Ada*_*tan 273 ssh scripts openssh
I wrote this small utility script:
for h in $SERVER_LIST; do ssh $h "uptime"; done
When a new server is added to $SERVER_LIST, the script stops:
The authenticity of host 'blah.blah.blah (10.10.10.10)' can't be established.
RSA key fingerprint is a4:d9:a4:d9:a4:d9a4:d9:a4:d9a4:d9a4:d9a4:d9a4:d9a4:d9.
Are you sure you want to continue connecting (yes/no)?
I tried yes:
for h in $SERVER_LIST; do yes | ssh $h "uptime"; done
No luck.
Is there a way to parametrise ssh so that it automatically accepts any new key?
Lek*_*eyn 324
Use the StrictHostKeyChecking option, e.g.:
ssh -oStrictHostKeyChecking=no $h uptime
This option can also be added to ~/.ssh/config, e.g.:
Host somehost
Hostname 10.0.0.1
StrictHostKeyChecking no
Note that when the host key has changed, you still get a warning even with this option:
$ ssh -oStrictHostKeyChecking=no somehost uptime
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
31:6f:2a:d5:76:c3:1e:74:f7:73:2f:96:16:12:e0:d8.
Please contact your system administrator.
Add correct host key in /home/peter/.ssh/known_hosts to get rid of this message.
Offending RSA key in /home/peter/.ssh/known_hosts:24
remove with: ssh-keygen -f "/home/peter/.ssh/known_hosts" -R 10.0.0.1
Password authentication is disabled to avoid man-in-the-middle attacks.
Keyboard-interactive authentication is disabled to avoid man-in-the-middle attacks.
ash: uptime: not found
If your hosts are not reinstalled often, you can lower security (but gain convenience for frequently changing host keys) with the option -oUserKnownHostsFile=/dev/null. This discards all received host keys, so it never generates a warning.
In 18.04 there is a new possibility: StrictHostKeyChecking=accept-new. From man 5 ssh_config:
If this flag is set to “accept-new” then ssh will automatically
add new host keys to the user known hosts files, but will not
permit connections to hosts with changed host keys. If this flag
is set to “no” or “off”, ssh will automatically add new host keys
to the user known hosts files and allow connections to hosts with
changed hostkeys to proceed, subject to some restrictions.
mho*_*ost 143
You can add the server's fingerprint to your known_hosts with the following commands:
ssh-keyscan -H <ip-address> >> ~/.ssh/known_hosts
ssh-keyscan -H <hostname> >> ~/.ssh/known_hosts
Note: replace <ip-address> and <hostname> with the IP and DNS name of the server you want to add.
The only problem is that you end up with some servers twice in known_hosts. It's not really a big deal, just mentioning it. To make sure there are no duplicates, you can first remove all the servers by running:
ssh-keygen -R <ip-address>
ssh-keygen -R <hostname>
So you could run:
for h in $SERVER_LIST; do
ip=$(dig +search +short $h)
ssh-keygen -R $h
ssh-keygen -R $ip
ssh-keyscan -H $ip >> ~/.ssh/known_hosts
ssh-keyscan -H $h >> ~/.ssh/known_hosts
done
One thing to keep in mind when removing just to re-add is that you are actually removing the security of verifying the fingerprint. So you definitely don't want to run this before every execution of your utility script.
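An added example (mine, not from this thread) that does the duplicate check this answer talks about offline: it recomputes OpenSSH's hashed known_hosts host field (the `|1|salt|HMAC-SHA1|` form that `ssh-keyscan -H` writes), so you can tell which hosts are already pinned, hashed entries included, and only `ssh-keyscan` the missing ones instead of `ssh-keygen -R` and re-adding everything. The sample known_hosts content and the key blobs in it are constructed placeholders; wildcard host patterns are not handled.

```python
import base64
import hashlib
import hmac

def hash_hostname(host: str, salt: bytes) -> str:
    """Build the hashed host field that `ssh-keyscan -H` writes:
    |1|base64(salt)|base64(HMAC-SHA1(key=salt, msg=host))|"""
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s|" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())

def hostfield_matches(field: str, host: str) -> bool:
    """True if a known_hosts host field (plain, comma-separated or hashed) covers `host`."""
    host = host.lower()  # ssh lowercases the hostname before the known_hosts lookup
    if field.startswith("|1|"):
        parts = field.split("|")  # ['', '1', salt_b64, hash_b64, '']
        if len(parts) != 5 or parts[4] != "":
            return False
        try:
            salt, stored = base64.b64decode(parts[2]), base64.b64decode(parts[3])
        except ValueError:
            return False
        calc = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(calc, stored)
    # Plain field: "web1,10.0.0.1" or "[db1]:2222". Wildcard patterns are not handled.
    return host in (h.lower() for h in field.split(","))

def entries_for_host(known_hosts_text: str, host: str) -> list:
    """1-based line numbers of every entry that covers `host`; more than one means a duplicate."""
    hits = []
    for n, line in enumerate(known_hosts_text.splitlines(), 1):
        words = line.split()
        if not words or words[0].startswith("#"):
            continue
        if words[0].startswith("@"):  # @cert-authority / @revoked marker precedes the host field
            words = words[1:]
        if words and hostfield_matches(words[0], host):
            hits.append(n)
    return hits

# Constructed sample file (not from the thread): web1 appears both plain and hashed.
SAMPLE_SALT = bytes(range(20))
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample; key blobs are placeholders, not real keys",
    "web1,10.0.0.1 ssh-ed25519 AAAAPLACEHOLDERKEY1",
    hash_hostname("web1", SAMPLE_SALT) + " ssh-ed25519 AAAAPLACEHOLDERKEY1",
    "[db1]:2222 ssh-rsa AAAAPLACEHOLDERKEY2",
])
```

Feed it the text of ~/.ssh/known_hosts and run `ssh-keyscan -H` only for hosts where `entries_for_host` returns an empty list; hosts with two or more hits are the duplicates the answer mentions.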
tin*_*ink 31
I'm a bit late with this reply, but the sensible approach is to run ssh-keyscan against the new machine before running the uptime collection.
ssh-keyscan <newhost> >> ~/.ssh/known_hosts
Disabling the sanity check for convenience sounds like a terrible plan, even if you think you have complete control over the environment.
小智 6
Add this entry to your ~/.ssh/config file
Host *
StrictHostKeyChecking no
If it complains about the access permissions of ~/.ssh/config, try
$ chmod 644 ~/.ssh/config