ssh-copy-id是ssh client套件內一个预设的指令,简单的来说他只是一个script,当你在本地主机已经产生了RSA /DSA和authentication,可以通过ssh-copy-id的指令将认证傳送到远端主机。
如何建立RSA /DSA和authentication?
$ ssh-keygen -t dsa 或者ssh-keygen -t rsa
Generating public/private dsa key pair.
Enter file in which to save the key (/root/.ssh/id_dsa)
RSA与DSA的差别
ssh-keygen can create RSA keys for use by SSH protocol version 1 and RSA or DSA keys for use by SSH protocol version 2
简单来说,若您只使用SSH protocol version 2,建议使用DSA來建立authentication。
使用下例中ssk-keygen和ssh-copy-id,仅需通过3个步骤的简单设置而无需输入密码就能登录远程Linux主机。
ssh-keygen 创建公钥和密钥。ssh-copy-id 把本地主机的公钥复制到远程主机的authorized_keys文件上。
ssh-copy-id 也会给远程主机的用户主目录(home)和~/.ssh, 和~/.ssh/authorized_keys设置合适的权限 。
步骤1: 用 ssh-key-gen 在本地主机上创建公钥和密钥
ligh@local-host$ ssh-keygen -t rsa
Enter file in which to save the key (/home/jsmith/.ssh/id_rsa):[Enter key]
Enter passphrase (empty for no passphrase): [Press enter key]
Enter same passphrase again: [Pess enter key]
Your identification has been saved in /home/jsmith/.ssh/id_rsa.
Your public key has been saved in /home/jsmith/.ssh/id_rsa.pub.
The key fingerprint is: 33:b3:fe:af:95:95:18:11:31:d5:de:96:2f:f2:35:f9
ligh@local-host
步骤2: 用 ssh-copy-id 把公钥复制到远程主机上(ssh-copy-id -i 认证档案 用户名@主机)
ligh@local-host$ ssh-copy-id -i ~/.ssh/id_rsa.pub boon@211.87.227.248
ligh@remote-host‘s password:
Now try logging into the machine, with ―ssh ?remote-host‘‖, and check in:
.ssh/authorized_keys to make sure we haven‘t added extra keys that you weren‘t expecting.
[注: ssh-copy-id 把密钥追加到远程主机的 .ssh/authorized_key 上.]
步骤3: 直接登录远程主机
ligh@local-host$ ssh remote-host
Last login: Sun Nov 16 17:22:33 2008 from 192.168.1.2
[注: SSH 不会询问密码.]
ligh@remote-host$
对22端口的修改问题:
基本上對外服務的主機,ssh listen port都會改掉預設的22 port,如此一來可以減少主機被入侵的機會,更改ssh listen port是最基本的第一道防線,請將設定檔內的 Port 22 進行更改,並且重新啟動ssh的服務。
但是當您改掉ssh listen port之後,ssh-copy-id這個好用的指令將無法運用,這樣一來不是很可惜嗎?於是我們就可以對ssh-copy-id這個script進行一些修改,讓他可以支援指定不同的service port 。
更改ssh-copy-id
$ cp /usr/bin/ssh-copy-id /usr/bin/ssh-copy-id.orig
$ vi /usr/bin/ssh-copy-id
#!/bin/sh
# Shell script to install your identity.pub on a remote machine
# Takes the remote machine name as an argument.
# Obviously, the remote machine must accept password authentication,
# or one of the other keys in your ssh-agent, for this to work.
ID_FILE="${HOME}/.ssh/identity.pub"
while getopts ':i:p:P:h' OPTION
do
case $OPTION in
i)
if [ -n "$OPTARG" ]; then
if expr "$OPTARG" : ".*.pub" > /dev/null ; then
ID_FILE="$OPTARG"
else
ID_FILE="$OPTARG.pub"
fi
fi
;;
P|p)
PORT=$OPTARG;
;;
h)
echo "Usage: $0 [-i [identity_file]] [user@]machine" >&2
exit 1
;;
esac;
done;
shift $(($OPTIND - 1))
if [ $# -lt 1 ] && [ x$SSH_AUTH_SOCK != x ] ; then
GET_ID="$GET_ID ssh-add -L"
fi
if [ -z "`eval $GET_ID`" ] && [ -r "${ID_FILE}" ] ; then
GET_ID="cat ${ID_FILE}"
fi
if [ -z "`eval $GET_ID`" ]; then
echo "$0: ERROR: No identities found" >&2
exit 1
fi
if [ -z $PORT ]; then
PORTOPTION=""
else
PORTOPTION="-p $PORT "
fi;
{ eval "$GET_ID" ; } | ssh $PORTOPTION $1 "umask 077; test -d .ssh ||
mkdir .ssh ; cat >> .ssh/authorized_keys" || exit 1
cat <<EOF
Now try logging into the machine, with "ssh $PORTOPTION'$1'", and check
in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
EOF
主要是增加了port的設定進去,建議可以直接複製貼上取代即可。
以上script參考來源:http://blog.vieth.biz/2009/03/23/ssh-copy-id-with-port/
ssh-copy-id with port的運用
$ ssh-copy-id -i ~/.ssh/id_dsa.pub -p 1234 boon@tunnel.sdboon
wawa@remotehost's password: (需要輸入一次密碼)
Now try logging into the machine, with "ssh -p 22222 'boon@tunnel.sdboon'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
ssh-copy-id with port的認證就完成囉!
扫一扫
421
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
