SSH login issues (generating an RSA key, passwordless login, root SSH login, etc.)

First, let root log in to a machine over SSH:

update_ini('/etc/ssh/sshd_config', 'PermitRootLogin', 'yes')
update_ini('/etc/ssh/sshd_config', 'PasswordAuthentication', pwauth)
update_ini('/etc/ssh/sshd_config', 'ChallengeResponseAuthentication', 'no')

This just changes three values in /etc/ssh/sshd_config.
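The update_ini helper used above (its full body is in the script further down) rewrites an existing line with awk and does nothing if the directive is missing from the file. The following is an added example, not code from the original post: a pure-Ruby version that works on the file text (so it can be tested without touching /etc/ssh), appends a missing directive, comments out later duplicates (sshd only honours the first active occurrence), and reads the effective value back the way sshd would see it. The sample config text is constructed for the example.

```ruby
# Added example, not part of the original post.

# Match a directive line: optional leading '#', the keyword, then whitespace.
def directive_re(kw)
  /\A\s*#?\s*#{Regexp.escape(kw)}[ \t]+/i
end

# Return the config text with the first (active or commented-out) occurrence
# of `kw` rewritten to "kw value". Later active occurrences are commented
# out, because sshd uses only the first active one and a leftover duplicate
# would silently win or lose depending on position. If the directive is
# absent, it is appended. Running it twice yields the same text.
def update_sshd_config(text, kw, value)
  re = directive_re(kw)
  seen = false
  lines = text.lines.map do |line|
    if line =~ re
      if seen
        line.lstrip.start_with?('#') ? line : "# #{line}"
      else
        seen = true
        "#{kw} #{value}\n"
      end
    else
      line
    end
  end
  lines << "#{kw} #{value}\n" unless seen
  lines.join
end

# Effective value as sshd resolves it: first active (uncommented) occurrence
# wins; nil means "not set, the built-in default applies".
def effective_setting(text, kw)
  re = /\A\s*#{Regexp.escape(kw)}[ \t]+(\S+)/i
  text.each_line do |line|
    return Regexp.last_match(1) if line =~ re
  end
  nil
end

# Constructed sample resembling a stock sshd_config: root login is only
# present as a commented-out default, and password auth appears twice.
SAMPLE_SSHD_CONFIG = <<~CONF
  #PermitRootLogin prohibit-password
  PasswordAuthentication yes
  PasswordAuthentication yes
  UsePAM yes
CONF

if __FILE__ == $0
  cfg = SAMPLE_SSHD_CONFIG
  cfg = update_sshd_config(cfg, 'PermitRootLogin', 'yes')
  cfg = update_sshd_config(cfg, 'PasswordAuthentication', 'no')
  cfg = update_sshd_config(cfg, 'ChallengeResponseAuthentication', 'no')
  puts cfg
  puts "effective PasswordAuthentication: #{effective_setting(cfg, 'PasswordAuthentication')}"
end
```

To apply it to a real file you would read /etc/ssh/sshd_config, pass the text through update_sshd_config for each of the three directives, write it back, and run `sshd -t` before restarting to catch a malformed result.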


Logging in from one Linux machine to another without a password:


1: Use ssh-keygen to generate an RSA key for the user

Accept the defaults all the way; this gives you two files, id_rsa and id_rsa.pub,

and a fingerprint that looks like this:

e9:37:e4:48:1f:96:f3:3a:1a:ac:57:cc:85:39:bb:6f mac@ngmp-master


[mac@ngmp-master .ssh]$ ll
total 16
-rw------- 1 mac mac 1675 May 24 10:33 id_rsa
-rw-r--r-- 1 mac mac  397 May 24 10:33 id_rsa.pub
[mac@ngmp-master .ssh]$ pwd
/home/mac/.ssh


2: Use ssh-copy-id user@host to push the SSH public key you just created to host

Alternatively, copy the contents of id_rsa.pub into the .ssh/authorized_keys2 file on the target machine yourself.


3: After you ssh from machine A to machine B, the ~/.ssh/known_hosts file under your account on A gains a line recording B, which looks like:

10.36.126.32 ssh-rsa AAAAB3NzaC1yc2EAAAQEAqB1PcXHO7....yDZGvKqYJIYluKQ==

It is not a key but B's fingerprint (presumably base64-encoded).

If B is reinstalled, delete B's record from A's known_hosts file.
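As an added example (not code from the original post) of what that known_hosts line carries: the base64 field is the host's public key in OpenSSH wire format (length-prefixed type string followed by the key fields), and the fingerprint ssh prints is a hash of exactly those decoded bytes. The block below builds two constructed keys (made-up numbers, not real key material), parses the resulting known_hosts lines, checks that the declared key type matches the type inside the blob, prints both the old colon-separated MD5 form and the modern SHA256 form, and removes a host's entry the way you would after reinstalling it (the same effect as `ssh-keygen -R host`).

```ruby
# Added example, not part of the original post.
require 'base64'
require 'digest'

# One SSH wire-format string: 4-byte big-endian length, then the bytes.
def ssh_string(bytes)
  [bytes.bytesize].pack('N') + bytes.b
end

# SSH mpint: big-endian magnitude with a leading 0x00 if the top bit is set.
def mpint(int)
  hex = int.to_s(16)
  hex = '0' + hex if hex.length.odd?
  raw = [hex].pack('H*')
  raw = "\x00".b + raw if raw.getbyte(0) >= 0x80
  ssh_string(raw)
end

# Constructed sample keys (made-up numbers, not real keys) and a constructed
# known_hosts file with one entry per key.
SAMPLE_RSA_BLOB = ssh_string('ssh-rsa') + mpint(65_537) + mpint(2**1023 + 12_345)
SAMPLE_ED25519_BLOB = ssh_string('ssh-ed25519') + ssh_string("\x11".b * 32)
SAMPLE_KNOWN_HOSTS = <<~KH
  10.36.126.32 ssh-rsa #{Base64.strict_encode64(SAMPLE_RSA_BLOB)}
  other.example,192.0.2.7 ssh-ed25519 #{Base64.strict_encode64(SAMPLE_ED25519_BLOB)}
KH

# Parse one known_hosts line into the host list, the declared key type and
# the decoded blob. The blob's first field is its own type string; if that
# disagrees with the declared type the entry was hand-edited or corrupted.
def parse_known_hosts_line(line)
  hosts, type, b64 = line.split(' ', 3)
  blob = Base64.strict_decode64(b64.strip)
  len = blob[0, 4].unpack1('N')
  { hosts: hosts.split(','), type: type, blob: blob,
    consistent: blob[4, len] == type }
end

# Colon-separated MD5 fingerprint, the form older ssh-keygen printed.
def md5_fingerprint(blob)
  Digest::MD5.hexdigest(blob).scan(/../).join(':')
end

# SHA256 fingerprint as modern `ssh-keygen -l` prints it (unpadded base64).
def sha256_fingerprint(blob)
  'SHA256:' + Base64.strict_encode64(Digest::SHA256.digest(blob)).delete('=')
end

# Drop every entry that names `host`, keeping blank and comment lines.
def remove_host(known_hosts, host)
  known_hosts.each_line.reject do |l|
    next false if l.strip.empty? || l.start_with?('#')
    parse_known_hosts_line(l)[:hosts].include?(host)
  end.join
end

if __FILE__ == $0
  SAMPLE_KNOWN_HOSTS.each_line do |l|
    e = parse_known_hosts_line(l)
    puts "#{e[:hosts].join(',')} #{e[:type]} consistent=#{e[:consistent]}"
    puts "  #{sha256_fingerprint(e[:blob])}"
    puts "  #{md5_fingerprint(e[:blob])}"
  end
  puts remove_host(SAMPLE_KNOWN_HOSTS, '10.36.126.32')
end
```

Comparing the SHA256 value printed here against the one shown on the console of the host itself (`ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub`) is the check that distinguishes a genuine reinstall from an unexpected host-key change.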


SSH setup for several mutually trusting machines:

1: On one of the machines, generate a key as root with ssh-keygen

2: Copy id_rsa and id_rsa.pub to /root/.ssh/ on each trusted machine

3: Add a line to the authorized_keys2 file:

from="server1, server2, server3, ...." ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAtSVYgX8z5WiHpaKpb9eYQ+Ubytap34tcKbhTW7Pw69I9OVFcGtrPhc35o4OO4aPb47MKBlnq/bVOMzKginDOGnw== root@master.server

The format is from="server, .... server list" ssh-rsa ASSDFA(the public key)aASDFASDFAf <user>@<server>
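The from= option is what turns a shared root key into something narrower than "anyone holding the private key". As an added example (not code from the original post), the block below builds such an entry from a host list and checks which connecting hosts it would admit. sshd takes the comma-separated patterns literally, so a space after a comma becomes part of the pattern and the host never matches; the builder strips that. The matcher follows OpenSSH's rules for this list: `*` and `?` wildcards, a leading `!` negates, and a negated match rejects the connection even if another pattern matched. The public-key string is a constructed placeholder, not real key material.

```ruby
# Added example, not part of the original post.

# Build an authorized_keys line restricted with from=. Whitespace around
# each host pattern is stripped, since sshd would otherwise treat
# " server2" as a pattern that never matches a real hostname.
def build_from_entry(hosts, pubkey_line)
  patterns = hosts.map(&:strip).reject(&:empty?)
  %(from="#{patterns.join(',')}" #{pubkey_line.strip})
end

# Pull the from= pattern list back out of an entry; [] if unrestricted.
def from_patterns(entry)
  m = entry.match(/\Afrom="([^"]*)"/)
  m ? m[1].split(',') : []
end

# Shell-style pattern to anchored, case-insensitive regexp.
def pattern_to_re(pattern)
  body = Regexp.escape(pattern).gsub('\*', '.*').gsub('\?', '.')
  Regexp.new('\A' + body + '\z', Regexp::IGNORECASE)
end

# Would sshd accept a client (hostname or IP, as sshd resolves it) under
# this entry? Patterns are checked left to right; a negated pattern that
# matches rejects immediately, otherwise any positive match admits.
def host_allowed?(entry, client)
  patterns = from_patterns(entry)
  return true if patterns.empty? # no from= means no source restriction
  allowed = false
  patterns.each do |p|
    if p.start_with?('!')
      return false if client =~ pattern_to_re(p[1..-1])
    elsif client =~ pattern_to_re(p)
      allowed = true
    end
  end
  allowed
end

# Constructed placeholder public key, not real key material.
SAMPLE_PUBKEY = 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCconstructedplaceholder= root@master.server'

if __FILE__ == $0
  entry = build_from_entry(['server1.example', ' server2.example ', '10.36.126.*', '!10.36.126.99'], SAMPLE_PUBKEY)
  puts entry
  %w[server2.example 10.36.126.32 10.36.126.99 evil.example].each do |c|
    puts "#{c}: #{host_allowed?(entry, c) ? 'allowed' : 'denied'}"
  end
end
```

The same check can be run over an existing /root/.ssh/authorized_keys2 to list which entries carry no from= at all, which is the case worth reviewing on a host where every peer is meant to be named.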


The ruby script that does all this:

#!/usr/bin/ruby

IMHT_ROOT = "/opt/trend/imht"

require 'central_config'  
require 'tempfile'

# Rewrite the first line matching "kw ..." (commented out or not) to "kw value";
# later matching lines are dropped. Note: if the directive is absent from the
# file entirely, nothing is added.
def update_ini(fn, kw, value)
  f = Tempfile.new(File.basename(fn))
  f.close
  system("awk \"BEGIN {i=0} {if (/^#?#{kw}[ \t]+.*/) {if(i == 0) print \\\"#{kw} #{value}\\\"; i++} else print}\" #{fn} > #{f.path}")
  system("cp -f #{f.path} #{fn}")
  f.unlink
end

# Push our host's public key to the master
cfg = CentralConfig.new
myhost = cfg.get_my_host()
master = cfg.get_hosts_by_role_dc_pod('slack-master', myhost.dc, myhost.pod)[0]

key = IO.read('/etc/ssh/ssh_host_rsa_key.pub')
myentry = "#{myhost.host},#{myhost.host}.#{cfg.get_domain_by_datacenter_pod(myhost.dc, myhost.pod)},#{cfg.get_host_ip(myhost)} #{key}"

f = Tempfile.new('known_hosts')
f.write(myentry)
f.close
system("rsync #{f.path} #{master.host}::imht/ssh-config/#{myhost.host}.pub")
f.unlink

# Install the known-hosts file
system("cp -f #{IMHT_ROOT}/setup/ssh-config/ssh_known_hosts /etc/ssh")

# Install root's ssh key pair
system("mkdir -p /root/.ssh")
system("cp -f #{IMHT_ROOT}/setup/ssh-config/id_rsa /root/.ssh")
system("chmod 600 /root/.ssh/id_rsa")
system("cp -f #{IMHT_ROOT}/setup/ssh-config/id_rsa.pub /root/.ssh")
system("chmod 644 /root/.ssh/id_rsa.pub")

# Allow root access only from nodes within the pod
hosts =  cfg.get_hosts_by_datacenter_pod(myhost.dc, myhost.pod)
domain = cfg.get_domain_by_datacenter_pod(myhost.dc, myhost.pod)
from = 'from="'
hosts.each do |h|
  from << "#{h.host}.#{domain},"
end
extra = cfg.get_pod_parameter(myhost.dc, myhost.pod, 'ssh.authkeys.extra_ips')
if extra
  from << extra.split(/ *, */).join(',') + ','
end

from[from.length-1] = '" '
f = Tempfile.new('auth_keys_from')
f.write(from)
f.close
system("cat /root/.ssh/id_rsa.pub >> #{f.path}")
system("cat #{f.path} >> /root/.ssh/authorized_keys2") if !File.exist?('/root/.ssh/authorized_keys2') || !system("grep -q -f #{f.path} /root/.ssh/authorized_keys2")
system("chmod 644 /root/.ssh/authorized_keys2")
f.unlink

# Check if PasswordAuthentication is allowed
autodeploy = cfg.get_my_parameter('autodeploy')
autodeploy_opts = autodeploy ?  autodeploy.split(/ *, */) : []
pwauth = (autodeploy_opts.include?('+sshdpwauth')) ? 'yes' : 'no'

# Enable root login. Password authentication stays off unless '+sshdpwauth' was requested
update_ini('/etc/ssh/sshd_config', 'PermitRootLogin', 'yes')
update_ini('/etc/ssh/sshd_config', 'PasswordAuthentication', pwauth)
update_ini('/etc/ssh/sshd_config', 'ChallengeResponseAuthentication', 'no')

# Restart sshd
if cfg.get_host_os(myhost) == 'ubuntu'
  system("/etc/init.d/ssh restart")
else
  system("/etc/init.d/sshd restart")
end
