The most basic practical SSH key scheme for small and medium-sized enterprises: SSH password-free login in practice



I. Experimental environment

This experiment needs at least two machines; this article uses three to explain it.

Server         IP          Distribution machine?
nfs-server     10.0.0.11   Yes
web-client01   10.0.0.12   No
web-client02   10.0.0.13   No

II. Implementation steps

1. Add a system account (an ordinary user)
Three machines are used: one as the distribution machine and the other two as the receiving machines.
In enterprise environments many people operate directly as root, which is not standardized: the permissions are very broad and very insecure. Our experiment is done as an ordinary user.

1) Add an ordinary user on each machine
useradd chen
id chen
echo "chen" | passwd --stdin chen
2) Switch to the ordinary user
su - chen
3) Generate the key pair on the distribution machine (run this as the ordinary user and press Enter at every prompt)
ssh-keygen -t dsa (used more often at work), or alternatively:
ssh-keygen -t rsa
~]$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/chen/.ssh/id_dsa):
Created directory '/home/chen/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/chen/.ssh/id_dsa.
Your public key has been saved in /home/chen/.ssh/id_dsa.pub.
The key fingerprint is:
de:11:d3:01:12:78:43:52:5e:34:cf:7c:96:c1:e9:ec [email protected]
The key's randomart image is:
+--[ DSA 1024]----+
|    .+=o=...     |
|    .ooo *. oo   |
|    ... o =o+    |
|     o   oo      |
|      S.   .     |
|       . . . E   |
|      .      .   |
|                 |
|                 |
+-----------------+
[email protected] ~]$
~]$ ll .ssh/
-rw-------. 1 chen chen 668 Jun  9 00:02 id_dsa      (private key)
-rw-r--r--. 1 chen chen 605 Jun  9 00:02 id_dsa.pub  (public key)

4) Distribute the public key to the other machines (here to web-client01, 10.0.0.12, from the table above)
ssh-copy-id -i .ssh/id_dsa.pub chen@10.0.0.12

On the receiving machine, switch to the same user and check that the file below exists with the expected timestamp; if it does, the distribution succeeded:
[email protected] ~]$ ll -la .ssh/
total 12
drwx------. 2 chen chen 4096 Jun  8 18:58 .
drwx------. 4 chen chen 4096 Jun  8 18:58 ..
-rw-------. 1 chen chen  605 Jun  8 18:58 authorized_keys
[email protected] ~]$

Special case for ssh-copy-id: if the SSH port has been changed, you need to add the -p parameter and enclose it together with the target in quotation marks, for example: ssh-copy-id -i id_dsa.pub "-p 520520 chen@10.0.0.12"
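An added check for step 4 (not part of the original post): when a freshly distributed key still prompts for a password, the usual cause is file modes, so this verifies that a .ssh directory has modes key authentication will accept and offers a probe for a silent key login. It assumes GNU stat on Linux and the user chen from this page; the id_rsa and id_ed25519 names are my additions, since OpenSSH 7.0 and later no longer accept DSA keys by default.

```shell
#!/bin/sh
# Added example, not from the blog post. sshd (StrictModes=yes by default) ignores
# authorized_keys when it or .ssh is writable by group or others, and the ssh client
# refuses a private key readable by anyone but its owner. The listing above
# (700 for .ssh, 600 for authorized_keys and id_dsa) satisfies both rules.

# Octal mode of a path, e.g. 700 or 644 (GNU stat).
mode_of() { stat -c '%a' "$1"; }

# check_ssh_dir <path to .ssh> -> 0 if every mode is acceptable, 1 otherwise
check_ssh_dir() {
    dir=$1; bad=0
    for p in "$dir" "$dir/authorized_keys"; do
        [ -e "$p" ] || continue
        # sshd's rule: no write bit for group or others (mask 022).
        if [ $(( 0$(mode_of "$p") & 022 )) -ne 0 ]; then
            echo "$p: group/world writable, sshd will ignore the key" >&2; bad=1
        fi
    done
    for p in "$dir"/id_dsa "$dir"/id_rsa "$dir"/id_ed25519; do
        [ -f "$p" ] || continue
        # ssh client's rule: a private key must not be readable by others (mask 077).
        if [ $(( 0$(mode_of "$p") & 077 )) -ne 0 ]; then
            echo "$p: private key is readable by others" >&2; bad=1
        fi
    done
    return $bad
}

# fix_ssh_dir <path to .ssh> -> apply the modes shown in the listing above (700/600)
fix_ssh_dir() {
    chmod 700 "$1" || return 1
    for p in "$1"/authorized_keys "$1"/id_dsa "$1"/id_rsa "$1"/id_ed25519; do
        [ -f "$p" ] && chmod 600 "$p"
    done
    return 0
}

# probe_login <host> -> 0 only if chen can log in by key with no prompt at all;
# BatchMode=yes turns any password or passphrase prompt into a failure.
probe_login() {
    ssh -o BatchMode=yes -o PasswordAuthentication=no -o ConnectTimeout=5 "chen@$1" true
}
```

Run check_ssh_dir ~/.ssh on each receiving machine, then probe_login 10.0.0.12 from the distribution machine.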


Summary of password-free login:
1) Password-free login is one-way (from the machine holding the private key to the machines holding its public key).
2) It is per user; preferably do not cross users.
3) If SSH connections are slow, modify /etc/ssh/sshd_config.
4) For batch distribution to, say, 1000 machines, you initially still need to enter the password once and confirm once for each machine.
The following is a simple script for distributing a required file:
#!/bin/bash
file="$1"
remotefile="$2"
. /etc/init.d/functions
if [ $# -ne 2 ]; then
    echo "Usage: $0 <file> <remotefile>"
    exit 1
fi
# The target user and subnet (chen@10.0.0.) are taken from the environment table above.
for i in 12 13
do
    scp -P22 -rp $file chen@10.0.0.$i:~ >/dev/null 2>&1
    if [ $? -eq 0 ]; then
        action "scp $file to $remotefile is ok" /bin/true
    else
        action "scp $file to $remotefile is failed" /bin/false
    fi
done

By using sudo, the ordinary user can copy files into a directory it has no permission to write. Use visudo to add a sudo rule (the original edits line 98 of /etc/sudoers) that lets the user run /bin/cp; the script is then as follows:
#!/bin/bash
file="$1"
remotefile="$2"
. /etc/init.d/functions

if [ $# -ne 2 ]; then
    echo "Usage: $0 <file> <remotefile>"
    exit 1
fi
# The target user and subnet (chen@10.0.0.) are taken from the environment table above.
for i in 12 13
do
    # Stage the file in the user's home directory, then copy it into place via sudo.
    scp -P22 -rp $file chen@10.0.0.$i:~ >/dev/null 2>&1
    ssh -p22 -t chen@10.0.0.$i sudo /bin/cp ~/$(basename $file) $remotefile &>/dev/null
    if [ $? -eq 0 ]; then
        action "scp $file to $remotefile is ok" /bin/true
    else
        action "scp $file to $remotefile is failed" /bin/false
    fi
done

Summary of SSH bulk distribution and rights management options:
1. SSH key authentication as root
   Advantages: simple and convenient
   Disadvantages: insecure; root remote login cannot be disabled
2. Use an ordinary user: copy the files to be distributed into the ordinary user's home directory on the server, then use sudo to escalate and copy them to the required directory.
   Advantages: secure
   Disadvantages: complex configuration
3. Set SUID on a fixed command to give it elevated rights
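An added example (not the blog author's script) for option 2 above and point 4 of the login summary: a batch copy that never stalls on a password or host-key prompt and reports which hosts failed. The user chen, hosts 10.0.0.12/13, port 22 and the sudo /bin/cp step come from this page; a NOPASSWD sudo rule for /bin/cp, the accept-new host-key policy (OpenSSH 7.6 or newer) and the RUNNER prefix are my assumptions.

```shell
#!/bin/sh
# Added example, not from the blog post.
HOSTS=${HOSTS:-"10.0.0.12 10.0.0.13"}
# RUNNER is empty in real use; a test can set it to a stub that stands in for scp/ssh.
RUNNER=${RUNNER:-}
# BatchMode=yes makes ssh/scp fail instead of asking for a password, so a host whose
# key was never distributed shows up as a failure rather than a hang; accept-new
# records unknown host keys but still refuses a changed one.
OPTS="-o BatchMode=yes -o ConnectTimeout=5 -o StrictHostKeyChecking=accept-new"

# distribute <local file> </absolute/remote/path>
# Returns 0 if every host succeeded, 1 if any host failed, 2 on bad arguments.
distribute() {
    file=$1; remote=$2; failed=""
    if [ $# -ne 2 ] || [ ! -f "$file" ] || [ "${remote#/}" = "$remote" ]; then
        echo "usage: distribute <file> </absolute/remote/path>" >&2
        return 2
    fi
    for host in $HOSTS; do
        # Stage the file in chen's home (where the key login lands), then let the
        # sudo rule, assumed to allow only /bin/cp, copy it to the privileged path.
        if $RUNNER scp -P 22 $OPTS -p "$file" "chen@$host:~/" >/dev/null 2>&1 &&
           $RUNNER ssh -p 22 $OPTS "chen@$host" sudo /bin/cp "~/$(basename "$file")" "$remote" >/dev/null 2>&1
        then
            echo "$host: ok"
        else
            failed="$failed $host"
        fi
    done
    if [ -n "$failed" ]; then
        echo "failed on:$failed" >&2
        return 1
    fi
    return 0
}
```

Call it as distribute /path/to/file /etc/target/path; a non-zero exit and the "failed on:" line name the hosts that need attention.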

Batch management and automation solutions for enterprise production scenarios:
1. ssh-key: the simplest and most common tool
2. Puppet: popular with portal-scale sites; complicated and cumbersome
3. SaltStack: simple and powerful, but complex to configure

This article is from the blog "Wake up your not alarm clock but dream"; please be sure to keep this source: http://purify.blog.51cto.com/10572011/1787572
