Chapter 19: Encryption and Security (II)


Experiment 1: Build a private CA and issue certificates to users

Certificate application process

Prerequisites

Network connectivity is available

Objective

CentOS7 builds a private CA and issues a certificate to the user host CentOS6

1. Build the CA

CentOS7

[root@centos7 ~]# tree /etc/pki/CA		#the CA private key must be kept under this path
/etc/pki/CA
├── certs
├── crl
├── newcerts
└── private

4 directories, 0 files

[root@centos7 ~]# cd /etc/pki/CA
#generate the private key file; it is written to private/cakey.pem, 4096 bits
[root@centos7 CA]# (umask 077;openssl genrsa -out private/cakey.pem 4096)	
Generating RSA private key, 4096 bit long modulus
.........................................++
.......++
e is 65537 (0x10001)
[root@centos7 CA]# tree
.
├── certs
├── crl
├── newcerts
└── private
    └── cakey.pem	##the private key just generated

4 directories, 1 file

Generate the self-signed certificate

#generate the self-signed certificate, valid for 3650 days
[root@centos7 CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650 
Enter: (country code) CN
Enter: (state or province) beijing
Enter: (city) beijing
Enter: (organization name) magedu
Enter: (department or unit) M35
Enter: (user name or host name) www.magedu.com
Enter: (email address) may be left blank, just press Enter
Fill in each field as prompted.
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:mage
Organizational Unit Name (eg, section) []:M35
Common Name (eg, your name or your server's hostname) []:www.magedu.com
Email Address []:
Option descriptions:
		-new: generate a new certificate signing request
		-x509: used only by a CA to generate a self-signed certificate
		-key: the private key file used to generate the request
		-days n: validity period of the certificate in days
		-out /PATH/TO/SOMECERTFILE: where to save the certificate
[root@centos7 CA]# tree
.
├── cacert.pem		#self-signed certificate
├── certs
├── crl
├── newcerts
└── private
    └── cakey.pem

4 directories, 2 files

View the full contents of the self-signed certificate

[root@centos7 CA]# openssl x509 -in cacert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            e4:93:6d:7e:b0:b2:d7:4d
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=beijing, L=beijing, O=gongsi, OU=bumen, CN=www.baidu.com/emailAddress=admin@qq.com
        Validity
            Not Before: Mar 22 22:04:44 2022 GMT
            Not After : Mar 19 22:04:44 2032 GMT
        Subject: C=CN, ST=beijing, L=beijing, O=gongsi, OU=bumen, CN=www.baidu.com/emailAddress=admin@qq.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                7F:1E:D2:0E:15:0C:61:7D:F6:60:15:93:C5:AB:AF:DA:D2:58:4D:8F
            X509v3 Authority Key Identifier: 
                keyid:7F:1E:D2:0E:15:0C:61:7D:F6:60:15:93:C5:AB:AF:DA:D2:58:4D:8F

            X509v3 Basic Constraints: 
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption

View a summary of the self-signed certificate, including its validity period

#issuer: who issued the certificate
openssl x509 -in cacert.pem -noout -issuer
#dates: validity period
openssl x509 -in cacert.pem -noout -dates

2. The client requests a certificate from the CA

On CentOS6

Generate a private key on the CentOS6 server

[root@centos6 ~]# cd /etc/pki/CA
#generate the private key, named app.key, 1024 bits
[root@centos6 CA]# (umask 066;openssl genrsa -out app.key 1024)
Generating RSA private key, 1024 bit long modulus
....................................++++++
......++++++
e is 65537 (0x10001)

[root@centos6 CA]# tree
.
├── app.key		#the private key just generated
├── certs
├── crl
├── newcerts
└── private

4 directories, 1 file

On node2 (the CentOS6 host), use the private key to generate the certificate signing request file

[root@centos6 CA]# openssl req -new -key app.key -out app.csr
CN
beijing
beijing
magedu
M35
app.magedu.com

Note: by default the country, state/province and organization name must match the CA's values

Send the CSR from CentOS6 to CentOS7

[root@centos6 CA]# scp app.csr 192.168.37.7:/root/

3. Issue the certificate

CentOS7

Create two files under /etc/pki/CA/ on CentOS7: index.txt and serial
[root@centos7 ~]# touch /etc/pki/CA/index.txt
#00 is a hexadecimal number; certificates are issued starting from serial 00
[root@centos7 ~]# echo 00 >/etc/pki/CA/serial
[root@centos7 ~]# tree /etc/pki/CA/
/etc/pki/CA/
├── cacert.pem
├── certs
├── crl
├── index.txt
├── newcerts
├── private
│   └── cakey.pem
└── serial

4 directories, 4 files

Sign app.csr

[root@centos7 ~]# openssl ca -in /root/app.csr -out /etc/pki/CA/certs/app.crt -days 100
Enter y twice.
Signing complete
#issued certificate record: V means the certificate is currently valid, 00 is the certificate serial
[root@centos7 CA]# cat index.txt
V	220719005427Z		00	unknown	/C=CN/ST=beijing/O=magedu/OU=M35/CN=app.magedu.com

#the serial has advanced from 00 to 01, so the next certificate issued will be number 01
[root@centos7 CA]# cat serial
01

#check the status of the certificate with serial 00
[root@centos7 CA]# openssl ca -status 00
Using configuration from /etc/pki/tls/openssl.cnf
00=Valid (V)

The same private key on CentOS7 can also be used to issue another certificate: generate the CSR on CentOS6 and send it to CentOS7

# (umask 066;openssl genrsa -out app2.key 1024)
# openssl req -new -key app2.key -out app2.csr
(input steps omitted)
#enter the requested information when prompted
scp app2.csr 192.168.37.6:/root/

Sign the certificate request for app2 on CentOS7

#issue the certificate
openssl ca -in /root/app2.csr -out /etc/pki/CA/certs/app2.crt -days 100
Enter y twice.
Signing complete

4. Revoke a certificate

a. On the client, obtain the serial of the certificate to be revoked
	openssl x509 -in /PATH/FROM/CERT_FILE -noout -serial -subject
b. On the CA, compare the serial and subject submitted by the client against the entries in index.txt to confirm they match,
then revoke the certificate:
	openssl ca -revoke /etc/pki/CA/newcerts/SERIAL.pem
c. Set the number of the first revoked certificate; note: this is only needed once, before the first update of the CRL
	echo 01 > /etc/pki/CA/crlnumber
d. Update the certificate revocation list
	openssl ca -gencrl -out /etc/pki/CA/crl.pem
e. View the crl file:
	openssl crl -in /etc/pki/CA/crl.pem -noout -text

Revoke the certificate

[root@centos7 ~]#  cat /etc/pki/CA/index.txt
V	220719005427Z		00	unknown	/C=CN/ST=beijing/O=magedu/OU=M35
V	220719014201Z		01	unknown	/C=CN/ST=beijing/O=magedu/OU=M35

[root@centos7 ~]# openssl ca -revoke /etc/pki/CA/newcerts/01.pem

#check the revocation
[root@centos7 ~]# cat /etc/pki/CA/index.txt
V	220719005427Z		00	unknown	/C=CN/ST=beijing/O=magedu/OU=M35/CN=app.magedu.com
R	220719014201Z	220410022040Z	01	unknown	/C=CN/ST=beijing/O=magedu/OU=M35/CN=cn.magedu.com

#check the status of the certificate with serial 01
[root@centos7 ~]# openssl ca -status 01
Using configuration from /etc/pki/tls/openssl.cnf
01=Revoked (R)

#update the certificate revocation list
[root@centos7 ~]# openssl ca -gencrl -out /etc/pki/CA/crl.pem
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/crlnumber: No such file or directory
error while loading CRL number
140208481458064:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/etc/pki/CA/crlnumber','r')
140208481458064:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:

#generate the certificate revocation list
[root@centos7 ~]# echo 00 >/etc/pki/CA/crlnumber   #note: only needed once, before the first update of the CRL
[root@centos7 ~]# openssl ca -gencrl -out /etc/pki/CA/crl.pem
Using configuration from /etc/pki/tls/openssl.cnf

#view the crl file:
openssl crl -in /etc/pki/CA/crl.pem -noout -text
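Steps 1 to 4 above, collected into one non-interactive script. This is an added example, not part of the original post: it builds the CA in a directory you choose, with its own minimal openssl.cnf instead of /etc/pki/tls/openssl.cnf, issues a certificate with -batch in place of the two y answers, then revokes it and generates the CRL. The function names and directory layout are assumptions, and key sizes are reduced to 2048 bits to keep the run short.

```shell
# Constructed demo (not the page's own script): a throwaway private CA that issues,
# revokes and publishes a CRL non-interactively. Assumes only the openssl CLI.
set -e
# Minimal config (no /etc/pki/tls/openssl.cnf needed); policy_match is the page's default: C, ST and O must equal the CA's.
write_ca_config() {                      # $1 = CA directory
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $1
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
default_crl_days = 30
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
}
# Step 1 plus the setup of step 3: CA key, self-signed CA cert, empty index.txt, serial=00.
build_ca() {                             # $1 = CA directory
    mkdir -p "$1/certs" "$1/crl" "$1/newcerts" "$1/private"
    write_ca_config "$1"
    (umask 077; openssl genrsa -out "$1/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -key "$1/private/cakey.pem" -out "$1/cacert.pem" \
        -days 3650 -config "$1/openssl.cnf" -extensions v3_ca \
        -subj "/C=CN/ST=beijing/L=beijing/O=magedu/OU=M35/CN=www.magedu.com"
    : > "$1/index.txt"; echo 00 > "$1/serial"; echo 00 > "$1/crlnumber"
}
# Steps 2 and 3: client key and CSR, then the CA signs it; -batch replaces the two y answers. Returns non-zero if policy_match fails (e.g. another O).
issue_cert() {                           # $1 = CA dir, $2 = name, $3 = subject
    (umask 066; openssl genrsa -out "$1/$2.key" 2048 2>/dev/null)
    openssl req -new -key "$1/$2.key" -out "$1/$2.csr" -subj "$3" -config "$1/openssl.cnf"
    openssl ca -batch -notext -config "$1/openssl.cnf" -in "$1/$2.csr" \
        -out "$1/certs/$2.crt" -days 100 2>/dev/null
}
# Step 4: revoke using the copy openssl ca kept as newcerts/<SERIAL>.pem, then rebuild the CRL (crlnumber is already seeded, so -gencrl does not hit the page's error).
revoke_and_gencrl() {                    # $1 = CA dir, $2 = serial, e.g. 01
    openssl ca -config "$1/openssl.cnf" -revoke "$1/newcerts/$2.pem" 2>/dev/null
    openssl ca -config "$1/openssl.cnf" -gencrl -out "$1/crl/crl.pem" 2>/dev/null
}
```

After a run, index.txt shows the V and R entries exactly as on the page, and openssl verify -crl_check -CAfile cacert.pem -CRLfile crl/crl.pem rejects the revoked certificate while still accepting the valid one.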

Experiment 2: Key-based SSH authentication

CentOS 7

[root@centos7 ~]# su - wang
#the algorithm can be specified (rsa by default; -t dsa is also possible)
[wang@centos7 ~]$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/wang/.ssh/id_rsa): 
Created directory '/home/wang/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/wang/.ssh/id_rsa.
Your public key has been saved in /home/wang/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:z7CS8K5veyQeD+Dc1bvOaViFaW2Rmx2/mH0fej5K4HQ wang@centos7.localdomain
The key's randomart image is:
+---[RSA 2048]----+
|             .   |
|            o .  |
|         . + = o |
|    .   . = * . .|
|   o.o .S. * E+ .|
|    oo=..== oo +.|
|     .+*.ooo .. +|
|     .o.+.o... o.|
|    .++o o+  .+..|
+----[SHA256]-----+

[wang@centos7 ~]$ cd .ssh
[wang@centos7 .ssh]$ ll
total 8
-rw------- 1 wang wang 1679 Apr 10 14:01 id_rsa
-rw-r--r-- 1 wang wang  406 Apr 10 14:01 id_rsa.pub

Note: the private key path "/home/wang/.ssh/id_rsa" is what was given here, but no need to worry: check on CentOS 6 and you will see that what was copied over is still the public key

#send the public key over
[wang@centos7 .ssh]$ ssh-copy-id -i /home/wang/.ssh/id_rsa root@192.168.37.6
/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/wang/.ssh/id_rsa.pub"
The authenticity of host '192.168.37.6 (192.168.37.6)' can't be established.
RSA key fingerprint is SHA256:Mp/PudXpjODf/xvxl5nLOGFmKNUDYWaTSCF0mRf8+PI.
RSA key fingerprint is MD5:42:ea:52:f7:e7:31:0a:4f:c8:d9:0d:11:e7:d1:0d:a2.
Are you sure you want to continue connecting (yes/no)? yes
/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.37.6's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'root@192.168.37.6'"
and check to make sure that only the key(s) you wanted were added.
#private key file
[wang@centos7 .ssh]$ cat id_rsa

#public key file
[wang@centos7 .ssh]$ cat id_rsa.pub 
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDfsKjhq/JjFNhRHPqTxq59ZRQUnF6T3QjYbAOQY04wIfO0gMP9FzYQGxRlvwWu3jJ7VhgcQxdCOlj+15oZkMdzPsK6BgJYY1naTAO/Bf8dMRKhE0gJn+dxB5mZZV/q+B5Gxrg+itFrrsXOtJyDIG3hZfTocBXvFgaPUgbalMRe3kugPv3yObtXoXEhHaAUgDmplYqzDArUFab9cnus7HC8vNhhrw6ocAAA3ElS3ysp/LkFMGo6xuDnc7RXbGoiyGaSNk4RaLEbZqFIVrqYZ+CMyPtoHK5AfSc8osb6GzHS0UEAWVqA368sRa13V+EXm1rkmCxmIsmztqLu7WjiYw9v wang@centos7.localdomain

CentOS 6

[root@centos6 ~]$ cd .ssh/

[root@centos6 .ssh]$ ll
total 8
-rw------- 1 root root 406 Apr 10 12:08 authorized_keys
-rw-r--r-- 1 root root 394 Apr 10 08:51 known_hosts

Note: you can see that it is still the public key that was copied over

[root@centos6 .ssh]$ cat authorized_keys 
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDfsKjhq/JjFNhRHPqTxq59ZRQUnF6T3QjYbAOQY04wIfO0gMP9FzYQGxRlvwWu3jJ7VhgcQxdCOlj+15oZkMdzPsK6BgJYY1naTAO/Bf8dMRKhE0gJn+dxB5mZZV/q+B5Gxrg+itFrrsXOtJyDIG3hZfTocBXvFgaPUgbalMRe3kugPv3yObtXoXEhHaAUgDmplYqzDArUFab9cnus7HC8vNhhrw6ocAAA3ElS3ysp/LkFMGo6xuDnc7RXbGoiyGaSNk4RaLEbZqFIVrqYZ+CMyPtoHK5AfSc8osb6GzHS0UEAWVqA368sRa13V+EXm1rkmCxmIsmztqLu7WjiYw9v wang@centos7.localdomain

CentOS 7

#now no password is needed when connecting to CentOS 6
[wang@centos7 .ssh]$ ssh root@192.168.37.6
Last login: Sun Apr 10 12:08:44 2022 from 192.168.37.1
#logged in to CentOS 6
[root@centos6 ~]$

Experiment 3: Key-based SSH authentication with an expect script

Prerequisites

Firewall and SELinux disabled. Control host 37.7; the IPs of the three client machines are

  • 37.10
  • 37.11
  • 37.12

Objective

Passwordless login

First set the same password on all three hosts

#37.10
[root@centos10 ~]$ echo magedu | passwd --stdin root
Changing password for user root.
passwd: all authentication tokens updated successfully.

#37.11
[root@centos11 ~]# echo magedu | passwd --stdin root
Changing password for user root.
passwd: all authentication tokens updated successfully.

#37.12
[root@centos12 ~]# echo magedu | passwd --stdin root
Changing password for user root.
passwd: all authentication tokens updated successfully.

Host 37.7

#write the client IPs to a file
~]#vim hosts.txt
192.168.37.10
192.168.37.11
192.168.37.12

#if the script stops responding, press Enter
~]#vim sshkey.sh
#!/bin/bash
#password shared by the client hosts
PASS=magedu
#create the key pair only if it does not exist yet (otherwise ssh-keygen waits for an overwrite answer)
if [ ! -f /root/.ssh/id_rsa ]; then
    ssh-keygen -t rsa -P "" -f /root/.ssh/id_rsa &> /dev/null && echo "ssh key is created"
fi
#check whether expect is installed; install it if it is not
rpm -q expect &> /dev/null || yum -y install expect &> /dev/null
while read IP ;do
expect <<EOF
#timeout of 20 seconds
set timeout 20
spawn ssh-copy-id -i /root/.ssh/id_rsa.pub root@$IP
expect {
"yes/no" { send "yes\n";exp_continue }
"password" { send "$PASS\n" }
}
expect eof
EOF
echo $IP is ready
done < hosts.txt

#check the script syntax
~]# bash -n sshkey.sh
#add execute permission
~]# chmod +x  sshkey.sh
#run the script
~]# ./sshkey.sh

#connection test
~]# ssh 192.168.37.10
~]# exit
~]# ssh 192.168.37.11
~]# exit
~]# ssh 192.168.37.12
~]# exit

#a command can also be run directly, after which the session exits automatically
~]# ssh 192.168.37.10 ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:92:97:b4 brd ff:ff:ff:ff:ff:ff
    inet 192.168.37.10/24 brd 192.168.37.255 scope global eth0
    inet6 fe80::20c:29ff:fe92:97b4/64 scope link 
       valid_lft forever preferred_lft forever
3: pan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN 
    link/ether 4a:2c:c2:ed:89:e8 brd ff:ff:ff:ff:ff:ff