网站集群批量管理-秘钥认证

一、概述

管理更加轻松:两个节点,通过秘钥形式进行访问,不需要输入密码,单向

应用场景:

一些服务在使用前要求做秘钥认证

手动写批量管理脚本

名字:秘钥认证,免密码登录,双机互信

二、原理

秘钥对:

公钥:public key 一般以.pub结尾

私钥:private key 没有特殊的结尾

[root@m01 ~]# ll .ssh

total 12

-rw------- 1 root root 1679 Feb  1 10:11 id_rsa        #私钥

-rw-r--r-- 1 root root  390 Feb  1 10:11 id_rsa.pub    #公钥

-rw-r--r-- 1 root root  686 Feb  1 11:11 known_hosts   #存放连接时是否需要输入yes or no

三、极速上手指南

角色 主机名 内网ip 公网ip
管理机 m01 172.16.1.61 10.0.0.61
被管理机 nfs 172.16.1.31 10.0.0.31
被管理机 web01 172.16.1.7 10.0.0.7
被管理机 backup 172.16.1.41 10.0.0.41

1.基本检查

#检查管理机与被管理机是否联通

#ping

[root@m01 ~]# ping 172.16.1.7

PING 172.16.1.7 (172.16.1.7) 56(84) bytes of data.

64 bytes from 172.16.1.7: icmp_seq=1 ttl=64 time=0.300 ms

64 bytes from 172.16.1.7: icmp_seq=2 ttl=64 time=0.184 ms

^C

--- 172.16.1.7 ping statistics ---

2 packets transmitted, 2 received, 0% packet loss, time 1000ms

rtt min/avg/max/mdev = 0.184/0.242/0.300/0.058 ms

#22端口,sshd服务开启或客户访问

[root@m01 ~]# nmap -p22 172.16.1.31 172.16.1.7 172.16.1.41

Starting Nmap 6.40 ( http://nmap.org ) at 2023-02-01 15:14 CST

Nmap scan report for nfs01 (172.16.1.31)

Host is up (0.00015s latency).

PORT   STATE SERVICE

22/tcp open  ssh

MAC Address: 00:0C:29:87:19:20 (VMware)

Nmap scan report for web01 (172.16.1.7)

Host is up (0.00020s latency).

PORT   STATE SERVICE

22/tcp open  ssh

MAC Address: 00:0C:29:2A:09:7D (VMware)

Nmap scan report for backup (172.16.1.41)

Host is up (0.00018s latency).

PORT   STATE SERVICE

22/tcp open  ssh

MAC Address: 00:0C:29:DB:3F:AB (VMware)

Nmap done: 3 IP addresses (3 hosts up) scanned in 0.66 seconds

2.创建秘钥对

[root@m01 ~]# ssh-keygen -t rsa

Generating public/private rsa key pair.

Enter file in which to save the key (/root/.ssh/id_rsa):

Created directory '/root/.ssh'.

Enter passphrase (empty for no passphrase):

Enter same passphrase again:

Your identification has been saved in /root/.ssh/id_rsa.

Your public key has been saved in /root/.ssh/id_rsa.pub.

The key fingerprint is:

SHA256:qBDXHAdOru29Wu3F7A/EphYrA+xc3HMOtgsJJltoAB0 root@m01

The key's randomart image is:

+---[RSA 2048]----+

|..E.  +..        |

| ..  * o         |

|  o . =          |

|   + = o . .     |

|  . = O S * =    |

|   o X = + #     |

|    o + B * *    |

|       . B + .   |

|      ... o ...  |

+----[SHA256]-----+

#注意创建的时候,可以不加t

#-t 指定加密的类型

#默认通过rsa方法对数据进行加密

3.分发公钥

[root@m01 ~]# ssh-copy-id -i .ssh/id_rsa.pub 172.16.1.41

/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: ".ssh/id_rsa.pub"

The authenticity of host '172.16.1.41 (172.16.1.41)' can't be established.

ECDSA key fingerprint is SHA256:fVjvhVF2qU+PCOqsrVTrbxa/aNB4dzNmGRJTw1iIZ1s.

ECDSA key fingerprint is MD5:0f:00:32:1c:41:31:af:a2:f5:e8:64:40:2c:cf:98:98.

Are you sure you want to continue connecting (yes/no)? yes

/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed

/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys

root@172.16.1.41's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh '172.16.1.41'"

and check to make sure that only the key(s) you wanted were added.

4.连接测试

[root@m01 ~]# ssh 172.16.1.41 hostname

backup

温馨提示:

ssh-copy-id 公钥被存放在对方服务器的用户家目录下面

名字变为了:authorized_keys

[root@backup ~]# ll .ssh

total 8

-rw------- 1 root root 390 Feb  1 15:16 authorized_keys

如果管理机的秘钥重新生成,又重新发送,那么authorized_keys中的秘钥就会变成2个

[root@nfs ~]# cat .ssh/authorized_keys

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEak/lEI0Aoy8MJhsYaALPAOCtmAV6l9YTZ/t9jJX+vMpC2EUuKzOuii0LwLgQ0ovqWAERJLaFpSlIHZg9jio7vLwsm8KiBtfiWVihG6NDkj8Y2LAUrNUbMFYHpO4z+jlJNbeo+0rJIAKsAoFPGMjYjmm2/oZZRz8YsHrpHsJpidXCW161v7Cn5tfJTOSEixeKoCbFKQBCcb36hHT9sqLFK9S2/PiPJZi4N8FiBcBxz4DIq9dIPgj6BCG99YqBIRtIg6dB1WdDsqKXrdDxDwmSYNWfxBKkII0DncxSM8cX8+YtAis5gRubxvsOGIpZ5LjKnpQgGWQUwNu0FaIe9AhT root@m01

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCvqqbNj++CGwQROG+1kKB6uxcK54le6Pz8K+SFoq5GKspmt2pjMupzsvM0okEMhJhMRH8e/tZlfMRNOa82mF3FkKhWCBAsK+YAY5oHUzEnS7M+7V6L6JSyi8No2RG/xxC51zWiJgExAFAXTrJCcmN8npeKyGwcBHaKpDtqb3sigm6mty05rQmjKd52BBjTbu19jen9D+FxhbJHHU00uBWq0b9XrpvTqN5mp1qbIreB/U5YZg1j4skEmqtG1WzjEe6Q/oxkQbBnubZ17C7kvTt9xSre6TnLaPPb2sFDCb/6V983wxCQrkuYjTcfRkgzPZtjN/xQk+lfmFiKTdZAU8dv root@m01

四、自动化创建与分发密钥

步骤:

  1. 创建秘钥对
  2. 分发公钥的时候:yes/no (yes后会把信息保存到.ssh/known_hosts)
  3. 分发公钥的时候:输入密码

1.自动化创建密钥

[root@m01 ~]# ssh-keygen -f ~/.ssh/id_rsa -P ''

Generating public/private rsa key pair.

Created directory '/root/.ssh'.

Your identification has been saved in /root/.ssh/id_rsa.

Your public key has been saved in /root/.ssh/id_rsa.pub.

The key fingerprint is:

SHA256:UebPlzDbK0NcyDAuNoDMR0aa5jUNcwx63bF5ftW/9R4 root@m01

The key's randomart image is:

+---[RSA 2048]----+

|   o +Oo. *      |

|    +=.B.* B .  .|

|    =.+ B * * . o|

|   o o o + * * o.|

|    .   S   B = o|

|           . o .+|

|            o .E.|

|             o ..|

|                .|

+----[SHA256]-----+

-f 用于指定私钥的位置

-P 密钥短语,设置为空。就是输完ssh-keygen,需要敲的两下回车

2.自动化分发公钥(解决yes/no问题)

第1次远程的提示 yes/no,主机密钥信息检查,输入yes后存放到~/.ssh/known_hosts

解决思路:临时取消即可,连接的时候不检查主机信息

-o StrictHostKeyChecking=no 临时不检查主机信息.

#不加-o参数时

[root@m01 ~]# ssh-copy-id -i .ssh/id_rsa.pub 10.0.0.31

/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: ".ssh/id_rsa.pub"

The authenticity of host '10.0.0.31 (10.0.0.31)' can't be established.

ECDSA key fingerprint is SHA256:fVjvhVF2qU+PCOqsrVTrbxa/aNB4dzNmGRJTw1iIZ1s.

ECDSA key fingerprint is MD5:0f:00:32:1c:41:31:af:a2:f5:e8:64:40:2c:cf:98:98.

Are you sure you want to continue connecting (yes/no)? ^C

#加上-o参数时

[root@m01 ~]# ssh-copy-id -oStrictHostKeyChecking=no -i .ssh/id_rsa.pub 10.0.0.31

/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: ".ssh/id_rsa.pub"

/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed

/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys

root@10.0.0.31's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh -o 'StrictHostKeyChecking=no' '10.0.0.31'"

and check to make sure that only the key(s) you wanted were added.

3.自动化分发公钥(解决密码问题)

#安装sshpass

[root@m01 ~]# yum -y install sshpass

#基本使用

#-p指定密码

#需要回车输入密码

[root@m01 ~]# ssh 172.16.1.7 hostname

root@172.16.1.7's password:

web01

#使用sshpass不需要输入密码

[root@m01 ~]# sshpass -p1 ssh 172.16.1.7 hostname

web01

#使用sshpass 与ssh-copy-id分发公钥

[root@m01 ~]# sshpass -p1 ssh-copy-id 172.16.1.7

/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"

/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed

/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh '172.16.1.7'"

and check to make sure that only the key(s) you wanted were added.

[root@m01 ~]# ssh 172.16.1.7 hostname

web01

温馨提示:

sshpass 与 ssh-copy-id 的时候,如果第一次连接的时候,提示yes/no,sshpass就失效了

解决方法:

[root@m01 ~]# sshpass -p1 ssh-copy-id -i ~/.ssh/id_rsa.pub -oStrictHostKeyChecking=no  10.0.0.41

/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"

/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed

/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh -o 'StrictHostKeyChecking=no' '10.0.0.41'"

and check to make sure that only the key(s) you wanted were added.

补充:

sshpass 适用于ssh相关的命令提供密码:ssh,scp,ssh-copy-id

expect 是一门语言,用于实现非交互式判断,认证相关操作

五、自动化创建与分发脚本

#自动化分发脚本

#!/bin/bash

#author: wh

#desc: 一键创建秘钥对 分发秘钥对 

#1.vars

pass=1

ips="172.16.1.7 172.16.1.31 172.16.1.41 172.16.1.8"

. /etc/init.d/functions

#2.创建秘钥对

if [ -f ~/.ssh/id_rsa ] ;then

   echo "已经创建过秘钥对"

else

   echo "正在创建秘钥对...."

   ssh-keygen -t rsa  -f  ~/.ssh/id_rsa   -P ''  &>/dev/null

   if [ $? -eq 0 ];then

       action "密钥创建成功" /bin/true

   else

       action "密钥创建失败" /bin/false

   fi

fi

#3.通过循环发送公钥

for ip  in  $ips

do

   sshpass -p${pass} ssh-copy-id -i ~/.ssh/id_rsa.pub -oStrictHostKeyChecking=no  $ip &>/dev/null

   if [ $? -eq 0 ];then

       action "$ip 公钥分发 成功" /bin/true

   else

       action "$ip 公钥分发 失败" /bin/false

   fi

done

[root@m01 ~]# sh fenfa.sh

正在创建秘钥对....

密钥创建成功                                               [  OK  ]

172.16.1.7 公钥分发 成功                                   [  OK  ]

172.16.1.31 公钥分发 成功                                  [  OK  ]

172.16.1.41 公钥分发 成功                                  [  OK  ]

172.16.1.8 公钥分发 失败                                   [FAILED]

#自动化检查脚本

[root@m01 ~]# cat check.sh

#!/bin/bash

# author: wh

# desc: 批量在所有机器上执行命令

for   ip  in  172.16.1.7 172.16.1.31 172.16.1.41 172.16.1.8

do

    ssh  $ip   hostname

done

[root@m01 ~]# sh check.sh

web01

nfs

backup

ssh: connect to host 172.16.1.8 port 22: No route to host

Linux密钥认证的更多相关文章

  1. Linux密钥认证错误解决

    问题描述: Xshell用key认证登录,提示所选的用户密钥未在远程主机上注册 问题解决: 查看日志/var/log/secure,基本上都是用户根目录的权限问题 根据日志提示: Authentica ...

  2. 使用XShell工具密钥认证登录Linux系统

    如果你是一名Linux运维,那么Linux服务器的系统安全问题,可能是你要考虑的,而系统登录方式有两种,密码和密钥.哪一种更加安全呢? 无疑是后者! 这里我为大家分享用Xshell利器使用密钥的方式登 ...

  3. Linux之SSH密钥认证

    1.SSH协议的认识 SSH 为 Secure Shell 的缩写,由 IETF 的网络小组(Network Working Group)所制定:SSH 为建立在应用层基础上的安全协议.SSH 是目前 ...

  4. 使用密钥认证机制远程登录Linux

    密钥认证机制 创建存放key的文件 1)创建目录 /root/.ssh 并设置权限 [root@localhost ~]# mkdir /root/.ssh mkdir 命令用来创建目录,以后会详细介 ...

  5. Linux学习总结(三)之 putty,xshell远程连接及密钥认证篇

     一:putty 下载 1:认准两个地方 a. Download putty b. chiark greenend 2:下载32位的zip包,这是一个工具包合集,不单是一个终端工具 二:putty设置 ...

  6. 如何在 Linux 中配置基于密钥认证的 SSH

    什么是基于 SSH 密钥的认证? 众所周知,Secure Shell,又称 SSH,是允许你通过无安全网络(例如 Internet)和远程系统之间安全访问/通信的加密网络协议.无论何时使用 SSH 在 ...

  7. putty,xshell以及密钥认证:linux学习第二篇

    1.    Putty下载 官网:https://www.chiark.greenend.org 下载putty的zip包 2.    Putty使用 2000为可查看的文件行数,建议设置为2000 ...

  8. Linux之sshkey密钥认证实战

    在实际的生产环境中,经常会用到sshkey密钥认证实行数据分发数据等操作,还可以批量操作内网服务器,实行免密认证进行推送分发数据. 1.环境查看 分发服务器 节点服务器 2.服务器添加系统账号 3.生 ...

  9. 安全终端模拟工具Xshell 5使用密钥认证登录配置详细教程

    ▲版权声明:本文为博主原创文章,未经博主允许不得转载. Xshell支持SSH1 / SSH2协议,密码和DSA / RSA公钥用户认证方式等各种安全功能,并对各种加密算法进行加密.使用内置的Xshe ...

  10. 使用Putty和Xshell远程登录之密钥认证

    本次实验主要使用目前使用最多的Putty和Xshell工具进行实验 关于SSH密钥认证原理,请参考链接:http://www.cnblogs.com/ImJerryChan/p/6661815.htm ...

随机推荐

  1. Codeforces Round #802 (Div. 2)C. Helping the Nature(差分)

    题目链接 题目大意: 给你一个有n个元素的数组a,你可以通过一下三种操作使数组的每一个值都为0: 选择一个下标i,然后让a[1],a[2]....a[ i ] 都减一; 选择一个下标i,然后让a[i] ...

  2. 关于图计算&图学习的基础知识概览:前置知识点学习(Paddle Graph Learning (PGL))

    关于图计算&图学习的基础知识概览:前置知识点学习(Paddle Graph Learning (PGL)) 欢迎fork本项目原始链接:关于图计算&图学习的基础知识概览:前置知识点学习 ...

  3. vulnhub靶场之DRIPPING BLUES: 1

    准备: 攻击机:虚拟机kali.本机win10. 靶机:DRIPPING BLUES: 1,网段地址我这里设置的桥接,所以与本机电脑在同一网段,下载地址:https://download.vulnhu ...

  4. java学习之spring基础

    0x00前言 spring框架应用的是ioc模式,ioc模式是指控制反转模式,本质是你不去创建对象让spring框架给你创建对象你去使用对象.多种开发模式通过配置文件和注解的方式去开发的都很值得去学习 ...

  5. 嵌入式-C语言基础:理解形参和实参的区别

    #include<stdio.h> //实参:函数原型中声明函数后面带的参数 int test(int x)//函数原型 { //函数体 printf("test里面的x地址=% ...

  6. nacos集群搭建和反向代理

    搭建环境 安装ngin https://www.linuxprobe.com/linux-install-nginx.html 配置jdk1.8 https://blog.csdn.net/qq_42 ...

  7. 安卓APP和小程序渗透测试技巧总结

    安卓APP和小程序渗透测试技巧总结 免责声明: 安卓7以上抓取https流量包 证书信任 首先安装OpenSSL,此步骤不再赘述,可以参考百度. 然后安装模拟器(我使用的是夜神模拟器). 导出需要的证 ...

  8. 单例模式实现的多种方式、pickle序列化模块、选课系统需求分析等

    目录 单例模式实现的多种方式 方式一: 方式二: 方式三 方式四 pickle序列化模块 选课系统需求分析 功能提炼 选课系统架构设计 三层架构 选课系统目录搭建 选课系统功能搭建 单例模式实现的多种 ...

  9. Windows及eclipse常用快捷键-小彤在努力

    Windows快捷键 Ctrl+A:全选 Ctrl+S:保存 Ctrl+Z:撤回 Ctrl+X:剪切 Ctrl+C:复制 Ctrl+V:粘贴 Ctrl+F:查找 Windows+E:打开我的电脑 Al ...

  10. 【PostgreSQL】PG通过SQL语句读取二进制bytea类型并进行二进制和十六进制转换

    1.将二进制编码为十六进制 select encode("AUUID_0",'hex'),"AUUID_0" from wxf_test."ABANK ...