SSH 互信可以实现各个计算机之间基于 SSH 协议实现免密登录，是远程通信和控制的基础条件。本地计算机通过非对称加密算法在本地生成秘钥（包括公钥和私钥），并为远程计算机的登录信息创建加密文件。SSH 互信可用于基于 Shell 脚本的自动化远程服务器配置和应用部署。

本方案基于CentOS8系统设计，建议在RedHat/CentOS系统及其他基于RedHat的衍生发行版中使用。

假设网络中计算机的角色分配如下：

计算机	主机名	IP:PORT	程序	操作系统	管理账号
本地计算机	Local	192.168.216.128:22	SSH	CentOS8	centos
远程计算机-1	Remote-1	192.168.216.129:22	SSH	CentOS8	centos
远程计算机≥2	Remote-2	192.168.216.130:22	SSH	CentOS8	centos

---

1. 配置本地计算机（Local）

1、生成秘钥。

[centos@Local ~]$ ssh-keygen -t rsa

Generating public/private rsa key pair.
Enter file in which to save the key (/home/centos/.ssh/id_rsa): 
Created directory '/home/centos/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/centos/.ssh/id_rsa.
Your public key has been saved in /home/centos/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:rs2DQzcsvGIwRjjQn7PQzUaa44M7gur/u5ktf8ZadfE centos@Local
The key's randomart image is:
+---[RSA 3072]----+
| .               |
|. .   .          |
|.. o B       .   |
|o o O +       o  |
| o + * .S  . . E |
|  = + +.+ . .    |
|.. + o =oo       |
|o o o.B+o+       |
|+o.+.B*=*.       |
+----[SHA256]-----+

2、创建远程主机登录信息加密文件。

[centos@Local ~]$ ssh-copy-id -i ~/.ssh/id_rsa.pub centos@192.168.216.129

/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/centos/.ssh/id_rsa.pub"
The authenticity of host 'remote-1(192.168.216.129)' can't be established.
ECDSA key fingerprint is SHA256:Dqg7nSUaVc5Op+ghjV4l/EG1QMSawffo9svdLCVlgiw.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
centos@remote-1's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'centos@192.168.216.129'"
and check to make sure that only the key(s) you wanted were added.



[centos@Local ~]$ ssh-copy-id -i ~/.ssh/id_rsa.pub centos@192.168.216.130
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/centos/.ssh/id_rsa.pub"
The authenticity of host 'remote-2(192.168.216.130)' can't be established.
ECDSA key fingerprint is SHA256:Dqg7nSUaVc5Op+ghjV4l/EG1QMSawffo9svdLCVlgiw.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
centos@remote-2's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'centos@192.168.216.130'"
and check to make sure that only the key(s) you wanted were added.

3、测试登录远程计算机。

[centos@Local ~]$ ssh 192.168.216.129
Activate the web console with: systemctl enable --now cockpit.socket

Last login: Wed May 20 15:04:53 2020


[centos@Remote-1 ~]$ exit
注销
Connection to 192.168.216.129 closed.

---

2. 配置远程计算机（Remote-1、Remote-2）

注意：RedHat 8/CentOS 8 已默认安装 SSH 服务，正常情况无需以下配置。

以计算机 "Remote-1" 为例：

1、安装 OpenSSH。

[centos@Remote-1 ~ ]$ sudo dnf install openssh

2、设置防火墙端口（CentOS8默认安装firewall防火墙），允许"22" 端口（SSH 默认端口）访问服务器。

[centos@Remote-1 ~ ]$ sudo firewall-cmd --zone=public --add-port=22/tcp --permanent
[centos@Remote-1 ~ ]$ sudo firewall-cmd --reload

3、设置开机启动。

[centos@Remote-1 ~ ]$ sudo systemctl daemon-reload
[centos@Remote-1 ~ ]$ sudo systemctl enable sshd
[centos@Remote-1 ~ ]$ sudo systemctl start sshd

其他远程计算机上全部需要按照以上步骤配置。