
SSH Key Distribution

1. Environment preparation

[root@CentOS 7 ~]# cat /etc/redhat-release 

CentOS Linux release 7.2.1511 (Core) 

[root@CentOS 7 ~]# uname -r

3.10.0-327.el7.x86_64

[root@CentOS 7 ~]# getenforce 

Disabled

[root@CentOS 7 ~]# systemctl status firewalld.service 

● firewalld.service - firewalld - dynamic firewall daemon

   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)

   Active: inactive (dead)

[root@CentOS 7 ~]# ifconfig

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500

        inet 10.0.0.201  netmask 255.255.255.0  broadcast 10.0.0.255

        inet6 fe80::20c:29ff:fe40:1a4e  prefixlen 64  scopeid 0x20<link>

        ether 00:0c:29:40:1a:4e  txqueuelen 1000  (Ethernet)

        RX packets 79743  bytes 65986287 (62.9 MiB)

        RX errors 0  dropped 0  overruns 0  frame 0

        TX packets 54690  bytes 70448334 (67.1 MiB)

        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500

        inet 172.16.1.201  netmask 255.255.255.0  broadcast 172.16.1.255

        inet6 fe80::20c:29ff:fe40:1a58  prefixlen 64  scopeid 0x20<link>

        ether 00:0c:29:40:1a:58  txqueuelen 1000  (Ethernet)

        RX packets 0  bytes 0 (0.0 B)

        TX packets 10  bytes 744 (744.0 B)

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536

        inet 127.0.0.1  netmask 255.0.0.0

        inet6 ::1  prefixlen 128  scopeid 0x10<host>

        loop  txqueuelen 0  (Local Loopback)

        TX packets 0  bytes 0 (0.0 B)

2. Check the SSH listening port

[root@CentOS 7 ~]# netstat -lntup | grep sshd

tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1518/sshd

tcp6       0      0 :::22                   :::*                    LISTEN      1518/sshd

3. Key-based authentication

3.1 Create a key pair

[root@CentOS 7 ~]# ssh-keygen -t rsa

Generating public/private rsa key pair.

Enter file in which to save the key (/root/.ssh/id_rsa):           ---- path where the key pair is saved

Created directory '/root/.ssh'. 

Enter passphrase (empty for no passphrase):          ---- set a passphrase for the key pair

Enter same passphrase again:                                 ---- confirm the passphrase

Your identification has been saved in /root/.ssh/id_rsa.

Your public key has been saved in /root/.ssh/id_rsa.pub.

The key fingerprint is:

7d:dc:8c:89:80:5d:79:97:6b:e4:2d:53:89:ba:d6:13 root@CentOS 7

The key's randomart image is:

+--[ RSA 2048]----+                          ---- key length is 2048 bits

|          ..  ...|

|       o .. ..+..|

|      . o  ..+ + |

|         o + E* .|

|        S o B.+o |

|           + o   |

|          .   .  |

|                 |

+-----------------+

3.2 Distribute the public key

[root@CentOS 7 .ssh]# ssh-copy-id -i /root/.ssh/id_rsa.pub root@172.16.1.63

The authenticity of host '172.16.1.63 (172.16.1.63)' can't be established.

ECDSA key fingerprint is 0b:bf:14:a7:9e:87:69:5d:7c:a5:25:b9:65:22:35:08.

Are you sure you want to continue connecting (yes/no)? yes                 

/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed

/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys

root@172.16.1.63's password:             ---- the first time the public key is distributed, the password has to be entered

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'root@172.16.1.63'"

and check to make sure that only the key(s) you wanted were added.

3.3 Test

[root@CentOS 7 ~]# ssh 172.16.1.63

Last login: Fri Mar 30 17:11:08 2018 from 10.0.0.1

[root@gitlab ~]# ifconfig

        inet 10.0.0.63  netmask 255.255.255.0  broadcast 10.0.0.255

        inet6 fe80::20c:29ff:feae:fb74  prefixlen 64  scopeid 0x20<link>

        ether 00:0c:29:ae:fb:74  txqueuelen 1000  (Ethernet)

        RX packets 9568  bytes 2809779 (2.6 MiB)

        TX packets 382  bytes 30216 (29.5 KiB)

        inet 172.16.1.63  netmask 255.255.255.0  broadcast 172.16.1.255

        inet6 fe80::20c:29ff:feae:fb7e  prefixlen 64  scopeid 0x20<link>

        ether 00:0c:29:ae:fb:7e  txqueuelen 1000  (Ethernet)

        RX packets 87  bytes 18256 (17.8 KiB)

        TX packets 88  bytes 21538 (21.0 KiB)

        RX packets 66294  bytes 49504554 (47.2 MiB)

        TX packets 66294  bytes 49504554 (47.2 MiB)

4. Authentication agent (agent forwarding)

4.1 Create a key pair on the management host (steps above)

4.2 Distribute the public key (steps above)

4.3 Start the authentication agent on the management host

[root@CentOS 7 ~]# eval `ssh-agent -s`

Agent pid 2994

4.4 The management host registers its local private key with the agent

[root@CentOS 7 ~]# ssh-add

Identity added: /root/.ssh/id_rsa (/root/.ssh/id_rsa)

4.5 The management host forwards its agent credentials to the proxied host through the remote login (ssh -A)

[root@CentOS 7 ~]# ssh -A 172.16.1.63

Last login: Fri Mar 30 20:03:21 2018 from 172.16.1.21

4.6 Test

[root@gitlab ~]# ssh 172.16.1.21

Last login: Fri Mar 30 20:08:27 2018 from 172.16.1.63

5. Automatically create the key pair and distribute the public key (shell script)

#!/bin/bash
##############################################################
# File Name: ssh_fenfa.sh
# Version: V7.4
# Author: feng yu
# Organization: http://blog.51cto.com/13520761
# Created Time : 2018-03-30 20:13:36
# Description: generate a key pair and distribute the public key
##############################################################

fil=/root/.ssh/id_rsa*

# Remove an existing key pair if there is one. Inside [ ], ">" is a
# redirection, so the numeric comparison must use -gt.
if [ "$(ls $fil 2>/dev/null | wc -l)" -gt 0 ]; then
    rm -rf $fil
fi
# Generate a new pair without a passphrase (the command is ssh-keygen,
# not ssh-keygent), whether or not an old pair was present.
ssh-keygen -t rsa -f /root/.ssh/id_rsa -P "" >/dev/null 2>&1

# Install sshpass if it is not already present; the if needs a closing fi.
if [ "$(rpm -qa sshpass | wc -l)" -lt 1 ]; then
    yum install -y sshpass &>/dev/null
fi

for ip in 21 63
do
    :   # the loop body is cut off on the original page
done
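The remote-side work that ssh-copy-id performs in section 3.2 (creating .ssh, appending the key, and skipping keys that are already installed), written as shell functions so it can be run offline; this is an added example and not the author's ssh_fenfa.sh from section 5, whose truncated loop would do the same distribution through sshpass. It assumes the target home directory is passed as the first argument so the functions can be exercised against a temporary directory, and the key line shown is constructed, not a real key.

```shell
#!/bin/sh
# Added example (not from the original post). Assumption: $1 is the target
# account's home directory, $2 the public-key line to install.

# 0 if the exact public-key line is already in authorized_keys, else 1.
pubkey_installed() {
    auth_file="$1/.ssh/authorized_keys"
    [ -f "$auth_file" ] && grep -qxF "$2" "$auth_file"
}

# Append the key once. .ssh must be 700 and authorized_keys 600; otherwise
# sshd (StrictModes yes, the default) ignores the file and key login fails.
install_pubkey() {
    ssh_dir="$1/.ssh"
    auth_file="$ssh_dir/authorized_keys"
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth_file"
    chmod 600 "$auth_file"
    if pubkey_installed "$1" "$2"; then
        return 0            # already present: nothing to add
    fi
    printf '%s\n' "$2" >> "$auth_file"
}

# Number of active key lines (blank lines and comments are not keys).
count_keys() {
    auth_file="$1/.ssh/authorized_keys"
    [ -f "$auth_file" ] || { echo 0; return 0; }
    grep -cvE '^(#|$)' "$auth_file" || true
}

# Permission string of the .ssh directory: drwx------ when correct.
ssh_dir_mode() {
    ls -ld "$1/.ssh" | cut -c1-10
}

# Demo against a throwaway directory with a constructed (not real) key line.
demo_home=$(mktemp -d)
demo_key="ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDconstructedExampleKey root@CentOS7"
install_pubkey "$demo_home" "$demo_key"
install_pubkey "$demo_home" "$demo_key"   # second call is a no-op
echo "installed keys: $(count_keys "$demo_home"), mode: $(ssh_dir_mode "$demo_home")"
rm -rf "$demo_home"
```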
