Overview
- The prerequisite for batch management is being able to log into the maintained systems without interaction.
Security settings
/etc/ssh/sshd_config configuration file
| Setting | Description |
| --- | --- |
| ClientAliveInterval 600 | Around line 112; the default is 0. Type: SSH idle timeout detection |
/etc/security/pwquality.conf configuration file
| Setting | Description |
| --- | --- |
| minclass=3 | Type: SSH password complexity check. Risk description: minclass in /etc/security/pwquality.conf should be set to 3 or 4. Fix: in /etc/security/pwquality.conf, set minclass (the minimum number of character classes a password must contain out of the four classes lowercase letters, uppercase letters, digits and special characters) to 3 or 4, e.g. minclass=3 |
Create the key pair
ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:XdZjgxKyFHW14/uze8MXOxGVdQhMAPxCaGiL5bNZmJU root@m01
The key's randomart image is:
+---[RSA 2048]----+
| . +=++++o..=|
| + E.oo o.o.oo|
| = * .... + B .|
| . * . ...+ o = |
| = S.. . .|
| o + |
| o +|
| Bo|
| oX|
+----[SHA256]-----+
Copy the public key to the managed host
ssh-copy-id -i /root/.ssh/id_rsa.pub root@172.16.1.11
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '172.16.1.11 (172.16.1.11)' can't be established.
ECDSA key fingerprint is SHA256:4/rqQ7bxJpagLBhy07XmOI0oe1ywlFa67jCLdug8JfU.
ECDSA key fingerprint is MD5:92:ae:6f:d0:74:57:5f:34:74:ab:96:f0:66:a3:d0:43.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@172.16.1.11's password: <- enter the managed server's password
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'root@172.16.1.11'"
and check to make sure that only the key(s) you wanted were added.
Check whether the public key has been installed on the managed server
ll .ssh/authorized_keys
-rw------- 1 root root 390 Mar 19 12:09 .ssh/authorized_keys
In my case the transfer has completed!
Note: on the remote server the file is named authorized_keys.
Test
[root@m01 ~] $ ssh root@172.16.1.11
Last login: Sun Mar 19 12:08:52 2023 from 172.16.1.1
[root@backup01 ~]
Tested: the management host can now log into the managed server directly, with no password prompt!
Distribute the key non-interactively
Install the software
yum install -y sshpass
Suppress the yes/no prompt, shown below
ssh-copy-id -i /root/.ssh/id_rsa.pub root@172.16.1.11
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '172.16.1.11 (172.16.1.11)' can't be established.
ECDSA key fingerprint is SHA256:4/rqQ7bxJpagLBhy07XmOI0oe1ywlFa67jCLdug8JfU.
ECDSA key fingerprint is MD5:92:ae:6f:d0:74:57:5f:34:74:ab:96:f0:66:a3:d0:43.
Are you sure you want to continue connecting (yes/no)?
Add -o StrictHostKeyChecking=no to suppress it; see the example below
ssh-copy-id -i /root/.ssh/id_rsa.pub root@172.16.1.11 "-o StrictHostKeyChecking=no"
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@172.16.1.11's password:
Use sshpass to suppress the password prompt
sshpass -p123 ssh-copy-id -i /root/.ssh/id_rsa.pub root@172.16.1.11 "-o StrictHostKeyChecking=no"
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
Number of key(s) added: 1
Now try logging into the machine, with: "ssh -o ' StrictHostKeyChecking=no' 'root@172.16.1.11'"
and check to make sure that only the key(s) you wanted were added.
The complete command is as follows
sshpass -p123 ssh-copy-id -i /root/.ssh/id_rsa.pub root@172.16.1.11 "-o StrictHostKeyChecking=no"
Note: if the sshd port on the managed host has been changed from the default 22, use the following form
sshpass -p123 ssh-copy-id -i /root/.ssh/id_rsa.pub root@172.16.1.11 -p 22 "-o StrictHostKeyChecking=no"
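As an added example (not part of the original post), the following bash script runs the whole procedure above over a host list and then verifies the result: key distribution with sshpass and ssh-copy-id, an authorized_keys check that compares the actual key material and the 600 mode shown in the listing above, and a remote re-check over the new key. The helper names distribute_key, key_installed and verify_hosts are hypothetical; the script assumes the host list has one user@host per line and takes the password from the SSHPASS environment variable (sshpass -e) instead of -p, which keeps it out of process listings and shell history.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: install one public key on a list
# of managed hosts non-interactively, then confirm it really landed. Assumes
# bash, sshpass and ssh-copy-id on the management host, a host list with one
# "user@host" per line, and the password in the SSHPASS environment variable
# (sshpass -e), which keeps it out of `ps` output and shell history.

PUBKEY=${PUBKEY:-/root/.ssh/id_rsa.pub}
SSH_PORT=${SSH_PORT:-22}   # change if sshd on the managed hosts is not on 22

# Push $PUBKEY to every host in $1 (hypothetical helper name).
distribute_key() {
    local hostfile=$1 target
    while read -r target; do
        [ -z "$target" ] && continue
        if sshpass -e ssh-copy-id -i "$PUBKEY" -p "$SSH_PORT" \
               -o StrictHostKeyChecking=no "$target" >/dev/null 2>&1; then
            echo "OK   $target"
        else
            echo "FAIL $target"
        fi
    done < "$hostfile"
}

# Check that authorized_keys ($2) holds the key material from $1 and is mode
# 600 (the -rw------- above). Returns 0 ok, 1 key absent, 2 wrong mode.
key_installed() {
    local pubkey=$1 authfile=$2 keydata
    keydata=$(awk '{print $2}' "$pubkey")
    grep -qF -- "$keydata" "$authfile" || return 1
    find "$authfile" -perm 600 | grep -q . || return 2
    return 0
}

# Repeat the key check on each host over the newly installed key;
# BatchMode=yes makes ssh fail instead of prompting if the key did not work.
verify_hosts() {
    local hostfile=$1 target keydata
    keydata=$(awk '{print $2}' "$PUBKEY")
    while read -r target; do
        [ -z "$target" ] && continue
        if ssh -p "$SSH_PORT" -o BatchMode=yes "$target" \
               "grep -qF -- '$keydata' ~/.ssh/authorized_keys"; then
            echo "VERIFIED $target"
        else
            echo "MISSING  $target"
        fi
    done < "$hostfile"
}
```

Source the script on the management host and run `distribute_key hosts.txt && verify_hosts hosts.txt` with SSHPASS exported; run `key_installed` on a managed host to check a single authorized_keys file.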