标签:登录 eof 接收 脚本 known iptable root name 加密
1、实验:A,B,C三台主机,A通过B连接通C2、实验:用对称、非对称、哈希算法
A----->B A 发的数据只有B能解,B也知道只能是A发的
Key { data+Sa [ hash ( data ) ] } + Pb (key)
解析:
A向B发数据时,在原始数据data后加A的私钥签名,[hash(data)]为哈希算法对数据做的摘要,此串数据 data+Sa [ hash ( data ) ]用对称秘钥key加密,拿对方B的公钥把对称秘钥key加密,
B接收A的数据时,因为只有B可解,B的私钥解开对称秘钥key可得到data数据,但是数据来源不确定,就用A的公钥解开,得到的数据是一串,把前面第一个data数据用哈希算法得出结果,与后面的第二个data作比较,若结果一样,说明数据来源是A.
3、实验:在centos7 上登录centos6 不用输入用户名密码,而是基于key验证
步骤:1、先生成公私秘钥对儿
A、[root@centos7 ~]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again: (此处三项默认回车即可)
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:OKPv+40SVvZ+6EcyyrMbKV1fQkfca03waBBl3+a816I root@centos7.localdomain
The key‘s randomart image is:
+---[RSA 2048]----+
| o+=o |
| +.++|
| . +.B|
| .o . o *.|
| +oS.. . o o|
| .o+ o+..o o|
| ...o+o =. ..o|
| ...++o o. ..|
| .++==ooE |
+----[SHA256]-----+
B、[root@centos7 ~]# cd .ssh
[root@centos7 .ssh]# ll
total 12
-rw------- 1 root root 1679 Jan 24 21:01 id_rsa
-rw-r--r-- 1 root root 406 Jan 24 21:01 id_rsa.pub
-rw-r--r-- 1 root root 396 Jan 24 15:07 known_hosts
此处生成的id_rsa 与 id_rsa.pub 为公私钥文件
C、(把公钥文件传输至远程服务器对应用户的家目录)
[root@centos7 ~]# ssh-copy-id -i /root/.ssh/id_rsa 192.168.93.253
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.93.253‘s password:
此操作是将私钥文件传给远程主机,然而本应该传送的是公钥文件,上方的需正常输入密码
D、[root@centos6 .ssh]# ll
total 8
-rw------- 1 root root 406 Jan 24 20:11 authorized_keys
-rw-r--r-- 1 root root 1188 Jan 24 16:35 known_hosts
[root@centos6 .ssh]# cat authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEMjCxmlo89MO7Vr+KcwqL//WXJV0nJ/o8AQYAIBv1E9b31e1QZUKNRCcmz+y8a6z5qN0uQM5PmdrNTtrL1/vE68Z4pcr6KzwaiD1xloaB0tIliO+gzgjOfe3jrikdzSWuV+QyYQQArYHLNPKWMbJ6PHNJCfbd/mErdUh5lxblwU62Z8GkD382tt8BdfouSjTLuYPCR0AR6NmRUPBfDF5VmvL9YUEhFUYYxflYfxHwqGN/sfLaYLfbPXowhZx65W8KldNOva5xy8RrWq2f2bSb2cQEd2/zkYlTPkF6xzsNraOEY6SfpLesZH7IQ5hqHkmhoEkAl/GkdGod+b0m16XF root@centos7.localdomain
然而,我们在centos6上面_查看 cat authorizedkeys 文件,它是公钥,而非私钥与centos7的显示一模一样 如下:
[root@centos7 ~]# cat .ssh/id_rsa.pub
ssh-rsaAAAAB3NzaC1yc2EAAAADAQABAAABAQDEMjCxmlo89MO7Vr+KcwqL//WXJV0nJ/o8AQYAIBv1E9b31e1QZUKNRCcmz+y8a6z5qN0uQM5PmdrNTtrL1/vE68Z4pcr6KzwaiD1xloaB0tIliO+gzgjOfe3jrikdzSWuV+QyYQQArYHLNPKWMbJ6PHNJCfbd/mErdUh5lxblwU62Z8GkD382tt8BdfouSjTLuYPCR0AR6NmRUPBfDF5VmvL9YUEhFUYYxflYfxHwqGN/sfLaYLfbPXowhZx65W8KldNOva5xy8RrWq2f2bSb2cQEd2/zkYlTPkF6xzsNraOEY6SfpLesZH7IQ5hqHkmhoEkAl/GkdGod+b0m16XF root@centos7.localdomain
E、[root@centos7 ~]# ssh 192.168.93.253
Last login: Thu Jan 24 19:04:01 2019 from 192.168.93.1
此时,我们远程连接主机,实现成功登陆,我们就可以远程操作主机,例如:[root@centos7 ~]# ssh 192.168.93.253 hostname
centos6.localdomain
4、实验:使用export将100台主机批量实现key验证
实验目标:创建一个脚本,将生成的公钥传送到所有管理的主机上
准备:A、假设所有主机密码一样,把所有的口令都设为同一个,eg:echo magedu | passwd --stdin root
B、创建一个hosts.txt文件,将所管控的主机IP地址列在其中,
C、[root@centos7 ~]# cat ssh_key_push.sh
#!/bin/bash
ssh-keygen -P "" -f /root/.ssh/id_rsa (“”:设置的空口令) (此命令可一次性生成公私钥对儿)
pass=magedu
rpm -q expect &> /dev/null || yum install expect -y -q (静默安装expect)
while read ip ;do
expect <<EOF
set timeout 20
spawn ssh-copy-id -i /root/.ssh/id_rsa.pub $ip
expect {
"yes/no" { send "yes\n";exp_continue }
"password" { send "$pass\n" }
}
expect eof
EOF
done < host.txt
D、脚本已竣工,我们将其加权限:chmod +x ssh_key_push.sh
E、./ssh_key_push.sh 运行完毕,即可连接远程主机
F、[root@centos7 ~]# ssh 192.168.93.253
Last login: Thu Jan 24 21:40:10 2019 from 192.168.93.1
[root@centos6 ~]# exit
logout
Connection to 192.168.93.253 closed.
[root@centos7 ~]# ssh 192.168.93.200
Last login: Thu Jan 24 22:41:15 2019 from 192.168.93.1
[root@centos7 ~]# exit
logout
A,B,C三台主机,A通过B连接通C;使用export将100台主机批量实现key验证;等实验
标签:登录 eof 接收 脚本 known iptable root name 加密
原文地址:http://blog.51cto.com/14128387/2346446
