ssh 認證

ssh 祕鑰認證流程

 

ssh配置認證

基於口令(密碼)的安全驗證

[root@m01 ~]# ssh 10.0.0.41 hostname
root@10.0.0.41's password:
backup
[root@m01 ~]# ssh 10.0.0.41 whoami
root@10.0.0.41's password:
root
[root@m01 ~]# ssh lewen@10.0.0.41 whoami
lewen@10.0.0.41's password:
lewen

基於祕鑰的認證

1.生成鑰匙和鎖頭

[root@m01 ~]# hostname
m01
[root@m01 ~]# ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/root/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):　　　　　　　　　　　　# 給祕鑰加密碼
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_dsa.
Your public key has been saved in /root/.ssh/id_dsa.pub.
The key fingerprint is:
29:37:1b:e1:9f:0a:ab:77:a0:fc:60:41:2d:bc:85:dd root@m01
The key's randomart image is:
+--[ DSA 1024]----+
| |
| . + . |
| = + E |
| . + . o |
| o . S |
| ..o = . |
| .o.... o |
| .o..o.. |
| .+o.. |
+-----------------+

2.把鎖頭髮送到目標機器

發送到 backup
[root@m01 ~]# ssh-copy-id -i /root/.ssh/id_dsa.pub root@172.16.1.41
The authenticity of host '172.16.1.41 (172.16.1.41)' can't be established.
RSA key fingerprint is ac:0f:aa:d2:5b:ff:cf:ac:f0:76:37:a6:be:31:b9:f9.
Are you sure you want to continue connecting (yes/no)? y
Please type 'yes' or 'no': yes
Warning: Permanently added '172.16.1.41' (RSA) to the list of known hosts.
root@172.16.1.41's password:
Now try logging into the machine, with "ssh 'root@172.16.1.41'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
[root@m01 ~]# ssh 10.0.0.41 hostname
backup
​
​
#nfs01
[root@m01 ~]# ssh-copy-id -i /root/.ssh/id_dsa.pub root@172.16.1.31
The authenticity of host '172.16.1.31 (172.16.1.31)' can't be established.
RSA key fingerprint is ac:0f:aa:d2:5b:ff:cf:ac:f0:76:37:a6:be:31:b9:f9.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.1.31' (RSA) to the list of known hosts.
root@172.16.1.31's password:
Now try logging into the machine, with "ssh 'root@172.16.1.31'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
[root@m01 ~]# ssh 172.16.1.31 hostname
nfs01

3.免密發送

sshpass 軟件
yum install sshpass -y

#sshpass 給ssh類提供密碼
[root@m01 ~]# sshpass -p123456 ssh 172.16.1.41 hostname
backup
sshpass -p123456 ssh -o StrictHostKeyChecking=no 172.16.1.41 hostname
backup

 

 

非交互式建立 鑰匙鎖頭

  [root@m01 ~]# ssh-keygen -t dsa -P '' -f ~/.ssh/id_dsa 

非交互式 分發公鑰

不用輸入密碼將公鑰發送到目的機器

[root@m01 ~]# sshpass -p123456 ssh-copy-id -i /root/.ssh/id_dsa.pub "-o StrictHostKeyChecking=no root@172.16.1.41"
Now try logging into the machine, with "ssh '-o StrictHostKeyChecking=no root@172.16.1.41'",
and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
​
​
[root@m01 ~]# sshpass -p123456 ssh-copy-id -i /root/.ssh/id_dsa.pub "-o StrictHostKeyChecking=no root@172.16.1.31"
Now try logging into the machine, with "ssh '-o StrictHostKeyChecking=no root@172.16.1.31'",
and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
​

[root@m01 ~]# ssh 172.16.1.41 hostname
backup
[root@m01 ~]# ssh 172.16.1.31 hostname
nfs01

 

 

Usage: /usr/bin/ssh-copy-id [-h|-?|-f|-n] [-i [identity_file]] [-p port] [[-o <ssh -o options>] ...] [user@]hostname
    -f: force mode -- copy keys without trying to check if they are already installed
    -n: dry run    -- no keys are actually copied