首页 > 系统相关 >Linux密钥认证

Linux密钥认证

时间:2023-02-01 19:35:30浏览次数:55  
标签:172.16 rsa 认证 密钥 key Linux root id ssh

网站集群批量管理-秘钥认证

一、概述

管理更加轻松:两个节点,通过秘钥形式进行访问,不需要输入密码,单向

应用场景:

一些服务在使用前要求做秘钥认证

手动写批量管理脚本

名字:秘钥认证,免密码登录,双机互信

二、原理

image

秘钥对:

公钥:public key 一般以.pub结尾

私钥:private key 没有特殊的结尾

[root@m01 ~]# ll .ssh
total 12
-rw------- 1 root root 1679 Feb  1 10:11 id_rsa        #私钥
-rw-r--r-- 1 root root  390 Feb  1 10:11 id_rsa.pub    #公钥
-rw-r--r-- 1 root root  686 Feb  1 11:11 known_hosts   #存放连接时是否需要输入yes or no

三、极速上手指南

角色 主机名 内网ip 公网ip
管理机 m01 172.16.1.61 10.0.0.61
被管理机 nfs 172.16.1.31 10.0.0.31
被管理机 web01 172.16.1.7 10.0.0.7
被管理机 backup 172.16.1.41 10.0.0.41

1.基本检查

#检查管理机与被管理机是否联通
#ping 
[root@m01 ~]# ping 172.16.1.7
PING 172.16.1.7 (172.16.1.7) 56(84) bytes of data.
64 bytes from 172.16.1.7: icmp_seq=1 ttl=64 time=0.300 ms
64 bytes from 172.16.1.7: icmp_seq=2 ttl=64 time=0.184 ms
^C
--- 172.16.1.7 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 0.184/0.242/0.300/0.058 ms

#22端口,sshd服务开启或客户访问
[root@m01 ~]# nmap -p22 172.16.1.31 172.16.1.7 172.16.1.41

Starting Nmap 6.40 ( http://nmap.org ) at 2023-02-01 15:14 CST
Nmap scan report for nfs01 (172.16.1.31)
Host is up (0.00015s latency).
PORT   STATE SERVICE
22/tcp open  ssh
MAC Address: 00:0C:29:87:19:20 (VMware)

Nmap scan report for web01 (172.16.1.7)
Host is up (0.00020s latency).
PORT   STATE SERVICE
22/tcp open  ssh
MAC Address: 00:0C:29:2A:09:7D (VMware)

Nmap scan report for backup (172.16.1.41)
Host is up (0.00018s latency).
PORT   STATE SERVICE
22/tcp open  ssh
MAC Address: 00:0C:29:DB:3F:AB (VMware)

Nmap done: 3 IP addresses (3 hosts up) scanned in 0.66 seconds

2.创建秘钥对

[root@m01 ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:qBDXHAdOru29Wu3F7A/EphYrA+xc3HMOtgsJJltoAB0 root@m01
The key's randomart image is:
+---[RSA 2048]----+
|..E.  +..        |
| ..  * o         |
|  o . =          |
|   + = o . .     |
|  . = O S * =    |
|   o X = + #     |
|    o + B * *    |
|       . B + .   |
|      ... o ...  |
+----[SHA256]-----+

#注意创建的时候,可以不加t
#-t 指定加密的类型
#默认通过rsa方法对数据进行加密

3.分发公钥

[root@m01 ~]# ssh-copy-id -i .ssh/id_rsa.pub 172.16.1.41
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: ".ssh/id_rsa.pub"
The authenticity of host '172.16.1.41 (172.16.1.41)' can't be established.
ECDSA key fingerprint is SHA256:fVjvhVF2qU+PCOqsrVTrbxa/aNB4dzNmGRJTw1iIZ1s.
ECDSA key fingerprint is MD5:0f:00:32:1c:41:31:af:a2:f5:e8:64:40:2c:cf:98:98.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
[email protected]'s password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh '172.16.1.41'"
and check to make sure that only the key(s) you wanted were added.

4.连接测试

[root@m01 ~]# ssh 172.16.1.41 hostname
backup

温馨提示:

ssh-copy-id 公钥被存放在对方服务器的用户家目录下面

名字变为了:authorized_keys

[root@backup ~]# ll .ssh
total 8
-rw------- 1 root root 390 Feb  1 15:16 authorized_keys

如果管理机的秘钥重新生成,又重新发送,那么authorized_keys中的秘钥就会变成2个

[root@nfs ~]# cat .ssh/authorized_keys 
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEak/lEI0Aoy8MJhsYaALPAOCtmAV6l9YTZ/t9jJX+vMpC2EUuKzOuii0LwLgQ0ovqWAERJLaFpSlIHZg9jio7vLwsm8KiBtfiWVihG6NDkj8Y2LAUrNUbMFYHpO4z+jlJNbeo+0rJIAKsAoFPGMjYjmm2/oZZRz8YsHrpHsJpidXCW161v7Cn5tfJTOSEixeKoCbFKQBCcb36hHT9sqLFK9S2/PiPJZi4N8FiBcBxz4DIq9dIPgj6BCG99YqBIRtIg6dB1WdDsqKXrdDxDwmSYNWfxBKkII0DncxSM8cX8+YtAis5gRubxvsOGIpZ5LjKnpQgGWQUwNu0FaIe9AhT root@m01
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCvqqbNj++CGwQROG+1kKB6uxcK54le6Pz8K+SFoq5GKspmt2pjMupzsvM0okEMhJhMRH8e/tZlfMRNOa82mF3FkKhWCBAsK+YAY5oHUzEnS7M+7V6L6JSyi8No2RG/xxC51zWiJgExAFAXTrJCcmN8npeKyGwcBHaKpDtqb3sigm6mty05rQmjKd52BBjTbu19jen9D+FxhbJHHU00uBWq0b9XrpvTqN5mp1qbIreB/U5YZg1j4skEmqtG1WzjEe6Q/oxkQbBnubZ17C7kvTt9xSre6TnLaPPb2sFDCb/6V983wxCQrkuYjTcfRkgzPZtjN/xQk+lfmFiKTdZAU8dv root@m01

四、自动化创建与分发密钥

步骤:

  1. 创建秘钥对
  2. 分发公钥的时候:yes/no (yes后会把信息保存到.ssh/known_hosts)
  3. 分发公钥的时候:输入密码

1.自动化创建密钥

[root@m01 ~]# ssh-keygen -f ~/.ssh/id_rsa -P ''
Generating public/private rsa key pair.
Created directory '/root/.ssh'.
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:UebPlzDbK0NcyDAuNoDMR0aa5jUNcwx63bF5ftW/9R4 root@m01
The key's randomart image is:
+---[RSA 2048]----+
|   o +Oo. *      |
|    +=.B.* B .  .|
|    =.+ B * * . o|
|   o o o + * * o.|
|    .   S   B = o|
|           . o .+|
|            o .E.|
|             o ..|
|                .|
+----[SHA256]-----+

-f 用于指定私钥的位置
-P 密钥短语,设置为空。就是输完ssh-keygen,需要敲的两下回车

2.自动化分发公钥(解决yes/no问题)

第1次远程的提示 yes/no,主机密钥信息检查,输入yes后存放到~/.ssh/known_hosts

解决思路:临时取消即可,连接的时候不检查主机信息

-o StrictHostKeyChecking=no 临时不检查主机信息.

#不加-o参数时
[root@m01 ~]# ssh-copy-id -i .ssh/id_rsa.pub 10.0.0.31   
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: ".ssh/id_rsa.pub"
The authenticity of host '10.0.0.31 (10.0.0.31)' can't be established.
ECDSA key fingerprint is SHA256:fVjvhVF2qU+PCOqsrVTrbxa/aNB4dzNmGRJTw1iIZ1s.
ECDSA key fingerprint is MD5:0f:00:32:1c:41:31:af:a2:f5:e8:64:40:2c:cf:98:98.
Are you sure you want to continue connecting (yes/no)? ^C 
#加上-o参数时
[root@m01 ~]# ssh-copy-id -oStrictHostKeyChecking=no -i .ssh/id_rsa.pub 10.0.0.31
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: ".ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
[email protected]'s password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh -o 'StrictHostKeyChecking=no' '10.0.0.31'"
and check to make sure that only the key(s) you wanted were added.

3.自动化分发公钥(解决密码问题)

#安装sshpass
[root@m01 ~]# yum -y install sshpass

#基本使用
#-p指定密码
#需要回车输入密码
[root@m01 ~]# ssh 172.16.1.7 hostname
[email protected]'s password: 
web01
#使用sshpass不需要输入密码
[root@m01 ~]# sshpass -p1 ssh 172.16.1.7 hostname
web01

#使用sshpass 与ssh-copy-id分发公钥
[root@m01 ~]# sshpass -p1 ssh-copy-id 172.16.1.7
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh '172.16.1.7'"
and check to make sure that only the key(s) you wanted were added.
[root@m01 ~]# ssh 172.16.1.7 hostname
web01

温馨提示:

sshpass 与 ssh-copy-id 的时候,如果第一次连接的时候,提示yes/no,sshpass就失效了

解决方法:

[root@m01 ~]# sshpass -p1 ssh-copy-id -i ~/.ssh/id_rsa.pub -oStrictHostKeyChecking=no  10.0.0.41
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh -o 'StrictHostKeyChecking=no' '10.0.0.41'"
and check to make sure that only the key(s) you wanted were added.

补充:

sshpass 适用于ssh相关的命令提供密码:ssh,scp,ssh-copy-id

expect 是一门语言,用于实现非交互式判断,认证相关操作

五、自动化创建与分发脚本

#自动化分发脚本
#!/bin/bash
#author: wh 
#desc: 一键创建秘钥对 分发秘钥对 

#1.vars
pass=1
ips="172.16.1.7 172.16.1.31 172.16.1.41 172.16.1.8"
. /etc/init.d/functions

#2.创建秘钥对
if [ -f ~/.ssh/id_rsa ] ;then
   echo "已经创建过秘钥对"
else
   echo "正在创建秘钥对...."
   ssh-keygen -t rsa  -f  ~/.ssh/id_rsa   -P ''  &>/dev/null
   if [ $? -eq 0 ];then
       action "密钥创建成功" /bin/true
   else
       action "密钥创建失败" /bin/false
   fi
fi

#3.通过循环发送公钥
for ip  in  $ips 
do 
   sshpass -p${pass} ssh-copy-id -i ~/.ssh/id_rsa.pub -oStrictHostKeyChecking=no  $ip &>/dev/null
   if [ $? -eq 0 ];then
       action "$ip 公钥分发 成功" /bin/true
   else
       action "$ip 公钥分发 失败" /bin/false
   fi
done

[root@m01 ~]# sh fenfa.sh 
正在创建秘钥对....
密钥创建成功                                               [  OK  ]
172.16.1.7 公钥分发 成功                                   [  OK  ]
172.16.1.31 公钥分发 成功                                  [  OK  ]
172.16.1.41 公钥分发 成功                                  [  OK  ]
172.16.1.8 公钥分发 失败                                   [FAILED]

#自动化检查脚本
[root@m01 ~]# cat check.sh 
#!/bin/bash
# author: wh
# desc: 批量在所有机器上执行命令
for   ip  in  172.16.1.7 172.16.1.31 172.16.1.41 172.16.1.8
do
    ssh  $ip   hostname
done
[root@m01 ~]# sh check.sh 
web01
nfs
backup
ssh: connect to host 172.16.1.8 port 22: No route to host

标签:172.16,rsa,认证,密钥,key,Linux,root,id,ssh
From: https://www.cnblogs.com/world-of-yuan/p/17083939.html

相关文章

  • Linux实时同步
    实时同步一、概述背景:以前,通过rsync+定时任务实现对文件的定时备份/同步现在,对于NFS来说,需要进行实时同步选择:分布式存储使用实时同步服务+NFS选择公有云对象......
  • linux离线部署python项目
    离线部署直接在内网隔离的环境中。不能直接pipinstall或者apt-getinstall(Ubuntu、Debain)准备:与离线环境相同版本的服务器Python(web)项目依赖pipwheel强大的pip命......
  • linux 操作系统升级 Python 3
    #进入python官网下载对应版本,比如:Python-3.7.12[root@localhost~]#wget​​https://www.python.org/ftp/python/3.7.12/Python-3.7.12.tgz​​#安装依赖包[root@localh......
  • 盘点HTTP的四种认证方式
    HTTP/1.1使用的认证方式有下面四种。1、BASIC认证BASIC认证(基本认证)是从HTTP/1.0就定义的认证方式。即便是现在仍有一部分的网站会使用这种认证方式。是Web服务器与通信客户......
  • linux 安装 elasticsearch
    下载#注意下载版本cd/usr/local/srcwgethttps://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-5.4.0.tar.gz2、安装cd/usr/local/srctar-xvfelastics......
  • linux查看进程号、端口号、服务名互查信息
    1、已知程序名称查看进程号ps-ef|grep程序名称##或者ps-aux|grep程序名称pgrep-l程序名称......
  • 车载吸尘器欧盟亚马逊CE认证EN50498检测报告办理
    车载吸尘器的风机叶轮在电动机高速驱动下,将叶轮中的空气高速排出风机,同时使吸尘部分内空气不断地补充进风机。这样就与外界形成较高的压差。吸嘴的尘埃、脏物随空气被吸入吸......
  • linux 安装 RocketMQ
    参考: ​​https://blog.csdn.net/wsjzzcbq/article/details/125562966​​1、下载安装包后,将安装包上传到linux2、创建RocketMQ安装目录mkdir-p/usr/local/rocketmq3......
  • 亚马逊儿童文具书包CPC认证CPSIA检测
    新学期开始了,学习文具都准备好了吗?学生安全是大家关注的问题,尤其是与学生每日接触的学生用品的安全,更加重要。针对儿童学习文具,各国都有相应的检测标准。儿童文具分类:小学生......
  • 用Linux系统设置共享上网
    环境:一台Linux机器单网卡,一台window机器单网卡,一个四口集线器。背景:房东只提供了一条上网线,并且限定了只能用一个网卡上网(就是我的Linux机器的网卡)。目的:通过Linux共......