##### STEP 1: mutual trust between hosts via key-pair authentication


### Generate a key pair on the mussh host:

[root@localhost ~]# ssh-keygen -t dsa

Generating public/private dsa key pair.

Enter file in which to save the key (/root/.ssh/id_dsa):

Enter passphrase (empty for no passphrase): ## enter the private key passphrase

Enter same passphrase again: ## repeat the passphrase

Your identification has been saved in /root/.ssh/pri_dsa.

Your public key has been saved in /root/.ssh/pri_dsa.pub.

The key fingerprint is:

c0:06:54:98:49:5b:9f:f3:de:79:1c:0f:3f:46:ef:51 root@localhost.localdomain

The key's randomart image is:

+--[ DSA 1024]----+

|   o+=o          |

|    += . .       |

|    . + +        |

|     . . o       |

|        S .   o.E|

|         . . o.=o|

|          . o o++|

|             ...o|

|                .|

+-----------------+

[root@localhost ~]# cat /root/.ssh/id_dsa.pub

ssh-dss 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 root@localhost.localdomain

[root@localhost ~]#


### Modify the sshd configuration file on the target host

[root@vm1 ~]# vi /etc/ssh/sshd_config

PubkeyAuthentication yes

AuthorizedKeysFile      .ssh/authorized_keys

#### This is the standard tutorial step, but I tried commenting out these two lines and could still log in; sshd apparently enables key authentication by default, so unless you want to turn key authentication off, editing the config file makes no real difference.

[root@vm1 ~]# service sshd restart

Stopping sshd:                                             [  OK  ]

Starting sshd:                                             [  OK  ]

[root@vm1 ~]#


### Upload the public key to the target hosts vm1 - vm5: there are several ways to do it; I used scp.

[root@vm1 ~]# mkdir -p /root/.ssh/


# Tip: if you create the .ssh/ directory yourself, make sure the security context of .ssh/ (and the files under it) is ssh_home_t, otherwise public key authentication fails.

[root@vm1 ~]#  ll -dZ /root/.ssh/

drwxr-xr-x. root root system_u:object_r:ssh_home_t:s0  /root/.ssh/

[root@vm1 ~]#

# The restorecon command fixes the directory's security context:

Shell> restorecon -r -vv /root/.ssh

# You could also disable SELinux, but that is not recommended

[root@localhost ~]# scp /root/.ssh/id_dsa.pub root@172.16.67.201:/root/.ssh/authorized_keys


[root@vm1 ~]# cat /root/.ssh/authorized_keys

ssh-dss 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 root@localhost.localdomain

[root@vm1 ~]#  

If you ssh in as a regular user the permissions must be changed, otherwise authentication fails; whichever user it is, changing them is recommended anyway.

[root@vm1 ~]# chmod 700 ~/.ssh

[root@vm1 ~]# chmod 600 ~/.ssh/authorized_keys

[root@vm1 ~]#
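The permission, ownership and SELinux-context requirements above are the usual reason key login silently falls back to a password. The following script is an added example (not code from the original post) that audits a .ssh directory for exactly those conditions: mode 700 on the directory, mode 600 on authorized_keys, both owned by the login user (given as a numeric uid), well-formed key lines, and the ssh_home_t context when SELinux is enforcing. It assumes GNU stat (for -c '%a', '%u' and '%C'); the function names are this script's own.

```shell
#!/bin/sh
# audit_ssh_dir.sh - added example, not from the original post.
# Checks what sshd needs before it will accept a key in DIR/authorized_keys.
# Assumes GNU stat; DIR is a parameter so it can be run against any directory.

mode_of()   { stat -c '%a' "$1"; }   # octal permission bits, e.g. 700
owner_uid() { stat -c '%u' "$1"; }   # numeric uid of the owner

# check_mode PATH MAX: fail if PATH has any permission bit outside MAX.
# sshd's StrictModes (on by default) rejects group- or world-writable
# .ssh directories and key files; that is the common silent-failure cause.
check_mode() {
    path=$1; max=$2
    mode=$(mode_of "$path") || return 1
    extra=$(( 0$mode & ~0$max ))        # leading 0 = octal
    if [ "$extra" -ne 0 ]; then
        echo "FAIL: $path mode $mode, expected at most $max"
        return 1
    fi
    echo "ok:   $path mode $mode"
}

# audit_ssh_dir DIR [UID]: DIR is the .ssh directory, UID the expected owner
# (default: current user). Prints one line per check; returns 0 only if all pass.
audit_ssh_dir() {
    dir=$1; uid=${2:-$(id -u)}; status=0
    [ -d "$dir" ] || { echo "FAIL: $dir is not a directory"; return 1; }
    check_mode "$dir" 700 || status=1
    if [ "$(owner_uid "$dir")" != "$uid" ]; then
        echo "FAIL: $dir owned by uid $(owner_uid "$dir"), expected $uid"; status=1
    fi
    ak="$dir/authorized_keys"
    if [ -f "$ak" ]; then
        check_mode "$ak" 600 || status=1
        if [ "$(owner_uid "$ak")" != "$uid" ]; then
            echo "FAIL: $ak owned by uid $(owner_uid "$ak"), expected $uid"; status=1
        fi
        # Every non-comment line must carry a key type followed by base64, as in
        # the post's "ssh-dss AAAA... root@..." line; a truncated copy fails here.
        # ssh-dss is listed because the post generates a DSA key; OpenSSH 7.0+
        # disables DSA keys by default.
        if grep -Evq '^[[:space:]]*(#|$)|(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp[0-9]+|sk-[a-z0-9-]+@openssh\.com) [A-Za-z0-9+/]+=*' "$ak"; then
            echo "FAIL: $ak has a line that is not a public key"; status=1
        else
            echo "ok:   $ak key lines well-formed"
        fi
    else
        echo "warn: $ak missing, no key-based login possible"
    fi
    # SELinux: the post shows .ssh must be labelled ssh_home_t.
    if command -v getenforce >/dev/null 2>&1 && [ "$(getenforce)" != "Disabled" ]; then
        ctx=$(stat -c '%C' "$dir")
        case "$ctx" in
            *:ssh_home_t:*) echo "ok:   $dir context $ctx" ;;
            *) echo "FAIL: $dir context $ctx, expected ssh_home_t (fix: restorecon -r -vv $dir)"; status=1 ;;
        esac
    fi
    return $status
}

# Usage: sh audit_ssh_dir.sh /root/.ssh 0
if [ $# -ge 1 ]; then
    audit_ssh_dir "$1" "${2:-}"
fi
```

Run it on the target as the user you intend to log in as (`sh audit_ssh_dir.sh ~/.ssh`); any FAIL line names the exact chmod, chown or restorecon needed, which is quicker than reading `ssh -v` output or /var/log/secure.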


# Tip: regular users are not allowed to use ssh by default; they need to be added to the sshd user group.

# I saw this online; I don't know how other systems behave, but on CentOS 6.4 I had no problem: regular users did not need to be added to the sshd group, whether sshing in to a regular user or sshing out as one. Still, when ssh gives you trouble, it doesn't hurt to try.


### ssh test:

[root@localhost ~]# ssh root@172.16.67.201

The authenticity of host '172.16.67.201 (172.16.67.201)' can't be established.

RSA key fingerprint is 5d:27:0f:5c:33:f3:44:f5:b5:f2:c2:a2:5f:a3:ee:35.

Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added '172.16.67.201' (RSA) to the list of known hosts.

Enter passphrase for key '/root/.ssh/id_dsa':

Last login: Mon Sep  2 17:11:40 2013 from 172.16.67.38

[root@vm1 ~]# exit

logout

Connection to 172.16.67.201 closed.


### Enable ssh-agent to reduce the number of private key passphrase prompts

[root@localhost ~]# eval `ssh-agent`

Agent pid 3939

[root@localhost ~]# ssh-add

Enter passphrase for /root/.ssh/id_dsa:

Identity added: /root/.ssh/id_dsa (/root/.ssh/id_dsa)

[root@localhost ~]# ssh root@172.16.67.201

Last login: Mon Sep  2 17:12:48 2013 from 172.16.64.11

[root@vm1 ~]# exit

logout

Connection to 172.16.67.201 closed.

[root@localhost ~]#


##### STEP 2: install mussh:

wget http://softlayer-dal.dl.sourceforge.net/project/mussh/mussh/1.0/mussh-1.0.tgz

Just unpack it and it is ready to use

tar zxvf mussh-1.0.tgz


##=========== mussh: run a command ==================

[root@localhost mussh]# cat ./hosts

root@172.16.67.201

root@172.16.67.202

root@172.16.67.203

root@172.16.67.204

root@172.16.67.205

[root@localhost mussh]#


#### -H <file> [file ..]: specify the file(s) listing the target hosts; more than one may be given.

[root@localhost mussh]# ./mussh -H ./hosts -c 'hostname'

root@172.16.67.201: vm1.untx.com

root@172.16.67.202: vm2.untx.com

root@172.16.67.203: vm3.untx.com

root@172.16.67.204: vm4.untx.com

root@172.16.67.205: vm5.untx.com

[root@localhost mussh]#


##=========== mussh: run a local script file ===============

# iptables.sh: the script that configures iptables

[root@localhost mussh]# ./mussh -H ./hosts -C /root/scripts/iptables.sh

root@172.16.67.201: iptables: Saving firewall rules to /etc/sysconfig/iptables: [  OK  ]

root@172.16.67.202: iptables: Saving firewall rules to /etc/sysconfig/iptables: [  OK  ]

root@172.16.67.203: iptables: Saving firewall rules to /etc/sysconfig/iptables: [  OK  ]

root@172.16.67.204: iptables: Saving firewall rules to /etc/sysconfig/iptables: [  OK  ]

root@172.16.67.205: iptables: Saving firewall rules to /etc/sysconfig/iptables: [  OK  ]

[root@localhost mussh]#


##============= If the target host's sshd listens on another port, pass ssh config options with -o =========

[root@localhost mussh]# ./mussh -o "Port=58022" -h root@172.16.67.201 -C '/root/scripts/iptables.sh'

root@172.16.67.201: iptables: Saving firewall rules to /etc/sysconfig/iptables: [  OK  ]

[root@localhost mussh]#


##============= mussh running python: use -s to specify the interpreter path

[root@localhost mussh]# ./mussh -H ./hosts  -s /usr/bin/python -C '/root/scripts/nod32/3.py'

root@172.16.67.201: Traceback (most recent call last):    # BeautifulSoup is not installed on the targets, so the error is expected; it proves the python file was actually executed

root@172.16.67.201: File "<stdin>", line 4, in <module>

root@172.16.67.201: ImportError: No module named BeautifulSoup

root@172.16.67.202: Traceback (most recent call last):

root@172.16.67.202: File "<stdin>", line 4, in <module>

root@172.16.67.202: ImportError: No module named BeautifulSoup

root@172.16.67.203: Traceback (most recent call last):

root@172.16.67.203: File "<stdin>", line 4, in <module>

root@172.16.67.203: ImportError: No module named BeautifulSoup

root@172.16.67.204: Traceback (most recent call last):

root@172.16.67.204: File "<stdin>", line 4, in <module>

root@172.16.67.204: ImportError: No module named BeautifulSoup

root@172.16.67.205: Traceback (most recent call last):

root@172.16.67.205: File "<stdin>", line 4, in <module>

root@172.16.67.205: ImportError: No module named BeautifulSoup

[root@localhost mussh]#
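The mussh runs above fan one command out to every `user@host` line in ./hosts, prefix each output line with the target, and pass ssh options through -o (the non-default-port case). The script below is an added example, not mussh's own code, that does the same with plain ssh and a few defensive defaults a batch tool needs: it validates the hosts file before anything runs, uses BatchMode=yes so a missing or unloaded key fails instead of prompting, uses StrictHostKeyChecking=yes so an unknown host key is refused rather than accepted interactively as in the first test login above, bounds dead hosts with ConnectTimeout, and reports per-target exit codes. SSH_BIN and SSH_PORT are this script's own knobs; the -o options are standard OpenSSH client options.

```shell
#!/bin/sh
# fanout.sh - added example; this is not mussh's code. Reads the same
# one-"user@host"-per-line hosts file the post uses, validates it, runs one
# command on each target over ssh, and prefixes output with the target.

SSH_BIN="${SSH_BIN:-ssh}"    # point at a stub to dry-run without a network
SSH_PORT="${SSH_PORT:-22}"   # the post's non-default-port case (-o Port=58022)

# parse_hosts FILE: print each valid user@host; skip blank and '#' lines;
# return 1 if any line is malformed, so a typo is caught before anything runs.
parse_hosts() {
    file=$1; bad=0
    [ -r "$file" ] || { echo "parse_hosts: cannot read $file" >&2; return 1; }
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        if printf '%s\n' "$line" | grep -Eq '^[A-Za-z0-9._-]+@[A-Za-z0-9.-]+$'; then
            printf '%s\n' "$line"
        else
            echo "parse_hosts: malformed target: $line" >&2; bad=1
        fi
    done < "$file"
    return $bad
}

# run_on_hosts FILE COMMAND: run COMMAND on every target in FILE.
# BatchMode=yes turns a missing or unloaded key into an error instead of a
# password prompt; StrictHostKeyChecking=yes refuses hosts not already in
# known_hosts (no interactive "yes" as in the post's first login);
# ConnectTimeout bounds a dead host. Returns the number of failed targets,
# or 1 without running anything if the hosts file is malformed or empty.
run_on_hosts() {
    file=$1; cmd=$2; failed=0
    targets=$(parse_hosts "$file") || return 1
    [ -n "$targets" ] || { echo "run_on_hosts: no targets in $file" >&2; return 1; }
    for t in $targets; do
        rc=0
        out=$("$SSH_BIN" -o BatchMode=yes -o StrictHostKeyChecking=yes \
                -o ConnectTimeout=5 -o "Port=$SSH_PORT" "$t" "$cmd" 2>&1) || rc=$?
        [ -n "$out" ] && printf '%s\n' "$out" | sed "s/^/$t: /"
        if [ "$rc" -ne 0 ]; then
            echo "$t: FAILED (exit $rc)" >&2
            failed=$((failed + 1))
        fi
    done
    return $failed
}

# Usage: sh fanout.sh ./hosts 'hostname'
if [ $# -ge 2 ]; then
    run_on_hosts "$1" "$2"
fi
```

Because StrictHostKeyChecking=yes is set, each target's host key has to be in known_hosts before the first batch run (the interactive test login in STEP 1 is one way to get it there); a host whose key changed is then reported as FAILED instead of being silently re-trusted.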