ssh 信任关系无密码登陆,清除公钥,批量脚本
实验机器:
主机a:192.168.2.128
主机b:192.168.2.130
实验目标: 手动建立a到b的信任关系,实现在主机a通过 ssh 192.168.2.130不用输入密码远程登陆b主机
1、a主机生成公钥
ssh-keygen -t rsa 三次回车
[root@localhost ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
/root/.ssh/id_rsa already exists.
Overwrite (y/n)?
[root@localhost ~]# cd .ssh
[root@localhost ~]# ls –a
2、将公钥复制到b主机
[root@localhost .ssh]# scp id_rsa.pub root@192.168.255.130:/root
在b主机上将刚才传输过来的公钥文件 追加到root/.ssh/authorized_keys文件里
[root@localhost ~]# cat ~/id_ras.pub >>/root/.ssh/authorized_keys
#没有这个文件的话会自动创建
3、在b主机中设置权限:
[root@localhost ~]# chmod 700 .ssh
[root@localhost ~]# chmod 600 .ssh/authorized_keys
#注意权限必须为700和600,否则不能成功
在a主机验证:
[root@localhost .ssh]# ssh 192.168.255.130
Last login: Fri Mar 17 17:28:34 2017 from 192.168.255.128
退出:
[root@localhost ~]# exit
logout
Connection to 192.168.255.130 closed
第2步和第3步可以用下面的命令代替
ssh-copy-id -i ~/.ssh/id_rsa.pub root@192.168.255.130
清除公钥信息:
ssh-keygen -R 192.168.255.130
如果主机过多,一个个敲命令肯定不现实,脚本如下,此脚本需要安装expect命令
[root@localhost ~]# rpm -qa |grep expect
[root@localhost ~]# yum install expect
[root@localhost ~]# vim install_ssh.sh
#!/bin/bash
#批量ssh认证建立
for p in $(cat /root/ip.txt) #注意ip.txt文件的绝对路径
do
ip=$(echo "$p"|cut -f1 -d":") #取ip.txt文件中的ip地址
password=$(echo "$p"|cut -f2 -d":") #取ip.txt文件中的密码
#expect自动交互开始
expect -c "
spawn ssh-copy-id -i /root/.ssh/id_rsa.pub root@$ip
expect {
\"*yes/no*\" {send \"yes\r\"; exp_continue}
\"*password*\" {send \"$password\r\"; exp_continue}
\"*Password*\" {send \"$password\r\";}
}
"
done
将要建立关系的服务器ip和密码写在ip.txt里,格式如下
ip:密码
[root@localhost ~]# cat ip.txt
172.16.0.113:123456
172.16.0.114:123456
执行过程:
[root@localhost ~]# ./install_ssh.sh
spawn ssh-copy-id -i /root/.ssh/id_rsa.pub root@172.16.0.113
The authenticity of host '172.16.0.113 (172.16.0.113)' can't be established.
RSA key fingerprint is 4d:24:d4:2e:85:c2:6f:73:01:d5:23:b8:50:97:f8:9c.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.0.113' (RSA) to the list of known hosts.
Now try logging into the machine, with "ssh 'root@172.16.0.113'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
spawn ssh-copy-id -i /root/.ssh/id_rsa.pub root@172.16.0.114
The authenticity of host '172.16.0.114 (172.16.0.114)' can't be established.
RSA key fingerprint is 4d:24:d4:2e:85:c2:6f:73:01:d5:23:b8:50:97:f8:9c.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.0.114' (RSA) to the list of known hosts.
Now try logging into the machine, with "ssh 'root@172.16.0.114'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
验证一下:
[root@localhost ~]# ssh 172.16.0.113
Last login: Fri May 19 19:28:38 2017 from 172.16.0.111
[root@localhost ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:3b:4b:c5 brd ff:ff:ff:ff:ff:ff
inet 172.16.0.113/23 brd 172.16.1.255 scope global eth0
inet6 fe80::20c:29ff:fe3b:4bc5/64 scope link
valid_lft forever preferred_lft forever
好了