K&

Practical key authentication

 

ssh-copy-id -i ~/.ssh/id_rsa.pub -p port root@ip

 

 

[root@master ~]# ssh-keygen -f /root/.ssh/id_rsa -P ''
Generating public/private rsa key pair.
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:bNEK2Pzah70XtL8XQ4oPmw/D0cjzVA8AM8WG0ONB9Ns root@master
The key's randomart image is:
+---[RSA 2048]----+
|        .=*=o    |
|     +   .=+o.   |
|    . + ...+. .. |
|       + oo +o.o.|
|        S  *o+E .|
|       + o.oB. o |
|      . o o+=+  o|
|         . ++.. .|
|          .....o |
+----[SHA256]-----+

 

[root@master ~]# sshpass -e ssh-copy-id 10.0.24.17
sshpass: -e option given but SSHPASS environment variable not set

[root@master ~]# export SSHPASS=root123.

[root@master ~]# sshpass -e ssh-copy-id 10.0.24.17
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh '10.0.24.17'"
and check to make sure that only the key(s) you wanted were added.

[root@master ~]# 

 

Remember to use these when needed after hardening (they are the parameters in sshd_config)

 

Official documentation

 

-o option


Can be used to give options in the format used in the configuration file. This is useful for specifying
options for which there is no separate command-line flag. For full details of the options listed below,
and their possible values, see ssh_config(5).

AddKeysToAgent
AddressFamily
BatchMode
BindAddress
CanonicalDomains
CanonicalizeFallbackLocal
CanonicalizeHostname
CanonicalizeMaxDots
CanonicalizePermittedCNAMEs
CertificateFile
ChallengeResponseAuthentication
CheckHostIP
Cipher
Ciphers
ClearAllForwardings
Compression
CompressionLevel
ConnectionAttempts
ConnectTimeout
ControlMaster
ControlPath
ControlPersist
DynamicForward
EscapeChar
ExitOnForwardFailure
FingerprintHash
ForwardAgent
ForwardX11
ForwardX11Timeout
ForwardX11Trusted
GatewayPorts
GlobalKnownHostsFile
GSSAPIAuthentication
GSSAPIKeyExchange
GSSAPIClientIdentity
GSSAPIDelegateCredentials
GSSAPIRenewalForcesRekey
GSSAPITrustDns
GSSAPIKexAlgorithms
HashKnownHosts
Host
HostbasedAuthentication
HostbasedKeyTypes
HostKeyAlgorithms
HostKeyAlias
HostName
IdentitiesOnly
IdentityAgent
IdentityFile
Include
IPQoS
KbdInteractiveAuthentication
KbdInteractiveDevices
KexAlgorithms
LocalCommand
LocalForward
LogLevel
MACs
Match
NoHostAuthenticationForLocalhost
NumberOfPasswordPrompts
PasswordAuthentication
PermitLocalCommand
PKCS11Provider
Port
PreferredAuthentications
Protocol
ProxyCommand
ProxyJump
ProxyUseFdpass
PubkeyAcceptedKeyTypes
PubkeyAuthentication
RekeyLimit
RemoteForward
RequestTTY
RhostsRSAAuthentication
RSAAuthentication
SendEnv
ServerAliveInterval
ServerAliveCountMax
StreamLocalBindMask
StreamLocalBindUnlink
StrictHostKeyChecking:

  StrictHostKeyChecking=no

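  yes or no or ask  (type yes to authenticate, or type nothing, or the default, which means you still have to type it; if you want to distribute keys non-interactively, you will definitely use this after changing the port)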

  
TCPKeepAlive
Tunnel
TunnelDevice
UpdateHostKeys
UsePrivilegedPort
User
UserKnownHostsFile
VerifyHostKeyDNS
VisualHostKey
XAuthLocation
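
The non-interactive key distribution shown above, wrapped for several hosts on non-default ports. This is an added example, not code from the original post. The `user@host[:port]` entry format, the function names, the second host and port 2222 are assumptions, and it defaults to `StrictHostKeyChecking=accept-new` (OpenSSH 7.6 or later) in place of `no`, which `HOSTKEY_POLICY` can override.

```sh
#!/bin/sh
# Added example: unattended public-key distribution with sshpass + ssh-copy-id.
# Entry format "user@host[:port]" and all function names are assumptions.

PUBKEY="${PUBKEY:-$HOME/.ssh/id_rsa.pub}"
# accept-new stores an unknown host key without prompting but still refuses a
# host whose stored key has changed; the page's "no" skips that check as well.
HOSTKEY_POLICY="${HOSTKEY_POLICY:-accept-new}"

# Split one entry into "target port", defaulting to port 22.
parse_entry() {
    case $1 in
        *:*) target=${1%:*}; port=${1##*:} ;;
        *)   target=$1; port=22 ;;
    esac
    case $port in
        ''|*[!0-9]*) echo "invalid port in '$1'" >&2; return 1 ;;
    esac
    [ -n "$target" ] || { echo "empty target in '$1'" >&2; return 1; }
    printf '%s %s\n' "$target" "$port"
}

# Install $PUBKEY on every entry. DRY_RUN=1 (default) only prints the commands.
# Returns the number of entries that failed, or 2 if SSHPASS is missing.
distribute_keys() {
    failed=0
    if [ "${DRY_RUN:-1}" != 1 ] && [ -z "${SSHPASS:-}" ]; then
        echo "SSHPASS is not set; sshpass -e has no password to read" >&2
        return 2
    fi
    for entry in "$@"; do
        parsed=$(parse_entry "$entry") || { failed=$((failed + 1)); continue; }
        target=${parsed% *}
        port=${parsed##* }
        if [ "${DRY_RUN:-1}" = 1 ]; then
            printf 'sshpass -e ssh-copy-id -i %s -p %s -o StrictHostKeyChecking=%s %s\n' \
                "$PUBKEY" "$port" "$HOSTKEY_POLICY" "$target"
        else
            sshpass -e ssh-copy-id -i "$PUBKEY" -p "$port" \
                -o "StrictHostKeyChecking=$HOSTKEY_POLICY" "$target" \
                || failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Dry run over a constructed host list (10.0.24.18 and port 2222 are made up).
distribute_keys root@10.0.24.17 root@10.0.24.18:2222
```

Set `DRY_RUN=0` and export `SSHPASS` to install the key instead of printing the commands.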

posted on 2022-01-25 13:47  K&