SSH golden parameters
ssh -o ConnectTimeout=3 -o ConnectionAttempts=5 -o PasswordAuthentication=no -o StrictHostKeyChecking=no $ip "command"
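1. ConnectTimeout=3: connection timeout, 3 seconds
2. ConnectionAttempts=5: number of connection attempts before giving up, 5
3. PasswordAuthentication=no: whether to use password authentication (very useful when no key-based trust relationship has been set up with the host; otherwise ssh hangs at the password prompt)
4. StrictHostKeyChecking=no: on the first login to a server, automatically accept and save the host key without verifying it (like the option above, it avoids a hang: the yes/no question on the first ssh login is answered with yes automatically)
The following examples verify this:
ssh to a nonexistent IP takes a little over 1 minute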
[root@test ~]# time ssh 192.168.1.222
ssh: connect to host 192.168.1.222 port 22: Connection timed out
real 1m3.010s
user 0m0.004s
sys 0m0.006s
With the parameter specified, it exits automatically after 3 seconds
[root@test ~]# time ssh -o ConnectTimeout=3 192.168.1.222
ssh: connect to host 192.168.1.222 port 22: Connection timed out
real 0m3.011s
user 0m0.004s
sys 0m0.004s
It hangs here and does not move
[root@test ~]# ssh 10.1.1.86
root@10.1.1.86's password:
With password authentication disabled, the result comes back immediately
[root@test ~]# ssh -o PasswordAuthentication=no 10.1.1.86
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
A normal login asks you to type yes
[root@test ~]# ssh 10.1.1.86
The authenticity of host '10.1.1.86 (10.1.1.86)' can't be established.
RSA key fingerprint is d0:ed:c7:e2:7c:71:93:0c:3a:2c:ba:50:b1:25:7b:ff.
Are you sure you want to continue connecting (yes/no)?
With the host key accepted automatically, it goes straight to the password prompt
[root@test ~]# ssh -o StrictHostKeyChecking=no 10.1.1.86
Warning: Permanently added '10.1.1.86' (RSA) to the list of known hosts.
root@10.1.1.86's password:
The known_hosts file shows that the public key of 10.1.1.86 has been saved
[root@test ~]# cat ~/.ssh/known_hosts |grep 10.1.1.86
10.1.1.86 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA1DS0+9YrulOOHZtoQ+ZQEBXsprDgKo7zrT5YsGrWvhfOISAAq2KKOVu6zBiGaxfI/KJcDEw6hi2v9ONlM1guvsxZtrfm0L5trs/1QffTssmtLxYAbfoXImM2PHGikHqmtaspxziNjQzp+Fpn9VgdBJXdmeF1uKePsGPZJrktg+xWpFQ2ufnUY4LVzQxLYD6pOiDMEy5IWT11Ej49v74zaglSmTW02iZfH2vgyoBOe6I0U8K1WnJ9x1eicnXpWtA5L7h9wJ+PkYUWVJE4KPY3kBH9+sSZebcdwihwPKxszNR1iENtnXHTR3SSU60L/HWihTkV45i7GT9csCteItgpXQ==
Delete that public key and you will find that a plain ssh asks for yes again
[root@test ~]# sed -i '/10\.1\.1\.86/d' ~/.ssh/known_hosts
[root@test ~]# ssh 10.1.1.86
The authenticity of host '10.1.1.86 (10.1.1.86)' can't be established.
RSA key fingerprint is d0:ed:c7:e2:7c:71:93:0c:3a:2c:ba:50:b1:25:7b:ff.
Are you sure you want to continue connecting (yes/no)?
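Finally, the PasswordAuthentication and StrictHostKeyChecking parameters are best used together
Before the host key has been saved, using PasswordAuthentication=no on its own still makes ssh fetch the host key first, so it hangs at the yes/no question again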
[root@test ~]# ssh -o PasswordAuthentication=no 10.1.1.86
The authenticity of host '10.1.1.86 (10.1.1.86)' can't be established.
RSA key fingerprint is d0:ed:c7:e2:7c:71:93:0c:3a:2c:ba:50:b1:25:7b:ff.
Are you sure you want to continue connecting (yes/no)?
Only using the two together gives the expected result
[root@test ~]# ssh -o PasswordAuthentication=no -o StrictHostKeyChecking=no 10.1.1.86
Warning: Permanently added '10.1.1.86' (RSA) to the list of known hosts.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
ssh versions may differ: when I tested -o PasswordAuthentication=no on another machine, I found it still prompted for a password
[root@server9-50 ~]# ssh -o PasswordAuthentication=no 172.16.1.134
Password:
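I saved the -vvv output and compared it with the normal one
On the left is the -vvv output with -o PasswordAuthentication=no added, on the right the one without it
It turns out that the parameter only removes the password authentication method, but keyboard-interactive still asks for a password
So I wondered whether keyboard-interactive could be disabled as well; after man ssh I found that KbdInteractiveDevices might be related to keyboard-interactive
So I tried adding the parameter -o KbdInteractiveDevices=no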
[root@server9-50 ~]# ssh -o PasswordAuthentication=no -o KbdInteractiveDevices=no 172.16.1.134
Permission denied (publickey,keyboard-interactive).
It worked, yes!
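Added example (not part of the original post): the same no-hang option set for scripts that loop over many hosts, but with host key verification left on instead of StrictHostKeyChecking=no, plus a classifier for the failure messages shown above. The function names and the SSH_HOSTKEY_MODE variable are hypothetical, and accept-new assumes OpenSSH 7.6 or later.

```shell
#!/bin/sh
# Added example, not the original author's script. Function names are hypothetical.
# Assumes OpenSSH 7.6 or later for StrictHostKeyChecking=accept-new.

# Print the -o options for an unattended ssh call.
# $1: "pinned" = only hosts already in known_hosts; "tofu" = save unseen keys once,
#     but still refuse a host whose saved key has changed.
ssh_batch_opts() {
    case "$1" in
        pinned) hostkey=yes ;;
        tofu)   hostkey=accept-new ;;
        *)      echo "usage: ssh_batch_opts pinned|tofu" >&2; return 2 ;;
    esac
    # BatchMode=yes makes ssh fail instead of asking for a password or passphrase.
    opts="-o ConnectTimeout=3 -o ConnectionAttempts=5 -o BatchMode=yes"
    opts="$opts -o PasswordAuthentication=no -o KbdInteractiveAuthentication=no"
    printf '%s\n' "$opts -o StrictHostKeyChecking=$hostkey"
}

# Map ssh's stderr text to a short reason, so a batch run reports why a host failed.
classify_ssh_stderr() {
    case "$1" in
        *"REMOTE HOST IDENTIFICATION HAS CHANGED"*|*"Host key verification failed"*)
            echo hostkey ;;
        *"Permission denied"*)
            echo auth ;;
        *"Connection timed out"*|*"Connection refused"*|*"No route to host"*)
            echo unreachable ;;
        *)  echo other ;;   # includes a remote command that exited non-zero
    esac
}

# Run a command on one host and print "<host> ok" or "<host> <reason>".
# The remote command's stdout is discarded; only ssh's stderr is inspected.
probe_host() {
    host=$1; shift
    opts=$(ssh_batch_opts "${SSH_HOSTKEY_MODE:-pinned}") || return 2
    # $opts is unquoted on purpose: it must split into separate words.
    if err=$(ssh $opts "$host" "$@" 2>&1 >/dev/null); then
        echo "$host ok"
    else
        echo "$host $(classify_ssh_stderr "$err")"
    fi
}
```

For example, probe_host 10.1.1.86 true prints "10.1.1.86 hostkey" when the host is not yet in known_hosts in pinned mode, rather than waiting at the yes/no question.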