码迷,mamicode.com
首页 > 其他好文 > 详细

SSH密钥分发

时间:2018-04-08 20:17:14      阅读:194      评论:0      收藏:0      [点我收藏+]

标签:枫雨   SSH   密钥分发   

1.环境准备

[root@CentOS 7 ~]# cat /etc/redhat-release 

CentOS Linux release 7.2.1511 (Core) 

[root@CentOS 7 ~]# uname -r

3.10.0-327.el7.x86_64

[root@CentOS 7 ~]# getenforce 

Disabled

[root@CentOS 7 ~]# systemctl status firewalld.service 

● firewalld.service - firewalld - dynamic firewall daemon

   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)

   Active: inactive (dead)

[root@CentOS 7 ~]# ifconfig

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500

        inet 10.0.0.201  netmask 255.255.255.0  broadcast 10.0.0.255

        inet6 fe80::20c:29ff:fe40:1a4e  prefixlen 64  scopeid 0x20<link>

        ether 00:0c:29:40:1a:4e  txqueuelen 1000  (Ethernet)

        RX packets 79743  bytes 65986287 (62.9 MiB)

        RX errors 0  dropped 0  overruns 0  frame 0

        TX packets 54690  bytes 70448334 (67.1 MiB)

        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0


eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500

        inet 172.16.1.201  netmask 255.255.255.0  broadcast 172.16.1.255

        inet6 fe80::20c:29ff:fe40:1a58  prefixlen 64  scopeid 0x20<link>

        ether 00:0c:29:40:1a:58  txqueuelen 1000  (Ethernet)

        RX packets 0  bytes 0 (0.0 B)

        RX errors 0  dropped 0  overruns 0  frame 0

        TX packets 10  bytes 744 (744.0 B)

        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0


lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536

        inet 127.0.0.1  netmask 255.0.0.0

        inet6 ::1  prefixlen 128  scopeid 0x10<host>

        loop  txqueuelen 0  (Local Loopback)

        RX packets 0  bytes 0 (0.0 B)

        RX errors 0  dropped 0  overruns 0  frame 0

        TX packets 0  bytes 0 (0.0 B)

        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0


2.查看SSH端口

[root@CentOS 7 ~]# netstat -lntup | grep sshd

tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1518sshd           

tcp6       0      0 :::22                   :::*                    LISTEN      1518sshd           


3.密钥认证


3.1创建密钥对

[root@CentOS 7 ~]# ssh-keygen -t rsa

Generating public/private rsa key pair.

Enter file in which to save the key (/root/.ssh/id_rsa):           ----密钥对保存路径

Created directory '/root/.ssh'. 

Enter passphrase (empty for no passphrase):          ----为密钥对创建密码

Enter same passphrase again:                                 ----确认密码

Your identification has been saved in /root/.ssh/id_rsa.

Your public key has been saved in /root/.ssh/id_rsa.pub.

The key fingerprint is:

7d:dc:8c:89:80:5d:79:97:6b:e4:2d:53:89:ba:d6:13 root@CentOS 7

The key's randomart image is:

+--[ RSA 2048]----+                          ----加密的位数为20048

|          ..  ...|

|       o .. ..+..|

|      . o  ..+ + |

|         o + E* .|

|        S o B.+o |

|           + o   |

|          .   .  |

|                 |

|                 |

+-----------------+


3.2分发公钥

[root@CentOS 7 .ssh]# ssh-copy-id -i /root/.ssh/id_rsa.pub root@172.16.1.63

The authenticity of host '172.16.1.63 (172.16.1.63)' can't be established.

ECDSA key fingerprint is 0b:bf:14:a7:9e:87:69:5d:7c:a5:25:b9:65:22:35:08.

Are you sure you want to continue connecting (yes/no)? yes                 

/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed

/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys

root@172.16.1.63's password:             ----第一次分发公钥,需要输入密码


Number of key(s) added: 1


Now try logging into the machine, with:   "ssh 'root@172.16.1.63'"

and check to make sure that only the key(s) you wanted were added.


3.3测试

[root@CentOS 7 ~]# ssh 172.16.1.63

Last login: Fri Mar 30 17:11:08 2018 from 10.0.0.1

[root@gitlab ~]# ifconfig

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500

        inet 10.0.0.63  netmask 255.255.255.0  broadcast 10.0.0.255

        inet6 fe80::20c:29ff:feae:fb74  prefixlen 64  scopeid 0x20<link>

        ether 00:0c:29:ae:fb:74  txqueuelen 1000  (Ethernet)

        RX packets 9568  bytes 2809779 (2.6 MiB)

        RX errors 0  dropped 0  overruns 0  frame 0

        TX packets 382  bytes 30216 (29.5 KiB)

        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0


eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500

        inet 172.16.1.63  netmask 255.255.255.0  broadcast 172.16.1.255

        inet6 fe80::20c:29ff:feae:fb7e  prefixlen 64  scopeid 0x20<link>

        ether 00:0c:29:ae:fb:7e  txqueuelen 1000  (Ethernet)

        RX packets 87  bytes 18256 (17.8 KiB)

        RX errors 0  dropped 0  overruns 0  frame 0

        TX packets 88  bytes 21538 (21.0 KiB)

        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0


lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536

        inet 127.0.0.1  netmask 255.0.0.0

        inet6 ::1  prefixlen 128  scopeid 0x10<host>

        loop  txqueuelen 0  (Local Loopback)

        RX packets 66294  bytes 49504554 (47.2 MiB)

        RX errors 0  dropped 0  overruns 0  frame 0

        TX packets 66294  bytes 49504554 (47.2 MiB)

        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0


4.认证代理


4.1管理主机创建密钥对(以上步骤)


4.2分发公钥(以上步骤)


4.3管理主机启动认证代理

[root@CentOS 7 ~]# eval `ssh-agent -s`

Agent pid 2994



4.4管理主机向agent代理服务器注册本地服务器私钥信息

[root@CentOS 7 ~]# ssh-add

Identity added: /root/.ssh/id_rsa (/root/.ssh/id_rsa)


4.5管理主机将凭证信息通过远程登陆方式给被代理主机

[root@CentOS 7 ~]# ssh -A 172.16.1.63

Last login: Fri Mar 30 20:03:21 2018 from 172.16.1.21


4.6测试

[root@gitlab ~]# ssh 172.16.1.21

Last login: Fri Mar 30 20:08:27 2018 from 172.16.1.63


5.自动创建密钥对,分发公钥(Shell脚本)

#!/bin/bash

##############################################################

# File Name: ssh_fenfa.sh

# Version: V7.4

# Author: feng yu

# Organization: http://blog.51cto.com/13520761

# Created Time : 2018-03-30 20:13:36

# Description:

##############################################################

fil=/root/.ssh/id_rsa*

if [ $(ls $fil|wc -l) > 0 ];then

    rm -rf $fil

    ssh-keygent -t rsa -f /root/.ssh/id_rsa -P "" >> /dev/null 2>&1

else

    ssh-keygent -t rsa -f /root/.ssh/id_rsa -P "" >> /dev/null 2>&1

fi


if [ $(rpm -qa sshpass|wc -l) -lt 1 ];then

    yum install -y sshpass &>/dev/null

fi


for ip in 21 63

  do

    sshpass -p123456 ssh-copy-id -i /root/.ssh/id_rsa.pub "172.16.1.$ip -o StrictHostKeyChecking=no"

done


SSH密钥分发

标签:枫雨   SSH   密钥分发   

原文地址:http://blog.51cto.com/13520761/2095798

(0)
(0)
   
举报
评论 一句话评论(0
登录后才能评论!
© 2014 mamicode.com 版权所有  联系我们:gaon5@hotmail.com
迷上了代码!