1. DSA authentication
Many years ago telnet was the norm, but as security awareness grew, the safety of logging in over telnet came into question. When ssh (Secure Shell) appeared it changed those habits, and today everyone administering Linux logs in with ssh. I won't go into the advantages of ssh here at length; among other things it can work together with rsync for remote backups, and once ssh is set up, scp is available as well, so files can be copied between machines with the data encrypted in transit.
Shell Script & ssh
Automated jobs let an administrator get things done efficiently, without spending people's time doing the same work over and over. Having a script connect to a remote system and do work unattended is somewhat troublesome, because you have to log in to that system before anything else can happen. To avoid this login step we can create a public key that the remote machine trusts, so that we can connect directly without typing an account name and password.
Creating the public and private keys
Use ssh-keygen to generate a public and a private key, then send the public key to the remote machine so that it trusts logins from this host.
[steven@cute steven]$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/steven/.ssh/id_dsa):
Enter passphrase (empty for no passphrase): <- just press Enter
Enter same passphrase again: <- just press Enter
Your identification has been saved in /home/steven/.ssh/id_dsa.
Your public key has been saved in /home/steven/.ssh/id_dsa.pub.
The key fingerprint is:
fa:c9:a9:e4:d5:70:52:88:cc:f3:25:fd:68:ae:c4:4b [email protected]
[steven@cute steven]$
Next, look in /home/steven/.ssh: two new files, id_dsa and id_dsa.pub, have appeared.
[steven@cute steven]$ cd .ssh
[steven@cute .ssh]$ ls
id_dsa id_dsa.pub known_hosts
[steven@cute .ssh]$
Now we want to log in to the remote machine mirror.abc.com as sandy without entering a password. To do that, we copy id_dsa.pub to sandy@mirror.abc.com and add it to authorized_keys.
[steven@cute .ssh]$ scp id_dsa.pub sandy@mirror.abc.com:~/id_dsa_steven.pub
sandy@mirror.abc.com's password:
id_dsa.pub 100% |*****************************| 607 00:00
[steven@cute .ssh]$
[steven@cute .ssh]$ ssh sandy@mirror.abc.com
sandy@mirror.abc.com's password:
-bash-2.05b$ ls id_dsa_steven.pub
id_dsa_steven.pub
-bash-2.05b$ cat id_dsa_steven.pub >> .ssh/authorized_keys
-bash-2.05b$ exit
When that is done, log out, return to the local machine, and ssh to mirror.abc.com once more.
[steven@cute .ssh]$ ssh sandy@mirror.abc.com
-bash-2.05b$
This time you are logged in directly, with no password prompt.
Protect your private key
Generating the DSA key produces one private key and one public key. In practice, keep both and back them up: when ssh logs in, the remote id_dsa.pub and the local id_dsa are checked against each other, and if that check fails you will be asked for the password again.
Source: http://ms.ntcb.edu.tw/~steven/article/ssh-keygen.htm
2. RSA authentication
1. ssh to server1
Connect to server1 and generate a public/private key pair.
ssh myusername@server1
password:
ssh-keygen -t rsa
When you run this command you will be prompted to answer several questions. Just hit enter each time until you are returned to a prompt.
Generating public/private rsa key pair.
Enter file in which to save the key (/home/local/myusername/.ssh/id_rsa):
Created directory '/home/local/myusername/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/local/myusername/.ssh/id_rsa.
Your public key has been saved in /home/local/myusername/.ssh/id_rsa.pub.
The key fingerprint is:
15:68:47:67:0d:40:e1:7c:9a:1c:25:18:be:ab:f1:3a myusername@server1
The key's randomart image is:
+--[ RSA 2048]----+
| .*Bo=o |
| .+o.* . |
| ...= . |
| + = |
| S + |
| . |
| . . |
| E+ |
| oo. |
+-----------------+
Now you will need to copy the public key you just generated and save it somewhere; you will need it later. Also make sure that when you copy the key the text is all on one line: if there are line breaks in the text, it will cause problems later when you try to use the key.
cd .ssh
cat id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAyFS7YkakcjdyCDOKpE4RrBecRUWShgmwWnxhbVNHmDtJtKPqdiLcsVG5PO94hv3A0QqlB1MX33vnP6HzPPS7L4Bq+5plSTyNHiDBIqmZqVVxRbRUKbP44BaA9RsW2ROu8qdzmXRPupkyFBBOLa23RJJojBieFGygR2OwjS8cq0kpZh1I3c1fbU9I5j38baUK0naTBe2v7s/C8allnJhwkfds+Q9/kjaV55pMZIh+9jhoA8acCA6B55DYrgPSycW6fEyV/1PIER+a5lOXp1QCn0U+XFTb85dp5fW0/rUnu0F9nBJFlo7Rvc1cMuSUiul/wvJ8tzlOhU8FUlHvHqoUUw== myusername@server1
2. ssh to server2
Now we will copy the public key from server1 to server2.
ssh myusername@server2
password:
mkdir .ssh
cd .ssh
vi authorized_keys
# paste the public key
chmod 600 authorized_keys
3. Test that your setup is working
ssh myusername@server1
password:
ssh myusername@server2
# you should not be prompted for a password!
That is all!
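Both walkthroughs above install the public key by hand (cat >> authorized_keys in the first, vi plus chmod 600 in the second), and the second one warns that a key wrapped across lines will break login. The following POSIX sh script is an added example, not code from either article, that does the server-side step the way an unattended script should: it refuses a key file that is not a single line, creates ~/.ssh with mode 700 and authorized_keys with mode 600 (the modes sshd's default StrictModes setting insists on), and appends the key only if that exact line is not already there, so rerunning it never duplicates entries. The function names (valid_pubkey, install_pubkey, key_count, demo), the temporary home directory and the key blob in the demo are all constructed for this example; the blob is not a real key.

```shell
#!/bin/sh
# Added example (not from either article above): install an OpenSSH public key
# into a user's authorized_keys with the checks the articles only mention in
# prose. Usage: install_pubkey <home-dir> <pubkey-file>

# Return 0 if the file holds exactly one line shaped like an OpenSSH public key
# (key type, space, base64 blob, optional comment). A key that was wrapped
# across lines when copied fails here instead of silently breaking login later.
valid_pubkey() {
  pubkey_file="$1"
  [ -f "$pubkey_file" ] || return 1
  [ "$(grep -c '' "$pubkey_file")" -eq 1 ] || return 1
  grep -Eq '^(ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=* ?' "$pubkey_file"
}

# Append the key to <home-dir>/.ssh/authorized_keys exactly once, with the
# directory and file modes sshd expects. Returns 1 if the key file is rejected.
install_pubkey() {
  home_dir="$1"
  pubkey_file="$2"
  ssh_dir="$home_dir/.ssh"
  auth_keys="$ssh_dir/authorized_keys"

  if ! valid_pubkey "$pubkey_file"; then
    echo "install_pubkey: $pubkey_file is not a single-line OpenSSH public key" >&2
    return 1
  fi

  # With StrictModes yes (the default) sshd ignores authorized_keys if ~/.ssh
  # or the file itself is group- or world-writable, so set the modes explicitly.
  mkdir -p "$ssh_dir"
  chmod 700 "$ssh_dir"
  touch "$auth_keys"
  chmod 600 "$auth_keys"

  key_line="$(cat "$pubkey_file")"
  # Idempotent: append only if this exact line is not already present.
  if ! grep -qxF -- "$key_line" "$auth_keys"; then
    printf '%s\n' "$key_line" >> "$auth_keys"
  fi
  return 0
}

# Print how many times the key in <pubkey-file> appears in <home-dir>'s
# authorized_keys; used to confirm that repeated installs do not duplicate it.
key_count() {
  grep -cxF -- "$(cat "$2")" "$1/.ssh/authorized_keys"
}

# Demonstration in a throwaway home directory with a constructed (fake) key.
demo() {
  tmp_home="$(mktemp -d)"
  printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCexampleNotARealKey myusername@server1\n' \
    > "$tmp_home/id_rsa.pub"
  install_pubkey "$tmp_home" "$tmp_home/id_rsa.pub"
  install_pubkey "$tmp_home" "$tmp_home/id_rsa.pub"   # second run is a no-op
  key_count "$tmp_home" "$tmp_home/id_rsa.pub"         # prints 1
  rm -rf "$tmp_home"
}

demo
```

To use it on a real server, source the file and call install_pubkey "$HOME" /path/to/id_rsa.pub from the account that should accept the key. The type list in valid_pubkey accepts ssh-dss for parity with the first article, but note that OpenSSH has disabled ssh-dss keys by default since version 7.0, so a new deployment should generate an RSA or Ed25519 key instead.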