Chapter 1 SSH key-based authentication
1.1 First milestone: create the key pair
[root@m01 ~]# ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/root/.ssh/id_dsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_dsa.
Your public key has been saved in /root/.ssh/id_dsa.pub.
The key fingerprint is:
66:3a:32:5d:34:06:93:0d:b6:0e:90:f5:68:1d:a4:0c root@m01
The key's randomart image is:
+--[ DSA 1024]----+
| Eo..B+ |
| .+ *.=. |
| * + + |
| . o o . |
| . S |
| . = |
| o + |
| o . |
| |
+-----------------+
# The generated keys are saved under the home directory of the user who created them
Notes:
-t type    specifies the key type; here we use dsa
Specifies the type of key to create. The possible values are “rsa1” for protocol version 1 and “dsa”,
“ecdsa” or “rsa” for protocol version 2.
1.2 Second milestone: distribute the public key
[root@m01 ~]# ssh-copy-id -i /root/.ssh/id_dsa.pub 172.16.1.41
The authenticity of host '172.16.1.41 (172.16.1.41)' can't be established.
RSA key fingerprint is 65:98:b9:ce:bc:38:26:2f:06:81:14:b2:f9:8c:6d:db.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.1.41' (RSA) to the list of known hosts.
root@172.16.1.41's password:
Now try logging into the machine, with "ssh '172.16.1.41'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
-i    specifies the location of the key file
/root/.ssh/id_dsa.pub    the public key in the .ssh directory under the current user's home directory
172.16.1.41    the IP address of the host to send the key to
1.3 Third milestone: verify
[root@m01 ~]# ssh 172.16.1.41 hostname # run a command without a password
backup
[root@m01 ~]# ssh 172.16.1.41 uptime
00:45:45 up 1 day, 13:28, 1 user, load average: 2.00, 2.00, 1.91
[root@m01 ~]# ssh 172.16.1.8 # log in without a password
Last login: Sat Aug 19 19:00:42 2017 from 10.0.0.253
[root@web01 ~]# hostname
web01
1.4 Sending the public key with a port number
[root@m01 ~]# ssh-copy-id -i /root/.ssh/id_dsa.pub "-p52113 root@10.0.0.31"
The authenticity of host '[10.0.0.31 ]:52113 ([10.0.0.31 ]:52113)' can't be established.
RSA key fingerprint is dd:a0:18:d1:7e:43:9e:da:b7:32:14:f1:0c:fc:25:c8.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[10.0.0.31 ]:52113' (RSA) to the list of known hosts.
root@10.0.0.31's password:
Now try logging into the machine, with "ssh '-p52113 root@10.0.0.31'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
# When the server's SSH port has been changed, the port number can be specified when sending the key
1.5 Creating the key pair non-interactively
1.5.1 Solving the interactive prompts when creating the key pair
rm -f /root/.ssh/* # remove the previously created keys
ssh-keygen -t dsa -f /root/.ssh/id_dsa -P "" &>/dev/null # create the key pair non-interactively
Note:
Generating the ssh key pair non-interactively
Use ssh-keygen command-line options to generate it non-interactively
rm -f /root/.ssh/id_dsa*
ssh-keygen -t dsa -f /root/.ssh/id_dsa -P "" >/dev/null 2>&1 # generate the key pair non-interactively (-P: empty passphrase)
ssh-keygen -t dsa -f /root/.ssh/id_dsa -N '' >/dev/null 2>&1 # generate the key pair non-interactively (-N: empty new passphrase)
ssh-keygen -t dsa -f ~/.ssh/id_dsa -P '' -q
1.5.2 Distributing the public key without a password prompt
sshpass -p123456 ssh-copy-id -i /root/.ssh/id_dsa.pub root@172.16.1.41 # send the public key without a password prompt
sshpass -p123456 ssh-copy-id -i /root/.ssh/id_dsa.pub "-o StrictHostKeyChecking=no root@172.16.1.41" # send the key without a password prompt and without answering yes/no
1.6 Creating and distributing the key with a script
[root@m01 scripts]# cat piliang.sh
#!/bin/bash
rm -f /root/.ssh/*    # remove the old key pair (this also removes known_hosts)
ssh-keygen -t dsa -f /root/.ssh/id_dsa -P "" &>/dev/null    # generate a new key pair non-interactively
for ip in 41 31 8
do
# push the public key to each managed host; report failure instead of always printing ok
sshpass -p123456 ssh-copy-id -i /root/.ssh/id_dsa.pub "-o StrictHostKeyChecking=no root@172.16.1.$ip" >/dev/null 2>&1 \
&& echo "172.16.1.$ip ok" || echo "172.16.1.$ip failed"
done
1.7 Running a command on many hosts with a script
[root@m01 scripts]# cat piliang_check.sh
#!/bin/bash
CMD=$1    # the command to run, passed as the script's first argument
for ip in 31 41 8
do
ssh 172.16.1.$ip "$CMD"    # uses the key-based login set up above, so no password prompt
done
Summary:
What actually happens when a public key is distributed for the ssh service
①. The management server creates a private key and a public key (the key pair)
②. The public key file is copied remotely to the managed server as ~/.ssh/id_dsa.pub of the corresponding user, and the .ssh directory permissions are set to 700
③. The public key file is renamed to authorized_keys and its permissions are set to 600
④. Using the parameters in the ssh service configuration file, the server recognises the public key file authorized_keys
⑤. This is what makes key-based remote login to the server possible (password-less login / non-interactive login)
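Steps ② to ④ above, reproduced locally as an added example (not part of the original post): a hypothetical helper install_pubkey that installs a public key the way ssh-copy-id does on the managed server, with the permissions sshd requires and without adding the same key twice, plus check_perms and count_keys as the checks that the "verify" milestone and the "check in .ssh/authorized_keys" hint from ssh-copy-id should include. It assumes a Linux host with a stat that supports -c; note that OpenSSH 7.0 and later disable ssh-dss by default, so on current servers generate an rsa or ed25519 key instead of dsa.

```shell
#!/bin/bash
# Added example: a local re-implementation of what ssh-copy-id does on the
# managed server. Paths are arguments so it can be exercised against a
# scratch directory instead of a real ~/.ssh.
set -u

# install_pubkey PUBKEY_FILE SSH_DIR
# Appends the key in PUBKEY_FILE to SSH_DIR/authorized_keys exactly once,
# with the permissions sshd requires (directory 700, file 600).
install_pubkey() {
    local pubkey_file=$1 ssh_dir=$2
    local auth="$ssh_dir/authorized_keys" key
    key=$(head -n 1 "$pubkey_file") || return 1
    # Accept only well-formed OpenSSH public key lines (ssh-dss kept because
    # the post uses it; OpenSSH >= 7.0 disables it by default).
    case $key in
        ssh-rsa\ *|ssh-dss\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) ;;
        *) echo "refusing to install unrecognised key: $key" >&2; return 1 ;;
    esac
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1
    # Idempotent: do not add the same key twice (ssh-copy-id also checks this)
    if ! grep -qxF "$key" "$auth"; then
        printf '%s\n' "$key" >> "$auth"
    fi
}

# count_keys SSH_DIR -> number of key lines in authorized_keys, so an
# operator can spot keys they did not expect
count_keys() {
    grep -c '^\(ssh-\|ecdsa-\)' "$1/authorized_keys"
}

# check_perms SSH_DIR -> succeeds only if the directory is 700 and the
# authorized_keys file is 600 (assumes GNU/busybox stat -c)
check_perms() {
    [ "$(stat -c %a "$1")" = 700 ] && [ "$(stat -c %a "$1/authorized_keys")" = 600 ]
}
```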