1. In the build environment, server passwords are often changed for security, and the change can be scripted in the shell.
A password on another server can be changed directly over SSH by running ssh username@IP followed by the command, but this requires the administrator to type a password. To avoid that manual input, the scenario is handled with expect. Because expect is a separate command and is not available inside /bin/bash, it must be nested in the script with a here-document: << is followed by the end marker, and EOF marks the end. spawn starts the login command line, expect states the prompt to wait for, send supplies the required input, and \r is a carriage return.
One way to change the password on a server
To change the passwords of multiple servers across the country, each with a different IP address, write a file that holds the IP addresses and then read that file in the script.
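An added example, not the author's script, of the pattern described above: expect nested in a shell script through a here-document and driven by a file of IP addresses. The root login, the prompt strings, the list file and the OLD_PW / NEW_PW environment variables are assumptions.

```shell
#!/bin/sh
# Added example. Assumptions: root login, the prompt strings printed by
# ssh and passwd, and exported OLD_PW / NEW_PW environment variables.

# Change the password on one host. The here-document is unquoted, so the
# shell expands $host, while \$env(...) is left for expect to read from
# the environment: the passwords never appear in the script text.
change_password() {
    host=$1
    expect <<EOF
set timeout 15
# StrictHostKeyChecking=yes: fail on an unknown or changed host key
# instead of answering the yes/no prompt automatically.
spawn ssh -t -o StrictHostKeyChecking=yes root@$host passwd
expect { timeout { exit 2 } "assword:" {} }
send -- "\$env(OLD_PW)\r"
expect { timeout { exit 2 } "New password:" {} }
send -- "\$env(NEW_PW)\r"
expect { timeout { exit 2 } "Retype new password:" {} }
send -- "\$env(NEW_PW)\r"
expect eof
# Propagate the exit status of ssh/passwd to the calling shell.
exit [lindex [wait] 3]
EOF
}

# Run change_password for every address in the list file (one per line,
# blank lines and # comments skipped). The list is read on fd 3 so that
# nothing inside the loop can consume it from stdin.
rotate_all() {
    failed=0
    while read -r host _ <&3 || [ -n "$host" ]; do
        case $host in ''|'#'*) continue ;; esac
        change_password "$host" || { echo "FAILED: $host" >&2; failed=$((failed + 1)); }
    done 3< "$1"
    [ "$failed" -eq 0 ]
}

# Usage: export OLD_PW NEW_PW; sh rotate.sh hosts.txt
[ $# -eq 0 ] || rotate_all "$1"
```

A host whose key is missing from known_hosts is reported as FAILED rather than silently trusted.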
2. When ssh reports an error and cannot log in to the server, with the prompt shown as follows, it indicates that the server's authentication was deleted.
How the authentication is deleted on the server side
Solution on the server side
To resolve the ssh error on the client side, delete the local known_hosts file
SSH key authentication method: generate a key pair on the local machine and put the generated public key on the server side, so that users can log in without entering a password.
View the generated public and private keys
Upload the generated public key to the server side
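An added example, not from the original post, of what the upload step has to achieve on the server side: the public key ends up in authorized_keys exactly once, with owner-only permissions, and private key material is refused. The function name and its arguments are assumptions.

```shell
#!/bin/sh
# Added example. On the client the key pair is normally created with
# "ssh-keygen -t ed25519" and uploaded with "ssh-copy-id user@server";
# this function shows the server-side result those steps must produce.

# install_pubkey HOME_DIR PUBKEY_FILE
install_pubkey() {
    ssh_dir=$1/.ssh
    auth=$ssh_dir/authorized_keys
    # A public key file is a single line "type base64 [comment]". Refuse
    # anything else so a private key is never uploaded by mistake.
    [ "$(grep -c '' "$2" 2>/dev/null)" = 1 ] || {
        echo "not a one-line public key: $2" >&2; return 1; }
    key=$(cat "$2")
    case $key in
        ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-*\ *) ;;
        *) echo "unknown key type in $2" >&2; return 1 ;;
    esac
    # With StrictModes yes, sshd refuses the login when these are
    # writable by others, so create them owner-only.
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1
    # Append only if this exact line is not present yet (idempotent).
    grep -qxF -- "$key" "$auth" || printf '%s\n' "$key" >> "$auth"
}

# Usage: install_pubkey /home/user /tmp/id_ed25519.pub
```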
3. Add a user named FANLJ on the remote server without logging on to the remote host.
When connected to a remote host over SSH, you can invoke the remote host's X windows
ssh -X 192.168.1.30
sshd configuration file explained
# vim /etc/ssh/sshd_config
# Change the port number; clients then log in with: ssh -p 3389 x.x.x.x
Port 3389
Protocol 2
# Do not listen on all IP addresses, only the specified IP address
ListenAddress 192.168.168.174
# Do not allow the root user to log in over SSH
PermitRootLogin no
# No blank passwords allowed
PermitEmptyPasswords no
# Do not perform reverse DNS resolution
UseDNS no
# Login grace period: if the client has not logged in successfully within this time (default 2 minutes), the server actively disconnects
LoginGraceTime 2m
# Strict mode: before allowing login, check the permissions and ownership of the user's home directory and key files; if anything is abnormal (writable by others), the login is refused
StrictModes yes
# Maximum number of authentication attempts per connection; if this number is exceeded without a successful login, the server actively disconnects
MaxAuthTries 6
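An added example, not part of the original post, that checks the global section of an sshd_config file against four of the values listed above. The function names and both sample files are constructed for illustration; on a live server `sshd -T` prints the effective configuration.

```shell
#!/bin/sh
# Added example: check the global section of an sshd_config against the
# values discussed above. Sample files are constructed for illustration.

# Print the effective global value of keyword $2 in file $1. Keywords are
# case-insensitive and sshd keeps the first value it reads; lines after a
# Match keyword are conditional, so parsing stops there.
sshd_value() {
    awk -v want="$2" '
        /^[ \t]*(#|$)/         { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(want) {
            $1 = ""; sub(/^[ \t]+/, ""); print; exit
        }' "$1"
}

check() {   # $1=file $2=keyword $3=wanted value
    got=$(sshd_value "$1" "$2")
    [ "$got" = "$3" ] && return 0
    echo "FAIL $2: got '${got:-<unset>}', want '$3'"
    return 1
}

# Print findings and return how many there are. An unset keyword is
# reported too: the result then depends on the built-in default.
audit_sshd() {
    n=0
    check "$1" PermitRootLogin no      || n=$((n + 1))
    check "$1" PermitEmptyPasswords no || n=$((n + 1))
    check "$1" StrictModes yes         || n=$((n + 1))
    check "$1" MaxAuthTries 6          || n=$((n + 1))
    return "$n"
}

make_samples() {   # write two constructed configs into directory $1
    printf '%s\n' '# weak' 'permitrootlogin yes' 'PermitRootLogin no' \
        '#PermitEmptyPasswords no' 'MaxAuthTries 10' \
        'Match Address 10.0.0.0/8' '    PermitEmptyPasswords no' > "$1/weak.conf"
    printf '%s\n' 'Port 3389' 'PermitRootLogin no' 'PermitEmptyPasswords no' \
        'StrictModes yes' 'MaxAuthTries 6' > "$1/hardened.conf"
}
```

In the weak sample the later `PermitRootLogin no` has no effect because the earlier lowercase line is read first, and the setting inside the Match block does not count as a global value.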
4. Blacklist / whitelist implementation
Add two users, LJ and Jim.
(1) Use only a blacklist, with everyone else allowed by default, or use only a whitelist, with everyone else denied by default.
(2) Allow the user Tom to use ssh, allow the root user to use ssh only on 192.168.1.30, and deny all others.
# vim /etc/ssh/sshd_config
AllowUsers Tom [email protected]
Configuring 192.168.1.30 on the server side
Testing on the client
This article is from the "Down to earth" blog, make sure to keep this source http://343614597.blog.51cto.com/7056394/1700270
Using a shell script to change the target server's password directly over SSH, and SSH applications