A little SSH trick most people never get told: passwordless SSH login and reaching an internal network through a third-party jump host
Passwordless SSH login
Passwordless SSH login authenticates to an SSH server with a key pair instead of a password, which improves security and removes the risk of a password being leaked. The steps are roughly as follows:
1. Generate a key pair
Use the ssh-keygen command; unless this is a brand-new machine, the key pair usually already exists.
2. Add the public key to the server
Use the command ssh-copy-id username@hostname_or_ip
For example:
ssh-copy-id 192.168.1.5
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/Users/sky/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
(sky@192.168.1.5) Password for sky@fb5:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh '192.168.1.5'"
and check to make sure that only the key(s) you wanted were added.
After this, the next login no longer asks for a password:
ssh 192.168.1.5
Last login: Wed Sep 4 10:07:06 2024 from 192.168.1.2
FreeBSD 14.1-BETA3 (GENERIC) releng/14.1-n267636-2a964a7fc34e
Welcome to FreeBSD!
Release Notes, Errata: https://www.FreeBSD.org/releases/
Security Advisories: https://www.FreeBSD.org/security/
FreeBSD Handbook: https://www.FreeBSD.org/handbook/
FreeBSD FAQ: https://www.FreeBSD.org/faq/
Questions List: https://www.FreeBSD.org/lists/questions/
FreeBSD Forums: https://forums.FreeBSD.org/
Documents installed with the system are in the /usr/local/share/doc/freebsd/
directory, or can be installed later with: pkg install en-freebsd-doc
For other languages, replace "en" with a language code like de or fr.
Show the version of FreeBSD installed: freebsd-version ; uname -a
Please include that output and any error messages when posting questions.
Introduction to manual pages: man man
FreeBSD directory layout: man hier
To change this login announcement, see motd(5).
To search for files that match a particular name, use find(1); for example
find / -name "*GENERIC*" -ls
will search '/', and all subdirectories, for files with 'GENERIC' in the name.
-- Stephen Hilton <nospam@hiltonbsd.com>
Setting up SSH jump-host (relay) login
For example, some machines sit on an internal network and can only be reached through one fixed relay machine. Logging in to the relay and then logging in again from there every time is slow and tedious; this is where an SSH jump host (ProxyJump) comes in.
Edit the .ssh/config file and add the following:
Host Jumper
    Hostname 192.168.1.5
    User sky
Host Server*
    User sky
    ProxyJump Jumper
    ServerAliveInterval 180
Host Server1
    Hostname 192.168.1.12
Host Server2
    Hostname 192.168.1.13
Host Server3
    Hostname 10.0.0.12
Try logging in:
ssh Server3
The authenticity of host '10.0.0.12 (<no hostip for proxy command>)' can't be established.
ED25519 key fingerprint is SHA256:8zJ8LonnuaRgeecGsoHwD4xJ9KBI/ADvqSmexyZiyJA.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.0.0.12' (ED25519) to the list of known hosts.
sky@10.0.0.12's password:
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/pro
Last login: Tue Sep 3 02:09:43 2024 from 10.0.0.1
------------------: System Data :-------------------------------
Hostname: ub12 (10.0.0.12 )
Kernel: 5.15.0-119-generic (Ubuntu 22.04.4 LTS)
Uptime: 02:13:14 up 6 days, 1:17, 2 users, load average: 0.03, 0.02, 0.00
CPU: Intel(R) Celeron(R) CPU @ 1.99GHz (4 cores)
Memory(Mb): 3 Gb total / 362 Mb free
Env info:
------------------------: Logged as: [sky] ------------------------------
As you can see, the 10.0.0.12 subnet was not reachable before, and now a single command logs in over SSH.
Likewise, anywhere ssh can reach, scp can reach too:
scp installfile Server3:/tmp/
sky@10.0.0.12's password:
installfile 100% 0 0.0KB/s 00:00
No more relaying files by hand with scp.
The ssh config file also supports Include, so the configuration can live in another file, for example one named config-jump.
In the config file write:
Include ~/.ssh/config-jump
Then create the config-jump file with the following contents:
Host Jumper
    Hostname 192.168.1.5
    User skywalk
Host Server*
    User skywalk
    ProxyJump Jumper
    ServerAliveInterval 180
Host Server1
    Hostname 192.168.1.12
Host Server2
    Hostname 192.168.1.13
Host Server3
    Hostname 10.0.0.12
However, this Include approach failed when I tested it on a Mac, while it passed on Ubuntu!
Now the question: can the jump host be used without a password?
The answer is yes! Again, just use the ssh-copy-id command.
Passwordless login through the SSH jump host
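To see what a given host name actually resolves to under the configuration above (the Jumper/Server* blocks and the Include arrangement), here is a small resolver added to this post; it is not the blog's own code and not OpenSSH's parser. It keeps the two files in a dict instead of on disk, so ssh(1)'s real Include handling (glob patterns, paths relative to ~/.ssh) is simplified to a dict lookup; the names FILES, host_matches and resolve are assumptions of this example.

```python
import fnmatch

# Constructed stand-in for ~/.ssh/config and the Included config-jump file
# from this post (user "sky"), held in a dict instead of on disk.
FILES = {
    "config": "Include config-jump\n",
    "config-jump": """\
Host Jumper
    Hostname 192.168.1.5
    User sky
Host Server*
    User sky
    ProxyJump Jumper
    ServerAliveInterval 180
Host Server3
    Hostname 10.0.0.12
""",
}


def host_matches(host, patterns):
    """Host patterns: comma-separated, '*'/'?' wildcards, leading '!' negates."""
    hit = False
    for pat in patterns.split(","):
        if fnmatch.fnmatchcase(host, pat.lstrip("!")):
            if pat.startswith("!"):
                return False
            hit = True
    return hit


def resolve(files, name, host, opts=None, active=True):
    """Effective options for `host` (keys lower-cased). First value wins, so the
    "Host Server*" block supplies User/ProxyJump and "Host Server3" only Hostname."""
    opts = {} if opts is None else opts
    for raw in files[name].splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, value = (line.split(None, 1) + [""])[:2]
        key = key.lower()
        if key == "host":
            active = host_matches(host, value)
        elif key == "include" and active:
            # Real ssh globs the path relative to ~/.ssh; here it is a dict key.
            resolve(files, value, host, opts, active)
        elif active:
            opts.setdefault(key, value)  # a later duplicate is ignored
    return opts
```

On a real system, ssh -G Server3 prints the client's own effective configuration, which is the quickest way to confirm that ProxyJump and Hostname resolved as intended before the first connection.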
ssh-copy-id Server3
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/Users/sky/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
sky@10.0.0.12's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'Server3'"
and check to make sure that only the key(s) you wanted were added.
Now let's try a fully passwordless login through the third-party jump host:
ssh Server3
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/pro
Last login: Tue Sep 3 02:19:37 2024 from 10.0.0.1
------------------: System Data :-------------------------------
Hostname: ub12 (10.0.0.12 )
Kernel: 5.15.0-119-generic (Ubuntu 22.04.4 LTS)
Uptime: 03:09:23 up 6 days, 2:25, 1 user, load average: 0.08, 0.02, 0.01
CPU: Intel(R) Celeron(R) CPU @ 1.99GHz (4 cores)
Memory(Mb): 3 Gb total / 335 Mb free
Env info:
------------------------: Logged as: [sky] ------------------------------
This image was created for ClonOS/CBSD/MyBee Project.
Please Support Us: https://www.patreon.com/clonos
(base) sky@ub12:~$
And of course scp works in one step as well!
scp install.sh Server3:/tmp/
install.sh 100% 7351 1.0MB/s 00:00
This makes the daily work a lot easier!
Summary:
Running ssh-copy-id followed by a hostname or IP enables passwordless login to that host or IP.
Adding the following to .ssh/config lets you log in via 192.168.1.5 to hosts that were previously unreachable:
Host Jumper
    Hostname 192.168.1.5
    User sky
Host Server*
    User sky
    ProxyJump Jumper
    ServerAliveInterval 180
Host Server1
    Hostname 10.0.0.12
Host Server2
    Hostname 10.0.0.13
Then run ssh-copy-id Server1 to get passwordless login to the internal host 10.0.0.12 through the third-party jump host.