基本上對外服務的主機,ssh listen port都會改掉預設的22 port,如此一來可以減少主機被入侵的機會,更改ssh listen port是最基本的第一道防線,請將設定檔內的 Port 22 進行更改,並且重新啟動ssh的服務。
但是當您改掉ssh listen port之後,ssh-copy-id這個好用的指令將無法運用,這樣一來不是很可惜嗎?於是我們就可以對ssh-copy-id這個script進行一些修改,讓他可以指定不同的service port 。
[root@rong2 .ssh]# cp /usr/bin/ssh-copy-id /usr/bin/ssh-copy-id.new
[root@rong2 .ssh]# vim /usr/bin/ssh-copy-id.new
#!/bin/sh
# Shell script to install your identity.pub on a remote machine
# Takes the remote machine name as an argument.
# Obviously, the remote machine must accept password authentication,
# or one of the other keys in your ssh-agent, for this to work.
ID_FILE="${HOME}/.ssh/identity.pub"
while getopts ':i:p:P:h' OPTION
do
case $OPTION in
i)
if [ -n "$OPTARG" ]; then
if expr "$OPTARG" : ".*.pub" > /dev/null ; then
ID_FILE="$OPTARG"
else
ID_FILE="$OPTARG.pub"
fi
fi
;;
P|p)
PORT=$OPTARG;
;;
h)
echo "Usage: $0 [-i [identity_file]] [user@]machine" >&2
exit 1
;;
esac;
done;
shift $(($OPTIND - 1))
if [ $# -lt 1 ] && [ x$SSH_AUTH_SOCK != x ] ; then
GET_ID="$GET_ID ssh-add -L"
fi
if [ -z "`eval $GET_ID`" ] && [ -r "${ID_FILE}" ] ; then
GET_ID="cat ${ID_FILE}"
fi
if [ -z "`eval $GET_ID`" ]; then
echo "$0: ERROR: No identities found" >&2
exit 1
fi
if [ -z $PORT ]; then
PORTOPTION=""
else
PORTOPTION="-p $PORT "
fi;
{ eval "$GET_ID" ; } | ssh $PORTOPTION $1 "umask 077; test -d .ssh ||
mkdir .ssh ; cat >> .ssh/authorized_keys" || exit 1
cat <<EOF
Now try logging into the machine, with "ssh $PORTOPTION'$1'", and check
in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
EOF
执行带port的命令:
[root@rong2 .ssh]# ssh-copy-id.new -i id_rsa.pub -p 2222 root@192.168.0.2
The authenticity of host '192.168.0.2 (192.168.0.2)' can't be established.
RSA key fingerprint is f6:8e:f2:7c:0c:f2:33:5d:58:5e:29:0f:a5:82:8e:a2.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.0.2' (RSA) to the list of known hosts.
reverse mapping checking getaddrinfo for bogon failed - POSSIBLE BREAK-IN ATTEMPT!
root@192.168.0.2's password:
Now try logging into the machine, with "ssh -p 2222 'root@192.168.0.2'", and check
in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
EOF
但是當您改掉ssh listen port之後,ssh-copy-id這個好用的指令將無法運用,這樣一來不是很可惜嗎?於是我們就可以對ssh-copy-id這個script進行一些修改,讓他可以指定不同的service port 。
[root@rong2 .ssh]# cp /usr/bin/ssh-copy-id /usr/bin/ssh-copy-id.new
[root@rong2 .ssh]# vim /usr/bin/ssh-copy-id.new
#!/bin/sh
# Shell script to install your identity.pub on a remote machine
# Takes the remote machine name as an argument.
# Obviously, the remote machine must accept password authentication,
# or one of the other keys in your ssh-agent, for this to work.
ID_FILE="${HOME}/.ssh/identity.pub"
while getopts ':i:p:P:h' OPTION
do
case $OPTION in
i)
if [ -n "$OPTARG" ]; then
if expr "$OPTARG" : ".*.pub" > /dev/null ; then
ID_FILE="$OPTARG"
else
ID_FILE="$OPTARG.pub"
fi
fi
;;
P|p)
PORT=$OPTARG;
;;
h)
echo "Usage: $0 [-i [identity_file]] [user@]machine" >&2
exit 1
;;
esac;
done;
shift $(($OPTIND - 1))
if [ $# -lt 1 ] && [ x$SSH_AUTH_SOCK != x ] ; then
GET_ID="$GET_ID ssh-add -L"
fi
if [ -z "`eval $GET_ID`" ] && [ -r "${ID_FILE}" ] ; then
GET_ID="cat ${ID_FILE}"
fi
if [ -z "`eval $GET_ID`" ]; then
echo "$0: ERROR: No identities found" >&2
exit 1
fi
if [ -z $PORT ]; then
PORTOPTION=""
else
PORTOPTION="-p $PORT "
fi;
{ eval "$GET_ID" ; } | ssh $PORTOPTION $1 "umask 077; test -d .ssh ||
mkdir .ssh ; cat >> .ssh/authorized_keys" || exit 1
cat <<EOF
Now try logging into the machine, with "ssh $PORTOPTION'$1'", and check
in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
EOF
执行带port的命令:
[root@rong2 .ssh]# ssh-copy-id.new -i id_rsa.pub -p 2222 root@192.168.0.2
The authenticity of host '192.168.0.2 (192.168.0.2)' can't be established.
RSA key fingerprint is f6:8e:f2:7c:0c:f2:33:5d:58:5e:29:0f:a5:82:8e:a2.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.0.2' (RSA) to the list of known hosts.
reverse mapping checking getaddrinfo for bogon failed - POSSIBLE BREAK-IN ATTEMPT!
root@192.168.0.2's password:
Now try logging into the machine, with "ssh -p 2222 'root@192.168.0.2'", and check
in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
EOF
本文出自 “Mr_Z” 博客,请务必保留此出处http://zhangrong.blog.51cto.com/2196532/943173
8192
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
