The manager asked me to plan the company's SSH management for our small and medium-sized enterprise servers. We used to use passwords; now I want to switch to keys, which are easier to manage and more secure. So I have the following plan:

1. Expose the SSH service of server Pb1 to the public network as the stepping stone (jump host), and change its SSH port to 28888.
2. Change the Pb1 authentication method to key authentication and disable password authentication.
3. For the other servers (server1 and so on), allow SSH only from the Pb1 server IP address, disable password authentication, and keep the default port 22.
4. Generate an SSH key pair on Pb1 and upload its public key to the other servers. To connect to any other server, you must first connect to Pb1 and then jump from Pb1.
Operation procedure: take the user root as an example. Assume Pb1: 192.168.12.83 and server1: 192.168.11.78; other users perform the same operations.

1. Generate a key pair in Xshell (Tools menu); the steps are not detailed here. Copy the public key into root's authorized_keys on Pb1:

    mkdir ~/.ssh
    vi ~/.ssh/authorized_keys
    ssh-dss <public key generated by Xshell>   ## paste the key copied from Xshell here

2. Edit /etc/ssh/sshd_config on Pb1, change the port to 28888 and disable password authentication:

    vi /etc/ssh/sshd_config
    Port 28888
    PasswordAuthentication no
    service sshd restart

3. Connect to Pb1 to test whether it can be reached normally:

    ssh -p 28888 192.168.12.83   # port was changed in step 2

4. Generate a key pair on Pb1 and copy it to server1 (and the other servers):

    ssh-keygen -t rsa -P "" -f ~/.ssh/id_rsa
    ssh-copy-id -i ~/.ssh/id_rsa.pub 192.168.11.78
    ssh-copy-id -i ~/.ssh/id_rsa.pub <other server IP address>

5. Connect from Pb1 to server1 and test whether the connection succeeds:

    ssh 192.168.11.78

6. Disable password authentication on server1 .. serverN, add the iptables rule, and test again:

    vi /etc/ssh/sshd_config
    PasswordAuthentication no
    service sshd restart
    iptables -A INPUT -p tcp ! -s 192.168.12.83 --dport 22 -j DROP

   or use TCP wrappers instead:

    vi /etc/hosts.allow
    sshd: 192.168.12.83   # Pb1
    vi /etc/hosts.deny
    sshd: ALL

To prevent the other servers from becoming unreachable if Pb1 fails, it is recommended to set up another jump server in a different network or region as a backup.

Pb1 script:

    #!/bin/bash
    # Author: LaoGuang
    # Script Name: Pb.sh
    # ibuler@qq.com
    # Description: Set ssh Middle Server
    serverip="192.168.11.78"   # one or more IPs, space separated
    port=28888
    # Modify port and authentication (anchored so e.g. GatewayPorts is not touched)
    sed -i "s/^#\?Port .*/Port $port/" /etc/ssh/sshd_config
    sed -i 's/^#\?PasswordAuthentication .*/PasswordAuthentication no/' /etc/ssh/sshd_config
    service sshd restart &>/dev/null
    # Transfer key: generate a key pair first if one does not exist yet
    if [ ! -e ~/.ssh/id_rsa.pub ] || [ ! -e ~/.ssh/id_rsa ]; then
        ssh-keygen -t rsa -P "" -f ~/.ssh/id_rsa &>/dev/null
    fi
    for i in $serverip
    do
        ssh-copy-id -i ~/.ssh/id_rsa.pub $i &>/dev/null   # this part is not well written
        ssh $i "echo $i success"                          # test the connection
    done

Server script:

    #!/bin/bash
    # Author: LaoGuang
    # Script Name: server.sh
    # ibuler@qq.com
    # Description: Set ssh Servers
    sed -i 's/^#\?PasswordAuthentication .*/PasswordAuthentication no/' /etc/ssh/sshd_config
    service sshd restart &>/dev/null
    # Only Pb1 may reach port 22
    iptables -A INPUT -p tcp ! -s 192.168.12.83 --dport 22 -j DROP
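The scripts above edit sshd_config with a plain sed substitution on "PasswordAuthentication yes". A stock sshd_config usually ships that directive commented out (#PasswordAuthentication yes), so the substitution matches nothing, sshd keeps its default, and password logins stay enabled with no error to tell you. The following is an added example, not code from the original post: set_sshd_option handles the commented, active and absent cases, sshd_effective reports the value sshd will actually apply (first active occurrence), and harden_jump_host applies the post's Pb1 settings and verifies them. The file path is a parameter so it can be tried on a constructed copy before touching /etc/ssh.

```shell
#!/bin/bash
# Added example (not from the original post). Idempotent sshd_config editing
# that also covers the commented-out default the post's sed one-liner misses.

# Set KEY to VALUE in FILE: replace the first matching line, whether active or
# commented out, drop later duplicates, or append the directive if absent.
set_sshd_option() {
    local file="$1" key="$2" value="$3"
    awk -v k="$key" -v v="$value" '
        $0 ~ ("^[# \t]*" k "[ \t]") { if (!done) { print k, v; done = 1 }; next }
        { print }
        END { if (!done) print k, v }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Print the value sshd would apply for KEY in FILE: sshd uses the first
# uncommented occurrence of a directive. Prints nothing if it is not set.
sshd_effective() {
    awk -v k="$1" '$1 == k { print $2; exit }' "$2"
}

# Apply the post's Pb1 settings to FILE; return 0 only if both took effect.
harden_jump_host() {
    local file="$1"
    set_sshd_option "$file" Port 28888
    set_sshd_option "$file" PasswordAuthentication no
    [ "$(sshd_effective Port "$file")" = 28888 ] &&
    [ "$(sshd_effective PasswordAuthentication "$file")" = no ]
}

# Demo on a constructed copy of a stock config (directives commented out, as
# shipped). For real use run it on /etc/ssh/sshd_config as root, then
# "sshd -t" to syntax-check before "service sshd restart".
demo=$(mktemp)
printf '#Port 22\n#PasswordAuthentication yes\nPermitRootLogin yes\n' > "$demo"
if harden_jump_host "$demo"; then
    echo "hardened config:"; cat "$demo"
else
    echo "hardening failed" >&2
fi
rm -f "$demo"
```

Keep a second SSH session open while restarting sshd on a real host, so a bad edit cannot lock you out of Pb1.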