SSH安全+不输入密码
登陆Linux服务器,四种方法
管理机:10.8.8.160
远程主机:10.8.8.161、10.8.8.162
一、用户名+密码
[10.8.8.160]$ssh [email protected]输入密码
[10.8.8.160]$ssh [email protected]输入密码
二、密钥认证
需要管理几台就需要创建多少对密钥公钥,为了便于管理,针对每台主机建立不同名的密钥
[10.8.8.160]$mkdir .ssh
[10.8.8.160]$ssh-keygen �Ct rsa �Cf /home/yuchunyun/.ssh/id_rsa.161密钥为空直接回车
[10.8.8.160]$ssh-keygen �Ct rsa �Cf /home/yuchunyun/.ssh/id_rsa.162密钥为空直接回车
-t 指定密钥对类型
-f 指定密钥对存放路径(建议使用绝对路径)。
会在.ssh/文件夹下生成id_rsa.161(密钥)、id_rsa.161.pub(公钥)id_rsa.162(密钥)、id_rsa.162.pub(公钥)
[10.8.8.160]$scp .ssh/id_rsa.161.pub [email protected]
[10.8.8.160]$scp .ssh/id_rsa.162.pub [email protected]
在被管理的主机上
mkdir .ssh
cat id_rsa.161.pub >> .ssh/authorized_keys
chmod 700 .ssh
chmod 600 .ssh/authorized_keys
必须使用此权限,否则公钥不生效
vi /etc/ssh/sshd_config(注释去掉)
PubkeyAuthenticationyes
AuthorizedKeysFile.ssh/authorized_keys
/etc/init.d/sshdrestart
然后在管理机上:ssh �Ci ./ssh/ id_rsa.161 [email protected]不用输入密码
ssh �Ci ./ssh/ id_rsa.162 [email protected]不用输入密码
三、密钥+密钥密码认证
在二步骤过程中,创建密钥对时输入密码即可,可以为每台远程主机创建不同的密钥密码,也可以使用同一个密钥密码
在管理机上:ssh �Ci ./ssh/ id_rsa.161 [email protected]输入对应的密钥密码
ssh �Ci ./ssh/ id_rsa.162 [email protected]
四、SSH代理:密钥+密钥密码(但不用输入密码)
通过ssh-agent进程暂时把密钥密码保存在内存中,后期再ssh就不用输入密钥密码了
被管理机上
vi/etc/sss/sshd_config(注释去掉)
AllowAgentForwardingyes
/etc/init.d/sshdrestart
在管理机上
启动ssh-agent守护进程命令:
[10.8.8.160]$ssh-agent bash
SSH_AUTH_SOCK=/tmp/ssh-lFDTy14894/agent.14894;export SSH_AUTH_SOCK;
SSH_AGENT_PID=14895;export SSH_AGENT_PID;
echo Agentpid 14895;
[10.8.8.160]$ps �Cef | grepssh
这样就启动了ssh认证代理。认证代理产生UNIX套接字,该套接字被存放在/tmp/ssh-username/agent-socket-processID中。套接字名定位在环境变量SSH_AUTH_SOCK中。Secure Shell为维护认证代理安全性所做的一件事是使它只能被用户自身访问。然而,超级用户可以访问它,并且如果同一个用户启动另外的ssh-agent进程,这可能产生问题。注意记住,运行ssh-agent将不会把你的密钥载入内存。你必须用ssh-add命令自己把密钥载入内存。
[10.8.8.160]$ssh-add ~/.ssh/id_rsa.161(输入密钥密码)
[10.8.8.160]$ssh-add ~/.ssh/id_rsa.162(输入密钥密码)
[10.8.8.160]$ssh-add �Cl(列出所有存储在认证代理中的当前身份)
-h(可以查看帮助)-d (移除身份)
停止ssh-agent
[10.8.8.160]$kill -9 $SSH_AGENT_PID或者
[10.8.8.160]$ssh-agent -k
五、ssh-agent结合keychain
由于ssh-agent是通过ssh-add把解密过的密钥进行高速缓存,如果ssh-agent进程kill之后、或者重新登录shell,那么密钥密码就从缓存中清除了,需要再把每一个远程主机的密钥密码ssh-add一次
通过keychain,可自动调用ssh-agent守护进程和加载密钥密码
下载keychain-2.6.9.tar.bz2
tar jxvf keychain-2.6.9.tar.bz2
cd keychain-2.6.9
sh keychain.sh
make
先确保ssh-agent进程不存在
cat key.sh
#!/bin/bash
/home/yuchunyun/keychain-2.6.9/keychain~/.ssh/id_rsa.161
/home/yuchunyun/keychain-2.6.9/keychain~/.ssh/id_rsa.162
/home/yuchunyun/keychain-2.6.9/keychain~/.ssh/id_rsa.163
/home/yuchunyun/keychain-2.6.9/keychain~/.ssh/id_rsa.141
/home/yuchunyun/keychain-2.6.9/keychain~/.ssh/id_rsa.156
sh key.sh (依次输入每一个密钥密码)
ps -ef | grep ssh (ssh-agent进程已启动)
echo $SSH_AGENT_PID (空)
ssh-add �Cl (空)
. ~/.keychain/t17.wq-sh
ssh-add �Cl (key.sh中定义的密钥都已被加入缓存中)
echo $SSH_AGENT_PID (ssh-agent的进程号变量)
ssh [email protected](不用输入密码)
退出shell,重新登录
会发现ssh-agent进程依然存在,但echo $SSH_AGENT_PID为空,ssh-add �Cl为空
只需要再执行. ~/.keychain/t17.wq-sh即可
ssh-add
-l 列出当前已缓存的密钥
-L 列出当前已缓存的公钥
-d /home/yuchunyun/.ssh/id_rsa.161删除某一条缓存中的密钥
-D 删除所有缓存中的密钥
-x 锁定agent,需要设置“锁密码”(跟之前的密钥密码不同),锁定之后缓存中的密钥都失效
-X 解除agent锁定,需要输入“锁密码”
批量管理的脚本
#cd /home/yuchunyun/shell && cat clientset.sh
#!/bin/bash
#ps -ef | grep ssh-agent | grep -v "grep" | awk -F " " '{print $2}' | xargs kill -9#确保aah-agent进程不存在
pid=`ps -ef | grep ssh-agent | grep -v "grep" | awk -F " " '{print $2}'`
if [ -n "$pid" ];then
kill -9 $pid
elif [ -z "$pid" ];then
continue
else
exit 0
fi
read -p "please set your pubkey passwd:" keypasswd#为密钥设置密码,全部都一样
read -p "please input your passwd for distance host:" passwd
for host in `cat /home/yuchunyun/host.txt`
do
#生成密钥对
/usr/bin/expect <<-EOF
spawn ssh-keygen -t rsa -f /home/yuchunyun/.ssh/id_rsa.$host
expect "Enter passphrase (empty for no passphrase):"
send "$keypasswd\r"
expect "Enter same passphrase again:"
send "$keypasswd\r"
expect eof
EOF
if [ $? -eq 0 ];then
#把公钥和客户端配置的脚本拷贝给客户端
/usr/bin/expect <<-EOF
spawn scp /home/yuchunyun/shell/clientset.sh /home/yuchunyun/.ssh/id_rsa.$host.pub yuchunyun@$host:/home/yuchunyun/
expect "Are you sure you want to continue connecting (yes/no)? "
send "yes\r"
expect "yuchunyun@$host's password:"
send "$passwd\r"
expect eof
EOF
if [ $? -eq 0 ];then
#客户端执行脚本,完成ssh配置
/usr/bin/expect <<-EOF
spawn ssh -t yuchunyun@$host sudo sh /home/yuchunyun/clientset.sh
expect "yuchunyun@$host's password:"
send "$passwd\r"
expect eof
EOF
if [ $? -eq 0 ];then
#将密钥用keychain添加到ssh-add中保存
/usr/bin/expect <<-EOF
spawn /home/yuchunyun/keychain-2.6.9/keychain /home/yuchunyun/.ssh/id_rsa.$host
expect "Enter passphrase for /home/yuchunyun/.ssh/id_rsa.$host:"
send "$keypasswd\r"
expect eof
EOF
else
break
fi
else
break
fi
else
break
fi
done
客户端设置的脚本
#cd /home/yuchunyun/shell && cat clientset.sh
#!/bin/bash date=`date +%Y-%m-%d` sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.$date sudo cat << EOF >> /etc/ssh/sshd_config PubkeyAuthentication yes AuthorizedKeysFile .ssh/authorized_keys EOF sudo /etc/init.d/sshd reload cd /home/yuchunyun/ rm -fr .ssh mkdir .ssh cat ./id_rsa* >> .ssh/authorized_keys sudo rm -fr ./id_rsa* sudo chown yuchunyun:yuchunyun .ssh/ -R sudo chmod 700 .ssh sudo chmod 600 .ssh/authorized_keys sudo rm -fr clientset.sh
被连接的端的IP存放在host.txt
#cd /home/yuchunyun && cat host.txt
10.8.8.140
10.8.8.141
10.8.8.144
#. .keychain/t10.wq-sh
#ssh-add -l 即可发现密钥保存起来了