1、实验:A,B,C三台主机,A通过B连接通C A:centos7(192.168.93.254)B:centos6(192.168.93.253)C:R1(192.168.93.200) 首先假设 C主机做过防火墙策略,禁止被A直接连接通
Iptables -A INPUT -s (A的IP) -j REJECT
[root@R ~]# iptables -A INPUT -s 192.168.93.254 -j REJECT
因为A和C连接,B为跳板,无需拒绝B 此时A连接C不通,而A可以连接上B,再连接C,此过程较繁琐 我们可以ssh -t (B的IP) ssh (C的IP)
[root@centos7 .ssh]# ssh -t 192.168.93.253 ssh 192.168.93.200
[root@R ~]# ip a
输入密码即可登录C主机成功 然而此时C觉得是B在连接,而非A在连接
[root@R ~]# ss -nt
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 0 192.168.93.200:22 192.168.93.253:52586
我们也可以一次性输入一条命令执行完就退出,如下:
[root@centos7 .ssh]# ssh -t 192.168.93.253 ssh 192.168.93.200 'ip a'
root@192.168.93.253's password:
root@192.168.93.200's password:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:33:b4:1a brd ff:ff:ff:ff:ff:ff
inet 192.168.93.200/24 brd 192.168.93.255 scope global noprefixroute ens33
2、实验:用对称、非对称、哈希算法
A----->B A 发的数据只有B能解,B也知道只能是A发的
Key { data+Sa [ hash ( data ) ] } + Pb (key)
解析:
A向B发数据时,在原始数据data后加A的私钥签名,[hash(data)]为哈希算法对数据做的摘要,此串数据 data+Sa [ hash ( data ) ]用对称秘钥key加密,拿对方B的公钥把对称秘钥key加密,
B接收A的数据时,因为只有B可解,B的私钥解开对称秘钥key可得到data数据,但是数据来源不确定,就用A的公钥解开,得到的数据是一串,把前面第一个data数据用哈希算法得出结果,与后面的第二个data作比较,若结果一样,说明数据来源是A.
3、实验:在centos7 上登录centos6 不用输入用户名密码,而是基于key验证 步骤:1、先生成公私秘钥对儿
A、[root@centos7 ~]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again: (此处三项默认回车即可)
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:OKPv+40SVvZ+6EcyyrMbKV1fQkfca03waBBl3+a816I root@centos7.localdomain
The key's randomart image is:
+---[RSA 2048]----+
| o+=o |
| +.++|
| . +.B|
| .o . o *.|
| +oS.. . o o|
| .o+ o+..o o|
| ...o+o =. ..o|
| ...++o o. ..|
| .++==ooE |
+----[SHA256]-----+
B、[root@centos7 ~]# cd .ssh
[root@centos7 .ssh]# ll
total 12
-rw------- 1 root root 1679 Jan 24 21:01 id_rsa
-rw-r--r-- 1 root root 406 Jan 24 21:01 id_rsa.pub
-rw-r--r-- 1 root root 396 Jan 24 15:07 known_hosts
此处生成的id_rsa 与 id_rsa.pub 为公私钥文件
C、(把公钥文件传输至远程服务器对应用户的家目录)
[root@centos7 ~]# ssh-copy-id -i /root/.ssh/id_rsa 192.168.93.253
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.93.253's password:
此操作是将私钥文件传给远程主机,然而本应该传送的是公钥文件,上方的需正常输入密码
D、[root@centos6 .ssh]# ll
total 8
-rw------- 1 root root 406 Jan 24 20:11 authorized_keys
-rw-r--r-- 1 root root 1188 Jan 24 16:35 known_hosts
[root@centos6 .ssh]# cat authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEMjCxmlo89MO7Vr+KcwqL//WXJV0nJ/o8AQYAIBv1E9b31e1QZUKNRCcmz+y8a6z5qN0uQM5PmdrNTtrL1/vE68Z4pcr6KzwaiD1xloaB0tIliO+gzgjOfe3jrikdzSWuV+QyYQQArYHLNPKWMbJ6PHNJCfbd/mErdUh5lxblwU62Z8GkD382tt8BdfouSjTLuYPCR0AR6NmRUPBfDF5VmvL9YUEhFUYYxflYfxHwqGN/sfLaYLfbPXowhZx65W8KldNOva5xy8RrWq2f2bSb2cQEd2/zkYlTPkF6xzsNraOEY6SfpLesZH7IQ5hqHkmhoEkAl/GkdGod+b0m16XF root@centos7.localdomain
然而,我们在centos6上面_查看 cat authorizedkeys 文件,它是公钥,而非私钥与centos7的显示一模一样 如下:
[root@centos7 ~]# cat .ssh/id_rsa.pub
ssh-rsaAAAAB3NzaC1yc2EAAAADAQABAAABAQDEMjCxmlo89MO7Vr+KcwqL//WXJV0nJ/o8AQYAIBv1E9b31e1QZUKNRCcmz+y8a6z5qN0uQM5PmdrNTtrL1/vE68Z4pcr6KzwaiD1xloaB0tIliO+gzgjOfe3jrikdzSWuV+QyYQQArYHLNPKWMbJ6PHNJCfbd/mErdUh5lxblwU62Z8GkD382tt8BdfouSjTLuYPCR0AR6NmRUPBfDF5VmvL9YUEhFUYYxflYfxHwqGN/sfLaYLfbPXowhZx65W8KldNOva5xy8RrWq2f2bSb2cQEd2/zkYlTPkF6xzsNraOEY6SfpLesZH7IQ5hqHkmhoEkAl/GkdGod+b0m16XF root@centos7.localdomain
E、[root@centos7 ~]# ssh 192.168.93.253
Last login: Thu Jan 24 19:04:01 2019 from 192.168.93.1
此时,我们远程连接主机,实现成功登陆,我们就可以远程操作主机,例如:[root@centos7 ~]# ssh 192.168.93.253 hostname
centos6.localdomain
4、实验:使用export将100台主机批量实现key验证 实验目标:创建一个脚本,将生成的公钥传送到所有管理的主机上 准备:A、假设所有主机密码一样,把所有的口令都设为同一个,eg:echo magedu | passwd --stdin root B、创建一个hosts.txt文件,将所管控的主机IP地址列在其中,
C、[root@centos7 ~]# cat ssh_key_push.sh
#!/bin/bash
ssh-keygen -P "" -f /root/.ssh/id_rsa (“”:设置的空口令) (此命令可一次性生成公私钥对儿)
pass=magedu
rpm -q expect &> /dev/null || yum install expect -y -q (静默安装expect)
while read ip ;do
expect <<EOF
set timeout 20
spawn ssh-copy-id -i /root/.ssh/id_rsa.pub $ip
expect {
"yes/no" { send "yes\n";exp_continue }
"password" { send "$pass\n" }
}
expect eof
EOF
done < host.txt
D、脚本已竣工,我们将其加权限:chmod +x ssh_key_push.sh E、./ssh_key_push.sh 运行完毕,即可连接远程主机
F、[root@centos7 ~]# ssh 192.168.93.253
Last login: Thu Jan 24 21:40:10 2019 from 192.168.93.1
[root@centos6 ~]# exit
logout
Connection to 192.168.93.253 closed.
[root@centos7 ~]# ssh 192.168.93.200
Last login: Thu Jan 24 22:41:15 2019 from 192.168.93.1
[root@centos7 ~]# exit
logout
5、实验:编写批量修改selinux的脚本 A、编写主机列表 [root@centos7 ~]# cat host.txt 192.168.93.253 192.168.93.200 B、编写脚本
[root@centos7 ~]# vim batch_selinux.sh
#!/bin/bash
for ip in `cat hosts.txt` ;do
ssh $ip sed -i 's/SELINUX=disabled/SELINUX=enforcing/' /etc/selinux/config
done
~
C、这时,在centos6和R1上 [root@centos6 .ssh]# cat /etc/selinux/config 即可看见修改结果。 6、实验:将三台主机生成同一个公私钥对儿
A、[root@centos7 ~]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:QJMcF1HDmZaYPZ+y+jUDnUwKgJ+A9vnVt34veE5o8CY root@centos7.localdomain
The key's randomart image is:
+---[RSA 2048]----+
| . o=o+Oo+ |
| o o.o+o O. |
| . . +...o o.. |
| o o...o=+. |
| . .S +++. |
| . .+.. |
| .E.O.. |
| . =o++ |
| .. +.o.|
+----[SHA256]-----+
B、[root@centos7 ~]# cd .ssh
[root@centos7 .ssh]# ls
id_rsa id_rsa.pub 此时即可看到一对儿公私钥文件生成
C、[root@centos7 .ssh]# cd
[root@centos7 ~]# ssh-copy-id 192.168.93.254
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.93.254's password: (需输入口令)
Number of key(s) added: 1
Now try logging into the machine, with: "ssh '192.168.93.254'"
and check to make sure that only the key(s) you wanted were added.
D、[root@centos7 ~]# cd .ssh
[root@centos7 .ssh]# ls
authorized_keys id_rsa id_rsa.pub known_hosts
此时是一对儿公私钥生成。
E、[root@centos7 .ssh]# cd
[root@centos7 ~]# scp -r /root/.ssh 192.168.93.253:/root
Warning: Permanently added '192.168.93.253' (RSA) to the list of known hosts.
root@192.168.93.253's password:
id_rsa 100% 1679 2.4MB/s 00:00
id_rsa.pub 100% 406 500.9KB/s 00:00
known_hosts 100% 572 715.2KB/s 00:00
authorized_keys 100% 406 549.0KB/s 00:00
[root@centos7 ~]# scp -r /root/.ssh 192.168.93.200:/root
Warning: Permanently added '192.168.93.200' (ECDSA) to the list of known hosts.
root@192.168.93.200's password:
id_rsa 100% 1679 308.6KB/s 00:00
id_rsa.pub 100% 406 101.0KB/s 00:00
known_hosts 100% 748 480.6KB/s 00:00
authorized_keys 100% 406 11.0KB/s 00:00
此时是把整个 .ssh文件拷贝到centos6和R1上。
F、cd退出,再cd .ssh中,ls即可看到该对儿公私钥,如下:
[root@centos6 .ssh]# cd
[root@centos6 ~]# cd .ssh
[root@centos6 .ssh]# ls
authorized_keys id_rsa id_rsa.pub known_hosts