ssh 信任关系无密码登陆，清除公钥，批量脚本

实验机器：

主机a：192.168.2.128

主机b：192.168.2.130

实验目标： 手动建立a到b的信任关系，实现在主机a通过 ssh 192.168.2.130不用输入密码远程登陆b主机

1、a主机生成公钥

ssh-keygen -t rsa 三次回车

[root@localhost ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
/root/.ssh/id_rsa already exists.
Overwrite (y/n)?

[root@localhost ~]# cd .ssh
[root@localhost ~]# ls –a

2、将公钥复制到b主机

[root@localhost .ssh]# scp id_rsa.pub root@192.168.255.130:/root

在b主机上将刚才传输过来的公钥文件 追加到root/.ssh/authorized_keys文件里

[root@localhost ~]# cat ~/id_ras.pub >>/root/.ssh/authorized_keys
#没有这个文件的话会自动创建

3、在b主机中设置权限：

[root@localhost ~]# chmod 700 .ssh
[root@localhost ~]# chmod 600 .ssh/authorized_keys
 #注意权限必须为700和600，否则不能成功

在a主机验证：

[root@localhost .ssh]# ssh 192.168.255.130
Last login: Fri Mar 17 17:28:34 2017 from 192.168.255.128

退出：

[root@localhost ~]# exit
logout
Connection to 192.168.255.130 closed

第2步和第3步可以用下面的命令代替

ssh-copy-id -i ~/.ssh/id_rsa.pub root@192.168.255.130

清除公钥信息：

ssh-keygen -R 192.168.255.130

如果主机过多，一个个敲命令肯定不现实，脚本如下，此脚本需要安装expect命令

[root@localhost ~]# rpm -qa |grep expect
[root@localhost ~]# yum install expect
[root@localhost ~]# vim install_ssh.sh

#!/bin/bash
#批量ssh认证建立  

for p in $(cat /root/ip.txt)  #注意ip.txt文件的绝对路径
do
ip=$(echo "$p"|cut -f1 -d":")       #取ip.txt文件中的ip地址
password=$(echo "$p"|cut -f2 -d":") #取ip.txt文件中的密码  

#expect自动交互开始
expect -c "
spawn ssh-copy-id -i /root/.ssh/id_rsa.pub root@$ip
        expect {
                \"*yes/no*\" {send \"yes\r\"; exp_continue}
                \"*password*\" {send \"$password\r\"; exp_continue}
                \"*Password*\" {send \"$password\r\";}
        }
"
done

将要建立关系的服务器ip和密码写在ip.txt里，格式如下

ip:密码

[root@localhost ~]# cat ip.txt
172.16.0.113:123456
172.16.0.114:123456

执行过程：

[root@localhost ~]# ./install_ssh.sh
spawn ssh-copy-id -i /root/.ssh/id_rsa.pub root@172.16.0.113
The authenticity of host '172.16.0.113 (172.16.0.113)' can't be established.
RSA key fingerprint is 4d:24:d4:2e:85:c2:6f:73:01:d5:23:b8:50:97:f8:9c.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.0.113' (RSA) to the list of known hosts.
Now try logging into the machine, with "ssh 'root@172.16.0.113'", and check in:

  .ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

spawn ssh-copy-id -i /root/.ssh/id_rsa.pub root@172.16.0.114
The authenticity of host '172.16.0.114 (172.16.0.114)' can't be established.
RSA key fingerprint is 4d:24:d4:2e:85:c2:6f:73:01:d5:23:b8:50:97:f8:9c.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.0.114' (RSA) to the list of known hosts.
Now try logging into the machine, with "ssh 'root@172.16.0.114'", and check in:

  .ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

验证一下：

[root@localhost ~]# ssh 172.16.0.113
Last login: Fri May 19 19:28:38 2017 from 172.16.0.111
[root@localhost ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:3b:4b:c5 brd ff:ff:ff:ff:ff:ff
    inet 172.16.0.113/23 brd 172.16.1.255 scope global eth0
    inet6 fe80::20c:29ff:fe3b:4bc5/64 scope link
       valid_lft forever preferred_lft forever

好了