ssh 信任关系无密码登陆，清除公钥，批量脚本

实验机器：
主机a：192.168.2.128
主机b：192.168.2.130
实验目标： 手动建立a到b的信任关系，实现在主机a通过 ssh 192.168.2.130不用输入密码远程登陆b主机

1、a主机生成公钥
ssh-keygen -t rsa 三次回车

[root@localhost ~]# ssh-keygen -t rsaGenerating public/private rsa key pair.Enter file in which to save the key (/root/.ssh/id_rsa): /root/.ssh/id_rsa already exists.Overwrite (y/n)? 

[root@localhost ~]# cd .ssh[root@localhost ~]# ls –a

2、将公钥复制到b主机

[root@localhost .ssh]# scp id_rsa.pub root@192.168.255.130:/root

在b主机上将刚才传输过来的公钥文件 追加到root/.ssh/authorized_keys文件里

[root@localhost ~]# cat ~/id_ras.pub >>/root/.ssh/authorized_keys#没有这个文件的话会自动创建

3、在b主机中设置权限：

[root@localhost ~]# chmod 700 .ssh[root@localhost ~]# chmod 600 .ssh/authorized_keys #注意权限必须为700和600，否则不能成功

在a主机验证：

[root@localhost .ssh]# ssh 192.168.255.130Last login: Fri Mar 17 17:28:34 2017 from 192.168.255.128

退出：

[root@localhost ~]# exitlogoutConnection to 192.168.255.130 closed

第2步和第3步可以用下面的命令代替

ssh-copy-id -i ~/.ssh/id_rsa.pub root@192.168.255.130

清除公钥信息：

ssh-keygen -R 192.168.255.130

如果主机过多，一个个敲命令肯定不现实，脚本如下，此脚本需要安装expect命令

[root@localhost ~]# rpm -qa |grep expect[root@localhost ~]# yum install expect[root@localhost ~]# vim install_ssh.sh

#!/bin/bash#批量ssh认证建立  for p in $(cat /root/ip.txt)  #注意ip.txt文件的绝对路径  do   ip=$(echo "$p"|cut -f1 -d":")       #取ip.txt文件中的ip地址  password=$(echo "$p"|cut -f2 -d":") #取ip.txt文件中的密码  #expect自动交互开始  expect -c "   spawn ssh-copy-id -i /root/.ssh/id_rsa.pub root@$ip          expect {                   \"*yes/no*\" {send \"yes\r\"; exp_continue}                   \"*password*\" {send \"$password\r\"; exp_continue}                   \"*Password*\" {send \"$password\r\";}           }   "   done

将要建立关系的服务器ip和密码写在ip.txt里，格式如下
ip:密码

[root@localhost ~]# cat ip.txt 172.16.0.113:123456172.16.0.114:123456

执行过程：

[root@localhost ~]# ./install_ssh.sh spawn ssh-copy-id -i /root/.ssh/id_rsa.pub root@172.16.0.113The authenticity of host '172.16.0.113 (172.16.0.113)' can't be established.RSA key fingerprint is 4d:24:d4:2e:85:c2:6f:73:01:d5:23:b8:50:97:f8:9c.Are you sure you want to continue connecting (yes/no)? yesWarning: Permanently added '172.16.0.113' (RSA) to the list of known hosts.Now try logging into the machine, with "ssh 'root@172.16.0.113'", and check in:  .ssh/authorized_keysto make sure we haven't added extra keys that you weren't expecting.spawn ssh-copy-id -i /root/.ssh/id_rsa.pub root@172.16.0.114The authenticity of host '172.16.0.114 (172.16.0.114)' can't be established.RSA key fingerprint is 4d:24:d4:2e:85:c2:6f:73:01:d5:23:b8:50:97:f8:9c.Are you sure you want to continue connecting (yes/no)? yesWarning: Permanently added '172.16.0.114' (RSA) to the list of known hosts.Now try logging into the machine, with "ssh 'root@172.16.0.114'", and check in:  .ssh/authorized_keysto make sure we haven't added extra keys that you weren't expecting.

验证一下：

[root@localhost ~]# ssh 172.16.0.113Last login: Fri May 19 19:28:38 2017 from 172.16.0.111[root@localhost ~]# ip a1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00    inet 127.0.0.1/8 scope host lo    inet6 ::1/128 scope host        valid_lft forever preferred_lft forever2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000    link/ether 00:0c:29:3b:4b:c5 brd ff:ff:ff:ff:ff:ff    inet 172.16.0.113/23 brd 172.16.1.255 scope global eth0    inet6 fe80::20c:29ff:fe3b:4bc5/64 scope link        valid_lft forever preferred_lft forever

好了