
Passwordless SSH Login on Linux (CentOS)

Date: 2017/2/28 14:00:53   Editor: Linux Tutorials

I have recently been setting up a Hadoop cluster, and for ease of operation the Master needs to log in to the Slaves over SSH without a password.

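1. How it works:
The Master acts as the client. To use passwordless public-key authentication when connecting to the server (a Slave), a key pair consisting of a public key and a private key is generated on the Master, and the public key is then copied to every Slave. When the Master connects to a Slave over SSH, the Slave generates a random number, encrypts it with the Master's public key, and sends it to the Master. The Master decrypts it with its private key and sends the decrypted number back to the Slave. Once the Slave confirms that the decrypted number is correct, it allows the Master to connect. This is the public-key authentication process. No password is typed by hand at any point; the important step is copying the public key generated on the Master to the Slave.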

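2. On the Master, log in as the hadoop user and run the following commands to generate a key pair, append the public key to the authorized-keys file, and set its permissions.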

[hadoop@master bin]$ ssh-keygen -t rsa -P ''
Generating public/private rsa key pair.
Enter file in which to save the key (/home/hadoop/.ssh/id_rsa):
Your identification has been saved in /home/hadoop/.ssh/id_rsa.
Your public key has been saved in /home/hadoop/.ssh/id_rsa.pub.
The key fingerprint is:
93:21:fb:20:01:c9:13:a3:28:01:6c:57:3b:a0:e0:e2 hadoop@master
The key's randomart image is:
+--[ RSA 2048]----+
|*.++..           |
|+==+. .          |
|*o...o. .        |
|+    ..o o       |
| E  . o S        |
|     . o .       |
|        .        |
|                 |
|                 |
+-----------------+
[hadoop@master bin]$  cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
[hadoop@master bin]$ chmod 600 ~/.ssh/authorized_keys

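3. Switch to the root user and configure sshd by uncommenting the public-key directives below. Save the settings and restart sshd; SSH can then be tested on the local machine.

# Enable RSA authentication
RSAAuthentication yes
# Enable public/private key pair authentication
PubkeyAuthentication yes
# Path to the public-key file (the same file generated above)
AuthorizedKeysFile .ssh/authorized_keys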

[hadoop@master bin]$ su root
密碼:
bash-4.1# vim /etc/ssh/sshd_config
bash-4.1# service sshd restart
Stopping sshd:                                             [  OK  ]
Starting sshd:                                             [  OK  ]

4. Local test: here I tested with localhost, the IP address, and the hostname, and none of them asks for a password.

[hadoop@master bin]$ ssh localhost
The authenticity of host 'localhost (::1)' can't be established.
RSA key fingerprint is 3a:99:7f:41:68:bd:3b:80:43:bb:8a:5c:62:73:1f:45.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (RSA) to the list of known hosts.
[hadoop@master ~]$ ssh 172.16.1.17
The authenticity of host '172.16.1.17 (172.16.1.17)' can't be established.
RSA key fingerprint is 3a:99:7f:41:68:bd:3b:80:43:bb:8a:5c:62:73:1f:45.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.1.17' (RSA) to the list of known hosts.
Last login: Wed Jun 10 12:37:23 2015 from ::1
[hadoop@master ~]$ ssh master
sysconfig/       system-release
The authenticity of host 'master (172.16.1.17)' can't be established.
RSA key fingerprint is 3a:99:7f:41:68:bd:3b:80:43:bb:8a:5c:62:73:1f:45.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'master' (RSA) to the list of known hosts.
Last login: Wed Jun 10 12:38:37 2015 from 172.16.1.17

The following describes how the Master logs in to a Slave over SSH without a password.

1. First, create the user hadoop on the Slave and set its password.

-bash-4.1# useradd hadoop
-bash-4.1# ls -l /home
總用量 8
drwx------ 2 hadoop hadoop 4096 6月  10 12:58 hadoop
drwx------ 2 xc     xc     4096 7月   9 2013 xc
-bash-4.1# passwd hadoop
更改用戶 hadoop 的密碼 。
新的 密碼:
重新輸入新的 密碼:
passwd: 所有的身份驗證令牌已經成功更新。

2. Switch to the Master and scp the Master's public key to the hadoop user on the Slave node.

[hadoop@master ~]$ scp ~/.ssh/id_rsa.pub hadoop@slave2:~/
The authenticity of host 'slave2 (172.16.1.20)' can't be established.
RSA key fingerprint is 67:22:ba:43:ad:fe:a2:d4:ad:43:26:4b:71:d0:54:af.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'slave2,172.16.1.20' (RSA) to the list of known hosts.
hadoop@slave2's password:
id_rsa.pub                                                         100%  395     0.4KB/s   00:00
[hadoop@master ~]$

3. After copying, go to the Slave node, append the public key to the authorized-keys file, and set the permissions.

[hadoop@master ~]$ ssh hadoop@slave2
hadoop@slave2's password:
[hadoop@slave2 ~]$ ls
id_rsa.pub
[hadoop@slave2 ~]$ mkdir ~/.ssh
[hadoop@slave2 ~]$ chmod 700 ~/.ssh/
[hadoop@slave2 ~]$ cat ~/id_rsa.pub >> ~/.ssh/authorized_keys
[hadoop@slave2 ~]$ chmod 600 ~/.ssh/authorized_keys
[hadoop@slave2 ~]$

4. Then switch to the root user, modify the sshd configuration, and restart the sshd service.
1) Add the following two lines under /etc/sys

sysconfig/      system-release
sysctl.conf     system-release-cpe

2) Then edit /etc/ssh/sshd_config and uncomment the following three lines (remove the leading #)

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys

3) Restart the sshd service

service sshd restart

5. Back on the Master, test the connection: you can now ssh to the hadoop user on the Slave node without entering a password.

[hadoop@master ~]$ ssh hadoop@slave2
Last login: Wed Jun 10 13:09:53 2015 from 172.16.1.17
[hadoop@slave2 ~]$
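
An added example, not part of the original article: a re-runnable form of the Slave-side steps (create ~/.ssh, append the key, set permissions) together with an audit of what sshd checks before it accepts the key. The function names are hypothetical, the AuthorizedKeysFile path is assumed to be .ssh/authorized_keys as above, and the demo runs only on constructed data in a scratch directory.

```shell
#!/bin/sh
# Added example, not from the original article; all function names are hypothetical.

# install_pubkey PUBKEY_FILE HOME_DIR: re-runnable form of "mkdir; cat >>; chmod".
# Appends the key only if that exact line is not already in authorized_keys.
install_pubkey() {
    mkdir -p "$2/.ssh" && chmod 700 "$2/.ssh" || return 1
    touch "$2/.ssh/authorized_keys" && chmod 600 "$2/.ssh/authorized_keys" || return 1
    grep -qxF -f "$1" "$2/.ssh/authorized_keys" || cat "$1" >> "$2/.ssh/authorized_keys"
}

# sshd_directive CONFIG KEYWORD: first uncommented value (sshd uses the first one;
# keywords are case-insensitive). Prints nothing if the keyword is commented out.
sshd_directive() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print tolower($2); exit }' "$1"
}

# strict_ok PATH: true if PATH exists and is not writable by group or others,
# which is what sshd's StrictModes requires of $HOME, ~/.ssh and authorized_keys.
strict_ok() {
    [ -e "$1" ] && [ -z "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print)" ]
}

# audit_pubkey_login CONFIG HOME_DIR PUBKEY_FILE: prints one line per failed
# check and returns the number of failures (0 = ready for key-based login).
audit_pubkey_login() {
    fails=0
    # RSAAuthentication is skipped: it only affects SSH protocol 1.
    # PubkeyAuthentication defaults to yes, so only an explicit "no" fails.
    if [ "$(sshd_directive "$1" PubkeyAuthentication)" = "no" ]; then
        echo "FAIL: PubkeyAuthentication is no"; fails=$((fails + 1))
    fi
    for p in "$2" "$2/.ssh" "$2/.ssh/authorized_keys"; do
        strict_ok "$p" || { echo "FAIL: missing or group/world-writable: $p"; fails=$((fails + 1)); }
    done
    grep -qxF -f "$3" "$2/.ssh/authorized_keys" 2>/dev/null ||
        { echo "FAIL: key not in authorized_keys"; fails=$((fails + 1)); }
    return "$fails"
}

# Demo on constructed data in a scratch directory (no real account is touched).
demo_home=$(mktemp -d)
echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABCONSTRUCTED hadoop@master' > "$demo_home/id_rsa.pub"
printf '#RSAAuthentication yes\nPubkeyAuthentication yes\n' > "$demo_home/sshd_config"
install_pubkey "$demo_home/id_rsa.pub" "$demo_home"
install_pubkey "$demo_home/id_rsa.pub" "$demo_home"   # second run adds no duplicate
audit_pubkey_login "$demo_home/sshd_config" "$demo_home" "$demo_home/id_rsa.pub" && echo "OK"
```

On a real Slave, call audit_pubkey_login with /etc/ssh/sshd_config, the hadoop user's home directory, and the copied id_rsa.pub when the login still prompts for a password.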

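Slow logins when accessing a Linux server remotely through the SSH service http://www.linuxidc.com/Linux/2011-08/39742.htm

How to speed up SSH login authentication on Ubuntu http://www.linuxidc.com/Linux/2014-09/106810.htm

Enabling the SSH service so an Android phone can remotely access Ubuntu 14.04 http://www.linuxidc.com/Linux/2014-09/106809.htm

How to add two-factor authentication to SSH on a Linux system http://www.linuxidc.com/Linux/2014-08/105998.htm

Configuring an SFTP environment for non-SSH users on Linux http://www.linuxidc.com/Linux/2014-08/105865.htm

Configuring and managing the SSH service on Linux http://www.linuxidc.com/Linux/2014-06/103627.htm

SSH basics: an introductory tutorial http://www.linuxidc.com/Linux/2014-06/103008.htm

Passwordless SSH login explained in detail http://www.linuxidc.com/Linux/2015-03/114709.htm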
