Ssh
如何從伺服器獲取 ssh 密鑰?
我需要通過 ssh 登錄到主機,獲取密鑰文件,關閉連接,然後使用密鑰在幾台機器上無密碼登錄。
根本問題是我需要通過 ssh 在幾台伺服器上執行測試。我已經使用 paramiko 成功編寫了程式碼,該程式碼通過正常登錄來完成。但我就是不知道 ssh 是如何工作的。
這就是我所做的一切。我在客戶端上創建密鑰並將它們複製到伺服器:
[me@localhost ~]$ ssh 192.168.122.33 me@192.168.122.33's password: Last login: Mon Apr 29 09:26:15 2019 from gateway [me@test33 ~]$ exit logout Connection to 192.168.122.33 closed. [me@localhost ~]$ ssh-keygen -t rsa Generating public/private rsa key pair. Enter file in which to save the key (/home/me/.ssh/id_rsa): Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/me/.ssh/id_rsa. Your public key has been saved in /home/me/.ssh/id_rsa.pub. The key fingerprint is: SHA256:CV4HoJfwABDD15AoGDtZdTgAlEWZJfP8cFW+18lk9Gg me@localhost.localdomain The key's randomart image is: +---[RSA 2048]----+ Removed +----[SHA256]-----+ [me@localhost ~]$ ssh-copy-id 192.168.122.33 /usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed /usr/bin/ssh-copy-id: INFO: 2 key(s) remain to be installed -- if you are prompted now it is to install the new keys me@192.168.122.33's password: Number of key(s) added: 2 Now try logging into the machine, with: "ssh '192.168.122.33'" and check to make sure that only the key(s) you wanted were added. [me@localhost ~]$ ssh 192.168.122.33 Last login: Mon Apr 29 09:27:26 2019 from gateway [me@test33 ~]$
到目前為止按預期工作。現在我可以在不提示輸入密碼的情況下登錄。但是現在有些事情我不明白。我從刪除文件
id_rsa
和客戶端開始:id_rsa.pub
[me@test33 ~]$ exit logout Connection to 192.168.122.33 closed. [me@localhost ~]$ cd .ssh/ [me@localhost .ssh]$ ls id_rsa id_rsa.pub known_hosts [me@localhost .ssh]$ mkdir ../backup [me@localhost .ssh]$ mv id* ../backup
現在,我希望沒有密碼就無法登錄,但這顯然是錯誤的。
[me@localhost .ssh]$ ssh 192.168.122.33 Last login: Mon Apr 29 09:29:20 2019 from gateway [me@test33 ~]$
所以我懷疑密鑰記憶體在某個地方,所以我嘗試重新啟動 ssh 守護程序。
[me@localhost .ssh]$ sudo service sshd restart [sudo] password for me: Redirecting to /bin/systemctl restart sshd.service [me@localhost .ssh]$ ssh 192.168.122.33 Last login: Mon Apr 29 09:38:23 2019 from gateway [me@test33 ~]$
也沒有工作。抱歉不清楚,但可能有一些我不明白的概念。我現在想做的是配置一個伺服器的過程,以便我可以使用使用者名和密碼登錄它並獲取密鑰文件。然後我想將該配置複製到許多其他伺服器。最後,我想使用我的客戶端從其中一台伺服器獲取密鑰文件,並使用它來登錄並在伺服器上執行各種命令。出於安全原因,我還需要將密鑰文件儲存在 ram 中,並且可能會以某種方式對其進行加密,但這是以後的問題。
稍後我將用 Python 編寫所有內容,但我需要解決這個問題才能開始編碼。這個偽python描述了我正在尋找的東西:
hosts=['192.168.122.' + str(i) for i in range(1,10)] key=fetch_key(hosts[0]) # Or any of the servers. for host in hosts: # This part is already done. I just need to get the key. execute_test(host, key)
伺服器正在執行 CentOS 7
我首先在 SO 上發布了這個,但它是 OT,但應評論者的要求,這是來自
ssh -vv
[me@localhost ~]$ ssh -vv 192.168.122.33 OpenSSH_7.8p1, OpenSSL 1.1.1 FIPS 11 Sep 2018 debug1: Reading configuration data /etc/ssh/ssh_config debug1: Reading configuration data /etc/ssh/ssh_config.d/05-redhat.conf debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config debug1: /etc/ssh/ssh_config.d/05-redhat.conf line 8: Applying options for * debug2: resolve_canonicalize: hostname 192.168.122.33 is address debug2: ssh_connect_direct debug1: Connecting to 192.168.122.33 [192.168.122.33] port 22. debug1: Connection established. debug1: identity file /home/me/.ssh/id_rsa type -1 debug1: identity file /home/me/.ssh/id_rsa-cert type -1 debug1: identity file /home/me/.ssh/id_dsa type -1 debug1: identity file /home/me/.ssh/id_dsa-cert type -1 debug1: identity file /home/me/.ssh/id_ecdsa type -1 debug1: identity file /home/me/.ssh/id_ecdsa-cert type -1 debug1: identity file /home/me/.ssh/id_ed25519 type -1 debug1: identity file /home/me/.ssh/id_ed25519-cert type -1 debug1: identity file /home/me/.ssh/id_xmss type -1 debug1: identity file /home/me/.ssh/id_xmss-cert type -1 debug1: Local version string SSH-2.0-OpenSSH_7.8 debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4 debug1: match: OpenSSH_7.4 pat OpenSSH_7.0*,OpenSSH_7.1*,OpenSSH_7.2*,OpenSSH_7.3*,OpenSSH_7.4*,OpenSSH_7.5*,OpenSSH_7.6*,OpenSSH_7.7* compat 0x04000002 debug2: fd 6 setting O_NONBLOCK debug1: Authenticating to 192.168.122.33:22 as 'me' debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug2: local client KEXINIT proposal debug2: KEX algorithms: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,ext-info-c debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa debug2: ciphers ctos: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc debug2: ciphers stoc: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc debug2: MACs ctos: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 debug2: MACs stoc: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 debug2: compression ctos: none,zlib@openssh.com,zlib debug2: compression stoc: none,zlib@openssh.com,zlib debug2: languages ctos: debug2: languages stoc: debug2: first_kex_follows 0 debug2: reserved 0 debug2: peer server KEXINIT proposal debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 debug2: host key algorithms: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519 debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,blowfish-cbc,cast128-cbc,3des-cbc debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,blowfish-cbc,cast128-cbc,3des-cbc debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 debug2: compression ctos: none,zlib@openssh.com debug2: compression stoc: none,zlib@openssh.com debug2: languages ctos: debug2: languages stoc: debug2: first_kex_follows 0 debug2: reserved 0 debug1: kex: algorithm: curve25519-sha256@libssh.org debug1: kex: host key algorithm: ecdsa-sha2-nistp256 debug1: kex: server->client cipher: aes256-gcm@openssh.com MAC: <implicit> compression: none debug1: kex: client->server cipher: aes256-gcm@openssh.com MAC: <implicit> compression: none debug1: kex: curve25519-sha256@libssh.org need=32 dh_need=32 debug1: kex: curve25519-sha256@libssh.org need=32 dh_need=32 debug1: expecting SSH2_MSG_KEX_ECDH_REPLY debug1: Server host key: ecdsa-sha2-nistp256 SHA256:tDHtYxD9gjd6WxS82Y5unZRfSTA42S0BWPQB244fP2s debug1: Host '192.168.122.33' is known and matches the ECDSA host key. debug1: Found key in /home/me/.ssh/known_hosts:1 debug2: set_newkeys: mode 1 debug1: rekey after 4294967296 blocks debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug1: SSH2_MSG_NEWKEYS received debug2: set_newkeys: mode 0 debug1: rekey after 4294967296 blocks debug2: key: me@localhost.localdomain (0x5620eac46f80), agent debug2: key: me@localhost.localdomain (0x5620eac4a830), agent debug2: key: /home/me/.ssh/id_rsa ((nil)) debug2: key: /home/me/.ssh/id_dsa ((nil)) debug2: key: /home/me/.ssh/id_ecdsa ((nil)) debug2: key: /home/me/.ssh/id_ed25519 ((nil)) debug2: key: /home/me/.ssh/id_xmss ((nil)) debug1: SSH2_MSG_EXT_INFO received debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512> debug2: service_accept: ssh-userauth debug1: SSH2_MSG_SERVICE_ACCEPT received debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password debug1: Next authentication method: gssapi-keyex debug1: No valid Key exchange context debug2: we did not send a packet, disable method debug1: Next authentication method: gssapi-with-mic debug1: Unspecified GSS failure. Minor code may provide more information No Kerberos credentials available (default cache: KCM:) debug1: Unspecified GSS failure. Minor code may provide more information No Kerberos credentials available (default cache: KCM:) debug2: we did not send a packet, disable method debug1: Next authentication method: publickey debug1: Offering public key: RSA SHA256:a3sjstTdNHguzTkUQ7u/1ExNPPijAkXbNYl7CbrwCOQ me@localhost.localdomain debug2: we sent a publickey packet, wait for reply debug1: Server accepts key: pkalg rsa-sha2-256 blen 279 debug2: input_userauth_pk_ok: fp SHA256:a3sjstTdNHguzTkUQ7u/1ExNPPijAkXbNYl7CbrwCOQ debug1: Authentication succeeded (publickey). Authenticated to 192.168.122.33 ([192.168.122.33]:22). debug1: channel 0: new [client-session] debug2: channel 0: send open debug1: Requesting no-more-sessions@openssh.com debug1: Entering interactive session. debug1: pledge: network debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0 debug2: channel_input_open_confirmation: channel 0: callback start debug2: fd 6 setting TCP_NODELAY debug2: client_session2_setup: id 0 debug2: channel 0: request pty-req confirm 1 debug1: Sending environment. debug1: Sending env LANG = en_US.UTF-8 debug2: channel 0: request env confirm 0 debug1: Sending env XMODIFIERS = @im=ibus debug2: channel 0: request env confirm 0 debug2: channel 0: request shell confirm 1 debug2: channel_input_open_confirmation: channel 0: callback done debug2: channel 0: open confirm rwindow 0 rmax 32768 debug2: channel_input_status_confirm: type 99 id 0 debug2: PTY allocation request accepted on channel 0 debug2: channel 0: rcvd adjust 2097152 debug2: channel_input_status_confirm: type 99 id 0 debug2: shell request accepted on channel 0 Last login: Mon Apr 29 10:24:40 2019 from gateway [me@test33 ~]$
您的 ssh 密鑰由您的 ssh 代理保存在記憶體中。刪除它不會阻止代理繼續使用它。您需要先停止代理(通常通過註銷工作站)。