Total Pageviews

Saturday, 16 March 2013

ssh-copy-id 快速的與遠端主機建立ssh認證(包含非22 port)

ssh-copy-id是ssh client套件內一個預設的指令,簡單的來說他只是一個script,當你在本機電腦已經有產生了RSA or DSA authentication,可以透過ssh-copy-id的指令將認證傳送到遠端主機。

如何建立RSA or DSA authentication?
$ ssh-keygen -t dsa (ssh-keygen -t rsa)
Generating public/private dsa key pair.
Enter file in which to save the key (/root/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_dsa.
Your public key has been saved in /root/.ssh/id_dsa.pub.
The key fingerprint is:
--:--:--:--:--:--:--:--:--:--:--:--:--:--:--:-- root@localhost
id_dsa.pub或id_rsa.pub預設將會處出在 使用者家目錄/.ssh/,若要與遠端主機建立認證,則需要將此檔案內容附加到遠端主機的使用者家目錄 ~/.ssh/authorized_keys

RSA與DSA的差異
ssh-keygen can create RSA keys for use by SSH protocol version 1 and RSA or DSA keys for use by SSH protocol version 2

簡單來說,若您只使用SSH protocol version 2,建議使用DSA來建立authentication。

ssh-copy-id的運用
$ ssh-copy-id.orig -i ~/.ssh/id_dsa.pub wawa@remotehost.com
或者ssh-copy-id -i ~/.ssh/id_dsa.pub wawa@remotehost.com

wawa@remotehost's password: (需要輸入一次密碼)
Now try logging into the machine, with "ssh 'wawa@remotehost'", and check in:
  .ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.

簡單的執行 ssh-copy-id.orig -i 認證檔案 帳號@主機 就可以完成認證,之後就可以直接不敲密碼就ssh連線到遠端主機

基本上對外服務的主機,ssh listen port都會改掉預設的22 port,如此一來可以減少主機被入侵的機會,更改ssh listen port是最基本的第一道防線,請將設定檔內的 Port 22 進行更改,並且重新啟動ssh的服務。

但是當您改掉ssh listen port之後,ssh-copy-id這個好用的指令將無法運用,這樣一來不是很可惜嗎?於是我們就可以對ssh-copy-id這個script進行一些修改,讓他可以支援指定不同的service port。

更改ssh-copy-id
$ cp /usr/bin/ssh-copy-id /usr/bin/ssh-copy-id.orig
$ vi /usr/bin/ssh-copy-id
#!/bin/sh

# Shell script to install your identity.pub on a remote machine
# Takes the remote machine name as an argument.
# Obviously, the remote machine must accept password authentication,
# or one of the other keys in your ssh-agent, for this to work.

ID_FILE="${HOME}/.ssh/identity.pub"

while getopts ':i:p:P:h' OPTION
do
    case $OPTION in
        i)
        if [ -n "$OPTARG" ]; then
            if expr "$OPTARG" : ".*.pub" > /dev/null ; then
                ID_FILE="$OPTARG"
            else
                ID_FILE="$OPTARG.pub"
            fi
        fi
        ;;
        P|p)
            PORT=$OPTARG;
        ;;
        h)
            echo "Usage: $0 [-i [identity_file]] [user@]machine" >&2
            exit 1
        ;;
    esac;
done;

shift $(($OPTIND - 1))

if [ $# -lt 1 ] && [ x$SSH_AUTH_SOCK != x ] ; then
   GET_ID="$GET_ID ssh-add -L"
fi

if [ -z "`eval $GET_ID`" ] && [ -r "${ID_FILE}" ] ; then
  GET_ID="cat ${ID_FILE}"
fi

if [ -z "`eval $GET_ID`" ]; then
  echo "$0: ERROR: No identities found" >&2
  exit 1
fi

if [ -z $PORT ]; then
    PORTOPTION=""
else
    PORTOPTION="-p $PORT "
fi;

{ eval "$GET_ID" ; } | ssh $PORTOPTION $1 "umask 077; test -d .ssh || mkdir .ssh ; cat >> .ssh/authorized_keys" || exit 1

cat <<EOF
Now try logging into the machine, with "ssh $PORTOPTION'$1'", and check in:

  .ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

EOF

主要是增加了port的設定進去,建議可以直接複製貼上取代即可。

ssh-copy-id with port的運用
$ ssh-copy-id -i ~/.ssh/id_dsa.pub -p 1234 wawa@remotehost.com
wawa@remotehost.com's password: (需要輸入一次密碼)
Now try logging into the machine, with "ssh -p 1234 'wawa@remotehost'", and check in:
  .ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.

ssh-copy-id with port的認證就完成囉!

以前建立ssh的認證老是很麻煩,自己先讀取一下本機pub檔案的內容,之後連到遠端主機,再自己貼上,有時候還會遇到目錄檔案權限的問題無法順利完成認證,認識ssh-copy-id這個指令,一切更方便了,希望對於常常管理主機的您也有幫助唷.
----------------------------------------------

scp, ssh 等命令不使用密码的解决方法

    对于习惯使用命令行的朋友来说,ssh, scp 应该是能够频繁接触到的吧。这里就介绍一个不输入密码来远程拷贝文件的方法。
   目的:主机1 用 scp 拷贝文件到主机 2 时,不需要密码
    主机1:192.168.0.1
    主机2:192.168.0.2


    首先,在两台主机上都运行以下命令:
   # ssh-keygen -t rsa
    一路回车就好.
    然后,在主机 1 上运行:
    # ssh-copy-id -i ~/.ssh/id_rsa.pub 192.168.0.2