ssh: automatically accept keys

I wrote this little utility script:

 for h in $SERVER_LIST; do ssh $h "uptime"; done

When I add a new server to $SERVER_LIST, the script stops at:

 The authenticity of host 'blah.blah.blah (10.10.10.10)' can't be established.
 RSA key fingerprint is a4:d9:a4:d9:a4:d9a4:d9:a4:d9a4:d9a4:d9a4:d9a4:d9a4:d9.
 Are you sure you want to continue connecting (yes/no)?

I tried yes:

 for h in $SERVER_LIST; do yes | ssh $h "uptime"; done

No luck.

Is there a way to parameterize ssh so that it automatically accepts any new key?

Use the StrictHostKeyChecking option, e.g.:

 ssh -oStrictHostKeyChecking=no $h uptime

This option can also be added to ~/.ssh/config, e.g.:

 Host somehost
     Hostname 10.0.0.1
     StrictHostKeyChecking no

Note that when a host key changes you still get a warning, even with this option:

 $ ssh -oStrictHostKeyChecking=no somehost uptime
 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
 @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
 IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
 Someone could be eavesdropping on you right now (man-in-the-middle attack)!
 It is also possible that a host key has just been changed.
 The fingerprint for the RSA key sent by the remote host is
 31:6f:2a:d5:76:c3:1e:74:f7:73:2f:96:16:12:e0:d8.
 Please contact your system administrator.
 Add correct host key in /home/peter/.ssh/known_hosts to get rid of this message.
 Offending RSA key in /home/peter/.ssh/known_hosts:24
 remove with: ssh-keygen -f "/home/peter/.ssh/known_hosts" -R 10.0.0.1
 Password authentication is disabled to avoid man-in-the-middle attacks.
 Keyboard-interactive authentication is disabled to avoid man-in-the-middle attacks.
 ash: uptime: not found

If hosts are not reinstalled often, you can use the -oUserKnownHostsFile=/dev/null option, which is less secure (but more convenient for frequently changing host keys). This discards all received host keys, so it never produces the warning.


With 18.04 there is a new possibility: StrictHostKeyChecking=accept-new. From man 5 ssh_config:

 If this flag is set to “accept-new” then ssh will automatically add new host keys to the user known hosts files, but will not permit connections to hosts with changed host keys. If this flag is set to “no” or “off”, ssh will automatically add new host keys to the user known hosts files and allow connections to hosts with changed hostkeys to proceed, subject to some restrictions. 

You can add a server's fingerprint to known_hosts with the following commands:

 ssh-keyscan -H <server-ip> >> ~/.ssh/known_hosts
 ssh-keyscan -H <server-dns-name> >> ~/.ssh/known_hosts

Note: replace <server-ip> and <server-dns-name> with the IP and DNS name of the server you want to add.

The only problem is that you end up with some servers twice in known_hosts. I'm just mentioning it; it's not a big deal. To make sure there are no duplicates, you can first remove all the servers by running:

 ssh-keygen -R <server-ip>
 ssh-keygen -R <server-dns-name>

So you can run:

 for h in $SERVER_LIST; do
     ip=$(dig +search +short $h)
     ssh-keygen -R $h
     ssh-keygen -R $ip
     ssh-keyscan -H $ip >> ~/.ssh/known_hosts
     ssh-keyscan -H $h >> ~/.ssh/known_hosts
 done

One thing to keep in mind about removing just to re-add is that it effectively removes the security of validating the fingerprint. So you definitely don't want to run this before every execution of your utility script.

I'm a bit late to this, but the sensible thing to do is an ssh-keyscan of the new machine before running uptime.

 ssh-keyscan <new-host> >> ~/.ssh/known_hosts

Disabling sanity checks for convenience sounds like a terrible plan, even if you think you are fully in control of the environment.

To add a list of servers automatically, we can do the following:

Add the server IPs to a file named servers-list.

The IPs should be added in the format below.

Output of cat servers-list:

 123.1.2.3
 124.1.2.4
 123.1.2.5

Change the IPs by substituting your own.

The command below will add all the servers in the list.

 # unquoted so each IP becomes its own argument; quoting the substitution would
 # hand ssh-keyscan the whole list as one host string
 ssh-keyscan -p61 -H $(cat servers-list) >> ~/.ssh/known_hosts
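The answers above seed known_hosts with ssh-keyscan, either per host, via ssh-keygen -R followed by a re-scan (which creates the duplicate entries one answer mentions, and throws away the pinned fingerprint while doing so), or from a servers-list file, and one answer quotes the accept-new semantics from the ssh_config manual. The following is an added example, written for this page and not taken from any of the answers or from OpenSSH, that performs the merge step the way accept-new does, offline in POSIX sh and awk: a scanned key for a host not yet in the file is appended, a matching key is left alone (so no duplicates), and a differing key is refused and reported rather than overwritten. Everything in it is constructed: the hostnames under example.test, the 10.0.0.1 address, the key strings (not real keys), and the function names classify_key, merge_keyscan and demo. It assumes unhashed entries (ssh-keyscan without -H), whose three-field "host keytype key" shape is what real output has; hashed lines cannot be compared by string and are skipped.

```shell
#!/bin/sh
# Added example, not code from any of the answers above: merge ssh-keyscan
# output into a known_hosts file with "accept-new" semantics (add unknown
# hosts, keep already-pinned hosts once, refuse hosts whose key differs),
# implemented offline with awk so it can run on constructed data.
# Assumptions: entries are unhashed (no -H), so hostnames can be compared as
# strings; @cert-authority/@revoked markers and hashed |1|... lines are skipped.

# classify_key KNOWN_HOSTS HOST KEYTYPE KEY  -> prints new | known | changed
classify_key() {
    awk -v host="$2" -v type="$3" -v key="$4" '
        # skip blanks, comments, hashed (|1|...) lines and marker lines
        /^[ \t]*$/ || /^#/ || /^\|/ || /^@/ { next }
        {
            n = split($1, hosts, ",")      # first field may list several names
            for (i = 1; i <= n; i++) {
                if (hosts[i] == host && $2 == type) {
                    found = 1
                    if ($3 == key) print "known"; else print "changed"
                    exit
                }
            }
        }
        END { if (!found) print "new" }
    ' "$1"
}

# merge_keyscan KNOWN_HOSTS SCAN_FILE
# Appends "new" keys, leaves "known" ones alone (no duplicates), refuses
# "changed" ones and reports them on stderr; returns 1 if anything was refused.
merge_keyscan() {
    kh=$1; rc=0
    [ -f "$kh" ] || : > "$kh"
    while read -r host type key; do
        case "$host" in
            ''|'#'*) continue ;;             # blank or ssh-keyscan comment line
            '|'*) echo "skipping hashed line; rerun ssh-keyscan without -H" >&2; continue ;;
        esac
        case "$(classify_key "$kh" "$host" "$type" "$key")" in
            new)     printf '%s %s %s\n' "$host" "$type" "$key" >> "$kh" ;;
            known)   ;;
            changed) echo "REFUSED: $host ($type) presented a key that differs from $kh" >&2; rc=1 ;;
        esac
    done < "$2"
    return "$rc"
}

# Self-contained run on constructed data (no network, no real keys).
demo() {
    tmp=$(mktemp -d) || return 1
    # known_hosts already pins web1 (by name and IP) and db1
    cat > "$tmp/known_hosts" <<'EOF'
web1.example.test,10.0.0.1 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKE-web1-key
db1.example.test ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKE-db1-key
EOF
    # constructed ssh-keyscan output: web1 unchanged, db1 CHANGED, app2 new
    cat > "$tmp/scan" <<'EOF'
# web1.example.test:22 SSH-2.0-OpenSSH_8.9
web1.example.test ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKE-web1-key
db1.example.test ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKE-db1-key-ROTATED
app2.example.test ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKE-app2-key
EOF
    if merge_keyscan "$tmp/known_hosts" "$tmp/scan"; then status=accepted; else status=refused; fi
    lines=$(wc -l < "$tmp/known_hosts" | tr -d ' ')
    rm -rf "$tmp"
    echo "merge: $status; known_hosts now has $lines lines"
    # expected: refused (db1 changed) and 3 lines (web1 kept once, app2 added)
    [ "$status" = refused ] && [ "$lines" = 3 ]
}

demo
```

Run as-is to see the constructed case; for real use, capture `ssh-keyscan host1 host2 > scan` and merge it into a copy of ~/.ssh/known_hosts, then inspect anything reported as REFUSED out of band before touching the pinned entry, which is exactly the decision accept-new leaves to you and StrictHostKeyChecking=no takes away. If your known_hosts is hashed, look entries up with ssh-keygen -F instead of comparing hostnames as this example does.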