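Linux Basics: SSH Passwordless Login


SSH Passwordless Login

1. Introduction

SSH is a network protocol used for encrypted login between computers.

This article covers the OpenSSH implementation, which is free software and very widely used.

2. Initializing the public and private keys

Two encryption methods are available, rsa and dsa. The generated public and private keys are both stored in the current user's ssh directory (that is, ~/.ssh/).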

rsa

ssh-keygen -t rsa

3. The ~/.ssh directory explained

3.1 id_rsa

Private key

-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----

3.2 id_rsa.pub

Public key: can be used for SSH clone with GitLab and GitHub

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAUGyM4pybPweHPuKD7pdmMhqQOCqijiXdTQEglCO8tGsgGs9zc1h6qSfkxDWhCO/N06DHd7HMizdwIPZwFxgyDjOUct+tP3SD1NXxMDsq8jvhhKnNOogloAMylD+Ab0cyD7MVYaP6t3gmFzWDHwI6ztSb72/EMCYDjvf773s2dX8wC+pBCSNavs9v27ev699XgXVGRZrxDMkCjeuq4KZRW+WB7YaFXk9YmvS9Nui11TSFm3kqPNpgaMgwCaCTpK0k9S75tSF7Z+o+PYsNSl/w6qMh4S5Ec7VxiVqNChfFuv3QYe6JL8nNQZot9CbHjDLscs34SwTnAA7vm8PLL1Wr linxiaojun@linxiaojun-XPS-13-9350

3.3 authorized_keys

Stores the public keys of other servers (including this one); it is used for passwordless login.

ssh-copy-id user@ip simply copies id_rsa.pub into this file.
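The following Python code, added here as an example and not part of the original article, parses authorized_keys entries and flags the dsa keys mentioned in section 2 as well as short RSA keys. The function names, the 2048-bit threshold and the sample entries are assumptions constructed for this example.

```python
import base64

def read_fields(blob):
    """Split an SSH wire-format key blob into its length-prefixed fields."""
    fields = []
    while blob:
        end = 4 + int.from_bytes(blob[:4], "big")
        if end > len(blob):
            raise ValueError("truncated key blob")
        fields.append(blob[4:end])
        blob = blob[end:]
    return fields

def audit_line(line, min_rsa_bits=2048):  # 2048 is this example's assumed policy
    """Audit one authorized_keys line; returns None for blanks and comments."""
    tokens = line.split()
    if not tokens or tokens[0].startswith("#"):
        return None
    # Options (from="...") may precede the key type, so scan for the key blob.
    for i in range(1, len(tokens)):
        try:
            fields = read_fields(base64.b64decode(tokens[i], validate=True))
        except ValueError:
            continue
        if fields and fields[0] == tokens[i - 1].encode():
            break
    else:
        return {"findings": ["unparsable entry"]}
    ktype, findings, bits = tokens[i - 1], [], None
    if ktype == "ssh-dss":
        findings.append("DSA key (disabled by default since OpenSSH 7.0)")
    elif ktype == "ssh-rsa" and len(fields) == 3:  # fields: type, e, n
        bits = int.from_bytes(fields[2], "big").bit_length()
        if bits < min_rsa_bits:
            findings.append(f"RSA modulus is only {bits} bits")
    return {"type": ktype, "bits": bits, "options": tokens[:i - 1], "findings": findings}

def sample_key(ktype, *ints):  # CONSTRUCTED: valid structure, not a real key
    parts = [ktype.encode()] + [n.to_bytes(n.bit_length() // 8 + 1, "big") for n in ints]
    blob = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return ktype + " " + base64.b64encode(blob).decode()

SAMPLE = [
    sample_key("ssh-rsa", 65537, (1 << 2047) | 1) + " test101@192.168.100.101",
    'from="192.168.100.101" ' + sample_key("ssh-rsa", 65537, (1 << 1023) | 1),
    sample_key("ssh-dss", 7, 5, 3, 2) + " old-dsa",
]

if __name__ == "__main__":
    print(*map(audit_line, SAMPLE), sep="\n")
```

To audit a real account, pass each line of ~/.ssh/authorized_keys to audit_line and review every entry whose findings list is not empty.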

3.4 known_hosts

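Stores the hosts that are trusted

4. Example

Assume the local machine's IP is 192.168.100.101, the user is test101 and the password is 123

The target host's IP is 192.168.100.102, the user is test102 and the password is 123

# Generate the public and private keys on both 101 and 102

# 101
ssh-keygen -t rsa
# Press Enter 3 times to accept the default settings

# 102
ssh-keygen -t rsa
# Press Enter 3 times to accept the default settings
# Copy id_rsa.pub to 101
ssh-copy-id test101@192.168.100.101

# Back on 101, copy id_rsa.pub to 102
ssh-copy-id test102@192.168.100.102

# 101 and 102 can now log in to each other without a password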

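5. One-step automation

5.1 A brief look at expect

expect is a free programming tool language for automating communication with interactive tasks, with no human intervention required.

expect keeps evolving; over time it has become more and more capable and is now a powerful assistant for system administrators.

expect depends on the Tcl programming language, so Tcl must be installed before expect can run on a system.

5.2 Installing expect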

# -O saves the archive under the file name that the tar command below expects
wget -O expect5.45.tar.gz http://sourceforge.net/projects/expect/files/Expect/5.45/expect5.45.tar.gz/download
tar xzvf expect5.45.tar.gz

cd expect5.45
./configure --prefix=/usr/expect --with-tcl=/usr/tcl/lib --with-tclinclude=../tcl8.4.11/generic
make
make install

5.3 Implementation script

Assume the target host's IP is 192.168.100.101, the user is test and the password is 123

#!/bin/bash
# set -x traces every command, so the expanded password below is printed to the terminal
set -x

dst_ip=192.168.100.101
dst_user=test
dst_passwd=123

# Log in to the target host, run ssh-keygen there and answer each of its prompts
expect -c "set timeout 30;
        spawn ssh $dst_user@$dst_ip;
        expect {
            \"*(yes/no)?*\" { send \"yes\r\";exp_continue }
            \"*password:*\" { send \"$dst_passwd\r\" }
        }
        expect \"]*\";
        send \"ssh-keygen -t rsa\r\";
        expect \"*(/home/$dst_user/.ssh/id_rsa):*\";
        send \"\r\";
        expect {
            \"*(y/n)*\" { send \"y\r\";exp_continue }
            \"*(empty for no passphrase):*\" { send \"\r\" }
        }
        expect \"*passphrase again:*\";
        send \"\r\";
        expect eof
        ";


