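20.1 SSH batch key-based authentication

Tags: ssh

Contents

SSH packages

The sshd service

Connecting to a server with the ssh client

ssh client usage examples

SSH login authentication methods

Key-based authentication

 Connecting to a remote host from Xshell on Windows with a key

Introduction to SSH

 

SSH packages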

[[email protected]:~]# yum info openssh
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
Installed Packages
Name        : openssh
Arch        : x86_64
Version     : 7.4p1
Release     : 16.el7
Size        : 1.9 M
Repo        : installed
From repo   : anaconda
Summary     : An open source implementation of SSH protocol versions 1 and 2
URL         : http://www.openssh.com/portable.html
License     : BSD
Description : SSH (Secure SHell) is a program for logging into and executing
            : commands on a remote machine. SSH is intended to replace rlogin and
            : rsh, and to provide secure encrypted communications between two
            : untrusted hosts over an insecure network. X11 connections and
            : arbitrary TCP/IP ports can also be forwarded over the secure channel.
            :
            : OpenSSH is OpenBSD's version of the last free version of SSH, bringing
            : it up to date in terms of security and features.
            :
            : This package includes the core files necessary for both the OpenSSH
            : client and server. To make this package useful, you should also
            : install openssh-clients, openssh-server, or both.

[[email protected]:~]# rpm -qa "openssh**"
openssh-7.4p1-16.el7.x86_64
openssh-server-7.4p1-16.el7.x86_64
openssh-clients-7.4p1-16.el7.x86_64

[[email protected]:~]# rpm -ql openssh
/etc/ssh
/etc/ssh/moduli
/usr/bin/ssh-keygen
/usr/libexec/openssh
/usr/libexec/openssh/ctr-cavstest
/usr/libexec/openssh/ssh-keysign


[[email protected]:~]# rpm -ql openssh-server
/etc/pam.d/sshd
/etc/ssh/sshd_config
/etc/sysconfig/sshd
/usr/lib/systemd/system/sshd-keygen.service
/usr/lib/systemd/system/sshd.service
/usr/lib/systemd/system/sshd.socket

[[email protected]:~]# rpm -ql openssh-clients
/etc/ssh/ssh_config
/usr/bin/scp
/usr/bin/sftp
/usr/bin/slogin
/usr/bin/ssh
/usr/bin/ssh-add
/usr/bin/ssh-agent
/usr/bin/ssh-copy-id

The sshd service

[[email protected]:~]# systemctl status sshd


[[email protected]:~]# cat /usr/lib/systemd/system/sshd.service
[Unit]
Description=OpenSSH server daemon
Documentation=man:sshd(8) man:sshd_config(5)
After=network.target sshd-keygen.service
Wants=sshd-keygen.service

[Service]
Type=notify
EnvironmentFile=/etc/sysconfig/sshd
ExecStart=/usr/sbin/sshd -D $OPTIONS
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure
RestartSec=42s

[Install]
WantedBy=multi-user.target

[[email protected]:~]# systemctl stop sshd  #existing connections are not dropped; new connections are refused

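Connecting to a server with the ssh client

#   Port 22    

[[email protected]:~]# vim /etc/ssh/ssh_config
#The port the server's sshd service listens on. If it is not 22, either set the same port in the client configuration file,
#or pass the -p option on every connection
[[email protected]:~]# vim /etc/ssh/sshd_config

#The first connection asks whether to continue connecting (yes/no)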
[[email protected]:~]# ssh 192.168.14.6
The authenticity of host '192.168.14.6 (192.168.14.6)' can't be established.
RSA key fingerprint is SHA256:ldwv9HEi63iQKlkKOjUKAOovAkQgmKhkm6UjK0JoV8k.
RSA key fingerprint is MD5:24:c8:d0:86:48:c0:3b:6d:2b:8d:95:3f:93:00:61:4d.
Are you sure you want to continue connecting (yes/no)?

[[email protected]:~]# vim /etc/ssh/ssh_config
#   StrictHostKeyChecking ask  
StrictHostKeyChecking no          #set to no: the first connection no longer asks; not recommended, since an unverified host key is accepted silently

[[email protected]:~]# ssh 192.168.14.6
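Enter yes and the centos6 password to connect to centos6. On later connections to centos6 the yes/no question is not asked again; only the password is needed. The connection is recorded in the following file: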
[[email protected]:.ssh]# ls
id_rsa  id_rsa.pub  known_hosts
[[email protected]:.ssh]# pwd
/root/.ssh
[[email protected]:.ssh]# cat known_hosts
192.168.14.6 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA1SbTaorjFFhvaTjyac3U0pT9fhhwtWt70aQcTeUnf+8fCygCyuIQ1rw1Q7oPOF+RxTBFhSHZDmSxx4sz+ZJ7VAluosRrncKiOAqH3m3coSvRo+htboFldbP8oB8eTi5bxByLijUFiVphRJ6JUgfxugHSY0MTb3UFz+KFAAv+8KWGVTZ1UWOD3aeTAb3UOkK/7ZjWsN1AidAiEwyoNmGjgVFvOEk+3Tt7JQhufx0WnEIuMb6k2JG5LzSaoQ5akv+I5tTPJxkZjkYjF6Ktag/NJ9xzEKp9n95XHlqntCusF+TT8v4Q5jHQh8c3prmpwJcE7TQJhQl65eZj3ur5ICre9Q==
#Delete this entry from the file and the next connection is treated as a first connection, asking yes/no again

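After centos7 has connected to centos6, that is, when /root/.ssh/known_hosts in centos7's home directory holds an entry for 192.168.14.6, disconnect the centos6 server (192.168.14.6) from the network and start a new virtual machine with its IP configured as 192.168.31.6. Connecting to this IP again from centos7 gives the following result: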

[[email protected]:.ssh]# ssh 192.168.14.6
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
SHA256:0w2zn5i6KOssvh7PUxCGo0/dSK77g3dihbXaQHEExDQ.
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending RSA key in /root/.ssh/known_hosts:3
RSA host key for 192.168.14.6 has changed and you have requested strict checking.
Host key verification failed.

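On the first connection to a server, the client records the server's public key in the local /root/.ssh/known_hosts. On later connections, the message the server sends is encrypted (signed) with its private key; when the client receives this private-key-signed message, it decrypts it with the locally stored server public key, and if that succeeds the server's identity is verified. The private key must be well protected: if it is stolen, the server can be impersonated.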

[[email protected]:ssh]# ls
moduli       ssh_host_ecdsa_key      ssh_host_ed25519_key.pub
ssh_config   ssh_host_ecdsa_key.pub  ssh_host_rsa_key
sshd_config  ssh_host_ed25519_key    ssh_host_rsa_key.pub
# ssh_host_rsa_key  centos7's private key
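The three outcomes described above (first contact, matching key, changed key) can be reproduced offline. The following is an added example, not part of the original post: `check_host_key` and `client_action` are hypothetical helper names, the key blobs are constructed, and hashed (`|1|...`) or `@`-marker entries are skipped.

```shell
#!/bin/sh
# Added example (not from the original post): trust-on-first-use check of a
# host key against known_hosts. All host names and key blobs are constructed.

# check_host_key KNOWN_HOSTS HOST KEYTYPE KEYBLOB -> prints match | new | changed
check_host_key() {
    [ -f "$1" ] || { echo new; return 0; }   # no file yet: every host is new
    awk -v host="$2" -v ktype="$3" -v blob="$4" '
        /^#/ || NF < 3 { next }          # comments, blank or malformed lines
        $1 ~ /^[@|]/   { next }          # @markers and hashed names: not handled here
        {
            n = split($1, names, ",")    # field 1 may list several names
            for (i = 1; i <= n; i++)
                if (names[i] == host && $2 == ktype) {
                    seen = 1
                    if ($3 == blob) matched = 1
                }
        }
        END { print (matched ? "match" : (seen ? "changed" : "new")) }
    ' "$1"
}

# client_action MODE VERDICT -> what the ssh client does when
# StrictHostKeyChecking is MODE (yes | ask | no) for a check_host_key verdict.
client_action() {
    case "$2:$1" in
        match:*)      echo connect ;;
        changed:no)   echo connect-restricted ;;   # proceeds, password auth disabled
        changed:*)    echo refuse ;;               # "Host key verification failed."
        new:yes)      echo refuse ;;
        new:ask)      echo prompt ;;               # the yes/no question
        new:no)       echo add-silently ;;         # key stored without verification
        *)            echo invalid; return 1 ;;
    esac
}

# Demo on a constructed known_hosts file.
kh=$(mktemp)
printf '%s\n' '# constructed sample' \
    '192.168.14.6 ssh-rsa AAAAconstructedKeyA==' \
    'web1,192.168.31.17 ssh-ed25519 AAAAconstructedKeyB' > "$kh"
for blob in AAAAconstructedKeyA== AAAAconstructedKeyZ==; do
    v=$(check_host_key "$kh" 192.168.14.6 ssh-rsa "$blob")
    echo "192.168.14.6 $blob: $v -> $(client_action ask "$v")"
done
v=$(check_host_key "$kh" 192.168.31.27 ssh-rsa AAAAconstructedKeyA==)
echo "192.168.31.27: $v -> $(client_action no "$v")"
rm -f "$kh"
```

The `new:no` row is the case the `StrictHostKeyChecking no` setting above creates: an unknown key is written to known_hosts with no chance to compare its fingerprint.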

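ssh client usage examples

Example 1: log in to the remote host, run a command, show its output on the local machine, then leave the remote host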
  

    [[email protected]:ssh]# ssh 192.168.14.6 'ip a'
    [email protected]'s password:
    /root/.bashrc: line 8: aliaz: command not found
    2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
        link/ether 00:0c:29:37:0c:a3 brd ff:ff:ff:ff:ff:ff
        inet 192.168.14.6/24 brd 192.168.14.255 scope global eth1
        inet6 fe80::20c:29ff:fe37:ca3/64 scope link
           valid_lft forever preferred_lft forever
    3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
        link/ether 00:0c:29:37:0c:ad brd ff:ff:ff:ff:ff:ff
        inet 172.18.119.213/16 brd 172.18.255.255 scope global eth0
        inet6 fe80::20c:29ff:fe37:cad/64 scope link
           valid_lft forever preferred_lft forever

Example 2: connect to the remote host from a specified source IP

    [[email protected]:ssh]# ip a a 192.168.31.27/24 dev ens33
    [[email protected]:ssh]# ip a
    2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
        link/ether 00:0c:29:84:9c:10 brd ff:ff:ff:ff:ff:ff
        inet 192.168.31.7/24 brd 192.168.31.255 scope global noprefixroute ens33
           valid_lft forever preferred_lft forever
        inet 192.168.31.27/24 scope global secondary ens33
           valid_lft forever preferred_lft forever
        inet6 fe80::a12f:1465:53a3:13b5/64 scope link noprefixroute
           valid_lft forever preferred_lft forever

    [[email protected]:ssh]# ssh -b 192.168.31.27 192.168.14.6
    [email protected]'s password:
    Last login: Wed Jul 18 18:00:05 2018 from 192.168.14.1
    [[email protected] ~ ]#ss -nt
    State      Recv-Q Send-Q   Local Address:Port    Peer Address:Port
    ESTAB      0      0        192.168.14.6:22       192.168.31.27:62718

 Example 3: after connecting to the remote host, run a command that opens a graphical interface

    [[email protected]:ssh]# ssh -X 192.168.14.6
    [email protected]'s password:
    Last login: Wed Jul 18 18:54:34 2018 from 192.168.14.1
    [[email protected] ~ ]#system-config-users
    system-config-users requires a currently running X server.
    [[email protected] ~ ]#system-config-users
    Xlib:  extension "RANDR" missing on display "localhost:12.0"

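    [Figures 1 and 2: images not preserved]
    The program runs on centos6 while the drawing happens on centos7, based on the X11 protocol. Whatever run mode centos6 is in (init 3, init 5, and so on), its graphical tools can be displayed on centos7.

    ------------------------------
    Xshell has the same feature [Figures 3, 4 and 5: images not preserved]

    X protocol forwarding
    All graphical applications are X clients
        • They can connect to a remote X server over TCP/IP
        • The data has no encryption mechanism of its own, but it travels securely through the ssh connection tunnel
    ssh -X [email protected] gedit
            The gedit tool on the remotehost machine is displayed on the local X server
            The transmitted data is encrypted by the ssh connection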

Example 4: hopping through several bastion hosts

    #centos7 is not allowed to connect to centos6, but another machine, centos7-1, can connect to centos6
    [[email protected] ssh ]#iptables -A INPUT -s 192.168.31.7 -j REJECT
    [[email protected]:ssh]# ssh -t 192.168.31.17 ssh 192.168.14.6
    [[email protected]:ssh]# ssh -t 192.168.31.17 ssh -t  192.168.31.27 ssh 192.168.14.6


=================================================================
=================================================================

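SSH login authentication methods

    Login with user name and password
        1 The client initiates an ssh request and the server sends its public key to the user
        2 The user encrypts the password with the public key the server sent
        3 The encrypted information is sent back to the server, which decrypts it with its private key; if the password is correct, the login succeeds

    Key-based authentication (/root/.ssh/authorized_keys)
        1 First generate a key pair on the client (ssh-keygen)
        2 Copy the client's public key to the server with ssh-copy-id
        The first two steps are preparation
        3 The client then sends a connection request that includes the IP and user name
        4 On receiving the request, the server looks in authorized_keys; if there is a matching IP and user, it generates a random string, for example: acdf
        5 The server encrypts the string with the public key copied from the client and sends it to the client
        6 On receiving the server's message, the client decrypts it with its private key and sends the decrypted string to the server
        7 The server compares the string received from the client with the original string; if they match, login without a password is allowed

Key-based authentication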

        [[email protected]:~]# ssh-keygen          #generates an ssh key pair, RSA by default
        Generating public/private rsa key pair.
        Enter file in which to save the key (/root/.ssh/id_rsa):
        /root/.ssh/id_rsa already exists.
        Overwrite (y/n)? y
        Enter passphrase (empty for no passphrase):
        Enter same passphrase again:
        Your identification has been saved in /root/.ssh/id_rsa.
        Your public key has been saved in /root/.ssh/id_rsa.pub.
        The key fingerprint is:
        SHA256:PIyFODiX7ZmdrJ/ych1YZxukLX3EFY5+1JjYtpAfzH8 [email protected]
        The key's randomart image is:
        +---[RSA 2048]----+
        |             . oo|
        |   . + .    .*=o.|
        |  o = o .  =+oOo.|
        |   o o X .+ B+o+ |
        |      = So + =o.E|
        |       .... . . .|
        |      .  . .     |
        |      o....      |
        |       =+        |
        +----[SHA256]-----+

        #the private key has mode 600
        [[email protected]:.ssh]# ll
        total 12
        -rw-------. 1 root root 1679 Jul 18 18:48 id_rsa
        -rw-r--r--. 1 root root  394 Jul 18 18:48 id_rsa.pub
        -rw-r--r--. 1 root root  966 Jul 18 16:24 known_hosts

        #dedicated command for copying the public key; if the private key is named, the public key is used instead by default
        [[email protected]:.ssh]# ssh-copy-id -i id_rsa 192.168.14.6
        #[[email protected]:.ssh]# ssh-copy-id  192.168.14.6
        /usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "id_rsa.pub"

        #what centos6 received is centos7's public key
        [[email protected] .ssh ]#pwd
        /root/.ssh
        [[email protected] .ssh ]#ls
        authorized_keys  known_hosts
        [[email protected] .ssh ]#cat authorized_keys
        ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCryPu31TT0RD6+y8uODvRRPygQNDinMW92HuOt+kZCV4S5SKReLCZ+7TvqLtJnGkofXr7AqH9VGLHVv8YxY7SOFT72brEFqAJJlbeKoQj0ZhopVkSAYms5sqcbz4OHaGHLmFZe7pN1EnbBUVnax1VsPF5jCsEKMQZeaCGHfYq+c5+kErwSnvr/5oNB66z0twSapP4gymoZML9Mas7btyuZ9QJ2wqN1dasjncPQBA7FsmNc6+EBxfEac8MdljW6MZ8M/S0y9Et6gi5en9pp8yuz96do6GifhT30UiN4QqLyPWJE8evuEjsyE+1F7I/yUSdksTbSayDrJudocnmlPJ91 [email protected]

        #connecting now: only the root user on centos7 can log in directly, without a password
        [[email protected]:.ssh]# ssh 192.168.14.6
        Last login: Wed Jul 18 19:01:41 2018 from 192.168.14.1
        [[email protected] ~ ]#

        #generate a key pair as a regular user
        [[email protected]:.ssh]# su - dhy
        Last login: Tue Jul 10 11:15:11 CST 2018 on pts/1
        [[email protected]:~]$ ssh-keygen -t dsa          #generate the key pair with the DSA algorithm
        Generating public/private dsa key pair.
        Enter file in which to save the key (/home/dhy/.ssh/id_dsa):       
        Created directory '/home/dhy/.ssh'.
        Enter passphrase (empty for no passphrase):              #passphrase that encrypts the private key; none is set here
        Enter same passphrase again:
        Copy the generated public key to the remote host

        #encrypt the private key after it has been generated
        [[email protected]:.ssh]$ ssh-keygen -p
        Enter file in which the key is (/home/dhy/.ssh/id_rsa):
        #-f selects the key file to encrypt
        [[email protected]:.ssh]$ ssh-keygen -p -f id_dsa
        [[email protected]:.ssh]$ ssh-keygen --help
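As an added example (not from the original post), the function below audits a `.ssh` directory for the file modes this section relies on: it flags a private key that group or others can access, and a directory or `authorized_keys` that group or others can write. `audit_ssh_dir` and `too_open` are hypothetical names, and the demo files are constructed placeholders rather than real keys.

```shell
#!/bin/sh
# Added example (not from the original post): flag ~/.ssh entries whose modes
# expose key material or are rejected by sshd under StrictModes.

# too_open PATH BITS... -> succeeds if any listed permission bit is set on PATH
too_open() {
    p=$1; shift
    for bit in "$@"; do
        [ -n "$(find "$p" -prune -perm "-$bit" 2>/dev/null)" ] && return 0
    done
    return 1
}

# audit_ssh_dir DIR -> prints one finding per line; returns 1 if any was found
audit_ssh_dir() {
    dir=$1; bad=0
    # a directory others can write lets them swap the files inside it
    if too_open "$dir" 020 002; then
        echo "DIR-WRITABLE $dir"; bad=1
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if head -n 1 "$f" | grep -q 'PRIVATE KEY-----'; then
            # the ssh client ignores a private key that group or others can access
            if too_open "$f" 040 020 010 004 002 001; then
                echo "PRIVATE-KEY-EXPOSED $f"; bad=1
            fi
        elif [ "${f##*/}" = authorized_keys ]; then
            # anyone who can write this file can grant themselves a login
            if too_open "$f" 020 002; then
                echo "AUTHKEYS-WRITABLE $f"; bad=1
            fi
        fi
    done
    return "$bad"
}

# Demo on a constructed directory (placeholder contents, not real keys).
d=$(mktemp -d)
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' > "$d/id_rsa"
printf '%s\n' 'ssh-rsa AAAAconstructed user@host' > "$d/authorized_keys"
chmod 700 "$d"; chmod 644 "$d/id_rsa"; chmod 600 "$d/authorized_keys"
audit_ssh_dir "$d" || echo "fix with: chmod 700 DIR; chmod 600 FILE"
rm -rf "$d"
```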

  ----------------------------------------

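 Connecting to a remote host from Xshell on Windows with a key

        Use the tool that ships with Xshell [Figure 6: image not preserved]. After generation, the private key is managed by Xshell by default. Save the public key to the desktop first, then copy it to the remote host, and on the remote host run: cat xshell_pub.key >> /root/.ssh/authorized_keys
        As in Figure 7 [image not preserved], Xshell on Windows can then connect with a key to any remote machine that holds the Xshell public key.

Enabling the ssh agent for the private-key passphrase
        Using the key pair generated on centos7, copy the public key to several other machines. Connecting from centos7 to those machines then only requires the passphrase of the private key generated on centos7. To avoid typing the passphrase every time, enable the agent: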
        [[email protected]:.ssh]$ ssh-agent bash
        [[email protected]:.ssh]$ ssh-add
        Identity added: /home/dhy/.ssh/id_dsa (/home/dhy/.ssh/id_dsa)
        [[email protected]:.ssh]$
        Once the agent exits, the private-key passphrase has to be entered again the next time you log in and connect to a remote host


Key-based connections between multiple machines
        One key pair can be copied to all machines
        #generate a key pair, then use ssh-copy-id to install the public key on the local machine
        [[email protected]:~]# ssh-keygen
        #connect to yourself, i.e. import the public key into your own machine (/root/.ssh/authorized_keys)
        [[email protected]:.ssh]# ssh-copy-id  192.168.31.7
        Script

       host.txt
        192.168.31.17 root centos
        192.168.31.27 root centos1
        192.168.31.37 root passwd

        #!/bin/bash
        #generate the key pair
        ssh-keygen -t rsa -P '' -f /root/.ssh/id_rsa &> /dev/null && echo "ssh key is Created"
        #each line of host.txt is: ip user password
        while read -r ip user password; do
            #note: answering "yes" accepts each host key without checking its fingerprint
            #the heredoc body and the closing EOF must start at column 0 of the script
            expect <<EOF
        set timeout 10
        spawn ssh-copy-id -i /root/.ssh/id_rsa.pub $user@$ip
        expect {
            "yes/no" { send "yes\n"; exp_continue }
            "password" { send "$password\n"; exp_continue }
            eof {}
        }
        EOF
            echo "$ip is finished"
        done < host.txt

 

 

 


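Introduction to SSH:

ssh replaces telnet; telnet is insecure because it transmits in plaintext
ssh: secure shell

Lab: the ssh service, C/S architecture (client/server)
socket: the unique address that identifies an application
ip + tcp/udp port
http tcp/80
ssh tcp/22

cat /etc/services

SSH
    ssh: secure shell, protocol, 22/tcp, secure remote login
    Software implementations:
        OpenSSH: an open-source implementation of the ssh protocol, installed by default on CentOS
        dropbear: another open-source implementation (the name translates literally as "abandoned bear")
    SSH protocol versions
        v1: uses CRC-32 as the MAC, insecure; man-in-middle
        v2: the two hosts negotiate a secure MAC method
        Key exchange is based on the DH algorithm; identity authentication is based on RSA or DSA
    Two methods of user login authentication:
        password-based
        key-based


Components of the openssh software
    Related packages:
        openssh
        openssh-clients
        openssh-server
    Tools:
        Based on a C/S architecture
        Client: ssh, scp, sftp, slogin
            Windows clients:
            xshell, putty, securecrt, ssh secure shell client
        Server: sshd

The ssh client
    Client components:
    ssh, configuration file: /etc/ssh/ssh_config
            Host PATTERN
                 StrictHostKeyChecking no    the first login does not show the check prompt
    Format: ssh [[email protected]]host [COMMAND]
            ssh [-l user] host [COMMAND]
    Common options
            -p port: the port the remote server listens on
            -b: specify the source IP of the connection
            -v: debug mode
            -C: compression
            -X: enable X11 forwarding
            -Y: enable trusted X11 forwarding
            ForwardX11Trusted yes
            -t: force pseudo-tty allocation
                ssh -t remoteserver1 ssh remoteserver2

    Allows authenticated, encrypted, secure access to remote systems
    When a user connects to an ssh server, the public key in the server's /etc/ssh/ssh_host*key.pub file (ssh_host_ecdsa_key.pub by default on CentOS7) is copied to ~/.ssh/known_hosts on the client. On the next connection the corresponding private key is matched automatically; if it cannot be matched, the connection is refused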
-----------------------------------------------------------------------

 

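ssh service login authentication
    Login authentication methods of the ssh service:
        user/password
        key-based
    Login authentication with user name and password
        1 The client initiates an ssh request and the server sends its public key to the user
        2 The user encrypts the password with the public key the server sent
        3 The encrypted information is sent back to the server, which decrypts it with its private key; if the password is correct, the login succeeds
    Key-based login
        1 First generate a key pair on the client (ssh-keygen)
        2 Copy the client's public key to the server with ssh-copy-id
        The first two steps are preparation
        3 The client then sends a connection request that includes the IP and user name
        4 On receiving the request, the server looks in authorized_keys; if there is a matching IP and user, it generates a random string, for example: acdf
        5 The server encrypts the string with the public key copied from the client and sends it to the client
        6 On receiving the server's message, the client decrypts it with its private key and sends the decrypted string to the server
        7 The server compares the string received from the client with the original string; if they match, login without a password is allowed

Key-based authentication
    Key-based authentication:
    (1) Generate a key pair on the client
             ssh-keygen -t rsa [-P ''] [-f "~/.ssh/id_rsa"]
    Transfer the public key file to the home directory of the corresponding user on the remote server
            ssh-copy-id [-i [identity_file]] [[email protected]]host
    Test
    Key-based authentication in SecureCRT or Xshell
    In SecureCRT: Tools -> Create Public Key -> generate the Identity.pub file
    Convert it to the openssh-compatible format (needed for SecureCRT; Xshell needs no conversion) and copy it into the authorized_keys file on the host to log in to; note that the permissions must be 600. On the ssh host to log in to, run:
            ssh-keygen -i -f Identity.pub >> .ssh/authorized_keys

    (5) Reset the private-key passphrase:
            ssh-keygen -p
    (6) The authentication agent keeps the decrypted key private
            • so the passphrase only has to be entered once
            • in GNOME, the agent is provided to the root user automatically
            • otherwise run ssh-agent bash
    (7) Keys are added to the agent with the command
            ssh-add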

 

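Copyright notice: this is an original article by csdn_immortal, released under the CC 4.0 BY-SA license. When reposting, include a link to the original source and this notice.
Article link: https://blog.csdn.net/csdn_immortal/article/details/81104935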