[authorized_keys] Key pairs and the sftp file interface


Background: at work, cross-host file transfers that run as scheduled jobs must run in the background with no interactive step, and the only way to remove the password prompt is a key pair.

Example: accessing 132.**.**.37 from 132.**.**.36

A key pair establishes trust between two hosts so that login needs no password, which removes the interactive step.

1. Go to the client's (132.**.**.36) home directory; the key configuration is kept in the .ssh directory under the user's home directory

webusr@iomtimer1:/home/webgrp >cd $HOME
webusr@iomtimer1:/home/webgrp >ls -al
-rw------- 1 webusr webusr 9448 May 22 11:11 .sh_history
drwx------ 2 webusr webusr 256 Nov 15 2017 .ssh
-rw------- 1 webusr webusr 1364 May 18 11:10 .vi_history

2. In the client's (132.**.**.36) .ssh directory, run ssh-keygen -t rsa to generate the public key id_rsa.pub. (If the file already exists, do not run it, just copy the existing key: running it regenerates the file contents and every pairing set up with the previous key stops working.)

webusr@iomtimer1:/home/webgrp/.ssh >cat id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDS1N/PlyKiSY0fRwyvcNc9lEGOCHNebyqOYk0tA2VU4tHLe1qzhmqAmGm++TWRSxQVu68LYyCCnFphIwKPf+lfpOMuNQ3ydJxzLPUI9nPqoRQB6vCY+l4GPXfTM0/KAJroI3eyD+YPjKaTRfUjGtFX4s5bAnJ5qSvod5bz/PvHZ0rVjQLsdu3bWohdGd0EsMK+jmnKIdHfmAi3Bf5f57dYBVD0ilBUWse9ie7rd7DdZEajRWTY16Hw4fYZxZORNi9DXNqOUl7cEE7FCiZOSea9kBxQ4F+WSbpaPHWtDqxwVzHAYFQEyCKXakLHmnjLDrIZp6hY2VxQQqxaPDN6DqR3 webusr@iomtimer1

3. Take id_rsa.pub from the client (132.**.**.36) and put it into $HOME/.ssh/authorized_keys on the server (132.**.**.37) (check with cat $HOME/.ssh/authorized_keys)

4. On the client (132.**.**.36), verify with sftp webusr@132.**.**.37 date; the first run asks for the password

webusr@iomtimer1:/home/webgrp/.ssh >sftp webusr@132.**.**.37 date
Connected to 132.77.255.37.
sftp>

5. Log in with sftp from the client (132.**.**.36)

webusr@iomtimer1:/home/webgrp/.ssh >sftp webusr@132.**.**.37
Connected to 132.**.**.37.
sftp>

6. On the first login from the client, after the password is entered, the client by default automatically generates a private key and stores it in the known_hosts file under $HOME/.ssh

efile92@iomitfdb2:/interface/electronic_files/data/.ssh >cat known_hosts
#132.77.74.109 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA1ox85RlwxHugD6gGRjEO4ztW0iDpNoaSnaO/dGD6zpWQ+H8ifhILrMI/qKvyqjGvM27nTXDzpr29tcZezvWCSe2FxxQ30kI+2TQtE9xtur4jv9KEThFMjHkfIdQ/Laqu3EVnTwSyttvKORaALTY5ROBJv2gczlsvdiyNCy8+I763yEV8jf81nk5dT1P/6kxMEyipk7iEzzvcSrTQqljk/J12it0bS5B7D+z3xxbiMlzHQ6bMFml8JxP/ehjvUSLuf30L/50QVOZ9nB1ybv+oRfR2gHIPIeVoC3cx/bGvHkBrSJK/pNPslB/cI5A8mcFJ1hYAb0jYXzgosZ5JdLc0cQ==
132.77.138.210 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMiWbsK16NfqppENSJ9Sk/Z8S7vPgZgPxvD7fvB35xlTfnt1rImemEUzbGIyDdNAnF8x/Y4vzf+wZ/TSqt/lvEs=
efile92@iomitfdb2:/interface/electronic_files/data/.ssh >

If this file already contains an entry for the host and the private or public key does not match, sftp login is impossible and fails with: Host key verification failed.
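The known_hosts check behind that error, as an added example that is not part of the original post: a small shell helper that looks up the key recorded for a host and reports ok, mismatch or unknown. It assumes plain (unhashed) host names, one key per line, and the sample entries are constructed.

```shell
#!/bin/sh
# Added example, not the post's code: look up a server in a known_hosts file
# and compare the recorded key with the key the server presents.  known_hosts
# holds the server's public host key; a changed entry is what triggers
# "Host key verification failed."  Assumptions: plain (unhashed) host names,
# one key per line, as in the post's transcript.  Sample data is constructed.

# known_host_key <known_hosts> <host>: prints the "type blob" recorded for host.
# Lines whose first field starts with '#' are comments (the post's first line
# is one); the host field may be a comma-separated list of names.
known_host_key() {
    awk -v host="$2" '
        $1 ~ /^#/ || NF < 3 { next }
        {
            n = split($1, names, ",")
            for (i = 1; i <= n; i++)
                if (names[i] == host) { print $2, $3; exit }
        }' "$1"
}

# check_host_key <known_hosts> <host> "<type> <blob>": prints ok | mismatch | unknown.
# "unknown" is the first-connection prompt; "mismatch" must be confirmed out of
# band (was the server rebuilt?) before the stale line is removed with
# ssh-keygen -R <host>, because it is also what a spoofed server looks like.
check_host_key() {
    recorded=$(known_host_key "$1" "$2")
    if [ -z "$recorded" ]; then echo unknown
    elif [ "$recorded" = "$3" ]; then echo ok
    else echo mismatch
    fi
}

# Constructed sample known_hosts; the blobs are placeholders, not real keys.
KH=$(mktemp)
cat > "$KH" <<'EOF'
#132.77.74.109 ssh-rsa AAAAB3Nza...commented-out-entry
132.77.138.210 ecdsa-sha2-nistp256 AAAAE2VjZHNh...sample210
132.77.255.37,iomitfdb2 ssh-rsa AAAAB3Nza...sample37
EOF

check_host_key "$KH" 132.77.255.37 "ssh-rsa AAAAB3Nza...sample37"   # ok
check_host_key "$KH" 132.77.255.37 "ssh-rsa AAAAB3Nza...changed"    # mismatch
check_host_key "$KH" 132.77.74.109 "ssh-rsa AAAAB3Nza...old"        # unknown: the line is commented out
```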

7. Notes

1) When a shell script uses password-less sftp, the script's permissions must not be 777, otherwise the login fails; 750 or 700 is recommended

2) The two hosts must have network connectivity

3) The client must have sftp access to the server

4) A host's key can be regenerated, but every generation produces a different key; after regeneration every pairing set up previously stops working and has to be configured again.

5) File transfer example: scp test.txt ftpcrm@132.77.134.14:/crmftp
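Steps 2 to 4 together with notes 1 and 4, as an added shell example that is not the post's code: an installer that appends the client's public key to the server's authorized_keys only once, replaces the stale line when the client has regenerated its key, and applies the permissions sshd requires. The key strings and the webusr@iomtimer1 comment are constructed placeholders.

```shell
#!/bin/sh
# Added example, not the post's code: put a client's public key into the
# server's authorized_keys the way a scheduled job needs it: no duplicate
# lines, a regenerated key (note 4 above) replacing its stale predecessor,
# and the permissions sshd insists on (700 on .ssh, 600 on authorized_keys).
# Assumptions: the key is one "type blob [comment]" line as id_rsa.pub holds
# it, with no option prefix, and the comment (ssh-keygen's default is
# user@host) identifies the client account.
set -e

# install_authorized_key <ssh-dir> "<type> <blob> [comment]"
# Prints: added | present | replaced-stale
install_authorized_key() {
    dir=$1; key=$2; file=$dir/authorized_keys
    type=${key%% *}; rest=${key#* }; blob=${rest%% *}
    comment=${rest#* }; [ "$comment" != "$rest" ] || comment=""
    case $type in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "refusing: '$type' is not a public key type" >&2; return 1 ;;
    esac
    umask 077                              # new files start owner-only
    mkdir -p "$dir"; chmod 700 "$dir"
    touch "$file"; chmod 600 "$file"
    # Exact type+blob already present: nothing to do.
    if awk -v t="$type" -v b="$blob" '$1==t && $2==b {f=1} END {exit !f}' "$file"; then
        echo present; return 0
    fi
    # Same comment, different blob: the client re-ran ssh-keygen, so the old
    # line can never authenticate again; replace it rather than leave it.
    if [ -n "$comment" ] && awk -v c="$comment" '$3==c {f=1} END {exit !f}' "$file"; then
        tmp=$(mktemp); awk -v c="$comment" '$3!=c' "$file" > "$tmp"
        echo "$key" >> "$tmp"; cat "$tmp" > "$file"; rm -f "$tmp"
        echo replaced-stale; return 0
    fi
    echo "$key" >> "$file"; echo added
}

# Demo in a throwaway directory with constructed placeholder keys.
H=$(mktemp -d)
install_authorized_key "$H/.ssh" "ssh-rsa AAAAB3Nza...key1 webusr@iomtimer1"   # added
install_authorized_key "$H/.ssh" "ssh-rsa AAAAB3Nza...key1 webusr@iomtimer1"   # present
install_authorized_key "$H/.ssh" "ssh-rsa AAAAB3Nza...key2 webusr@iomtimer1"   # replaced-stale
ls -ld "$H/.ssh" "$H/.ssh/authorized_keys"                                      # drwx------ and -rw-------
```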

8. Slow connection when the client accesses the server over sftp

1) Step one: the main cause of a slow connection is DNS resolution
Fix:
The most common cause is that the server's sshd looks up the hostname for the connecting client's IP in DNS; if DNS is unavailable or has no record for it, this wastes a lot of time.
1. On the server, add your own host's IP and hostname to /etc/hosts    ----- the common cause; here, changing the client's VIP address in that entry to its real address solved it.
2. On the ssh server, change /etc/ssh/sshd_config to contain the following:

UseDNS no
# GSSAPI options
GSSAPIAuthentication no

The GSSAPIAuthentication option is for Kerberos authentication, which the vast majority of people will never use, so make sure it is turned off.
Then run /etc/init.d/sshd restart to restart the sshd process so the settings take effect; after that connections are usually no longer slow.
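The sshd_config change above, as an added shell example that is not the post's code. It reports which value sshd will actually use for UseDNS and GSSAPIAuthentication and rewrites the options in place; the sample configuration is constructed.

```shell
#!/bin/sh
# Added example, not the post's code: check and set the two sshd_config
# options above, honouring a rule that bites when lines are just appended:
# sshd uses the FIRST value it finds for a keyword (sshd_config(5)), so a
# "UseDNS no" added at the end does nothing if "UseDNS yes" appears earlier.
# Keywords are case-insensitive and '#' starts a comment.
# Assumption: a flat file with no Match blocks or Include directives.
set -e

# sshd_effective <config> <keyword>: prints the value sshd will use, or nothing.
sshd_effective() {
    awk -v kw="$(printf %s "$2" | tr 'A-Z' 'a-z')" '
        { sub(/#.*/, "") }                                # drop comments
        NF >= 2 && tolower($1) == kw { print $2; exit }   # first hit wins
    ' "$1"
}

# sshd_set <config> <keyword> <value>: rewrite every occurrence (so nothing
# earlier can override it) or append the line if the keyword is absent.
sshd_set() {
    tmp=$(mktemp)
    awk -v kw="$(printf %s "$2" | tr 'A-Z' 'a-z')" -v orig="$2" -v val="$3" '
        { line = $0; sub(/#.*/, "") }
        NF >= 2 && tolower($1) == kw { print orig " " val; seen = 1; next }
        { print line }
        END { if (!seen) print orig " " val }
    ' "$1" > "$tmp"
    cat "$tmp" > "$1"; rm -f "$tmp"
}

# sshd_slow_login_check <config>: returns 0 only when both options are "no".
# On a real host follow with "sshd -t" to validate, then restart sshd.
sshd_slow_login_check() {
    rc=0
    for kw in UseDNS GSSAPIAuthentication; do
        v=$(sshd_effective "$1" "$kw")
        case $(printf %s "$v" | tr 'A-Z' 'a-z') in
            no) echo "$kw no: ok" ;;
            *)  echo "$kw ${v:-unset}: should be no"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample: the appended "UseDNS no" is silently ignored by sshd.
CFG=$(mktemp)
printf '%s\n' 'Port 22' 'UseDNS yes   # set years ago' '# GSSAPI options' \
    'GSSAPIAuthentication yes' 'UseDNS no' > "$CFG"
sshd_slow_login_check "$CFG" || true          # UseDNS yes: should be no, ...
sshd_set "$CFG" UseDNS no; sshd_set "$CFG" GSSAPIAuthentication no
sshd_slow_login_check "$CFG"                  # both ok
```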

2) Step two:

If it is still slow, check that the hostname mapped to 127.0.0.1 in /etc/hosts on the ssh server matches the output of uname -n, or add the local IP and hostname (the uname -n result) to /etc/hosts.

3) Step three:

Use the debugging output of ssh -v to find the cause of the slowness
The command below shows the details of why it is slow (learning this approach matters).
[root@localhost ~]# ssh -v root@192.168.2.15
OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to 192.168.2.15 [192.168.2.15] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
debug1: match: OpenSSH_4.3 pat OpenSSH_4*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
The authenticity of host '192.168.2.15 (192.168.2.15)' can't be established.
RSA key fingerprint is ca:18:42:76:0e:5a:1c:7d:ef:fc:24:75:80:11:ad:f9.
Are you sure you want to continue connecting (yes/no)? yes
=======> this is the interactive prompt asking to save the host key.
Warning: Permanently added '192.168.2.15' (RSA) to the list of known hosts.
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/identity
debug1: Trying private key: /root/.ssh/id_rsa
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Next authentication method: password
root@192.168.2.15's password:
=======> this is the interactive prompt asking for the password.
debug1: Authentication succeeded (password).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
Last login: Tue Sep 24 10:30:02 2013 from 192.168.2.13

When a remote connection is slow, this shows exactly where it hangs.
[root@localhost ~]# ssh -v oldboy@192.168.2.18
OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to 192.168.2.18 [192.168.2.18] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_dsa type 2
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '192.168.2.18' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:2
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic

Without the configuration above it was found to hang at the gssapi step, which points to gssapi as the problem. This is in fact something that should be tuned for the SSH service as part of Linux system optimization.
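The ssh -v approach above, as an added shell example that is not the post's code: a helper that stamps each debug line with the seconds elapsed since the previous one, so the step that stalled shows up without reading the whole transcript. The replayed lines are constructed from the transcript above.

```shell
#!/bin/sh
# Added example, not the post's code: "ssh -v" shows which step was reached
# but not how long each step took.  This helper stamps every line of the
# debug output with the seconds elapsed since the previous line and marks the
# lines that followed a stall; the line just before a [SLOW] mark is the step
# (DNS lookup, gssapi, key exchange ...) that hung.
# Assumption: date(1) accepts +%s (GNU, BSD and busybox do); 1 s resolution.

# stamp_delays <threshold-seconds>: reads lines on stdin, writes "+Ns [SLOW] line".
stamp_delays() {
    thr=${1:-2}; prev=$(date +%s)
    while IFS= read -r line; do
        now=$(date +%s); d=$((now - prev)); prev=$now
        if [ "$d" -ge "$thr" ]; then echo "+${d}s [SLOW] $line"
        else echo "+${d}s $line"; fi
    done
}

# slow_phases <threshold-seconds>: keeps only the lines that followed a stall.
slow_phases() { stamp_delays "$1" | grep '\[SLOW\]' || true; }

# Real use (the debug output goes to stderr):
#   ssh -v webusr@132.**.**.37 2>&1 | stamp_delays 2
# If the stall sits on the gssapi line, the client-side counterpart of the
# server fix above is: ssh -o GSSAPIAuthentication=no webusr@132.**.**.37
# Constructed demo: replay two lines from the post with a 3 s stall between.
{
    echo "debug1: Next authentication method: gssapi-with-mic"
    sleep 3
    echo "debug1: Next authentication method: publickey"
} | stamp_delays 2
```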
