenter_pod(myhost.dc, myhost.pod)
domain = cfg.get_domain_by_datacenter_pod(myhost.dc, myhost.pod)
from = 'from="'
hosts.each do |h|
  from << "#{h.host}.#{domain},"
end
extra = cfg.get_pod_parameter(myhost.dc, myhost.pod, 'ssh.authkeys.extra_ips')
if extra
  from << extra.split(/ *, */).join(',') + ','
end
from[from.length-1] = '" '   # replace the trailing comma with the closing quote
f = Tempfile.new('auth_keys_from')
f.write(from)
f.close
system("cat /root/.ssh/id_rsa.pub >> #{f.path}")
# Append the restricted entry only if it is not already in authorized_keys2
system("cat #{f.path} >> /root/.ssh/authorized_keys2") if !File.exist?('/root/.ssh/authorized_keys2') || !system("grep -q -f #{f.path} /root/.ssh/authorized_keys2")
system("chmod 644 /root/.ssh/authorized_keys2")
f.unlink

# Check if PasswordAuthentication is allowed
autodeploy = cfg.get_my_parameter('autodeploy')
autodeploy_opts = autodeploy ? autodeploy.split(/ *, */) : []
pwauth = (autodeploy_opts.include?('+sshdpwauth')) ? 'yes' : 'no'

# Enable root login. Disable password authentication
update_ini('/etc/ssh/sshd_config', 'PermitRootLogin', 'yes')
update_ini('/etc/ssh/sshd_config', 'PasswordAuthentication', pwauth)
update_ini('/etc/ssh/sshd_config', 'ChallengeResponseAuthentication', 'no')

# Restart sshd
if cfg.get_host_os(myhost) == 'ubuntu'
  system("/etc/init.d/ssh restart")
else
  system("/etc/init.d/sshd restart")
end
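An added example (my own code, not the script above or the IMHT tooling): pure-Ruby versions of the two operations the script shells out for, working on strings so they run unprivileged and without central_config. update_ini behaves like the awk one-liner (rewrite the first active or commented-out directive) and additionally appends the directive when it is absent; build_from_entry and merge_authorized_keys produce and idempotently install the from="..." line described above. All function names are mine.

```ruby
require 'ipaddr'

# Replace the first "Keyword value" or "#Keyword value" line with
# "Keyword value" and leave every other line as it is; if no such line
# exists the directive is appended (the awk version would silently do nothing).
def update_ini(content, kw, value)
  pattern = /\A#?#{Regexp.escape(kw)}[ \t]+/
  done = false
  out = content.lines.map do |line|
    if !done && line =~ pattern
      done = true
      "#{kw} #{value}\n"
    else
      line
    end
  end
  out << "#{kw} #{value}\n" unless done
  out.join
end

# Build one restricted authorized_keys entry, e.g.
#   from="h1.example.com,h2.example.com,10.0.0.5" ssh-rsa AAAA... root@master
# hosts are taken as given; extra_ips is the comma-separated string from the
# pod config, and every item must parse as an IP or CIDR so that a stray
# pattern such as "*" cannot silently widen who may log in as root.
def build_from_entry(hosts, extra_ips, pubkey_line)
  allowed = hosts.map(&:strip).reject(&:empty?)
  extra_ips.to_s.split(/ *, */).each do |ip|
    next if ip.empty?
    IPAddr.new(ip) # raises IPAddr::InvalidAddressError (an ArgumentError) on junk
    allowed << ip
  end
  raise ArgumentError, 'empty from= list' if allowed.empty?
  %(from="#{allowed.uniq.join(',')}" #{pubkey_line.strip})
end

# Append the entry only if that exact line is not already present, so the
# deploy can be re-run without growing authorized_keys every time.
def merge_authorized_keys(existing, entry)
  return existing if existing.lines.map(&:chomp).include?(entry)
  sep = (existing.empty? || existing.end_with?("\n")) ? '' : "\n"
  existing + sep + entry + "\n"
end
```

Current OpenSSH reads both .ssh/authorized_keys and .ssh/authorized_keys2 by default (the AuthorizedKeysFile default), but authorized_keys is the canonical file and the one to prefer for new setups.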


