51工具盒子
说明
Jenkins构建时需要连接远程服务器并且执行脚本,这时就需要配置ssh免密钥登录。Jenkins构建时都是以jenkins用户进行操作,所以要以jeknins用户来配置免密钥登录。本教程以用户名sjfuser为例说明。 A:192.168.3.104, B:192.168.3.107,需求:A登录B时免密钥。
命令
ssh-keygen -t rsa 产生公钥与私钥对
ssh-copy-id 将本机的公钥复制到远程机器的authorized_keys文件中
步骤
1. 切换到sjfuser用户
su - sjfuser
2. 用ssh-keygen -t rsa产生密钥对
[sjfuser@jenkins ~]$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:EBT/9AOYfMRIkB5C6ImR6wmRAaS/PC169+akTE4FMqA root@localhost.localdomain
The key's randomart image is:
+---[RSA 2048]----+
|*= o..==.o. |
|B.. . o+.+. |
|E*o..o..= + |
|+.oo ... + o |
|o o . S . o |
| + o . . |
| = + . |
| ..B.o. |
|.. .++o |
+----[SHA256]-----+
3.创建authorized_keys文件夹并授权
进入/root/.ssh/目录:cd /root/.ssh/
创建目录:touch authorized_keys
授权目录:chmod 600 authorized_keys (注:文件权限必须是600,否则无效)
4. 用ssh-copy-id将公钥从A复制到B
[sjfuser@jenkins ~]$ ssh-copy-id -i ~/.ssh/id_rsa.pub "-p 23456 root@192.168.3.107"
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
Usage: /usr/bin/ssh-copy-id [-h|-?|-f|-n] [-i [identity_file]] [-p port] [[-o <ssh -o options>] ...] [user@]hostname
-f: force mode -- copy keys without trying to check if they are already installed
-n: dry run -- no keys are actually copied
-h|-?: print this help
[root@jenkins .ssh]# ssh-copy-id -i ~/.ssh/id_rsa.pub -p 23456 yilian@192.168.3.107
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
yilian@112.125.88.167's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh -p '23456' 'yilian@192.168.3.107'"
and check to make sure that only the key(s) you wanted were added.
[root@jenkins .ssh]#
注意
ssh-copy-id 将key写到远程机器的 ~/ .ssh/authorized_key.文件中。
如果你远程服务器SSH端口没有修改过,可以不用加-p 23456,要特别注意双引号。(如果端口非22远程免密要使用非root用户不然会报错)
当然你复制文件到远程服务器也可以用SCP命令。
5. 验证登录
[sjfuser@jenkins ~]$ ssh -p 23456 root@192.168.3.107
Last login: Mon Apr 19 15:10:04 2019 from 192.168.3.104
[root@YiLian ~]#
扩展
-
现在实现了需求,如果你想B访问A时也免密钥,只要在B上按上面的步骤来。
-
如果添加指纹的时候提示添加失败,是因为你以前添加过了这个ip的指纹。
解决办法:将.ssh目录的known_hosts文件删除掉。也可以打开这个文件把对应ip的那条记录删除。
- 注意文件权限的问题
A
[sjfuser@jenkins ~]$ ll .ssh/
-rw-------. 1 sjfuser sjfuser 1671 4月 19 05:10 id_rsa
-rw-r--r--. 1 sjfuser sjfuser 398 4月 19 05:10 id_rsa.pub
-rw-r--r--. 1 sjfuser sjfuser 417 4月 19 05:08 known_hosts
B
-rw------- 1 root root 1217 Apr 21 10:46 /root/.ssh/authorized_keys
- Jenkins配置免密SSH Servers 两种方式(当然 SSH Servers直接输入账号密码也是可以的)
方式一:Publish over SSH 的 Path to key 中配置 id_rsa 路劲。(这个一次配置好后,后期更新 known_hosts 无需再次配置)
方式一:Publish over SSH 的 key 粘贴 id_rsa 的内容。(这个每更新一次 known_hosts 就要去重新添加更新一下,不然后面新加的免密机器会无法登录)
