Mastering the ssh command
Contents
- Mastering the ssh command
- Preparation
- 1. Connecting to a server with the ssh client
- 2. How ssh uses the host key pair to verify that the peer is the expected host
- 3. Bring up server node1, copy node3's sshd host key pair to node1, add node3's IP address to node1, then connect from node2 to node1 and check whether a prompt appears and whether yes must be typed
- 4. SSH X forwarding
- 5. Hopping through an intermediate host with ssh
- 6. Running a single command on a remote host with ssh, returning its output and exiting
- 7. SSH password authentication: logging in requires the password of the corresponding user on the remote host
- 8. SSH public key authentication: passwordless login to a remote host
- 9. Because public key authentication depends on the key pair, the private key must be protected; encrypting the private key raises its security
- 10. In the previous experiment the private key passphrase had to be typed at every login, which is tedious. ssh-agent bash and ssh-add can hold the passphrase for the current session and reduce how often it must be entered
- 11. Public key login from Xshell
- 12. A script that copies the public key and logs in to the hosts
Preparation

| OS version | IP address | Hostname |
|---|---|---|
| CentOS7 | 172.20.3.7 | node2 |
| CentOS8 | 172.20.3.8 | node3 |

1. Connecting to a server with the ssh client
Log in to the node3 server from node2 as root.
Enter: ssh 172.20.3.8. By default ssh logs in to the remote node3 as the same user that runs the ssh client, so root on node2 logs in as root on node3.
[root@centos7 ~]# ssh 172.20.3.8
The authenticity of host '172.20.3.8 (172.20.3.8)' can't be established.
ECDSA key fingerprint is SHA256:3rNeKB1lroMHCkCqY4sINNaTva4XyZhnQi3rcytyGF8.
ECDSA key fingerprint is MD5:67:cc:58:15:81:a0:e0:b4:bb:4f:15:56:63:41:0c:7a.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.20.3.8' (ECDSA) to the list of known hosts.
[email protected]'s password:
Activate the web console with: systemctl enable --now cockpit.socket
Last failed login: Fri Nov 8 04:00:43 CST 2019 from 172.20.3.61 on ssh:notty
There were 18 failed login attempts since the last successful login.
Last login: Thu Nov 7 22:28:06 2019 from 172.20.1.11
ssh has further options: -v prints verbose connection information, -p specifies the port of the remote sshd service, and -b specifies the local source IP address.
[root@centos8 ~]# ssh -p 22 -b 172.20.3.7 [email protected]
# enter the password to log in
2. How ssh uses the host key pair to verify that the peer is the expected host
When node2 logs in as root on node3 for the first time, ssh asks you to confirm that the remote is really the host you intend to connect to; after confirming with yes and entering root's password the login succeeds. On success the client creates a known_hosts file under ~/.ssh that stores the remote host's IP address and the public key of its sshd service.
[root@centos8 ~]# cd .ssh/
[root@centos8 .ssh]# cat known_hosts
172.20.3.111 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAm3Wpcf5VVX4wW6XPR4LZrqCODHrLdf8UVNyQGT0Qor5ysMrO8zOECpQuX5T43h3KgsJCvf4nhC3Qp0FcegH246UgHdleOll1V3mWb7vg8HU38STqn2yYOHUObgy+cYBTa2gppYnEOmn/WnLJDh5qnzChKEUiv7Zd+/02ByjRo58BoG7gUf28q4KtI/7g+itIyQTEu5wqsFWjr+37oz7egIiboTVmlPGjS6CR5DgbUUztRRIfZxXd+o7SNDhQPfwJzVfDQUkd1Wz0Bld06KTBu7w2r+SgIU9vAX2dzBX1oDLfyBd8nMxnlU87k5vCVVK5M9m+/1aYEfai56l0sxnmNQ==
Compare this with the public key of node3's sshd service; they should be identical.
[root@centos7 ~]# cd .ssh/
[root@centos7 .ssh]# cat known_hosts
172.20.3.8 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDaVCBIUhvzZFxAoA0nZDJ9s2Dt+cey+TqH7T8CWetjdgwI321g+xfoWN738OOoqsbx54leEpG45lYbY2yEo2Gs=
[root@centos8 ~]# cat /etc/ssh/ssh_host_ecdsa_key.pub
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDaVCBIUhvzZFxAoA0nZDJ9s2Dt+cey+TqH7T8CWetjdgwI321g+xfoWN738OOoqsbx54leEpG45lYbY2yEo2Gs=
3. Bring up server node1, copy node3's sshd host key pair to node1, add node3's IP address to node1, then connect from node2 to node1 and check whether a prompt appears and whether yes must be typed
Copy node3's configuration files to /data on node1 (only ssh_host_ecdsa_key and ssh_host_ecdsa_key.pub are needed), then shut node3 down.
[root@centos8 ~]# cd /etc/ssh/
[root@centos8 ~]# scp ssh_host_ecdsa_key 172.20.3.6:/data/
[root@centos8 ~]# scp ssh_host_ecdsa_key.pub 172.20.3.6:/data/
[root@centos8 ~]# init 0
On node1, replace the contents of the two corresponding key files in /etc/ssh with node3's files from /data, then add node3's former IP address 192.168.1.128 to node1.
[root@centos6 gnupg.dir]# cat /data/gnupg.dir/ssh_host_ecdsa_key > /etc/ssh/ssh_host_ecdsa_key
[root@centos6 gnupg.dir]# cat /data/gnupg.dir/ssh_host_ecdsa_key.pub > /etc/ssh/ssh_host_ecdsa_key.pub
[root@centos6 gnupg.dir]# ip a a 172.20.3.8 dev eth0
Now connect from node2 to 192.168.1.128 and check whether a host verification prompt appears. No prompt asking for yes is shown: node3 has been impersonated successfully.
[root@centos7 .ssh]# ssh 172.20.3.8
Hello Nanjing_Bokebi!!!
[email protected]'s password:
Last login: Thu Nov 7 21:59:14 2019 from 172.20.3.7
[root@centos6 ~]#
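The experiment above works because the client only knows the server by its host key: once node1 holds node3's key, the SHA256 fingerprint is identical and the pinned entry matches. As an added example (not part of this write-up), here is the check a defender runs instead of trusting the prompt: recompute the fingerprint from the server's own /etc/ssh/ssh_host_*.pub file and compare it with what the client has pinned in known_hosts. It goes beyond the write-up by also matching the hashed `|1|salt|hash` entries written when HashKnownHosts is enabled; the functions, the hashed entry and the bogus key are this example's own constructions.

```python
import base64
import hashlib
import hmac
import struct

def fingerprint_sha256(b64_key: str) -> str:
    """Fingerprint as printed by `ssh-keygen -lf` and in the first-connection prompt."""
    digest = hashlib.sha256(base64.b64decode(b64_key)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def hashed_host(name: str, salt: bytes) -> str:
    """The |1|salt|hash host field that ssh writes when HashKnownHosts is enabled."""
    mac = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def host_matches(field: str, name: str) -> bool:
    """True if a known_hosts host field (plain, comma-separated or hashed) names `name`."""
    if field.startswith("|1|"):
        salt = base64.b64decode(field.split("|")[2])
        return hmac.compare_digest(hashed_host(name, salt), field)
    return name in field.split(",")

def lookup(known_hosts: str, name: str) -> list:
    """(key type, SHA256 fingerprint) of every key pinned for host `name`."""
    found = []
    for line in known_hosts.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0].startswith("@"):          # @cert-authority / @revoked marker
            parts = parts[1:]
        if len(parts) >= 3 and host_matches(parts[0], name):
            found.append((parts[1], fingerprint_sha256(parts[2])))
    return found

def verify(known_hosts: str, name: str, pub_line: str) -> bool:
    """Out-of-band check: does the key pinned for `name` match the server's own .pub file?"""
    ktype, b64 = pub_line.split()[:2]
    return (ktype, fingerprint_sha256(b64)) in lookup(known_hosts, name)

# Sample input: node3's ssh_host_ecdsa_key.pub from the write-up, pinned once by IP
# (as on node2) and once under a constructed HashKnownHosts entry for the name "node3".
NODE3_PUB = ("ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDaVCBIUhvzZ"
             "FxAoA0nZDJ9s2Dt+cey+TqH7T8CWetjdgwI321g+xfoWN738OOoqsbx54leEpG45lYbY2yEo2Gs=")
KNOWN_HOSTS = "172.20.3.8 %s\n%s %s\n" % (NODE3_PUB, hashed_host("node3", b"0123456789abcdef0123"), NODE3_PUB)
# Constructed all-zero ed25519 blob standing in for an impostor's host key.
BOGUS_PUB = "ssh-ed25519 " + base64.b64encode(
    struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(32)).decode()

if __name__ == "__main__":
    print(lookup(KNOWN_HOSTS, "172.20.3.8"))
    print("pinned key for node3 matches its pub file:", verify(KNOWN_HOSTS, "node3", NODE3_PUB))
    print("impostor key accepted for 172.20.3.8:", verify(KNOWN_HOSTS, "172.20.3.8", BOGUS_PUB))
```

The SHA256 value printed for the pinned key is what `ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub` prints on the server, so the two can be compared over a channel other than the ssh connection itself.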
4. SSH X forwarding
Prepare two servers with a graphical desktop.

| OS version | IP address | Hostname |
|---|---|---|
| CentOS6 | 192.168.26.7 | node1 |
| CentOS7 | 192.168.26.8 | node2 |

From a terminal on node1, connect to node2; after the connection succeeds run gedit, which fails to open.
[root@centos7 ~]# ssh 192.168.26.8
The authenticity of host '192.168.26.8 (192.168.26.8)' can't be established.
ECDSA key fingerprint is SHA256:3rNeKB1lroMHCkCqY4sINNaTva4XyZhnQi3rcytyGF8.
ECDSA key fingerprint is MD5:67:cc:58:15:81:a0:e0:b4:bb:4f:15:56:63:41:0c:7a.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.26.8' (ECDSA) to the list of known hosts.
[email protected]'s password:
Activate the web console with: systemctl enable --now cockpit.socket
Last login: Sat Nov 9 17:26:49 2019 from 192.168.26.1
[root@centos8 ~]# gedit
Unable to init server: Could not connect: Connection refused
(gedit:1733): Gtk-WARNING **: 17:39:49.381: cannot open display:
[root@centos8 ~]#
From the terminal on node1, connect to node2 again with the -X option (switch node2 to init 3 mode).
Run gedit again: node2's graphical gedit program now opens successfully.
Opening node2's desktop from Windows with Xmanager
Open Xstart in Xmanager, enter node2's IP address, choose the SSH protocol and fill in the root user name.
If you are connecting to CentOS 7, you can first do the following setup.
--------------------------------------------------
Install packages:
yum groupinstall "X Window System" -y
--------------------------------------------------
Install lightdm:
# add the EPEL repository
yum install epel-release
yum install lightdm
--------------------------------------------------
Edit the configuration file:
vim /etc/lightdm/lightdm.conf
[XDMCPServer]
enabled=true
port=177
--------------------------------------------------
Install xfce or kde:
# kde is recommended; its interface looks better than xfce
# kde
sudo yum group install "KDE Plasma Workspaces"
# xfce
sudo yum group install xfce
--------------------------------------------------
Switch the display manager to lightdm:
sudo systemctl disable gdm
sudo systemctl enable lightdm
sudo systemctl start lightdm
--------------------------------------------------
Stop the firewall:
systemctl stop firewalld.service
--------------------------------------------------
Starting from Xshell
# start an xfce4 session
startxfce4
# start kde
startkde
--------------------------------------------------
In the Xstart configuration, the Command (C) field is set as follows:
# xfce
DISPLAY=$DISPLAY; /usr/bin/xfce4-session
# kde
DISPLAY=$DISPLAY; /usr/bin/startkde
Once connected, you can operate node2 through its remote graphical desktop.
5. Hopping through an intermediate host with ssh
Experiment setup

| OS | IP address | Hostname |
|---|---|---|
| CentOS6 | 192.168.26.6 | node1 |
| CentOS7 | 192.168.26.7 | node2 |
| CentOS8 | 192.168.26.8 | node3 |

On node3, add a firewall rule that blocks ssh access from node1.
[root@centos8 bin]# iptables -F
[root@centos8 bin]# iptables -A INPUT -s 192.168.26.6 -j REJECT
[root@centos8 bin]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 192.168.26.6 0.0.0.0/0 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Test whether node1 can ping node3 and whether it can ssh to node3.
[root@centos6 ~]# ping 192.168.26.8
PING 192.168.26.8 (192.168.26.8) 56(84) bytes of data.
From 192.168.26.8 icmp_seq=1 Destination Port Unreachable
From 192.168.26.8 icmp_seq=2 Destination Port Unreachable
From 192.168.26.8 icmp_seq=3 Destination Port Unreachable
From 192.168.26.8 icmp_seq=4 Destination Port Unreachable
^C
--- 192.168.26.8 ping statistics ---
4 packets transmitted, 0 received, +4 errors, 100% packet loss, time 3041ms
[root@centos6 ~]# ssh 192.168.26.8
ssh: connect to host 192.168.26.8 port 22: Connection refused
Connect from node1 to node2, then from node2 to node3, so that node1 reaches node3 through node2.
[root@centos6 ~]# ssh 192.168.26.7
[email protected]'s password:
Last login: Sat Nov 9 11:59:52 2019 from 192.168.26.6
[root@centos7 ~]# ssh 192.168.26.8
[email protected]'s password:
Activate the web console with: systemctl enable --now cockpit.socket
Last login: Sat Nov 9 18:51:02 2019 from 192.168.26.1
[root@centos8 ~]#
The same hop can be done with a single ssh command on node1, as shown below:
Enter the passwords of node2 and node3 in turn to land on node3.
[root@centos6 ~]# ssh -t 192.168.26.7 ssh 192.168.26.8
[email protected]'s password: # enter the password for 26.7
[email protected]'s password: # enter the password for 26.8
Activate the web console with: systemctl enable --now cockpit.socket
Last login: Sat Nov 9 20:00:20 2019 from 192.168.26.7
[root@centos8 ~]#
6. Running a single command on a remote host with ssh, returning its output and exiting
Using node1 from the previous experiment, run an ip a command on node2 over ssh and then exit, as shown below:
[root@centos6 ~]# ssh -t 192.168.26.7 'ip a'
[email protected]'s password:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:79:c6:ce brd ff:ff:ff:ff:ff:ff
inet 172.20.3.107/16 brd 172.20.255.255 scope global noprefixroute dynamic eth0
valid_lft 2590623sec preferred_lft 2590623sec
inet6 fe80::7a63:4abc:9540:e640/64 scope link noprefixroute
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:79:c6:d8 brd ff:ff:ff:ff:ff:ff
inet 192.168.26.7/24 brd 192.168.26.255 scope global noprefixroute eth1
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fe79:c6d8/64 scope link
valid_lft forever preferred_lft forever
Connection to 192.168.26.7 closed.
7. SSH password authentication: logging in requires the password of the corresponding user on the remote host
Experiment setup

| OS | IP address | Hostname |
|---|---|---|
| CentOS6 | 192.168.26.6 | node1 |
| CentOS7 | 192.168.26.7 | node2 |
| CentOS8 | 192.168.26.8 | node3 |

Password-based authentication simply means logging in with a user name and password valid on the remote host.
Log in from node1 to node2's root account; after entering the password you are logged in as root on node2.
[root@centos6 ~]# ssh [email protected]
[email protected]'s password:
Last failed login: Sat Nov 9 13:17:35 CST 2019 from 172.20.1.9 on ssh:notty
There were 3 failed login attempts since the last successful login.
Last login: Sat Nov 9 12:07:53 2019 from 192.168.26.6
[root@centos7 ~]#
8. SSH public key authentication: passwordless login to a remote host
Generate a key pair on node1 and copy the public key to node2; ssh from node1 to the corresponding account on node2 then no longer asks for the remote password. The host environment is the same as above.
On node1 run ssh-keygen -t rsa to generate the key pair; press Enter at each prompt to accept the defaults. Then look at the resulting public key file in ~/.ssh.
# generate the key pair
[root@centos6 ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
95:f2:6e:53:b1:01:fe:40:d1:23:36:61:fc:fe:b0:5a [email protected]
The key's randomart image is:
+--[ RSA 2048]----+
| .*+ |
| +=oo |
| ..=+o. |
| + o.+ |
| S ..+ |
| . .o |
| + E+ |
| . o. . |
| .. |
+-----------------+
Use ssh-copy-id to send node1's public key into ~/.ssh/authorized_keys on node2.
[root@centos6 .ssh]# ssh-copy-id 192.168.26.7
[email protected]'s password:
Now try logging into the machine, with "ssh '192.168.26.7'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
Check that the corresponding file on node2 now contains the public key node1 just generated.
Use ssh on node1 to connect to node2's root account. As shown, the login succeeds without a password, which completes the public key authentication experiment.
[root@centos6 .ssh]# ssh 192.168.26.7
Last login: Sat Nov 9 13:20:43 2019 from 192.168.26.6
[root@centos7 ~]# cat .ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEArJM297neqsI7ZO0pEeoH0lJo8MbjJ5SssAOahnHF7fPZp8lZRR59UPGw7TYVEoskdu+NN2MowIlEQGC8HVsA5NL1cFMs/riCY8fCLs9aJpC3VwSJ9s7qNG13J/IHvO7eOTgrq86j4vgRiOZYMENRqBWOFXmWoK2D7zGoKcgqa+RFTvuVwbY7nc/LOz10LuCaQab8zCom6PPvgf7XPs5+awkXhcex6GBxAfnhNg6CXh6B+0UkJIOAvz3RW9HJK9S0ThZv6wqJ5zU7gPHCd1pw/pV8J2xMZ3xL1fICL69ZxcuTiXmiTaQqELQUiAPJfQLx7R7SXGXDYGgzKGG4KdCmMw== [email protected]
Once ~/.ssh/authorized_keys on node2 is emptied, ssh falls back to password authentication.
Empty the file on node2:
# remove the authorized public key
[root@centos7 ~]# cd .ssh
[root@centos7 .ssh]# ll
total 8
-rw------- 1 root root 409 Nov 9 13:52 authorized_keys
-rw-r--r-- 1 root root 174 Nov 9 09:39 known_hosts
[root@centos7 .ssh]# echo > authorized_keys
# after the public key is removed, logging in asks for the password again
[root@centos6 ~]# ssh 192.168.26.7
[email protected]'s password:
Last login: Sat Nov 9 13:56:26 2019 from 192.168.26.6
[root@centos7 ~]#
In some business scenarios many servers need passwordless login to each other, which requires copying every server's public key into every other server's authorized file; this is tedious. Instead all servers can share the same key pair, which removes the work of copying public keys between them.
On node1 run ssh-keygen -t rsa to generate the key pair, copy its own public key into its own authorized_keys, and finally copy the whole ~/.ssh directory to node2 and node3.
# generate the key pair on node1 with ssh-keygen -t rsa
[root@centos7 ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:KWaZqx66lfCDEcgicQfFTW6daPUBlo2rsorqQYPyAuQ root@centos7
The key's randomart image is:
+---[RSA 2048]----+
|. o+oo. +=. |
|.+ ....=oo.. |
|+o. = o.. |
|* . o o.. |
|+Eo *.S |
|+..=.+.o |
|..o *o. |
| o.o.+ |
|=.++o |
+----[SHA256]-----+
On node1, use ssh-copy-id to copy the public key into its own authorized_keys:
[root@centos6 .ssh]# ssh-copy-id [email protected]
The authenticity of host '192.168.26.6 (192.168.26.6)' can't be established.
RSA key fingerprint is 36:2c:35:3f:46:df:69:f2:9a:b3:32:24:ef:cd:e7:bf.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.26.6' (RSA) to the list of known hosts.
[email protected]'s password:
Now try logging into the machine, with "ssh '[email protected]'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
[root@centos6 .ssh]#
Check that node1's public key and the contents of authorized_keys are identical.
[root@centos6 .ssh]# cat authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEArJM297neqsI7ZO0pEeoH0lJo8MbjJ5SssAOahnHF7fPZp8lZRR59UPGw7TYVEoskdu+NN2MowIlEQGC8HVsA5NL1cFMs/riCY8fCLs9aJpC3VwSJ9s7qNG13J/IHvO7eOTgrq86j4vgRiOZYMENRqBWOFXmWoK2D7zGoKcgqa+RFTvuVwbY7nc/LOz10LuCaQab8zCom6PPvgf7XPs5+awkXhcex6GBxAfnhNg6CXh6B+0UkJIOAvz3RW9HJK9S0ThZv6wqJ5zU7gPHCd1pw/pV8J2xMZ3xL1fICL69ZxcuTiXmiTaQqELQUiAPJfQLx7R7SXGXDYGgzKGG4KdCmMw== [email protected]
[root@centos6 .ssh]# cat id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEArJM297neqsI7ZO0pEeoH0lJo8MbjJ5SssAOahnHF7fPZp8lZRR59UPGw7TYVEoskdu+NN2MowIlEQGC8HVsA5NL1cFMs/riCY8fCLs9aJpC3VwSJ9s7qNG13J/IHvO7eOTgrq86j4vgRiOZYMENRqBWOFXmWoK2D7zGoKcgqa+RFTvuVwbY7nc/LOz10LuCaQab8zCom6PPvgf7XPs5+awkXhcex6GBxAfnhNg6CXh6B+0UkJIOAvz3RW9HJK9S0ThZv6wqJ5zU7gPHCd1pw/pV8J2xMZ3xL1fICL69ZxcuTiXmiTaQqELQUiAPJfQLx7R7SXGXDYGgzKGG4KdCmMw== [email protected]
Delete the .ssh directory on node2 and node3:
[root@centos7 ~]# rm -rf .ssh
[root@centos8 ~]# rm -rf .ssh
Copy node1's .ssh directory to the corresponding location on node2 and node3:
[root@centos6 ~]# scp -pr .ssh [email protected]:/root
[email protected]'s password:
id_rsa.pub 100% 409 0.4KB/s 00:00
known_hosts 100% 788 0.8KB/s 00:00
authorized_keys 100% 409 0.4KB/s 00:00
id_rsa 100% 1675 1.6KB/s 00:00
[root@centos6 ~]# scp -pr .ssh [email protected]:/root
[email protected]'s password:
id_rsa.pub 100% 409 0.4KB/s 00:00
known_hosts 100% 1182 1.2KB/s 00:00
authorized_keys 100% 409 0.4KB/s 00:00
id_rsa 100% 1675 1.6KB/s 00:00
Log in from root on node1, node2 and node3 to the root accounts of the other two servers; every login succeeds:
------------------------------------------------------
# on node1
[root@centos6 ~]# ssh 192.168.26.7
Last login: Sat Nov 9 14:28:00 2019 from 192.168.26.6
[root@centos7 ~]#
[root@centos6 ~]# ssh 192.168.26.8
Last login: Sat Nov 9 22:28:11 2019 from 192.168.26.7
[root@centos8 ~]#
------------------------------------------------------
# on node2
[root@centos7 ~]# ssh 192.168.26.6
Last login: Sat Nov 9 14:20:54 2019 from 172.20.1.9
[root@centos6 ~]#
[root@centos7 ~]# ssh 192.168.26.8
Last login: Sat Nov 9 22:28:41 2019 from 192.168.26.6
[root@centos8 ~]#
------------------------------------------------------
# on node3
[root@centos8 bin]# ssh 192.168.26.6
Last login: Sat Nov 9 14:28:39 2019 from 192.168.26.7
[root@centos6 ~]#
[root@centos8 bin]# ssh 192.168.26.7
Last login: Sat Nov 9 14:28:31 2019 from 192.168.26.6
[root@centos7 ~]#
9. Because public key authentication depends on the key pair, the private key must be protected; encrypting the private key raises its security
Encrypt an existing private key with ssh-keygen -p. Delete node2's .ssh directory, copy node1's public key into node2's authorized_keys again, and from then on logging in from node1 to node2 requires the passphrase of node1's private key.
------------------------------------------------------
# delete node2's .ssh directory
[root@centos7 ~]# rm -rf .ssh
------------------------------------------------------
# on node1, put a passphrase on the key pair with ssh-keygen -p, then send the public key to node2 with ssh-copy-id
[root@centos6 ~]# ssh-keygen -p
Enter file in which the key is (/root/.ssh/id_rsa):
Key has comment '/root/.ssh/id_rsa'
Enter new passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved with the new passphrase.
[root@centos6 ~]# ssh-copy-id 192.168.26.7
[email protected]'s password:
Now try logging into the machine, with "ssh '192.168.26.7'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
-------------------------------------------------------
# connect from node1 to node2; the passphrase that encrypts the key is required
[root@centos6 ~]# ssh 192.168.26.7
Enter passphrase for key '/root/.ssh/id_rsa':
Last login: Sat Nov 9 14:31:35 2019 from 192.168.26.8
[root@centos7 ~]#
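An added example, not from the write-up: an audit of a .ssh directory that reports which private keys are actually passphrase-protected (what `ssh-keygen -p` above achieves) and which are readable by other users. It covers both the legacy PEM format the write-up's ssh-keygen produces and the newer openssh-key-v1 format, so it goes beyond the RSA case shown; all function names are this example's own and the key files it writes are constructed stubs with no real key material.

```python
import base64
import os
import struct
import tempfile

MAGIC = b"openssh-key-v1\x00"   # magic at the start of an OPENSSH PRIVATE KEY blob

def ssh_str(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b          # SSH wire 'string': uint32 length + bytes

def key_is_encrypted(pem: str) -> bool:
    """Passphrase-protected? Legacy PEM: 'Proc-Type: 4,ENCRYPTED' header; new format: cipher after magic != 'none'."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(MAGIC):
            raise ValueError("not an openssh-key-v1 blob")
        (n,) = struct.unpack(">I", blob[len(MAGIC):len(MAGIC) + 4])
        return blob[len(MAGIC) + 4:len(MAGIC) + 4 + n] != b"none"
    return any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines)

def audit_dir(path: str) -> dict:
    """For each private key under `path`: is it encrypted, and is it readable only by its owner?"""
    report = {}
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if name.endswith(".pub") or not os.path.isfile(full):
            continue
        with open(full) as fh:
            text = fh.read()
        if "PRIVATE KEY-----" not in text:
            continue
        report[name] = {"encrypted": key_is_encrypted(text),
                        "mode_ok": (os.stat(full).st_mode & 0o077) == 0}
    return report

def openssh_v1_pem(cipher: bytes) -> str:
    """Constructed new-format key holding only the header fields the parser reads (no key material)."""
    kdf = b"none" if cipher == b"none" else b"bcrypt"
    blob = MAGIC + ssh_str(cipher) + ssh_str(kdf) + ssh_str(b"") + struct.pack(">I", 1)
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n%s\n-----END OPENSSH PRIVATE KEY-----\n" % base64.b64encode(blob).decode()

# Constructed legacy-format samples: id_rsa as `ssh-keygen -t rsa` writes it, and after `ssh-keygen -p`.
LEGACY_PLAIN = "-----BEGIN RSA PRIVATE KEY-----\nQ29uc3RydWN0ZWQ=\n-----END RSA PRIVATE KEY-----\n"
LEGACY_ENCRYPTED = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC,"
                    "00112233445566778899AABBCCDDEEFF\n\nQ29uc3RydWN0ZWQ=\n-----END RSA PRIVATE KEY-----\n")

def make_samples() -> str:
    """Write the samples into a fresh temp dir; id_ed25519 is deliberately left group/world readable."""
    d = tempfile.mkdtemp()
    for name, text, mode in [("id_rsa", LEGACY_ENCRYPTED, 0o600), ("id_rsa_old", LEGACY_PLAIN, 0o600),
                             ("id_ed25519", openssh_v1_pem(b"aes256-ctr"), 0o644)]:
        with open(os.path.join(d, name), "w") as fh:
            fh.write(text)
        os.chmod(os.path.join(d, name), mode)
    return d
```

Running `audit_dir("/root/.ssh")` on node1 after the steps above should report id_rsa as encrypted; a key with mode_ok False is one that ssh itself will refuse to use until its permissions are tightened.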
10. In the previous experiment the private key passphrase had to be typed at every login, which is tedious. ssh-agent bash and ssh-add can hold the passphrase for the current session and reduce how often it must be entered
Install the psmisc package and look at the process tree of the current ssh session.
[root@centos6 ~]# yum -y install psmisc
[root@centos6 ~]# pstree | grep bash
|-sshd---sshd---bash-+-grep
Then start a new bash with ssh-agent bash:
[root@centos6 ~]# ssh-agent bash
[root@centos6 ~]# pstree | grep ssh
|-sshd---sshd---bash---bash-+-grep
| `-ssh-agent
In the newly started bash run ssh-add and enter the private key passphrase. Then connect to node2; the connection succeeds without asking for a passphrase:
-------------------------------------------------------
[root@centos6 ~]# ssh-agent bash
[root@centos6 ~]# ssh-add
Enter passphrase for /root/.ssh/id_rsa: # the passphrase that encrypts the key is entered here
Identity added: /root/.ssh/id_rsa (/root/.ssh/id_rsa)
[root@centos6 ~]#
--------------------------------------------------------
[root@centos6 ~]# ssh 192.168.26.7
Last login: Sat Nov 9 16:17:53 2019 from 192.168.26.6
[root@centos7 ~]#
11. Public key login from Xshell
Generate a key pair in Windows with the Xshell client.
Click Tools in Xshell and choose New User Key Wizard.
In the dialog, choose the RSA algorithm and the key length, then click Next.
After the key is generated, click Next.
Give the key a name and decide whether to set a private key passphrase, then click Finish.
Click Tools in Xshell and choose User Key Manager.
Double-click the newly generated key, click Public Key and copy the entire public key.
Then write the public key into authorized_keys on node1.
# paste the public key into the file
[root@centos6 ~]# vim .ssh/authorized_keys
Create a new session in Xshell and fill in the IP address and port.
Under Authentication choose Public Key as the method, enter the user name, select the user key generated earlier and click OK.
After the session is created click Connect and test whether login succeeds without root's password.
Xshell public key login works: it logs straight in without asking for root's password.
Connecting to 192.168.26.6:22...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
Last login: Sat Nov 9 17:29:43 2019 from 192.168.26.1
[root@centos6 ~]#
12. A script that copies the public key and logs in to the hosts
# ip.txt holds the IP addresses of the other machines that should receive the public key
cat ip.txt
192.168.26.7
192.168.26.8
#!/bin/bash
# expect drives the interactive ssh-copy-id prompts; install it if it is missing
rpm -q expect &> /dev/null || yum -y install expect
# generate an RSA key pair without a passphrase, unless one already exists
[ -f /root/.ssh/id_rsa ] || ssh-keygen -P "" -f "/root/.ssh/id_rsa"
# root password of the target hosts (the same on every host in this lab)
userpwd="123456"
while read -r ipaddr ; do
    # unquoted EOF so that $ipaddr and $userpwd are expanded by bash
    expect <<EOF
set timeout 10
spawn ssh-copy-id $ipaddr
expect {
    "yes/no" {send "yes\n";exp_continue}
    "password" {send "$userpwd\n"}
}
expect eof
EOF
done < ip.txt
Run the script: bash sshkeyau.sh
[root@centos6 ~]# rm -rf .ssh
[root@centos7 ~]# rm -rf .ssh
[root@centos8 ~]# rm -rf .ssh
[root@centos6 ~]# bash sshkeyau.sh
Connect from node1 to node2 to verify that the script worked.
[root@centos6 ~]# ssh 192.168.26.7
[root@centos7 ~]# exit