自动安装时进行密钥交换以允许无密码身份验证(通过 SSH)

tag-icon tag-icon ssh
自动安装时进行密钥交换以允许无密码身份验证(通过 SSH)
  • 我的系统/产品由两块电路板组成,直接联网,然后其中一块连接到第三台 Windows 调试机器(通过 SSH 连接眼睛,因为电路板没有头)
  • 我有一个 Linux 发行版(RHEL 5.3)的自动安装脚本
  • 用户每次只安装一块电路板,两块电路板都应在另一块电路板关闭的情况下进行配置/安装
  • 我希望安装完成后,两块主板之间可以建立无密码 SSH 连接

我以为我成功了

  1. 创建密钥(无密码或空密码)
    • ssh-keygen -t rsa
  2. 将自己的公钥添加/复制到 authorized_keys 中
    • cat ~/.ssh/id_rsa.pub >> /root/.ssh/authorized_keys
  3. ssh 进入其他主机,将密钥添加到known_hosts文件 中
    • ssh -o StrictHostKeyChecking=no 192.168.0.2 exit (图 1)
  4. 将这组文件复制.ssh/*到安装介质上,并将安装脚本复制到板上(两个板,每次一个)
  5. 然后可以从另一块板 ssh 进入另一块板

但它抱怨 RSA 密钥不同,我应该更新 known_hosts。

# ssh 192.168.0.2 -vv
OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to 192.168.0.2 [192.168.0.2] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/identity type -1
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug2: key_type_from_name: unknown key type '-----END'
debug1: identity file /root/.ssh/id_rsa type 1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: loaded 3 keys
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
debug1: match: OpenSSH_4.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,[email protected],aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,[email protected],aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,[email protected],zlib
debug2: kex_parse_kexinit: none,[email protected],zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,[email protected],aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,[email protected],aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,[email protected]
debug2: kex_parse_kexinit: none,[email protected]
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 131/256
debug2: bits set: 490/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
8d:b5:11:e2:fd:e9:1b:4d:a2:20:3f:22:87:90:10:45.
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending key in /root/.ssh/known_hosts:2
RSA host key for 192.168.0.2 has changed and you have requested strict checking.
Host key verification failed.

尝试过

rm -f /root/.ssh/known_hosts
ssh -o StrictHostKeyChecking=no 192.168.0.1 exit # (itself!)
ssh -o StrictHostKeyChecking=no 192.168.0.2 exit # might not be live/up

问题是,两台主机都必须再次启动/运行!

Warning: Permanently added '192.168.0.1' (RSA) to the list of known hosts.
ssh: connect to host 192.168.0.2 port 22: No route to host

我不明白的是当我rm -f /root/.ssh/known_hosts和做了的时候ssh,它添加了一个新的密钥ID为known_hosts,即使id_rsa.pub相同!?

答案1

根据这篇博文,解决这个问题最快最简单的方法是指定known_hosts文件写入/dev/null

Host 192.168.0.*
  StrictHostKeyChecking no
  UserKnownHostsFile /dev/null

相关内容