Advanced use of SSH jumps and SCP copies to a remote target server

In day-to-day development and operations work I usually use Xshell to operate Linux servers. The background to this article: for security reasons the client (Party A) provided a jump host (springboard machine) that is reachable only over VPN, and more than ten other application servers are operated through it, so the ssh command has to be used to jump from the springboard to the target server.

# Run ssh on the springboard to reach the target server; you are then asked for the root password
ssh [email protected] 

Normally you use the command above directly, enter the password and land on the target server, where you can then do whatever you need. But entering the password every time is a bit of a hassle, and as a lazy person I want to type as few commands and as few characters as possible.

  • First optimization: use keys for authentication

    Authenticating with an SSH key pair improves security and saves you the hassle of entering your password on every connection. After generating an SSH key pair on your local machine, copy the public key to the remote server and use the private key to authenticate.

    When connecting with SSH, the private key file is what is used for authentication, so it is what lets you reach the target server. Here is a common way to generate the private key file needed for the connection:

    # First change into this directory
    cd /root/.ssh
    # Create a file; my IP ends in 154, so that is how I named it
    touch 154_rsa
    # This command generates a new RSA key pair (public and private key). You can save it at the default path (`~/.ssh/id_rsa` and `~/.ssh/id_rsa.pub`) or choose a custom path.
    ssh-keygen -t rsa -b 4096


    After running ssh-keygen -t rsa -b 4096 you are prompted for the save path and for a passphrase. At the passphrase prompt just press Enter; I recommend not setting one.


    This generates two files, 154_rsa and 154_rsa.pub, in the /root/.ssh directory. We now need to move 154_rsa to the 154 server:

    [root@localhost .ssh]# scp 154_rsa [email protected]:/root/.ssh
    154_rsa                                                                                                                                                                                          100% 3326     4.4MB/s   00:00    
    [root@localhost .ssh]# ssh [email protected]
    Last login: Fri Jul 14 11:31:33 2023 from 192.168.17.154
    [root@localhost ~]# 
    
    

    After this, a plain ssh jumps straight to the target server without asking for a password.

    But that still was not enough for me: I still had to remember the IP, and look up the IP of a given server every time before jumping, which is tedious. So I started on the second optimization.

  • Second optimization: connect by alias

    What I want: type ssh 153 and land on the 153 server, or type ssh order and land on the 153 server just the same.

    Use the SSH client configuration file so that, on the local machine, you connect to the target server by the last octet of its IP. The specific steps:

    # First change into this directory
    cd /root/.ssh
    # Create a file named config to hold the connection settings
    touch config
    # Generate the key pair for 153
    ssh-keygen -t rsa -b 4096



    This produces the private key 153_rsa and the public key 153_rsa.pub. Now configure the config file:

    Host 153 # the alias can be 153, order, or whatever you like
      HostName 192.168.X.153  # IP address of the target server
      User username  # user name on the target server
      Port 22  # SSH port of the target server
      IdentityFile ~/.ssh/153_rsa  # path of the private key used for authentication


    After saving, tighten the permissions on 153_rsa: if this file's permissions are too loose, ssh refuses to use the specified private key.

    chmod 600 /root/.ssh/153_rsa
    

    Add the springboard server's public key file 153_rsa.pub to the authorized_keys file:

    ssh-copy-id -i ~/.ssh/153_rsa.pub root@跳板机ip
    


    Do the same on the other server, and you can then switch back and forth between 153 and 154 as described above.

SCP:

Once the configuration above is done, you can run scp /usr/local/qhyu 154:/usr/local directly to copy the qhyu file on 153 to the given directory on 154. The general form:

scp /path/to/local/file <hostname>:/path/to/remote/directory
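What makes `ssh 153` and `scp ... 154:/usr/local` work is ssh_config's first-match rule: ssh walks every matching Host block in file order and keeps the first value it sees for each keyword. The following added example (mine, not from the original post) mimics that rule in Python over a constructed config modelled on the stanza above, including the permission test behind `chmod 600`; the addresses, the extra `Host *` block and the inline-comment handling are assumptions.

```python
import fnmatch
import re

# Constructed sample ssh_config modelled on the post's stanza (hypothetical
# values); the trailing "Host *" block supplies a default Port.
SAMPLE_CONFIG = """\
Host 153 order   # alias can be 153, order, or anything you like
  HostName 192.168.X.153
  User username
  Port 22
  IdentityFile ~/.ssh/153_rsa
Host 154
  HostName 192.168.X.154
  User root
  IdentityFile ~/.ssh/154_rsa
Host *
  Port 2222
"""

def parse_ssh_config(text):
    """Return [(host_patterns, {keyword: value}), ...] in file order."""
    blocks = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # assumption: drop inline comments
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue  # blank or malformed line
        keyword, value = parts[0].lower(), parts[1].strip()
        if keyword == "host":
            blocks.append((value.split(), {}))
        elif blocks:
            blocks[-1][1].setdefault(keyword, value)
    return blocks

def resolve(alias, text=SAMPLE_CONFIG):
    """Mimic ssh: walk matching Host blocks in order, first value seen wins."""
    opts = {}
    for patterns, kv in parse_ssh_config(text):
        if any(fnmatch.fnmatchcase(alias, p) for p in patterns):  # "!pat" not modelled
            for key, value in kv.items():
                opts.setdefault(key, value)  # an earlier block already set it: keep that
    return {"hostname": alias, "port": "22", "user": None, "identityfile": None, **opts}

def mode_is_private(mode):
    return mode & 0o077 == 0  # ssh rejects an IdentityFile readable by group/others

def scp_destination(spec, text=SAMPLE_CONFIG):
    """Resolve 'alias:/remote/path' the way scp does before it invokes ssh."""
    alias, _, path = spec.partition(":")
    o = resolve(alias, text)
    return o["user"], o["hostname"], o["port"], path
```

Note that `154` inherits Port 2222 from `Host *` only because its own block does not set one; `153` keeps Port 22 because its block comes first.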

Hint:

If a prompt like "Enter passphrase for key" appears when connecting to the target server with the private key, the private key file is passphrase-protected and the passphrase must be entered before the key can be used for authentication.

If you set a passphrase on a private key and forget it, you cannot use that private key for authentication. You can check the passphrase of a private key file with the following command:

ssh-keygen -y -f ~/.ssh/154_rsa

This command prints the public key derived from the given private key file (~/.ssh/154_rsa), prompting for the passphrase first. With the correct passphrase the public key is printed; with a wrong one an error message is shown.

To remove the passphrase protection from the private key file, use the following command:

ssh-keygen -p -f ~/.ssh/154_rsa

This command changes the passphrase of the given private key file (~/.ssh/154_rsa) and prompts you for a new one. If you do not want to set a new passphrase, press Enter to skip that step, which leaves the key unprotected.

Once the passphrase protection has been removed, the private key file can be used to connect to the target server without entering anything for authentication.
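As an added example (not from the original post), the following Python reads an OpenSSH private key file's header to tell whether it is passphrase-protected without triggering the prompt, which is the condition the ssh-keygen -y and -p commands above deal with. Modern ssh-keygen writes the "openssh-key-v1" format, whose header names the cipher ("none" when no passphrase was set); older PEM-style keys flag encryption with a Proc-Type header. The sample keys are constructed header-only stand-ins, not real key material.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\x00"  # header of the modern OpenSSH private key format
NEW_BEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----"

def _read_string(buf, off):
    """Read one SSH wire 'string' (uint32 length prefix + bytes)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def key_protection(pem_text):
    """Return (cipher, kdf) named in an openssh-key-v1 file, without prompting."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if lines[0] != NEW_BEGIN:
        raise ValueError("not an openssh-key-v1 file")
    blob = base64.b64decode("".join(lines[1:-1]))
    if not blob.startswith(MAGIC):
        raise ValueError("bad magic")
    cipher, off = _read_string(blob, len(MAGIC))  # ciphername comes right after magic
    kdf, _ = _read_string(blob, off)              # then kdfname (bcrypt when encrypted)
    return cipher.decode(), kdf.decode()

def needs_passphrase(pem_text):
    """True when ssh would print 'Enter passphrase for key' for this file."""
    first = pem_text.strip().splitlines()[0].strip()
    if first == NEW_BEGIN:
        return key_protection(pem_text)[0] != "none"
    if first.startswith("-----BEGIN ") and first.endswith(" PRIVATE KEY-----"):
        # Legacy PEM keys: encryption is flagged by a Proc-Type header (PKCS#1)
        # or by the "ENCRYPTED PRIVATE KEY" label (PKCS#8).
        return "Proc-Type: 4,ENCRYPTED" in pem_text or "BEGIN ENCRYPTED" in first
    raise ValueError("unrecognised key file")

def _fake_openssh_key(cipher, kdf):
    """Constructed stand-in with only the header fields; no real key material."""
    body = MAGIC
    for field in (cipher, kdf, b""):  # ciphername, kdfname, kdfoptions
        body += struct.pack(">I", len(field)) + field
    body += struct.pack(">I", 1)  # number of keys
    b64 = base64.b64encode(body).decode()
    return "\n".join([NEW_BEGIN] + [b64[i:i + 70] for i in range(0, len(b64), 70)]
                     + ["-----END OPENSSH PRIVATE KEY-----"]) + "\n"

PLAIN_KEY = _fake_openssh_key(b"none", b"none")            # empty passphrase at ssh-keygen
LOCKED_KEY = _fake_openssh_key(b"aes256-ctr", b"bcrypt")   # passphrase set at ssh-keygen
LEGACY_LOCKED = (  # constructed legacy PEM shape; the body is a placeholder, not a key
    "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-128-CBC,00000000000000000000000000000000\n\nPLACEHOLDER\n"
    "-----END RSA PRIVATE KEY-----\n")
```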


Origin blog.csdn.net/Tanganling/article/details/131722265