Passwordless SSH login on CentOS 7


Example environment

   CentOS 7  192.168.1.101  master

   CentOS 7  192.168.1.102  slave

OpenSSL is already installed.

 

 

1. Check hostnames and connectivity [as root]

 

On master, check whether the file "/etc/hostname" is set to "master". If the file is empty, add "master"; after the change it reads:

master

Run ping slave. If the ping fails, check whether "/etc/hosts" contains an entry that resolves slave, for example:

127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.1.101 master
192.168.1.102 slave

On slave, likewise check the hostname "slave" and the address resolution for master.

Make sure that ping slave succeeds on master and that ping master succeeds on slave.

 

 

2. Modify the sshd configuration [as root]

Open /etc/ssh/sshd_config [vi /etc/ssh/sshd_config] and enable SSH public-key login: find the commented-out settings [#RSAAuthentication yes, #PubkeyAuthentication yes] and remove the leading "#", giving:

RSAAuthentication yes
PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile      .ssh/authorized_keys

The same file also shows AuthorizedKeysFile      .ssh/authorized_keys, meaning keys are stored in the authorized_keys file inside the ".ssh" directory.

 

 

3. Create the same user on both master and slave; the test user is used as the example below

[root@slave ~]# useradd test -p test
[root@slave ~]# echo test | passwd --stdin test
Changing password for user test.
passwd: all authentication tokens updated successfully.

 

4. Generate the SSH key files

Log in to master as test, create the ".ssh" directory [mkdir .ssh], cd into it, and run "ssh-keygen -t rsa", pressing Enter at every prompt, for example:

[test@master .ssh]$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/hadoop/.ssh/id_rsa):[Enter]
Enter passphrase (empty for no passphrase):[Enter]
Enter same passphrase again:[Enter]
Your identification has been saved in /home/test/.ssh/id_rsa.
Your public key has been saved in /home/test/.ssh/id_rsa.pub.
The key fingerprint is:
e4:37:20:54:19:26:d0:39:34:b3:79:cb:00:6b:c9:e5 test@master
The key's randomart image is:
+--[ RSA 2048]----+
|    o+Bo+o       |
|   . B+B.        |
|    = E.+        |
|   .   B o       |
|        S o      |
|         . .     |
|                 |
|                 |
|                 |
+-----------------+
[test@master .ssh]$

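List the files in the ".ssh" directory; master's private key id_rsa and public key id_rsa.pub have been generated:

[test@master .ssh]$ ls
id_rsa  id_rsa.pub

Log in to slave as test and repeat the same steps to generate slave's private key id_rsa and public key id_rsa.pub.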

 

5. Merge the id_rsa.pub files and append them to the authorized_keys file

Log in to master as test and, in the ".ssh" directory, run "scp id_rsa.pub  test@slave:~/.ssh/authorized_keys" to copy master's public key id_rsa.pub to .ssh/authorized_keys on slave.

 

[test@master .ssh]$ scp id_rsa.pub test@slave:~/.ssh/authorized_keys
The authenticity of host 'slave (192.168.1.102)' can't be established.
ECDSA key fingerprint is b5:9e:ca:16:64:66:08:3b:9b:f4:be:5b:9f:f2:fc:a7.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'slave,192.168.1.102' (ECDSA) to the list of known hosts.
test@slave's password:
id_rsa.pub                                    100%  395     0.4KB/s   00:00
[test@master .ssh]$

Log in to slave as test and, in the ".ssh" directory, run "cat id_rsa.pub >> authorized_keys" to append slave's public key id_rsa.pub to slave's authorized_keys file. Check the "authorized_keys" file; its contents look like this:

ssh-rsa ******OfQi3v6lxMGIv/VWgcK5EaYRilz4/XPAmbjxGpFV8nD/JbTrK36v1zsx6TmyckIEfoHU9FvuQoJapxhH/bBSsXix2EWv8UsOCyp test@master
ssh-rsa ******knrMMPON0FrTnjhv3hS5ZAPCEad36ah5lyeOtix2Sr2ug0YP6Ai0iT6Jd04hcUAKF21PBMybvlBYxzAfEr5vBxNBp2Ijwlvp1zP test@slave1

Note: the keys are too long to show in full, so the omitted part is replaced with "******".
In the ".ssh" directory on slave, copy authorized_keys to the test user on master with the command "scp authorized_keys test@master:~/.ssh/". The ".ssh" directory on master now contains the same authorized_keys file as slave.

 

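6. Test the login

On master, logged in as test, run "ssh slave".

On slave, logged in as test, run "ssh master".

 

If you are still asked for a password on every ssh login, just as before passwordless login was configured, fix the access permissions on the .ssh directory and assign ownership to the login user.

For example, if login to master fails, run the following on master: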

[root@master ~]# chown test: /home/test/.ssh
[root@master ~]# chown test: /home/test/.ssh/*
[root@master ~]# chmod 700 /home/test/.ssh
[root@master ~]# chmod 600 /home/test/.ssh/*
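
The key merge in step 5 and the permission fix above can be done as one repeatable routine. The following is an added example, not part of the original post: it appends keys to authorized_keys without overwriting existing entries and checks the 700/600 modes and ownership. The function names install_pubkey and check_ssh_perms and the sample keys are constructed for illustration.

```shell
#!/bin/sh
# Added example; key material below and function names are constructed.

# install_pubkey PUBKEY_FILE SSH_DIR
# Append each key line from PUBKEY_FILE to SSH_DIR/authorized_keys unless the
# exact line is already there. Existing entries are never overwritten.
install_pubkey() {
    pub=$1
    dir=$2
    auth="$dir/authorized_keys"
    [ -r "$pub" ] || { echo "cannot read $pub" >&2; return 1; }

    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$auth" && chmod 600 "$auth"

    # If the file does not end in a newline, add one so the next key
    # starts on its own line (sshd reads one key per line).
    [ -z "$(tail -c1 "$auth")" ] || echo >> "$auth"

    while IFS= read -r line || [ -n "$line" ]; do
        [ -n "$line" ] || continue
        # -x: whole line, -F: fixed string, so only an exact duplicate matches
        grep -qxF -- "$line" "$auth" || printf '%s\n' "$line" >> "$auth"
    done < "$pub"
}

# check_ssh_perms SSH_DIR
# Succeed only if SSH_DIR is mode 700, authorized_keys is mode 600, and both
# belong to the current user (the state the chown/chmod commands restore).
# Uses GNU stat, as shipped on CentOS.
check_ssh_perms() {
    dir=$1
    auth="$dir/authorized_keys"
    [ -d "$dir" ] && [ -f "$auth" ] || return 1
    [ "$(stat -c %a "$dir")" = 700 ] || return 1
    [ "$(stat -c %a "$auth")" = 600 ] || return 1
    [ "$(stat -c %u "$dir")" = "$(id -u)" ] || return 1
    [ "$(stat -c %u "$auth")" = "$(id -u)" ] || return 1
}

# Demo in a scratch directory with constructed keys.
demo=$(mktemp -d)
echo 'ssh-rsa AAAAconstructedMASTER test@master' > "$demo/master.pub"
echo 'ssh-rsa AAAAconstructedSLAVE test@slave' > "$demo/slave.pub"
install_pubkey "$demo/slave.pub" "$demo/.ssh"
install_pubkey "$demo/master.pub" "$demo/.ssh"
install_pubkey "$demo/master.pub" "$demo/.ssh"   # repeat: no duplicate added
check_ssh_perms "$demo/.ssh" && echo "permissions ok"
cat "$demo/.ssh/authorized_keys"
rm -rf "$demo"
```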

 

 

 

 

 

 

 


 

 

