1.环境准备
[root@CentOS 7 ~]# cat /etc/redhat-release
CentOS Linux release 7.2.1511 (Core)
[root@CentOS 7 ~]# uname -r
3.10.0-327.el7.x86_64
[root@CentOS 7 ~]# getenforce
Disabled
[root@CentOS 7 ~]# systemctl status firewalld.service
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
Active: inactive (dead)
[root@CentOS 7 ~]# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.0.0.201 netmask 255.255.255.0 broadcast 10.0.0.255
inet6 fe80::20c:29ff:fe40:1a4e prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:40:1a:4e txqueuelen 1000 (Ethernet)
RX packets 79743 bytes 65986287 (62.9 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 54690 bytes 70448334 (67.1 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.16.1.201 netmask 255.255.255.0 broadcast 172.16.1.255
inet6 fe80::20c:29ff:fe40:1a58 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:40:1a:58 txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
TX packets 10 bytes 744 (744.0 B)
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 0 (Local Loopback)
TX packets 0 bytes 0 (0.0 B)
2.查看SSH端口
[root@CentOS 7 ~]# netstat -lntup | grep sshd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1518/sshd
tcp6 0 0 :::22 :::* LISTEN 1518/sshd
3.密钥认证
3.1创建密钥对
[root@CentOS 7 ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): ----密钥对保存路径
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase): ----为密钥对创建密码
Enter same passphrase again: ----确认密码
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
7d:dc:8c:89:80:5d:79:97:6b:e4:2d:53:89:ba:d6:13 root@CentOS 7
The key's randomart image is:
+--[ RSA 2048]----+ ----密钥长度为2048位
| .. ...|
| o .. ..+..|
| . o ..+ + |
| o + E* .|
| S o B.+o |
| + o |
| . . |
| |
+-----------------+
3.2分发公钥
[root@CentOS 7 .ssh]# ssh-copy-id -i /root/.ssh/id_rsa.pub [email protected]
The authenticity of host '172.16.1.63 (172.16.1.63)' can't be established.
ECDSA key fingerprint is 0b:bf:14:a7:9e:87:69:5d:7c:a5:25:b9:65:22:35:08.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
[email protected]'s password: ----第一次分发公钥,需要输入密码
Number of key(s) added: 1
Now try logging into the machine, with: "ssh '[email protected]'"
and check to make sure that only the key(s) you wanted were added.
3.3测试
[root@CentOS 7 ~]# ssh 172.16.1.63
Last login: Fri Mar 30 17:11:08 2018 from 10.0.0.1
[root@gitlab ~]# ifconfig
inet 10.0.0.63 netmask 255.255.255.0 broadcast 10.0.0.255
inet6 fe80::20c:29ff:feae:fb74 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:ae:fb:74 txqueuelen 1000 (Ethernet)
RX packets 9568 bytes 2809779 (2.6 MiB)
TX packets 382 bytes 30216 (29.5 KiB)
inet 172.16.1.63 netmask 255.255.255.0 broadcast 172.16.1.255
inet6 fe80::20c:29ff:feae:fb7e prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:ae:fb:7e txqueuelen 1000 (Ethernet)
RX packets 87 bytes 18256 (17.8 KiB)
TX packets 88 bytes 21538 (21.0 KiB)
RX packets 66294 bytes 49504554 (47.2 MiB)
TX packets 66294 bytes 49504554 (47.2 MiB)
4.认证代理
4.1管理主机创建密钥对(以上步骤)
4.2分发公钥(以上步骤)
4.3管理主机启动认证代理
[root@CentOS 7 ~]# eval `ssh-agent -s`
Agent pid 2994
4.4管理主机向agent代理服务器注册本地服务器私钥信息
[root@CentOS 7 ~]# ssh-add
Identity added: /root/.ssh/id_rsa (/root/.ssh/id_rsa)
4.5管理主机将凭证信息通过远程登录方式给被代理主机(-A 会把本机 ssh-agent 转发到被代理主机,该主机上的 root 用户可以使用被转发的密钥,因此只对可信主机开启转发)
[root@CentOS 7 ~]# ssh -A 172.16.1.63
Last login: Fri Mar 30 20:03:21 2018 from 172.16.1.21
4.6测试
[root@gitlab ~]# ssh 172.16.1.21
Last login: Fri Mar 30 20:08:27 2018 from 172.16.1.63
5.自动创建密钥对,分发公钥(Shell脚本)
#!/bin/bash
##############################################################
# File Name: ssh_fenfa.sh
# Version: V7.4
# Author: feng yu
# Organization: http://blog.51cto.com/13520761
# Created Time : 2018-03-30 20:13:36
# Description:
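fil=/root/.ssh/id_rsa*
# Any existing key pair is discarded and a fresh one generated. Hosts that
# already trust the old public key stop accepting this machine until the new
# public key has been distributed again. $fil is deliberately left unquoted
# so the glob expands to id_rsa and id_rsa.pub.
# -gt is required here: a bare '>' inside [ ] is a redirection, not a comparison.
if [ "$(ls $fil 2>/dev/null | wc -l)" -gt 0 ]; then
  rm -f -- $fil
fi
# ssh-keygen does not create the parent directory when -f is given.
mkdir -p -m 700 /root/.ssh
# -P "" produces a key without a passphrase, so the private key is protected
# only by file permissions; generate it whether or not an old pair existed.
ssh-keygen -t rsa -f /root/.ssh/id_rsa -P "" > /dev/null 2>&1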
if [ $(rpm -qa sshpass|wc -l) -lt 1 ];then
yum install -y sshpass &>/dev/null
for ip in 21 63
do