SSH key authentication and a quick test of mussh

##### STEP 1: mutual trust between hosts via key-pair authentication


### Generate a key pair on the mussh host:

[root@localhost ~]# ssh-keygen -t dsa

Generating public/private dsa key pair.

Enter file in which to save the key (/root/.ssh/id_dsa):

Enter passphrase (empty for no passphrase): ## enter the private-key passphrase

Enter same passphrase again: ## repeat the private-key passphrase

Your identification has been saved in /root/.ssh/pri_dsa.

Your public key has been saved in /root/.ssh/pri_dsa.pub.

The key fingerprint is:

c0:06:54:98:49:5b:9f:f3:de:79:1c:0f:3f:46:ef:51 [email protected]

The key's randomart image is:

+--[ DSA 1024]----+

|   o+=o          |

|    += . .       |

|    . + +        |

|     . . o       |

|        S .   o.E|

|         . . o.=o|

|          . o o++|

|             ...o|

|                .|

+-----------------+

[root@localhost ~]# cat /root/.ssh/id_dsa.pub


[root@localhost ~]#


### Edit the sshd configuration file on the target host

[root@vm1 ~]# vi /etc/ssh/sshd_config

PubkeyAuthentication yes

AuthorizedKeysFile      .ssh/authorized_keys

#### This is what the standard tutorials do, but I tried commenting out these two lines and could still log in, so sshd evidently enables public-key authentication by default. Unless you want to turn key authentication off, editing the configuration file makes no real difference.

[root@vm1 ~]# service sshd restart

Stopping sshd:                                             [  OK  ]

Starting sshd:                                             [  OK  ]

[root@vm1 ~]#


### Upload the public key to the target hosts vm1 - vm5: there are several ways to do this; I used scp.

[root@vm1 ~]# mkdir -p /root/.ssh/


# Tip: if you create the .ssh/ directory yourself, make sure the SELinux security context of .ssh/ (and the files under it) is ssh_home_t, otherwise public-key authentication fails.

[root@vm1 ~]#  ll -dZ /root/.ssh/

drwxr-xr-x. root root system_u:object_r:ssh_home_t:s0  /root/.ssh/

[root@vm1 ~]#

# The restorecon command restores the directory's security context:

Shell> restorecon -r -vv /root/.ssh

# You could of course disable SELinux instead, but that is not recommended.

[root@localhost ~]# scp /root/.ssh/id_dsa.pub [email protected]:/root/.ssh/authorized_keys


[root@vm1 ~]# cat /root/.ssh/authorized_keys

ssh-dss AAAAB3NzaC1kc3MAAACBAOJ20Be45e/E/6AqlBFG89qcNPmsKqlXsWTmerf+MvY4G2qcxluGtjzCLwrGAf0JKFwEC+5OfJBU5JlUhM6HJ3+57zOyK0ZNnhv0h1ICKqF1ndRqoP3eonHD0krKySc/CYMJM2nGF5NRqMhUc+0wOLT4RmX+NB0kXH1EfTAyfSAVAAAAFQDU15fnq1sGUKK4GAPagd87jBqXkwAAAIEA4FmcUNIZ2em2doZqg9jKeTa9GlK1vr2n2jiBTPmyxjY5BHcRb8zje4fm92e/CPTOWWC0ljKjLwzSavcLRfHg0+KU3lb5vxqHImp94HprkUW4e4T3+79h+HKlJ/TKd5UyxnEJDxUG2FNMT9mwq+T+HlMTmaEHGWxSS6ModmCruKEAAACBAM6IH0bGvp7XP2WWGgclNnHO3IXPXrEuBui6CjjC1S6CdTEE6Z/BX7FarsPr5yI4wnSAHHoojbg78XcxWPlopoyXjxumvIU0WeVyVqVs4V8mgbIuGeamGjXdbeY3XxzcSURnYzZ1+hZJv70+RsS8G083gPi6if7j8vitV/4tfHHx [email protected]

[root@vm1 ~]#  

When ssh-ing into a regular user account the permissions must be tightened, otherwise authentication fails. It is recommended to set them regardless of which user you log in as.

[root@vm1 ~]# chmod 700 ~/.ssh

[root@vm1 ~]# chmod 600 ~/.ssh/authorized_keys

[root@vm1 ~]#
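As an added example (not part of the original post), the following POSIX shell function audits the prerequisites discussed above on a target host: the 700/600 modes, ownership, and, on SELinux hosts, the ssh_home_t context. The function name `check_ssh_dir` is my own, and it assumes GNU stat (`-c %a`, `%U`, `%C`) as shipped with CentOS.

```shell
# Added example, not from the original post. Audits the conditions under which
# sshd (with StrictModes, the default) rejects a public key: ~/.ssh must be 700,
# authorized_keys 600, both owned by the login user, and on SELinux hosts the
# directory must carry the ssh_home_t type. Assumes GNU stat (CentOS/RHEL).
# usage: check_ssh_dir /home/alice/.ssh [context]
#   context defaults to ssh_home_t; pass "-" to skip the SELinux check.
# Returns 0 when every check passes, 1 otherwise, printing each finding.
check_ssh_dir() {
    dir=$1
    want_ctx=${2:-ssh_home_t}
    keyfile="$dir/authorized_keys"
    rc=0
    if [ ! -d "$dir" ]; then
        echo "FAIL: $dir does not exist (mkdir -p $dir && chmod 700 $dir)"
        return 1
    fi
    # Directory mode: anything looser than 700 is refused for non-root logins.
    mode=$(stat -c %a "$dir")
    [ "$mode" = "700" ] || { echo "FAIL: $dir mode is $mode, want 700"; rc=1; }
    # authorized_keys must exist and must not be group/world readable.
    if [ ! -f "$keyfile" ]; then
        echo "FAIL: $keyfile is missing"
        rc=1
    else
        mode=$(stat -c %a "$keyfile")
        [ "$mode" = "600" ] || { echo "FAIL: $keyfile mode is $mode, want 600"; rc=1; }
    fi
    # Ownership: directory and key file must belong to the owner of the home dir.
    user=$(stat -c %U "$(dirname "$dir")")
    for p in "$dir" "$keyfile"; do
        [ -e "$p" ] || continue
        owner=$(stat -c %U "$p")
        [ "$owner" = "$user" ] || { echo "FAIL: $p owned by $owner, want $user"; rc=1; }
    done
    # SELinux label: only meaningful when the kernel is actually labelling files.
    if [ "$want_ctx" != "-" ] && [ -r /sys/fs/selinux/enforce ]; then
        ctx=$(stat -c %C "$dir")
        case "$ctx" in
            *":$want_ctx:"*) ;;
            *) echo "FAIL: $dir context is $ctx, want $want_ctx (restorecon -r -vv $dir)"; rc=1 ;;
        esac
    fi
    [ "$rc" -eq 0 ] && echo "OK: $dir passes the public-key checks"
    return "$rc"
}
```

Run it as the target user on each host after copying the key; every FAIL line names the command that fixes it.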


# Tip: regular users are supposedly not allowed to use ssh by default and must be added to the sshd group.

# I read this online and do not know how other systems behave; on CentOS 6.4 I had no such problem: regular users did not need to be in the sshd group, whether ssh-ing into a regular user account or ssh-ing out as one. Still, it is worth trying when ssh misbehaves.


### ssh test:

[root@localhost ~]# ssh [email protected]

The authenticity of host '172.16.67.201 (172.16.67.201)' can't be established.

RSA key fingerprint is 5d:27:0f:5c:33:f3:44:f5:b5:f2:c2:a2:5f:a3:ee:35.

Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added '172.16.67.201' (RSA) to the list of known hosts.

Enter passphrase for key '/root/.ssh/id_dsa':

Last login: Mon Sep  2 17:11:40 2013 from 172.16.67.38

[root@vm1 ~]# exit

logout

Connection to 172.16.67.201 closed.


### Enable ssh-agent to reduce the number of passphrase prompts

[root@localhost ~]# eval `ssh-agent`

Agent pid 3939

[root@localhost ~]# ssh-add

Enter passphrase for /root/.ssh/id_dsa:

Identity added: /root/.ssh/id_dsa (/root/.ssh/id_dsa)

[root@localhost ~]# ssh [email protected]

Last login: Mon Sep  2 17:12:48 2013 from 172.16.64.11

[root@vm1 ~]# exit

logout

Connection to 172.16.67.201 closed.

[root@localhost ~]#


##### STEP 2: installing mussh:

wget http://softlayer-dal.dl.sourceforge.net/project/mussh/mussh/1.0/mussh-1.0.tgz

Extract it and it is ready to use:

tar zxvf mussh-1.0.tgz


##=========== Running a command with mussh ==================

[root@localhost mussh]# cat ./hosts

[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

[root@localhost mussh]#


#### -H <file> [file ..]: specify the file(s) listing the target hosts; more than one may be given.

[root@localhost mussh]# ./mussh -H ./hosts -c 'hostname'

[email protected]: vm1.untx.com

[email protected]: vm2.untx.com

[email protected]: vm3.untx.com

[email protected]: vm4.untx.com

[email protected]: vm5.untx.com

[root@localhost mussh]#


##=========== Running a local script file with mussh ===============

# iptables.sh: the script that configures iptables

[root@localhost mussh]# ./mussh -H ./hosts -C /root/scripts/iptables.sh

[email protected]: iptables: Saving firewall rules to /etc/sysconfig/iptables: [  OK  ]

[email protected]: iptables: Saving firewall rules to /etc/sysconfig/iptables: [  OK  ]

[email protected]: iptables: Saving firewall rules to /etc/sysconfig/iptables: [  OK  ]

[email protected]: iptables: Saving firewall rules to /etc/sysconfig/iptables: [  OK  ]

[email protected]: iptables: Saving firewall rules to /etc/sysconfig/iptables: [  OK  ]

[root@localhost mussh]#



##============= If sshd on the target host listens on a different port, pass ssh options with -o =========

[root@localhost mussh]# ./mussh -o "Port=58022" -h [email protected] -C '/root/scripts/iptables.sh'

[email protected]: iptables: Saving firewall rules to /etc/sysconfig/iptables: [  OK  ]

[root@localhost mussh]#


##============= Running Python with mussh: use -s to specify the interpreter path

[root@localhost mussh]# ./mussh -H ./hosts  -s /usr/bin/python -C '/root/scripts/nod32/3.py'

[email protected]: Traceback (most recent call last):    # the target hosts do not have BeautifulSoup installed, so the error is expected; it proves the Python file was actually executed

[email protected]: File "<stdin>", line 4, in <module>

[email protected]: ImportError: No module named BeautifulSoup

[email protected]: Traceback (most recent call last):

[email protected]: File "<stdin>", line 4, in <module>

[email protected]: ImportError: No module named BeautifulSoup

[email protected]: Traceback (most recent call last):

[email protected]: File "<stdin>", line 4, in <module>

[email protected]: ImportError: No module named BeautifulSoup

[email protected]: Traceback (most recent call last):

[email protected]: File "<stdin>", line 4, in <module>

[email protected]: ImportError: No module named BeautifulSoup

[email protected]: Traceback (most recent call last):

[email protected]: File "<stdin>", line 4, in <module>

[email protected]: ImportError: No module named BeautifulSoup

[root@localhost mussh]#

