Mutual node trust, or key-based SSH login

1. Background

We often need to ssh into other nodes, and typing the password every time is tedious. Is there a way to log in directly without entering a password?

2. Implementation

Consider the following scenario: we want to log in from node A (IP 192.168.101.110) to node B (IP 192.168.101.112, user root) without a password.

  1. Step 1: log in to node A and generate a key pair with ssh-keygen
[root@tudou ~]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:aR2gokpb3n9jTYpZSeCtpeS5LmTMeSPP00vEqT5Wx70 root@tudou
The key's randomart image is:
+---[RSA 2048]----+
|        .        |
|       o .       |
|    . o o .      |
|   . . o.*..     |
| ...o + S++ .    |
|..+ .B Oo+ + .   |
|.. .o.=.O.=   .  |
|     .oX.* . E   |
|      ++=.o      |
+----[SHA256]-----+

  2. Step 2: still on node A, run ssh-copy-id root@192.168.101.112
[root@tudou ~]# ssh-copy-id root@192.168.101.112
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '192.168.101.112 (192.168.101.112)' can't be established.
ECDSA key fingerprint is SHA256:3v/5yae9cct4tkicIbN8IoIXXCxxJ+zB23s7q8gk/QQ.
ECDSA key fingerprint is MD5:56:dc:13:cd:5e:8e:f8:33:5e:0b:9a:3b:87:6f:3d:07.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.101.112's password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'root@192.168.101.112'"
and check to make sure that only the key(s) you wanted were added.

  3. Step 3: from node A, simply run ssh root@192.168.101.112 to log in to node B without a password
[root@tudou ~]# ssh root@192.168.101.112
Last login: Sun Jun 25 11:08:23 2023 from 192.168.101.110
[root@localhost ~]#

3. How it works

  1. Step 1 generates the key pair: the private key id_rsa and the public key id_rsa.pub are written to the directory ~/.ssh
[root@tudou ~]# ll ~/.ssh/
total 12
-rw-------. 1 root root 1679 May 11 12:31 id_rsa
-rw-r--r--. 1 root root  392 May 11 12:31 id_rsa.pub
-rw-r--r--. 1 root root 1049 May 11 12:34 known_hosts
[root@tudou ~]# cat ~/.ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDXN3Iik23n61JJ+M46V72rUiyBO+51DYPNcV/SDZBMovXyudT/I8tf1gfdcKPwo6HcKZgK0pbrGp5OD0Ck0PSSdD9nUYCTr24R3ScIgYUCA4WTfHfIyHRrub70CzVxY0tWawMKAv3+TcrXkMAg/qhjdr5YlBg21VbK4GszS1ZHn6o8vtvtS5u/MHwD0C/e1r+fbIQ2DFKu4rwy1jWi8YeajulORO7wDLbMUJyx5onyqHHscjkm/3XUDB77jyrzZZB1SmfnitIz7yp3s3OL87QSuEJ6fuU6Obu6uE4jayk75vFqMPUCdyRqbQjCqyJbDruhazmUYe/GcRUnlXxsgsaH root@tudou
[root@tudou ~]#

  2. Step 2 sends the public key id_rsa.pub to node B, where it is appended to ~/.ssh/authorized_keys; from then on node A can log in to node B without a password. Only the public key travels: the private key id_rsa stays on node A, readable by its owner alone (mode 0600, as the listing above shows).
[root@localhost ~]# cat ~/.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDXN3Iik23n61JJ+M46V72rUiyBO+51DYPNcV/SDZBMovXyudT/I8tf1gfdcKPwo6HcKZgK0pbrGp5OD0Ck0PSSdD9nUYCTr24R3ScIgYUCA4WTfHfIyHRrub70CzVxY0tWawMKAv3+TcrXkMAg/qhjdr5YlBg21VbK4GszS1ZHn6o8vtvtS5u/MHwD0C/e1r+fbIQ2DFKu4rwy1jWi8YeajulORO7wDLbMUJyx5onyqHHscjkm/3XUDB77jyrzZZB1SmfnitIz7yp3s3OL87QSuEJ6fuU6Obu6uE4jayk75vFqMPUCdyRqbQjCqyJbDruhazmUYe/GcRUnlXxsgsaH root@tudou
[root@localhost ~]#
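As an added check (example code written for this page, not part of the original post or of OpenSSH), the script below parses the id_rsa.pub line shown above, reports its key type, RSA modulus size and OpenSSH SHA256 fingerprint, and audits a constructed authorized_keys file for entries whose fingerprint was not expected; the ssh-ed25519 entry in that file is constructed for the demonstration and is not a real key. The fingerprint it computes for the page's key can be compared with the one ssh-keygen printed on node A.

```python
import base64
import hashlib
import struct

# The public key shown on this page (id_rsa.pub on node A, authorized_keys on node B).
PAGE_PUBKEY = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDXN3Iik23n61JJ+M46V72rUiyBO+51DYPNcV/SDZBMovXyudT/I8tf1gfdcKPwo6HcKZgK0pbrGp5OD0Ck0PSSdD9nUYCTr24R3ScIgYUCA4WTfHfIyHRrub70CzVxY0tWawMKAv3+TcrXkMAg/qhjdr5YlBg21VbK4GszS1ZHn6o8vtvtS5u/MHwD0C/e1r+fbIQ2DFKu4rwy1jWi8YeajulORO7wDLbMUJyx5onyqHHscjkm/3XUDB77jyrzZZB1SmfnitIz7yp3s3OL87QSuEJ6fuU6Obu6uE4jayk75vFqMPUCdyRqbQjCqyJbDruhazmUYe/GcRUnlXxsgsaH root@tudou"

# Constructed ssh-ed25519 entry (not a real key) so the audit has a stray key to flag.
_STRAY_BLOB = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(range(32))
STRAY_PUBKEY = "ssh-ed25519 " + base64.b64encode(_STRAY_BLOB).decode() + " constructed@example"

# Constructed authorized_keys content: a comment, the page's key, a blank line, the stray key.
SAMPLE_AUTHORIZED_KEYS = "# installed by ssh-copy-id\n" + PAGE_PUBKEY + "\n\n" + STRAY_PUBKEY + "\n"


def read_ssh_string(blob, offset):
    """Read one length-prefixed field (uint32 big-endian length, then that many bytes)."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length


def parse_pubkey_line(line):
    """Parse one id_rsa.pub / authorized_keys line into type, RSA size, fingerprint, comment."""
    fields = line.split()
    # Entries may carry a leading options field (e.g. from="..."); skip to the key type.
    idx = next(i for i, f in enumerate(fields) if f.startswith(("ssh-", "ecdsa-", "sk-")))
    key_type, blob = fields[idx], base64.b64decode(fields[idx + 1], validate=True)
    comment = " ".join(fields[idx + 2:])
    embedded_type, pos = read_ssh_string(blob, 0)
    if embedded_type.decode() != key_type:
        raise ValueError(f"declared {key_type} but blob encodes {embedded_type!r}")
    bits = None
    if key_type == "ssh-rsa":
        _e, pos = read_ssh_string(blob, pos)  # public exponent (mpint)
        n, pos = read_ssh_string(blob, pos)   # modulus (mpint, may start with a 0x00 pad byte)
        bits = int.from_bytes(n, "big").bit_length()
    # OpenSSH fingerprint: SHA-256 over the raw blob, base64, '=' padding stripped.
    fingerprint = "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"type": key_type, "bits": bits, "fingerprint": fingerprint, "comment": comment}


def audit_authorized_keys(text, expected_fingerprints):
    """Split authorized_keys entries into the keys you meant to install and everything else."""
    expected, unexpected = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no key
        info = parse_pubkey_line(line)
        (expected if info["fingerprint"] in expected_fingerprints else unexpected).append(info)
    return expected, unexpected
```

On a host with OpenSSH installed, ssh-keygen -lf ~/.ssh/authorized_keys prints the same fingerprints for a quick manual comparison.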

4. Passwordless setup in one line

With the method above, ssh-copy-id prompts interactively for the password; and if ~/.ssh/known_hosts has no entry for the target node, it also shows the following warning and asks whether you want to continue:

[root@tudou ~]# ssh root@192.168.101.114
The authenticity of host '192.168.101.114 (192.168.101.114)' can't be established.
ECDSA key fingerprint is SHA256:ItgFGWHn6V8e3qAOSnkb3tR8ax7tiknsfGNlN+VrNfc.
ECDSA key fingerprint is MD5:ee:d9:04:df:6e:b8:f4:bc:3c:e5:b4:fe:93:fd:29:6c.
Are you sure you want to continue connecting (yes/no)?

So is there a way to set up passwordless login in a single line, to make some automation in specific scenarios easier? Yes, there is:
sshpass -p tian ssh-copy-id -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no root@192.168.101.112 >/dev/null 2>&1

Notes:

  1. sshpass -p tian supplies node B's login password, tian. A password given on the command line is visible to other local users via ps and may end up in the shell history; sshpass can read it from a file (-f) or from the SSHPASS environment variable (-e) instead.
  2. -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no skips host key verification when connecting, so the client cannot tell whether it is really talking to node B; use this only where that risk is acceptable, or pre-populate known_hosts (for example with ssh-keyscan) instead.
