1.环境准备git
[root@CentOS 7 ~]# cat /etc/redhat-release bash
CentOS Linux release 7.2.1511 (Core) 服务器
[root@CentOS 7 ~]# uname -rdom
3.10.0-327.el7.x86_64ssh
[root@CentOS 7 ~]# getenforce tcp
Disabledide
[root@CentOS 7 ~]# systemctl status firewalld.service oop
● firewalld.service - firewalld - dynamic firewall daemongitlab
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)测试
Active: inactive (dead)
[root@CentOS 7 ~]# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.0.0.201 netmask 255.255.255.0 broadcast 10.0.0.255
inet6 fe80::20c:29ff:fe40:1a4e prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:40:1a:4e txqueuelen 1000 (Ethernet)
RX packets 79743 bytes 65986287 (62.9 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 54690 bytes 70448334 (67.1 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.16.1.201 netmask 255.255.255.0 broadcast 172.16.1.255
inet6 fe80::20c:29ff:fe40:1a58 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:40:1a:58 txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 10 bytes 744 (744.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 0 (Local Loopback)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
2.查看SSH端口
[root@CentOS 7 ~]# netstat -lntup | grep sshd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1518sshd
tcp6 0 0 :::22 :::* LISTEN 1518sshd
3.密钥认证
3.1建立密钥对
[root@CentOS 7 ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): ----密钥对保存路径
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase): ----为密钥对建立密码
Enter same passphrase again: ----确认密码
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
7d:dc:8c:89:80:5d:79:97:6b:e4:2d:53:89:ba:d6:13 root@CentOS 7
The key's randomart image is:
+--[ RSA 2048]----+ ----加密的位数为20048
| .. ...|
| o .. ..+..|
| . o ..+ + |
| o + E* .|
| S o B.+o |
| + o |
| . . |
| |
| |
+-----------------+
3.2分发公钥
[root@CentOS 7 .ssh]# ssh-copy-id -i /root/.ssh/id_rsa.pub root@172.16.1.63
The authenticity of host '172.16.1.63 (172.16.1.63)' can't be established.
ECDSA key fingerprint is 0b:bf:14:a7:9e:87:69:5d:7c:a5:25:b9:65:22:35:08.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@172.16.1.63's password: ----第一次分发公钥,须要输入密码
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'root@172.16.1.63'"
and check to make sure that only the key(s) you wanted were added.
3.3测试
[root@CentOS 7 ~]# ssh 172.16.1.63
Last login: Fri Mar 30 17:11:08 2018 from 10.0.0.1
[root@gitlab ~]# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.0.0.63 netmask 255.255.255.0 broadcast 10.0.0.255
inet6 fe80::20c:29ff:feae:fb74 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:ae:fb:74 txqueuelen 1000 (Ethernet)
RX packets 9568 bytes 2809779 (2.6 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 382 bytes 30216 (29.5 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.16.1.63 netmask 255.255.255.0 broadcast 172.16.1.255
inet6 fe80::20c:29ff:feae:fb7e prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:ae:fb:7e txqueuelen 1000 (Ethernet)
RX packets 87 bytes 18256 (17.8 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 88 bytes 21538 (21.0 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 0 (Local Loopback)
RX packets 66294 bytes 49504554 (47.2 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 66294 bytes 49504554 (47.2 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
4.认证代理
4.1管理主机建立密钥对(以上步骤)
4.2分发公钥(以上步骤)
4.3管理主机启动认证代理
[root@CentOS 7 ~]# eval `ssh-agent -s`
Agent pid 2994
4.4管理主机向agent代理服务器注册本地服务器私钥信息
[root@CentOS 7 ~]# ssh-add
Identity added: /root/.ssh/id_rsa (/root/.ssh/id_rsa)
4.5管理主机将凭证信息经过远程登录方式给被代理主机
[root@CentOS 7 ~]# ssh -A 172.16.1.63
Last login: Fri Mar 30 20:03:21 2018 from 172.16.1.21
4.6测试
[root@gitlab ~]# ssh 172.16.1.21
Last login: Fri Mar 30 20:08:27 2018 from 172.16.1.63
5.自动建立密钥对,分发公钥(Shell脚本)
#!/bin/bash
##############################################################
# File Name: ssh_fenfa.sh
# Version: V7.4
# Author: feng yu
# Organization: https://blog.51cto.com/13520761
# Created Time : 2018-03-30 20:13:36
# Description:
##############################################################
fil=/root/.ssh/id_rsa*
if [ $(ls $fil|wc -l) > 0 ];then
rm -rf $fil
ssh-keygent -t rsa -f /root/.ssh/id_rsa -P "" >> /dev/null 2>&1
else
ssh-keygent -t rsa -f /root/.ssh/id_rsa -P "" >> /dev/null 2>&1
fi
if [ $(rpm -qa sshpass|wc -l) -lt 1 ];then
yum install -y sshpass &>/dev/null
fi
for ip in 21 63
do
sshpass -p123456 ssh-copy-id -i /root/.ssh/id_rsa.pub "172.16.1.$ip -o StrictHostKeyChecking=no"
done