
▶ Added on server / node1 ~ 3 alike (run on every host)

[root@control ~]# useradd devops
[root@control ~]# passwd devops
[root@control ~]# echo "devops ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/devops
# NOPASSWD: ALL gives devops unrestricted root with no password at all; the fragment must be root-owned and not group/world-writable, so check it with visudo -cf /etc/sudoers.d/devops before logging out of the root shell

 

 

▶ Installing telnet-server on another host over ssh

>> root privileges are needed for yum install

[devops@control ~]$ ssh devops@192.168.110.20 'yum -y install telnet-server'
devops@192.168.110.20's password:
Loaded plugins: fastestmirror
You need to be root to perform this command.
[devops@control ~]$ ssh devops@192.168.110.20 'sudo yum -y install telnet-server'
devops@192.168.110.20's password:
Complete!

 

# Same account name on both sides, so the devops@ prefix can be omitted

[devops@control ~]$ ssh 192.168.110.20 'sudo yum -y install telnet-server'

 

▶ Generate a key pair so the repeated password entry goes away

 

▶ Log in as devops and set up the public key

(set up so that no passphrase is asked for: the private key is stored unencrypted, so id_rsa must stay 0600 on control; anyone who can read it gets devops, and through sudo root, on every node)

## After ssh-keygen, just press Enter through the prompts

[devops@control ~]$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/devops/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/devops/.ssh/id_rsa.
Your public key has been saved in /home/devops/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:qp9nnNU+IxJffaf0IntN7QIgVSSKMr0Q/jX2iUtHEW0 devops@control.example.com
The key's randomart image is:
+---[RSA 2048]----+
|    .     +=o    |
|   . o . ..oE    |
|    = o =...     |
|     = +.=..     |
|      o S.+o .  .|
|       o.o. + o =|
|      ...= o o B.|
|     . .* o = = +|
|    ..oo . ..* o |
+----[SHA256]-----+

 

## The key pair has been created (private key 0600, public key 0644)

[devops@control ~]$ cd .ssh
[devops@control .ssh]$ ls
id_rsa  id_rsa.pub  known_hosts
[devops@control .ssh]$ ll
total 12
-rw-------. 1 devops devops 1675 Feb  6 07:42 id_rsa
-rw-r--r--. 1 devops devops  408 Feb  6 07:42 id_rsa.pub
-rw-r--r--. 1 devops devops  176 Feb  6 07:35 known_hosts

[devops@control .ssh]$ ssh-copy-id node1.example.com

## The command that was used when ssh-copy-id was not available
[devops@control ~]$ scp ~/.ssh/id_rsa.pub devops@node1.example.com:/home/devops/.ssh/authorized_keys
## Note: this overwrites authorized_keys on the node and assumes ~/.ssh already exists there (directory 0700, file 0600); ssh-copy-id appends and creates the directory instead
## The one generated public key is used by every node; the private key stays on control only


[devops@control .ssh]$ ssh-copy-id node2.example.com >> run as well
[devops@control .ssh]$ ssh-copy-id node3.example.com >> run as well

/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/devops/.ssh/id_rsa.pub"
The authenticity of host 'node1.example.com (192.168.110.20)' can't be established.
ECDSA key fingerprint is SHA256:dJUzL1q0e45rkPCjG9Gvii2kqv9JNMsSSlSUzpoh1Ts.
ECDSA key fingerprint is MD5:90:fd:e8:8b:48:a2:74:2e:10:33:43:2f:53:1c:4a:ed.

Are you sure you want to continue connecting (yes/no)? yes

/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
devops@node1.example.com's password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'node1.example.com'"
and check to make sure that only the key(s) you wanted were added.

 

▷ From here on, commands run straight away without a password prompt (ssh still authenticates, now with the key)

[devops@control .ssh]$ ssh node1.example.com 'sudo yum -y install telnet'
[devops@control .ssh]$ ssh node2.example.com 'sudo yum -y install telnet'
[devops@control .ssh]$ ssh node3.example.com 'sudo yum -y install telnet'

 

 

▶ Public key and private key

Public key                                   | Private key
A key anyone can obtain and use              | The only key that can decrypt a message encrypted with the matching public key
Used to verify a signature                   | Used to create a signature (non-repudiation)

 

▶ Public key (example of a distributed one: the CentOS GPG key yum uses to verify package signatures)

[root@control ~]# ls /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
/etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

 

▶ Fingerprint (the vagrant account already has both files: authorized_keys holds the public keys allowed to log in, known_hosts the host keys it has seen)

[root@control ~]# ls /home/vagrant/.ssh
authorized_keys  known_hosts

 

▶ Walkthrough

[devops@control .ssh]$ pwd
/home/devops/.ssh
[devops@control .ssh]$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/devops/.ssh/id_rsa):
/home/devops/.ssh/id_rsa already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/devops/.ssh/id_rsa.
Your public key has been saved in /home/devops/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:A90yw9V6mwErbqQVMMmyLv0OG6OocOEJzzMhu/I/pKk devops@control.example.com
The key's randomart image is:
+---[RSA 2048]----+
|     .oo  ..     |
|    . o+.o. .    |
|     o. *..+     |
|    .  .++o o    |
|o oo   =S. . +   |
| B.++ . o.  o    |
|o O=+. .         |
|o+o+.=.          |
|Eoo.oo.          |
+----[SHA256]-----+
[devops@control .ssh]$ ls
id_rsa  id_rsa.pub  known_hosts
private key / public key / known host keys (whose fingerprints are compared)

known_hosts >>> fingerprint
On every connection the remote host presents its host key;
ssh compares it with the entry stored here before going any further

[devops@control .ssh]$ ssh node1.example.com
devops@node1.example.com's password:
Last login: Tue Feb  6 09:05:35 2024 from 192.168.110.10

>>>> The host key matched known_hosts, so no fingerprint question was asked
(a host you have connected to before goes straight to the password prompt;
 a password is asked here because the key pair was just overwritten, so node1's authorized_keys still holds the old public key)

[devops@control .ssh]$ rm known_hosts
[devops@control .ssh]$ ls
id_rsa  id_rsa.pub
[devops@control .ssh]$ ssh node1.example.com
The authenticity of host 'node1.example.com (192.168.110.20)' can't be established.
ECDSA key fingerprint is SHA256:dJUzL1q0e45rkPCjG9Gvii2kqv9JNMsSSlSUzpoh1Ts.
ECDSA key fingerprint is MD5:90:fd:e8:8b:48:a2:74:2e:10:33:43:2f:53:1c:4a:ed.
Are you sure you want to continue connecting (yes/no)? yes

If a host you have connected to before asks this question again, or ssh prints "WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!", something is wrong (security): either the host key really was regenerated or the connection is being intercepted. Verify the fingerprint out of band (e.g. on the node's console with ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub) before answering yes
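The known_hosts check described above, as an added Python example (this is not code from the original post or from OpenSSH): it computes the SHA256 and MD5 fingerprints exactly as ssh prints them, looks a host up in a known_hosts file in both plain and hashed (HashKnownHosts) form, and returns the three outcomes ssh can reach: key matches, host unknown (the "Are you sure you want to continue connecting" prompt), or key changed. The host keys, hostnames and the salt are constructed dummies, not real keys; @revoked/@cert-authority markers and [host]:port entries are left out.

```python
import base64
import hashlib
import hmac

# --- constructed sample data (dummy key material, NOT real ed25519 points) ----
def _ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return len(b).to_bytes(4, "big") + b

def fake_ed25519_key(point: bytes) -> str:
    """Public-key line as found in id_*.pub / known_hosts: '<type> <base64 blob>'."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(point)
    return "ssh-ed25519 " + base64.b64encode(blob).decode()

NODE1_KEY = fake_ed25519_key(bytes(range(32)))        # what node1 really presents
NODE2_KEY = fake_ed25519_key(b"\x42" * 32)
IMPOSTOR_KEY = fake_ed25519_key(bytes(range(1, 33)))  # a different key under node1's name

def fingerprint_sha256(pubkey_line: str) -> str:
    """OpenSSH fingerprint: base64(SHA256(key blob)) with the '=' padding removed."""
    blob = base64.b64decode(pubkey_line.split()[1])
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def fingerprint_md5(pubkey_line: str) -> str:
    """Legacy colon-separated hex MD5 fingerprint (the second line ssh printed above)."""
    blob = base64.b64decode(pubkey_line.split()[1])
    return "MD5:" + ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())

def hashed_hostname(host: str, salt: bytes) -> str:
    """Host field written by HashKnownHosts: |1|base64(salt)|base64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def _host_matches(field: str, host: str) -> bool:
    if field.startswith("|1|"):
        _, _, salt_b64, _ = field.split("|")
        return hmac.compare_digest(hashed_hostname(host, base64.b64decode(salt_b64)), field)
    return host in field.split(",")   # plain form: "node1.example.com,192.168.110.20"

def check_host(host: str, offered_key: str, known_hosts: str) -> str:
    """What ssh decides after the server presents its host key:
       'ok'      - same key as recorded: connect silently
       'unknown' - no entry: prompt 'Are you sure you want to continue connecting?'
       'CHANGED' - entry exists but with a different key: possible MITM, ssh refuses
    """
    offered_type, offered_blob = offered_key.split()[:2]
    for line in known_hosts.splitlines():
        parts = line.split()
        if line.startswith("#") or len(parts) < 3:
            continue
        hosts, ktype, blob = parts[:3]
        if ktype != offered_type or not _host_matches(hosts, host):
            continue
        if hmac.compare_digest(blob, offered_blob):
            return "ok"
        return "CHANGED"
    return "unknown"

# constructed known_hosts: node1 in plain form, node2 in hashed form (zero salt for the sample)
KNOWN_HOSTS = "\n".join([
    "node1.example.com,192.168.110.20 " + NODE1_KEY,
    hashed_hostname("node2.example.com", bytes(20)) + " " + NODE2_KEY,
])

if __name__ == "__main__":
    print(fingerprint_sha256(NODE1_KEY))
    print(fingerprint_md5(NODE1_KEY))
    for h, k in [("node1.example.com", NODE1_KEY), ("node1.example.com", IMPOSTOR_KEY),
                 ("node2.example.com", NODE2_KEY), ("node3.example.com", NODE1_KEY)]:
        print(h, check_host(h, k, KNOWN_HOSTS))
```

For a real key, `ssh-keygen -lf ~/.ssh/id_rsa.pub` and `ssh-keygen -E md5 -lf ~/.ssh/id_rsa.pub` print the same two strings. `ssh-keygen -F node1.example.com` finds the known_hosts line for one host and `ssh-keygen -R node1.example.com` removes only that line, which is the right move after a host key has legitimately changed (and its new fingerprint has been verified out of band), rather than deleting the whole file as the walkthrough does.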

 

▶ Entering an apartment building with a key card = public key authentication

▶ Entering by typing the door code = password authentication

>> The key card is actually the safer of the two: the secret never leaves the card (the private key never leaves control), it cannot be guessed or brute-forced the way a password can, and a fake door learns nothing useful from it

 

https://jamesmccaffrey.wordpress.com/2020/07/29/the-diffie-hellman-key-exchange/

 

The Diffie–Hellman Key Exchange

One of the most fundamental ideas in computer security is called the Diffie-Hellman key exchange algorithm. Suppose you have some sort of cryptography system where two people need the same key to e…


>> The colours an attacker on the wire can see are yellow (the shared base), orange and green (the two public mixes)

>> Red and blue (each side's private colour) are never sent

>> Both sides end up with the same final colour, so that colour is used as the shared key

>>> So neither side ever has to transmit its secret key
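The colour-mixing picture in numbers, as an added Python example (not from the linked post or from OpenSSH): p and g play the public yellow, the exponents a and b are the private red and blue, A and B are the orange and green that cross the wire, and the eavesdropper function shows what an attacker who sees only p, g, A, B has to do. The group p=23, g=5 is a toy chosen to be brute-forceable; it is not a parameter any real system uses.

```python
from typing import Optional
import secrets

def dh_public(p: int, g: int, private: int) -> int:
    """Mix the shared base colour g with a private colour: g^private mod p. Sent in clear."""
    return pow(g, private, p)

def dh_shared(p: int, peer_public: int, private: int) -> int:
    """Mix the peer's public colour with our own private colour: the common secret."""
    return pow(peer_public, private, p)

def random_private(p: int) -> int:
    """A private exponent in [2, p-2]: never reused, never transmitted."""
    return secrets.randbelow(p - 3) + 2

def dh_exchange(p: int, g: int, a: int, b: int) -> dict:
    """One exchange. a is Alice's red, b is Bob's blue; A and B are the orange/green
    mixes that cross the wire; both sides end up with the same 'shared' colour."""
    A = dh_public(p, g, a)
    B = dh_public(p, g, b)
    shared_alice = dh_shared(p, B, a)
    shared_bob = dh_shared(p, A, b)
    assert shared_alice == shared_bob   # (g^b)^a == (g^a)^b  (mod p)
    return {"A": A, "B": B, "shared": shared_alice}

def eavesdropper_recover(p: int, g: int, A: int, B: int) -> Optional[int]:
    """The attacker sees only p, g, A, B (yellow, orange, green). To get the shared
    colour they must 'unmix' one side: solve g^x == A (mod p), the discrete logarithm.
    Brute force works for the toy p below; for the ~2048-bit p sshd uses it does not."""
    for x in range(1, p):
        if pow(g, x, p) == A:
            return pow(B, x, p)
    return None

if __name__ == "__main__":
    p, g = 23, 5                          # toy group; real ones: RFC 3526 group14, curve25519
    r = dh_exchange(p, g, a=6, b=15)
    print(r)                              # {'A': 8, 'B': 19, 'shared': 2}
    print(eavesdropper_recover(p, g, r["A"], r["B"]))   # 2: the toy group is trivially broken
    r2 = dh_exchange(p, g, random_private(p), random_private(p))
    print(r2)
```

ssh does exactly this at the start of every session (diffie-hellman-group14-sha256 with a 2048-bit p, or the elliptic-curve variant curve25519-sha256), derives the session keys from the shared value, and has the server sign the exchange with the host key from the fingerprint section, which is how the client knows which server it mixed colours with.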
