wmenjoy / awesome-knowleges

A collection of useful knowledge

SSH #15

Open wmenjoy opened 4 years ago

wmenjoy commented 4 years ago

1. SSH upgrade causes passwordless ssh login to fail

After the ssh server was upgraded, running ssh root@192.168.xxx.xx shows:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:0QN2og13zzcc3VWaIJtGdUSA9einO8szjgNQj40+S70.
Please contact your system administrator.
Add correct host key in /Users/xxx/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /Users/xxx/.ssh/known_hosts:2
ECDSA host key for 192.168.xxx.xx has changed and you have requested strict checking.
Host key verification failed.

It should be that the verification record has become stale; just delete it. Remove the record for the corresponding IP from the local .ssh/known_hosts:

sed -i.bak "/192.168.xxx.xx/d"  ~/.ssh/known_hosts && rm  ~/.ssh/known_hosts.bak

To do this in batch, for example to log in to a range of addresses such as 192.168.118.69-192.168.118.80, it can be written as:

for i in $(seq 69 80); do sed -i.bak "/192.168.118.$i/d"  ~/.ssh/known_hosts && rm  ~/.ssh/known_hosts.bak;  done
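An added example, not from the issue: the sed pattern above is unanchored and treats `.` as "any character", so it deletes every line that merely contains the text (a pattern for .7 would also remove .70 to .79). This script removes known_hosts entries by exact host match instead; the sample file, host names and placeholder keys are constructed for the demonstration. Remove an entry only after confirming out of band, with the server's administrator, that the host key really was replaced, because the warning shown above is exactly what a man-in-the-middle attack produces.

```shell
#!/bin/sh
# Added example (not from the issue): remove known_hosts entries by exact host.
# Limitation: hashed entries (HashKnownHosts yes, lines starting with |1|)
# cannot be matched textually; use `ssh-keygen -R host -f FILE` for those.

# remove_known_host FILE HOST...
# Drops every line whose host list contains HOST exactly. The host list is
# field 1, or field 2 when field 1 is a marker such as @cert-authority, and is
# comma separated. Prints the number of lines removed.
remove_known_host() {
    file=$1; shift
    before=$(wc -l < "$file" | tr -d ' ')
    for host in "$@"; do
        awk -v h="$host" '
            /^[[:space:]]*(#|$)/ { print; next }   # keep comments and blank lines
            {
                f = ($1 ~ /^@/) ? 2 : 1            # skip @cert-authority/@revoked marker
                n = split($f, hs, ",")
                for (i = 1; i <= n; i++)
                    if (hs[i] == h) next           # exact match only: drop the line
                print
            }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    done
    after=$(wc -l < "$file" | tr -d ' ')
    echo $((before - after))
}

# make_sample FILE: writes a constructed known_hosts; the keys are placeholders.
make_sample() {
    cat > "$1" <<'EOF'
192.168.118.7 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5 PLACEHOLDER-KEY-1
192.168.118.70 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTY PLACEHOLDER-KEY-2
db01,192.168.118.71 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5 PLACEHOLDER-KEY-3
@cert-authority *.example.internal ssh-ed25519 AAAAC3NzaC1lZDI1NTE5 PLACEHOLDER-CA
EOF
}

# Demonstration on the constructed file: removes .70 and .71, keeps .7 and
# the certificate-authority line.
demo_file=$(mktemp); make_sample "$demo_file"
echo "removed: $(remove_known_host "$demo_file" 192.168.118.70 192.168.118.71)"
cat "$demo_file"; rm -f "$demo_file"
```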
wmenjoy commented 4 years ago

Passwordless ssh login

Manually

 ssh-copy-id -f -i ~/.ssh/id_rsa.pub  192.168.xxx.xx

Enter the password when prompted.

Use an expect script to do it in batch

# file name: add_user_login_token.expect
set timeout 30
set identify [lindex $argv 0]
set hostInfo [lindex $argv 1]
set password [lindex $argv 2]
spawn ssh-copy-id -f -i "$identify" "$hostInfo"
expect {
        "(yes/no)?"
        {
            send "yes\n"
            expect "*assword:" { send "$password\n"}
        }
        "*assword:"
        {
            send "$password\n"
        }
}
expect eof

Generate the local key pair (ssh-keygen). Suppose you want to log in to 10.92.2.145: after running expect add_user_login_token.expect ~/.ssh/rsa.pub root@10.92.2.145 $passwd you can log in directly as root@10.92.2.145. To log in to a range of addresses, for example 192.168.118.69-192.168.118.80, it can be written as:

password=""  # the password goes here
for i in $(seq 69 80); do expect ./add_user_login_token.expect ~/.ssh/id_rsa.pub root@192.168.118.$i  $password; done
wmenjoy commented 4 years ago

No Matching Cipher Found. Their offer: aes128-cbc

The reason is that the terminal cannot find a supported key exchange method: the new version of OpenSSH considers the SHA1 hash algorithm too weak and no longer supports it, so we need to manually allow support for SHA1. There has also been a lot of official discussion about this problem, click here. Edit /etc/ssh/ssh_config and find the algorithm list line

Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc

Remove the comment and the problem is solved.