A-》B ,C 
1.生成公钥和私钥
   ssh-keygen -t dsa
2.发送公钥
  oldboy888@ser200 .ssh]$ ssh-copy-id  -i id_dsa.pub "-p 20000 [email protected]"
10
The authenticity of host '192.168.1.201 (192.168.1.201)' can't be established.
RSA key fingerprint is 0a:13:db:54:60:3e:85:46:b5:ea:d5:b9:c0:5e:51:74.
Are you sure you want to continue connecting (yes/no)? 
Host key verification failed.
[oldboy888@ser200 .ssh]$ ssh-copy-id  -i id_dsa.pub "-p 20000 [email protected]"\
> ;
10
The authenticity of host '192.168.1.201 (192.168.1.201)' can't be established.
RSA key fingerprint is 0a:13:db:54:60:3e:85:46:b5:ea:d5:b9:c0:5e:51:74.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.201' (RSA) to the list of known hosts.
[email protected]'s password: 
Now try logging into the machine, with "ssh '-p 20000 [email protected]'", and check in:

  .ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

3.检查是否免密码论证
  [oldboy888@ser200 .ssh]$ ssh -p2000 [email protected] free -m
ssh: connect to host 192.168.1.201 port 2000: Connection refused
[oldboy888@ser200 .ssh]$ ssh -p20000 [email protected] free -m
             total       used       free     shared    buffers     cached
Mem:           484         71        412          0          9         30
-/+ buffers/cache:         31        452
Swap:         1027          0       1027

SSHKEY免密码实理数据分发备份管理_第1张图片


二.B,C->A的

  1. ssh-copy-id -p 20000 [email protected]  (把公钥发给自己)

  2.scp -P 20000 .ssh/id_dsa [email protected]:~/.ssh (把私钥通过SCP发送到B和C上)

  3.scp -P 20000 .ssh/id_dsa [email protected]:~/.ssh

三.用途

  数据分发,控制管理,发布程序


四.私钥权限要求:

[oldboy888@ser200 .ssh]$ ll
total 16
-rw------- 1 oldboy888 oldboy888 606 Oct 11 16:36 authorized_keys
-rw------- 1 oldboy888 oldboy888 668 Oct 11 16:30 id_dsa
-rw-r--r-- 1 oldboy888 oldboy888 606 Oct 11 16:30 id_dsa.pub
-rw-r--r-- 1 oldboy888 oldboy888 790 Oct 11 16:33 known_hosts
[oldboy888@ser200 .ssh]$ chmod 644 id_dsa
[oldboy888@ser200 .ssh]$ ll
total 16
-rw------- 1 oldboy888 oldboy888 606 Oct 11 16:36 authorized_keys
-rw-r--r-- 1 oldboy888 oldboy888 668 Oct 11 16:30 id_dsa
-rw-r--r-- 1 oldboy888 oldboy888 606 Oct 11 16:30 id_dsa.pub
-rw-r--r-- 1 oldboy888 oldboy888 790 Oct 11 16:33 known_hosts
[oldboy888@ser200 .ssh]$ ssh -p 20000 192.168.1.201 /sbin/ifconfig eth0
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for '/home/oldboy888/.ssh/id_dsa' are too open.
It is recommended that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: /home/oldboy888/.ssh/id_dsa
Enter passphrase for key '/home/oldboy888/.ssh/id_dsa':
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
Permission denied (publickey,gssapi-with-mic,password).
[oldboy888@ser200 .ssh]$


总结:私钥id-dsa 权限要求为 600 。要求非常严格。authorized_key相对来说比较宽松


五.sshkey免密码普通用户备份到root或者备份服务器的任何地方

1.visudo

  增加rsync 免密码的sudo 功能 oldboy888 ALL=(ALL)     NOPASSWD : /usr/bin/rsync

2.需要备份服务器:

  A.

  [oldboy888@client201 ~]$ ls
  testdir  test.log
  [oldboy888@client201 ~]$ scp -P 2000 -rp testdir/ [email protected]:~

  上面先用scp到备份服务器的普通用户家目录

  B.

  [oldboy888@client201 ~]$ ssh -t  -p 20000 192.168.1.200 sudo rsync -avzP   /home/oldboy888    /testdir /root/
 sending incremental file list
 testdir/
 testdir/22.txt
           0 100%    0.00kB/s    0:00:00 (xfer#1, to-check=0/2)

sent 119 bytes  received 35 bytes  308.00 bytes/sec
total size is 0  speedup is 0.00
Connection to 192.168.1.200 closed.


ssh免密码登陆到备份服务器。sudo 使用rsync,实现本地复制到root下面。