SSH 互信配置（ssh-keygen，ssh-copy-id，known_hosts）

一 核心命令

1. 创建密钥对：ssh-keygen
2. 转发密钥：ssh-copy-id -i ~/.ssh/id_rsa.pub puppet@Hadoop-NN-02

     常用密钥类型：

1. ssh-keygen -t dsa 
2. ssh-keygen -t rsa 
3. ssh-keygen -t rsa1

二 原理

（一）基础

     1） 公钥：用于加密，存在于服务器

     2） 私钥：用于解密，存在于客户机

（二）流程

     1）客户端向服务器发出连接请求

     2）服务器查看客户端公钥（~/.ssh/authorized_keys）该客户机（客户机标志：用户@Host）对应的公钥

     3）服务器验证公钥合法，则产生一条随机数（challenge），用公钥加密发送给客户端

     4）客户端用私钥解密回传服务器端。

     5）随机数一致，认证通过。

三 样例

（一）ssh-keygen

[puppet@BigData-01 cdh4.4]$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/puppet/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/puppet/.ssh/id_rsa.
Your public key has been saved in /home/puppet/.ssh/id_rsa.pub.
The key fingerprint is:
af:e2:f5:3a:e8:24:64:c1:f3:d9:bc:44:3d:9a:84:a0 puppet@BigData-01
The key's randomart image is:
+--[ RSA 2048]----+
|    .            |
|   o . . .       |
|  E + . o o      |
|     + * o .     |
|    o o S        |
|   o   . o       |
|    . ..o .      |
|     oo..o       |
|     oo.oo.      |
+-----------------+

 

注：

1）公钥（ id_rsa.pub ）：

[puppet@BigData-01 .ssh]$ cat id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA8CscWlgavdb76EVfhZadM4uMBzN8iVMEC0KuTHdGCzm

6LfMzLguf90uw+4ZKpYgxN4XSbbLbu1MPFLLqFxlo7oC2TOhhr84N1Zdm8jtfuh53IhNZDHKpvByUHS4ZZV

YVtAKt3+fZOEL700+p228JdQzkzfLHoaPvSD774igY+yB4d3pXkqk+fUALkE2H1hgbfJNjMoar5lls6KfdF6ocL

KBILj56Lt+b9KhVtPbllsP8TA8Vino9eF1TeCdKnRmxBFdYTBFlx8s1gRx2VHQnwVpUJcUuVPyGaxvPNXvL

HtPZPwi3xJmSFpPB9y8pzID1WqDKKAWkv7CcJqstIhBN3w==puppet@BigData-01

 

2）私钥（id_rsa）：

[puppet@BigData-01 .ssh]$ cat id_rsa
-----BEGIN RSA PRIVATE KEY-----
MIIEoQIBAAKCAQEA8CscWlgavdb76EVfhZadM4uMBzN8iVMEC0KuTHdGCzm6LfMz
Lguf90uw+4ZKpYgxN4XSbbLbu1MPFLLqFxlo7oC2TOhhr84N1Zdm8jtfuh53IhNZ
DHKpvByUHS4ZZVYVtAKt3+fZOEL700+p228JdQzkzfLHoaPvSD774igY+yB4d3pX
kqk+fUALkE2H1hgbfJNjMoar5lls6KfdF6ocLKBILj56Lt+b9KhVtPbllsP8TA8V
ino9eF1TeCdKnRmxBFdYTBFlx8s1gRx2VHQnwVpUJcUuVPyGaxvPNXvLHtPZPwi3
xJmSFpPB9y8pzID1WqDKKAWkv7CcJqstIhBN3wIBIwKCAQA9wfFZD1dVYyrVU6rZ
NVufikiUIy6m+Bb7lM275Cf0QgtNpO/nRNFc2PL+2WOm6IGvMQo5dyKPQT5kaIVW
ZZ6jurKIzgp9qgOOsedFmj0v2/K/npM9txW0B1lJVP83UKZ+vtxA49jFUw2OG8yX
gvPNpDrV31fnvHC6zl4G9F4x8eiW97O3CV+BBF2zdGFNgkliya7qyQFPjHsExnJE
Y+dp22lszjDKBCLHmVpg/x1BiM5vtWvdA0xzJNqTgo1q2Kw4iuL1RsWEz2DW6p01
kYFdmhy/gsC4SyhEjPGu6F0B8WpZJbmvPRrzVlxoet4yXJ4sU1kOG3hURuUzXAcn
iNV7AoGBAPrwBbYzV0G4HgJrifZM1BRe4gNvD1LCExhmoCvLuPAqlE9d1qWxNIuf
p1+he0Cnc87KZvnSchgzrV8v/u03drNsZc9XbxGoWGgg8SIpNSV3vQxeJTEKSVPU
QjeTbFF2yyx8oZPuIWZ6Ee1+KCj8SUFwiYItlrkRMDHL7wRIY0r5AoGBAPUDeHSz
9KXPZmPcqaVb15RkoQzdFFQLXOfhPNh63m8tfdCbDRbBYhdMyQhhYqTwdQqyyiLq
wm29y0zuEDdwyib08d1zq4ziE3E409Ra7LXdm0nCap4MOZX+Cs9PMoG87A8u1G4s
/FEGo8Jw8EthsxPoYV9uPPtKUERaHWJcX/2XAoGBAIENuctq3Grw+X2WZDWGmPSI
kX4b2/6s8+CpzrdwFffbYjdyFp5bIlZvXWRhrRnvt+axPEX3M1znYHoYrv2nft/u
msJnevMjYKqUmUTEvD8now2swquBog3a4DnWyf4ClGAFlOz+H85NaE5A4XQp+cni
GtU8BF8taT4uXapuXvNbAoGAdwGviSQ1ABRHrNjkr2cfkTgw956U2F1KYf+v1tyX
7NuU4aplcXPfL+N3llsv6bafP7XtJucN+snmZzHNXMHBRh8zphOcd6ECIQz5LKEx
JSJ+oCs7GZDoxTI/w8dhrLrZDrBYjUkM1uX3xNfFK+2gH5zBlMCEBQbWh5l7/JNE
kR0CgYA3ip6Mo+6iXLeXmsSwT+p3CGDdZe1SsQElLDDgOZvMEpy8wzZ1sIKYY0Oe
lsc23TrC+BHoJHaMKa9CHuZTwdQXGQuVam313WaGtD/3q6Inq6PosQj60v02jogx
rsfnG3WOSygeNS03PEflKpf6k5A0b3EZyZ5gatql/7I4D/3MPA==
-----END RSA PRIVATE KEY-----

 

（二）公钥上传服务器

[puppet@BigData-01 .ssh]$ ssh-copy-id -i ~/.ssh/id_rsa.pub puppet@Hadoop-NN-02
puppet@hadoop-nn-02's password:
Now try logging into the machine, with "ssh 'puppet@Hadoop-NN-02'", and check in:

  .ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

 

注：

1）服务器公钥（authorized_keys ）：

[puppet@BigData-02 .ssh]$ cat authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA8CscWlgavdb76EVfhZadM4uMBzN8iVMEC0KuTHdGCzm6

LfMzLguf90uw+4ZKpYgxN4XSbbLbu1MPFLLqFxlo7oC2TOhhr84N1Zdm8jtfuh53IhNZDHKpvByUHS4ZZVY

VtAKt3+fZOEL700+p228JdQzkzfLHoaPvSD774igY+yB4d3pXkqk+fUALkE2H1hgbfJNjMoar5lls6KfdF6ocLK

BILj56Lt+b9KhVtPbllsP8TA8Vino9eF1TeCdKnRmxBFdYTBFlx8s1gRx2VHQnwVpUJcUuVPyGaxvPNXvLHt

PZPwi3xJmSFpPB9y8pzID1WqDKKAWkv7CcJqstIhBN3w==puppet@BigData-01

 

四 客户端公钥记录文件（known_hosts）

     登陆到服务器时，比对服务器公钥与客户端记录是否一致，防止伪造的服务器。

（一）流程

     1）客户端登陆服务器

     2）客户端接收服务器公钥，查看~/.ssh/known_hosts查看是否记录，没有则提示用户选择是否记录

     3）服务器端公钥已记录则验证一致性，一致则进行验证，否则警告。

     警告样例：

[puppet@BigData-01 .ssh]# sshpuppet@BigData-02
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

@@@@@@@@@@@@

@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @ <==警告有问题

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
a7:2e:58:51:9f:1b:02:64:56:ea:cb:9c:92:5e:79:f9.
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending key in /root/.ssh/known_hosts:1 <==该数字为文件中有问题的行号
RSA host key for localhost has changed and you have requested strict checking.
Host key verification failed.

 

（二）公钥记录验证失败的解决方法

删除known_hosts中对应的记录。