SSH Secure Automatic Logon
A is the local host (the machine used to control other hosts);
B is the remote host (the controlled machine, here a server) with IP address 172.24.253.2;
both A and B run Linux.
The commands on A:
The code is as follows:
# ssh-keygen -t rsa
  (press Enter three times: the public and private keys are generated locally under ~/.ssh with no passphrase)
# ssh root@172.24.253.2 "mkdir .ssh; chmod 0700 .ssh"
  (password required)
# scp ~/.ssh/id_rsa.pub root@172.24.253.2:.ssh/id_rsa.pub
  (password required)
The commands on B:
The code is as follows:
# touch /root/.ssh/authorized_keys2
  (skip this if the file already exists)
# cat /root/.ssh/id_rsa.pub >> /root/.ssh/authorized_keys2
  (append the content of id_rsa.pub to authorized_keys2)
authorized_keys2 is a legacy name: current OpenSSH uses ~/.ssh/authorized_keys and only reads authorized_keys2 where AuthorizedKeysFile in sshd_config still lists it. Whichever file is used, it must be writable only by its owner, otherwise sshd ignores it.
Back on A:
The code is as follows:
# ssh root@172.24.253.2
  (no password required; the login succeeds)
As long as the private key is protected, this method is safer than typing a password in the shell or embedding one in a script.
Example
Task description:
Log on to the remote server from a shell script and run a command that adds a reverse proxy site. The approach for Windows users is shown at the end of this article.
Features of the sample code:
Log on to a remote Linux server, run the command that adds a reverse proxy site there, then return to the local Linux host. Adding a site requires the domain name, so the script takes one parameter: the domain name.
Usage of the sample code:
The code is as follows:
raps.sh xxxxx.com

raps.sh code:
#!/usr/bin/expect
# Name: Remote Add Proxy Site, ^_^
# Description: automatically log on to a remote server and add a reverse proxy site (configuration built in)
# Note: a domain name parameter must be passed; proxysiteadd in the script is the add-site tool on the remote server
# Usage: raps xxxx.com
# 2012-11-02 08:55:21

# configuration
set user upall
set passwd upall@remote
set server 158.164.198.210
set port 2222
set dn [lindex $argv 0]

# login and execute command (ssh takes the port with lowercase -p)
spawn ssh $user@$server -p $port
expect "password:"
send "${passwd}\n"
expect "]#"
send "proxysiteadd ${dn}\n"
expect "]#"
send "exit\n"
expect eof

Note that the password sits in the script in plain text: anyone who can read raps.sh has the server credentials, which is exactly what the key-based login above avoids.
Notes:
1. expect "]#" waits for terminal output: once the remote prompt ending in "]#" appears, the script continues with the next command. send types a command into the remote shell.
2. The script's parameters cannot be read as $1, $2 directly; set dn [lindex $argv 0] assigns argument 0 (the first one) to $dn, and set dn [lindex $argv 2] would assign the third.
The proxysiteadd script on the remote server:
The code is as follows:
#!/bin/bash
# proxysiteadd: generate an Apache virtual host (reverse proxy) for domain $1
HTTPD_CONF="/etc/httpd/conf/vhosts.conf"
# The domain goes straight into the Apache config, so refuse anything that is
# not a plain hostname (letters, digits, dots, hyphens) and require exactly one argument.
case "$#:$1" in
    1:*[!A-Za-z0-9.-]*|1:) echo "usage: $0 domain (hostname characters only)" >&2; exit 1 ;;
    1:*) ;;
    *) echo "usage: $0 domain" >&2; exit 1 ;;
esac
echo "<VirtualHost *:80>" >> "$HTTPD_CONF"
echo "    ServerName www.$1" >> "$HTTPD_CONF"
echo "    ServerAlias $1" >> "$HTTPD_CONF"
echo "    ProxyRequests Off" >> "$HTTPD_CONF"
echo "    <Proxy *>" >> "$HTTPD_CONF"
echo "        Order Deny,Allow" >> "$HTTPD_CONF"
echo "        Allow from all" >> "$HTTPD_CONF"
echo "    </Proxy>" >> "$HTTPD_CONF"
echo "    ProxyPass / http://$1.demo.upall.cn/" >> "$HTTPD_CONF"
echo "    ProxyPassReverse / http://$1.demo.upall.cn/" >> "$HTTPD_CONF"
echo "</VirtualHost>" >> "$HTTPD_CONF"
echo "CONF: $HTTPD_CONF"

The following block is the redirect variant. If you do not want a reverse proxy, replace the echo lines above with these (shown commented out here):
# Generate Apache virtual host configuration (redirect)
#echo "<VirtualHost *:80>" >> "$HTTPD_CONF"
#echo "    ServerName www.$1" >> "$HTTPD_CONF"
#echo "    ServerAlias $1" >> "$HTTPD_CONF"
#echo "    Redirect / http://$1.demo.upall.cn/" >> "$HTTPD_CONF"
#echo "</VirtualHost>" >> "$HTTPD_CONF"
Solution for Windows users
You can use plink.exe (the command-line connection tool from the PuTTY suite) to do the same thing, for example:
The code is as follows:
plink -pw yourpassword root@123.123.123.123 -m dosomething.sh
Here -pw supplies the password and -m reads the commands to run on the remote host from the local file dosomething.sh. The password is then visible on the command line, and so in the process list, of the Windows machine; plink also accepts a private key with -i key.ppk, which is the Windows equivalent of the key-based login described above.
Support for this will be added to the script later.
A little deeper:
On the surface the login process is simple:
First, ssh-keygen -t rsa generates a private key and a public key; the private key can be protected with a passphrase of its own.
The private key can be thought of as a key, and the public key as the lock that matches it.
Put the lock (public key) on the server you want to control and the server is locked: only whoever holds the key (private key) can open the lock, get into the server and control it.
The holder of the private key must also know its passphrase in order to use it (unless none was set); this protects against the key being duplicated, that is, the private key file being copied.
Of course, this picture is a simplification:
whoever has the root password is certainly not locked out, and there need not be only one lock (public key); but whichever lock is opened with its matching key (private key), that person controls the server.
So anyone who knows the server's root password and adds their own public key to root's authorized_keys can "open" the server with the corresponding private key and log in as root from then on, even after the root password has been changed! This is why authorized_keys files, root's above all, should be reviewed after any credential change and compared with the keys you actually issued.
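The following script is an added example, not code from the original page. It serves two passages: the install procedure at the top (the page's cat id_rsa.pub >> authorized_keys and chmod steps, done here without adding the same key twice and with the directory and file modes set explicitly), and the warning just above, by auditing an authorized_keys file against an allowlist of SHA256 fingerprints in the same format ssh-keygen -lf prints, so that a key planted by someone who once had the root password shows up. The sample keys are constructed 32-byte values wrapped in the ssh-ed25519 wire format, not real keys; the paths are a temporary directory.

```python
# Added example, not code from the page: server-side authorized_keys hygiene.
# Mirrors "cat id_rsa.pub >> authorized_keys" but skips duplicates, sets the
# modes, and audits the file against an allowlist. Sample keys are CONSTRUCTED.
import base64
import hashlib
import os
import struct
import tempfile

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")

def _split_fields(line):
    """Whitespace split that keeps quoted option values (command="ls -l") whole."""
    fields, cur, quoted = [], [], False
    for ch in line:
        if ch == '"':
            quoted = not quoted
        if ch.isspace() and not quoted:
            if cur:
                fields.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        fields.append("".join(cur))
    return fields

def parse_authorized_key(line):
    """{options, type, blob, comment} for one entry; None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = _split_fields(line)
    for i, field in enumerate(fields[:2]):  # key type is field 0, or 1 after options
        if field in KEY_TYPES and len(fields) > i + 1:
            return {"options": fields[0] if i == 1 else "", "type": field,
                    "blob": fields[i + 1], "comment": " ".join(fields[i + 2:])}
    raise ValueError("not an authorized_keys entry: %r" % line)

def fingerprint(blob_b64):
    """SHA256 fingerprint in the format printed by ssh-keygen -lf."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def load_authorized_keys(path):
    if not os.path.exists(path):
        return []
    with open(path) as fh:
        return [e for e in map(parse_authorized_key, fh) if e]

def install_pubkey(ssh_dir, pubkey_line):
    """Append the key unless one with the same fingerprint is already present;
    directory 0700 and file 0600 as sshd's StrictModes expects. True if added."""
    os.makedirs(ssh_dir, mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)
    path = os.path.join(ssh_dir, "authorized_keys")
    new_fp = fingerprint(parse_authorized_key(pubkey_line)["blob"])
    if new_fp in {fingerprint(e["blob"]) for e in load_authorized_keys(path)}:
        return False
    with open(path, "a") as fh:
        fh.write(pubkey_line.rstrip("\n") + "\n")
    os.chmod(path, 0o600)
    return True

def audit_authorized_keys(path, allowed_fingerprints):
    """Return (fingerprint, comment) for every entry not in the allowlist."""
    return [(fingerprint(e["blob"]), e["comment"])
            for e in load_authorized_keys(path)
            if fingerprint(e["blob"]) not in allowed_fingerprints]

def make_ed25519_pubkey(fill_byte, comment):
    """CONSTRUCTED ssh-ed25519 line for the demo (wire format: length-prefixed
    type string, then the 32-byte key). Not a real key."""
    key = bytes([fill_byte]) * 32
    blob = b"".join(struct.pack(">I", len(s)) + s for s in (b"ssh-ed25519", key))
    return "ssh-ed25519 %s %s" % (base64.b64encode(blob).decode(), comment)

def demo():
    """Install the admin key twice (second call is a no-op) plus a planted key,
    then audit with only the admin key allowlisted."""
    admin = make_ed25519_pubkey(0x11, "admin@hostA")
    planted = make_ed25519_pubkey(0x22, "root@unknown")
    with tempfile.TemporaryDirectory() as tmp:
        ssh_dir = os.path.join(tmp, ".ssh")
        added = [install_pubkey(ssh_dir, k) for k in (admin, admin, planted)]
        path = os.path.join(ssh_dir, "authorized_keys")
        allow = {fingerprint(parse_authorized_key(admin)["blob"])}
        findings = audit_authorized_keys(path, allow)
        mode = os.stat(path).st_mode & 0o777
    return added, findings, mode

if __name__ == "__main__":
    added, findings, mode = demo()
    print("added:", added, "mode:", oct(mode))
    for fp, comment in findings:
        print("SUSPECT key", fp, comment)
```

On a real server, run audit_authorized_keys against /root/.ssh/authorized_keys with the fingerprints you issued (ssh-keygen -lf id_rsa.pub prints the same SHA256:... form) and treat every returned entry as a key to remove; the comment field is informative only and can be forged, so the decision is made on the fingerprint.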
If you want to control n machines you can use n key pairs (private key and public key): one pair could be authorized on every server, but a separate pair per server limits the damage if one private key leaks. ssh-keygen lets you name the key pair as you like, for example:
The code is as follows:
[root@wwy .ssh]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): /root/.ssh/id_rsa_192.168.102.12
......
The private key and the public key are then named, respectively:
id_rsa_192.168.102.12 and id_rsa_192.168.102.12.pub
Append the contents of id_rsa_192.168.102.12.pub to the server's ~/.ssh/authorized_keys2 file as before,
and finally specify the local private key with the -i parameter of the ssh command and log in:
# ssh -i /root/.ssh/id_rsa_192.168.102.12 192.168.102.12
If the key has a passphrase, you log in by entering the passphrase; if none was set, you log in directly.
scp works the same way, for example:
scp -i /root/.ssh/id_rsa ./xxx 192.168.102.158:/home/wwy/bak
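Instead of typing -i for every host, the key for each server can be recorded in the client's ~/.ssh/config (for root on A that is /root/.ssh/config, mode 0600). This is an added example, not part of the original page; the aliases web12 and bak158 are assumed names, and the addresses and key paths are the ones used above:

```sshconfig
# /root/.ssh/config on host A (added example; the Host aliases are assumptions)
Host web12
    HostName 192.168.102.12
    User root
    IdentityFile ~/.ssh/id_rsa_192.168.102.12
    # Offer only this key, not every key ssh or the agent knows about
    IdentitiesOnly yes

Host bak158
    HostName 192.168.102.158
    User root
    IdentityFile ~/.ssh/id_rsa
    IdentitiesOnly yes
```

With this in place, ssh web12 and scp ./xxx bak158:/home/wwy/bak pick the right key automatically. IdentitiesOnly matters for security as well as convenience: without it, ssh offers every loaded identity to each server, which leaks your other public keys to that server and can trigger "Too many authentication failures" on hosts that accept only a few attempts. For scripts, add -o BatchMode=yes on the command line so a missing or rejected key fails immediately instead of falling back to a password prompt.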
Logging in with a password embedded in a script, as in the expect example above, is not secure; the key-based approach below is safer.
First, generate a new SSH key pair:
The code is as follows:
[guo@guo zuo]$ ssh-keygen -f id_ras -t rsa
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in id_ras.
Your public key has been saved in id_ras.pub.
The key fingerprint is:
17:ca:c3:37:8f:60:86:42:d0:0d:b7:4d:70:a1:b2:a3 guo@guo
The key's randomart image is:
(randomart box omitted)
When the program asks for a passphrase, press Enter to leave it empty. Because -f id_ras is a relative path, the pair is written to the current working directory rather than ~/.ssh: the private key file is id_ras and the public key file is id_ras.pub (the name is simply whatever was passed to -f).
[guo@guo zuo]$ ls id*
id_ras  id_ras.pub
Next, copy the public key to the remote host:
The code is as follows:
[guo@guo zuo]$ ssh-copy-id root@222.24.21.61
root@222.24.21.61's password:
Now try logging into the machine, with "ssh 'root@222.24.21.61'", and check in:
  .ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
This time you need to enter the password, but you will not have to enter it again afterwards.
Note that ssh-copy-id without -i installs the default identity from ~/.ssh, not the id_ras.pub just written to the working directory; to install that key instead, pass it explicitly with -i id_ras.pub, and then log in with -i id_ras as shown in the previous section.
Next, run the script:
[guo@guo zuo]$ cat guossh.sh
#!/bin/sh
ssh root@222.24.21.61
[guo@guo zuo]$ sh guossh.sh
Last login: Sun Nov 20:28:30 from 222.24.21.61
[root@guo ~]#
The login succeeded without a password.