码迷,mamicode.com
首页 > 其他好文 > 详细

A,B,C三台主机,A通过B连接通C;使用export将100台主机批量实现key验证;等实验

时间:2019-01-25 11:34:36      阅读:230      评论:0      收藏:0      [点我收藏+]

标签:登录   eof   接收   脚本   known   iptable   root   name   加密   

1、实验:A,B,C三台主机,A通过B连接通C
A:centos7(192.168.93.254)B:centos6(192.168.93.253)C:R1(192.168.93.200)
首先假设 C主机做过防火墙策略,禁止被A直接连接通
Iptables -A INPUT -s (A的IP) -j REJECT
[root@R ~]# iptables -A INPUT -s 192.168.93.254 -j REJECT
因为A和C连接,B为跳板,无需拒绝B
此时A连接C不通,而A可以连接上B,再连接C,此过程较繁琐
我们可以ssh -t (B的IP) ssh (C的IP)
[root@centos7 .ssh]# ssh -t 192.168.93.253 ssh 192.168.93.200
[root@R ~]# ip a
输入密码即可登录C主机成功
然而此时C觉得是B在连接,而非A在连接
[root@R ~]# ss -nt
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 0 192.168.93.200:22 192.168.93.253:52586
我们也可以一次性输入一条命令执行完就退出,如下:
[root@centos7 .ssh]# ssh -t 192.168.93.253 ssh 192.168.93.200 ‘ip a‘
root@192.168.93.253‘s password:
root@192.168.93.200‘s password:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:33:b4:1a brd ff:ff:ff:ff:ff:ff
inet 192.168.93.200/24 brd 192.168.93.255 scope global noprefixroute ens33

2、实验:用对称、非对称、哈希算法
A----->B A 发的数据只有B能解,B也知道只能是A发的
Key { data+Sa [ hash ( data ) ] } + Pb (key)
解析:
A向B发数据时,在原始数据data后加A的私钥签名,[hash(data)]为哈希算法对数据做的摘要,此串数据 data+Sa [ hash ( data ) ]用对称秘钥key加密,拿对方B的公钥把对称秘钥key加密,
B接收A的数据时,因为只有B可解,B的私钥解开对称秘钥key可得到data数据,但是数据来源不确定,就用A的公钥解开,得到的数据是一串,把前面第一个data数据用哈希算法得出结果,与后面的第二个data作比较,若结果一样,说明数据来源是A.
3、实验:在centos7 上登录centos6 不用输入用户名密码,而是基于key验证
步骤:1、先生成公私秘钥对儿
A、[root@centos7 ~]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again: (此处三项默认回车即可)
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:OKPv+40SVvZ+6EcyyrMbKV1fQkfca03waBBl3+a816I root@centos7.localdomain
The key‘s randomart image is:
+---[RSA 2048]----+
| o+=o |
| +.++|
| . +.B|
| .o . o *.|
| +oS.. . o o|
| .o+ o+..o o|
| ...o+o =. ..o|
| ...++o o. ..|
| .++==ooE |
+----[SHA256]-----+
B、[root@centos7 ~]# cd .ssh
[root@centos7 .ssh]# ll
total 12
-rw------- 1 root root 1679 Jan 24 21:01 id_rsa
-rw-r--r-- 1 root root 406 Jan 24 21:01 id_rsa.pub
-rw-r--r-- 1 root root 396 Jan 24 15:07 known_hosts
此处生成的id_rsa 与 id_rsa.pub 为公私钥文件
C、(把公钥文件传输至远程服务器对应用户的家目录)
[root@centos7 ~]# ssh-copy-id -i /root/.ssh/id_rsa 192.168.93.253
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.93.253‘s password:
此操作是将私钥文件传给远程主机,然而本应该传送的是公钥文件,上方的需正常输入密码
D、[root@centos6 .ssh]# ll
total 8
-rw------- 1 root root 406 Jan 24 20:11 authorized_keys
-rw-r--r-- 1 root root 1188 Jan 24 16:35 known_hosts
[root@centos6 .ssh]# cat authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEMjCxmlo89MO7Vr+KcwqL//WXJV0nJ/o8AQYAIBv1E9b31e1QZUKNRCcmz+y8a6z5qN0uQM5PmdrNTtrL1/vE68Z4pcr6KzwaiD1xloaB0tIliO+gzgjOfe3jrikdzSWuV+QyYQQArYHLNPKWMbJ6PHNJCfbd/mErdUh5lxblwU62Z8GkD382tt8BdfouSjTLuYPCR0AR6NmRUPBfDF5VmvL9YUEhFUYYxflYfxHwqGN/sfLaYLfbPXowhZx65W8KldNOva5xy8RrWq2f2bSb2cQEd2/zkYlTPkF6xzsNraOEY6SfpLesZH7IQ5hqHkmhoEkAl/GkdGod+b0m16XF root@centos7.localdomain
然而,我们在centos6上面_查看 cat authorizedkeys 文件,它是公钥,而非私钥与centos7的显示一模一样 如下:
[root@centos7 ~]# cat .ssh/id_rsa.pub
ssh-rsaAAAAB3NzaC1yc2EAAAADAQABAAABAQDEMjCxmlo89MO7Vr+KcwqL//WXJV0nJ/o8AQYAIBv1E9b31e1QZUKNRCcmz+y8a6z5qN0uQM5PmdrNTtrL1/vE68Z4pcr6KzwaiD1xloaB0tIliO+gzgjOfe3jrikdzSWuV+QyYQQArYHLNPKWMbJ6PHNJCfbd/mErdUh5lxblwU62Z8GkD382tt8BdfouSjTLuYPCR0AR6NmRUPBfDF5VmvL9YUEhFUYYxflYfxHwqGN/sfLaYLfbPXowhZx65W8KldNOva5xy8RrWq2f2bSb2cQEd2/zkYlTPkF6xzsNraOEY6SfpLesZH7IQ5hqHkmhoEkAl/GkdGod+b0m16XF root@centos7.localdomain
E、[root@centos7 ~]# ssh 192.168.93.253
Last login: Thu Jan 24 19:04:01 2019 from 192.168.93.1
此时,我们远程连接主机,实现成功登陆,我们就可以远程操作主机,例如:[root@centos7 ~]# ssh 192.168.93.253 hostname
centos6.localdomain
4、实验:使用export将100台主机批量实现key验证
实验目标:创建一个脚本,将生成的公钥传送到所有管理的主机上
准备:A、假设所有主机密码一样,把所有的口令都设为同一个,eg:echo magedu | passwd --stdin root
B、创建一个hosts.txt文件,将所管控的主机IP地址列在其中,
C、[root@centos7 ~]# cat ssh_key_push.sh
#!/bin/bash
ssh-keygen -P "" -f /root/.ssh/id_rsa (“”:设置的空口令) (此命令可一次性生成公私钥对儿)
pass=magedu
rpm -q expect &> /dev/null || yum install expect -y -q (静默安装expect)
while read ip ;do
expect <<EOF
set timeout 20
spawn ssh-copy-id -i /root/.ssh/id_rsa.pub $ip
expect {
"yes/no" { send "yes\n";exp_continue }
"password" { send "$pass\n" }
}
expect eof
EOF
done < host.txt
D、脚本已竣工,我们将其加权限:chmod +x ssh_key_push.sh
E、./ssh_key_push.sh 运行完毕,即可连接远程主机
F、[root@centos7 ~]# ssh 192.168.93.253
Last login: Thu Jan 24 21:40:10 2019 from 192.168.93.1
[root@centos6 ~]# exit
logout
Connection to 192.168.93.253 closed.
[root@centos7 ~]# ssh 192.168.93.200
Last login: Thu Jan 24 22:41:15 2019 from 192.168.93.1
[root@centos7 ~]# exit
logout

A,B,C三台主机,A通过B连接通C;使用export将100台主机批量实现key验证;等实验

标签:登录   eof   接收   脚本   known   iptable   root   name   加密   

原文地址:http://blog.51cto.com/14128387/2346446

(0)
(0)
   
举报
评论 一句话评论(0
登录后才能评论!
© 2014 mamicode.com 版权所有  联系我们:gaon5@hotmail.com
迷上了代码!