ssh-keygen与ssh-copy-id的使用与22端口的修改

ssh-copy-id的使用

      ssh-copy-id是ssh client套件內一個預設的指令，簡單的來說他只是一個script，當你在本機電腦已經有產生了RSA or DSA
      authentication，可以透過ssh-copy-id的指令將認證傳送到遠端主機。

      如何建立RSA or DSA authentication？

      $ ssh-keygen -t dsa (ssh-keygen -t rsa)
      Generating public/private dsa key pair.
      Enter file in which to save the key (/root/.ssh/id_dsa)
      RSA與DSA的差異

      ssh-keygen can create RSA keys for use by SSH protocol version 1 and

      RSA  or DSA keys for use by SSH protocol version 2

 

      簡單來說，若您只使用SSH protocol version 2，建議使用DSA來建立authentication。

============================================================================================     

      ssh-copy-id的運用

      $ ssh-copy-id.orig -i ~/.ssh/id_dsa.pub wawa@remotehost

      wawa@remotehost's password: (需要輸入一次密碼)
      Now try logging into the machine, with "ssh 'wawa@remotehost'", and check
      in:

        .ssh/authorized_keys

      to make sure we haven't added extra keys that you weren't expecting.

     

     簡單的執行 ssh-copy-id.orig -i 認證檔案 帳號@主機

 

     就可以完成認證，之後就可以直接不敲密碼就ssh連線到遠端主機

 

===========================================================================================

 

      基本上對外服務的主機，ssh listen port都會改掉預設的22 port，如此一來可以減少主機被入侵的機會，更改ssh listen
      port是最基本的第一道防線，請將設定檔內的 Port 22 進行更改，並且重新啟動ssh的服務。

      但是當您改掉ssh listen
      port之後，ssh-copy-id這個好用的指令將無法運用，這樣一來不是很可惜嗎？於是我們就可以對ssh-copy-id這個script進行一些修改，讓他可以
      支援指定不同的service port 。

      更改ssh-copy-id

      $ cp /usr/bin/ssh-copy-id /usr/bin/ssh-copy-id.orig
      $ vi /usr/bin/ssh-copy-id

      #!/bin/sh
      
      # Shell script to install your identity.pub on a remote machine
      # Takes the remote machine name as an argument.
      # Obviously, the remote machine must accept password authentication,
      # or one of the other keys in your ssh-agent, for this to work.
      
      ID_FILE="${HOME}/.ssh/identity.pub"
      
      while getopts ':i:p:P:h' OPTION
      do
          case $OPTION in
              i)
              if [ -n "$OPTARG" ]; then
                  if expr "$OPTARG" : ".*.pub" > /dev/null ; then
                      ID_FILE="$OPTARG"
                  else
                      ID_FILE="$OPTARG.pub"
                  fi
              fi
              ;;
              P|p)
                  PORT=$OPTARG;
              ;;
              h)
                  echo "Usage: $0 [-i [identity_file]] [user@]machine" >&2
                  exit 1
              ;;
          esac;
      done;
      
      shift $(($OPTIND - 1))
      
      if [ $# -lt 1 ] && [ x$SSH_AUTH_SOCK != x ] ; then
         GET_ID="$GET_ID ssh-add -L"
      fi
      
      if [ -z "`eval $GET_ID`" ] && [ -r "${ID_FILE}" ] ; then
        GET_ID="cat ${ID_FILE}"
      fi
      
      if [ -z "`eval $GET_ID`" ]; then
        echo "$0: ERROR: No identities found" >&2
        exit 1
      fi
      
      if [ -z $PORT ]; then
          PORTOPTION=""
      else
          PORTOPTION="-p $PORT "
      fi;
      
      { eval "$GET_ID" ; } | ssh $PORTOPTION $1 "umask 077; test -d .ssh ||
      mkdir .ssh ; cat >> .ssh/authorized_keys" || exit 1
      
      cat <<EOF
      Now try logging into the machine, with "ssh $PORTOPTION'$1'", and check
in:
      
        .ssh/authorized_keys
      
      to make sure we haven't added extra keys that you weren't expecting.
      
      EOF

      主要是增加了port的設定進去，建議可以直接複製貼上取代即可。
      以上script參考來源：http://blog.vieth.biz/2009/03/23/ssh-copy-id-with-port/

      ssh-copy-id with port的運用

      $ ssh-copy-id -i ~/.ssh/id_dsa.pub -p 1234 wawa@remotehost
      wawa@remotehost's password: (需要輸入一次密碼)
      Now try logging into the machine, with "ssh -p 1234 'wawa@remotehost'",
      and check in:
      
        .ssh/authorized_keys
      
      to make sure we haven't added extra keys that you weren't expecting.

      ssh-copy-id with port的認證就完成囉！