ssh 认证

ssh 秘钥认证流程

 

ssh配置认证

基于口令(密码)的安全验证

[root@m01 ~]# ssh 10.0.0.41 hostname
root@10.0.0.41's password:
backup
[root@m01 ~]# ssh 10.0.0.41 whoami
root@10.0.0.41's password:
root
[root@m01 ~]# ssh lewen@10.0.0.41 whoami
lewen@10.0.0.41's password:
lewen

基于秘钥的认证

1.生成钥匙和锁头

[root@m01 ~]# hostname
m01
[root@m01 ~]# ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/root/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):　　　　　　　　　　　　# 给秘钥加密码
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_dsa.
Your public key has been saved in /root/.ssh/id_dsa.pub.
The key fingerprint is:
29:37:1b:e1:9f:0a:ab:77:a0:fc:60:41:2d:bc:85:dd root@m01
The key's randomart image is:
+--[ DSA 1024]----+
| |
| . + . |
| = + E |
| . + . o |
| o . S |
| ..o = . |
| .o.... o |
| .o..o.. |
| .+o.. |
+-----------------+

2.把锁头发送到目标机器

发送到 backup
[root@m01 ~]# ssh-copy-id -i /root/.ssh/id_dsa.pub root@172.16.1.41
The authenticity of host '172.16.1.41 (172.16.1.41)' can't be established.
RSA key fingerprint is ac:0f:aa:d2:5b:ff:cf:ac:f0:76:37:a6:be:31:b9:f9.
Are you sure you want to continue connecting (yes/no)? y
Please type 'yes' or 'no': yes
Warning: Permanently added '172.16.1.41' (RSA) to the list of known hosts.
root@172.16.1.41's password:
Now try logging into the machine, with "ssh 'root@172.16.1.41'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
[root@m01 ~]# ssh 10.0.0.41 hostname
backup
​
​
#nfs01
[root@m01 ~]# ssh-copy-id -i /root/.ssh/id_dsa.pub root@172.16.1.31
The authenticity of host '172.16.1.31 (172.16.1.31)' can't be established.
RSA key fingerprint is ac:0f:aa:d2:5b:ff:cf:ac:f0:76:37:a6:be:31:b9:f9.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.1.31' (RSA) to the list of known hosts.
root@172.16.1.31's password:
Now try logging into the machine, with "ssh 'root@172.16.1.31'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
[root@m01 ~]# ssh 172.16.1.31 hostname
nfs01

3.免密发送

sshpass 软件
yum install sshpass -y

#sshpass 给ssh类提供密码
[root@m01 ~]# sshpass -p123456 ssh 172.16.1.41 hostname
backup
sshpass -p123456 ssh -o StrictHostKeyChecking=no 172.16.1.41 hostname
backup

 

 

非交互式建立 钥匙锁头

  [root@m01 ~]# ssh-keygen -t dsa -P '' -f ~/.ssh/id_dsa 

非交互式 分发公钥

不用输入密码将公钥发送到目的机器

[root@m01 ~]# sshpass -p123456 ssh-copy-id -i /root/.ssh/id_dsa.pub "-o StrictHostKeyChecking=no root@172.16.1.41"
Now try logging into the machine, with "ssh '-o StrictHostKeyChecking=no root@172.16.1.41'",
and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
​
​
[root@m01 ~]# sshpass -p123456 ssh-copy-id -i /root/.ssh/id_dsa.pub "-o StrictHostKeyChecking=no root@172.16.1.31"
Now try logging into the machine, with "ssh '-o StrictHostKeyChecking=no root@172.16.1.31'",
and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
​

[root@m01 ~]# ssh 172.16.1.41 hostname
backup
[root@m01 ~]# ssh 172.16.1.31 hostname
nfs01

 

 

Usage: /usr/bin/ssh-copy-id [-h|-?|-f|-n] [-i [identity_file]] [-p port] [[-o <ssh -o options>] ...] [user@]hostname
    -f: force mode -- copy keys without trying to check if they are already installed
    -n: dry run    -- no keys are actually copied