1、服务端端口号变化了,如何基于秘钥连接

1.1 环境准备

实验环境:

  1. [root@test ~]# cat /etc/redhat-release
  2. CentOS release 6.9 (Final)

将一台服务器的ssh服务端口修改为63389

  1. [root@test ~]# netstat -lntup|grep sshd
  2. tcp 0 0 0.0.0.0:63389 0.0.0.0:* LISTEN 5083/sshd
  3. tcp 0 0 :::63389 :::* LISTEN 5083/sshd

1.2 通过另外一台服务器创建并分发密钥

第一个里程碑: 现创建密钥使用 ssh-keygen

  1. [root@backup ~]# ssh-keygen -t rsa
  2. Generating public/private rsa key pair.
  3. Enter file in which to save the key (/root/.ssh/id_rsa): #指定密钥对的保存路径
  4. Enter passphrase (empty for no passphrase): #为密钥对创建密码
  5. Enter same passphrase again: #确认为密钥对创建的密码
  6. Your identification has been saved in /root/.ssh/id_rsa.
  7. Your public key has been saved in /root/.ssh/id_rsa.pub.
  8. The key fingerprint is:
  9. 72:48:65:1d:25:69:e1:4c:ae:2b:6f:a5:aa:70:96:1e root@backup
  10. The key's randomart image is:
  11. +--[ RSA 2048]----+ #2048表示加密的位数为2048位
  12. | o.==. |
  13. | o =+. |
  14. | . .+ |
  15. | . . . |
  16. | o S |
  17. | . o .. |
  18. | . E . .o |
  19. | = . oo |
  20. | o..o. |
  21. +-----------------+

第二个里程碑:分发密钥,注意ssh的端口

  1. [root@backup ~]# ssh-copy-id -i ~/.ssh/id_rsa.pub "-p63389 172.16.1.250"
  2. The authenticity of host '[172.16.1.250]:63389 ([172.16.1.250]:63389)' can't be established.
  3. RSA key fingerprint is d3:41:bb:0d:43:88:da:a3:2c:e8:36:91:11:c9:e4:9c.
  4. Are you sure you want to continue connecting (yes/no)? yes
  5. Warning: Permanently added '[172.16.1.250]:63389' (RSA) to the list of known hosts.
  6. root@172.16.1.250's password:
  7. Now try logging into the machine, with "ssh '-p63389 172.16.1.250'", and check in:
  8. .ssh/authorized_keys #分发到对端服务器后进行改名
  9. to make sure we haven't added extra keys that you weren't expecting.

说明:
通过 man 手册找到密钥分发的命令格式。
-i 参数指定 公钥文件的存放位置
[use@]表示使用的用户,默认使用当前登陆的用户
-p 指定端口,主要要在双引号之间(通过cat which ssh-copy-id 命令脚本内容得知)

[root@backup ~]# man ssh-copy-id Formatting page, please wait… SSH-COPY-ID(1) SSH-COPY-ID(1) NAME ssh-copy-id - install your public key in a remote machine’s autho- rized_keys SYNOPSIS

第三个里程碑: 测试密钥登陆

  1. [root@backup ~]# ssh 172.16.1.250 -p 63389
  2. Last login: Wed Oct 18 15:42:05 2017 from 10.0.0.41
  3. [root@test ~]#

2、如何实现自动创建秘钥对,同时分发公钥(编写脚本实现)

脚本内容:

  1. [root@m01 ~]# vim /server/scripts/piliang_fenfa.sh
  2. #!/bin/bash
  3. #make key
  4. \rm -f /root/.ssh/id_dsa
  5. ssh-keygen -t dsa -f /root/.ssh/id_dsa -P "" -q
  6. #fengfagongyao
  7. for ip in 8 31 41
  8. do
  9. echo ====fenfa key to host 172.16.1.$ip====
  10. sshpass -p123456 ssh-copy-id -i /root/.ssh/id_dsa.pub "-o StrictHostKeyChecking=no root@172.16.1.$ip"
  11. echo ===============fenfa end==============
  12. echo ""
  13. done

脚本说明:

  1. ssh-keygen -t dsa -f /root/.ssh/id_dsa -P "" -q

创建密钥,-f指定存放位置,-P 密钥加密的密码 -q 减少信息输出

  1. sshpass -p123456 ssh-copy-id -i /root/.ssh/id_dsa.pub "-o StrictHostKeyChecking=no root@172.16.1.$ip"

这里需要安装一个软件 yum install sshpass -y 用来提供中户密码
ssh-copy-id 命令来分发密钥 -i 指定密钥本地存放的路径
-o StrictHostKeyChecking=no 在登陆其他服务器是不选择yes/no

  1. for ip in 8 31 41

这里使用for循环来对ip地址进行变化。

附录:CentOS 7密钥分发脚本

  1. #!/bin/bash
  2. . /etc/rc.d/init.d/functions
  3. yum install sshpass -y >/dev/null
  4. # 创建密钥
  5. \rm ~/.ssh/id_rsa* -f
  6. ssh-keygen -t rsa -f ~/.ssh/id_rsa -N "" -q
  7. # 分发公钥
  8. for ip in 61 21 51 31 41 8 7 9 5 6
  9. do
  10. sshpass -p123456 ssh-copy-id -o "StrictHostKeyChecking no" -i /root/.ssh/id_rsa.pub 172.16.1.$ip &>/dev/null
  11. if [ $? -eq 0 ];then
  12. action "fenfa 172.16.1.$ip" /bin/true
  13. else
  14. action "fenfa 172.16.1.$ip" /bin/false
  15. fi
  16. echo ""
  17. done