使用 pscp 自动接受 rsa 指纹
当您使用 pscp 将文件发送到单台计算机时,这并不是什么大问题,因为您将收到 rsa 指纹提示一次,之后就再也不会出现。但是如果你想连接到200台机器,你肯定不想输入“yes”200次......
我在Windows机器上使用pscp,我真的不关心指纹,我只想接受它。我正在使用 Amazon EC2,每次重新启动机器时指纹都会发生变化...
如果有办法使用 pscp 或其他工具来避免它,请告诉我!
谢谢!
When you're using pscp to send files to a single machine is not a big deal because you will get the rsa fingerprint prompt once and never again after. But if you want to connect to 200 machines, you definitely don't want to type "yes" 200 times....
I'm using pscp on a Windows machine and I really don't care about the fingerprint, I only want to accept it. I'm using Amazon EC2 and the finger print change every time i restart the machines....
If there is a way to avoid it using pscp or a different tool please let me know!!!
Thanks!
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(4)
请参阅Putty 不会'在 hudson 中运行脚本时,不要缓存访问服务器的密钥
在 Windows 上,您可以在命令前面使用前缀
echo y |,这将每次盲目接受任何主机密钥。然而,更安全的解决方案是第一次以交互方式运行,或者生成可以在任何客户端计算机上运行的 .reg 文件。See Putty won't cache the keys to access a server when run script in hudson
On Windows you can use prefix
echo y |in front of your command which will blindly accept any host key every time. However, a more secure solution is to run interactively the first time, or generate a .reg file that can be run on any client machine.我不完全同意最后一个答案。第一次接受 SSH 密钥时,您对远程主机一无所知,因此自动接受它没有什么区别。
我要做的是在您第一次连接到主机时自动接受密钥。我读过类似的事情
yes yes | ssh user@host可以工作,但实际上不行,因为 SSH 不是从标准输入读取,而是从终端读取。有效的方法是在第一次连接时传递以下 ssh 选项(它适用于 scp 和 ssh:
此命令将在您第一次运行它时添加密钥,但如果,正如 Eric 所说,一旦您执行此操作接受密钥是危险的(如果我是你,我会将其添加到签入
~/.ssh/known_hosts的脚本中(如果已经有一行)。主机,在这种情况下我另一方面,如果没有线路,我会这样做;)。如果您正在处理已知主机的加密版本,请尝试使用
这是我实际使用的东西(接收以下参数的函数:用户、主机、源文件)
希望这有帮助;)
I do not completely agree with the last answer. The first time you accept an SSH key, you know nothing about the remote host, so automatically accepting it makes no difference.
What I would do is auto accept the key the first time you connect to a host. I've read that doing something like
yes yes | ssh user@hostworks, but it doesn't, because SSH does not read from stdin, but from a terminal.What does work is to pass, that first time you connect, the following ssh option (it works for both scp and ssh:
This command would add the key the first time you run it, but if, as Eric says, doing this once you have accepted the key is dangerous (man in the middle is uncool). If I were you I'd add it to a script that checked in
~/.ssh/known_hostsif there's already a line for that host, in which case I wouldn't add that option. On the other hand, if there was no line, I'd do so ;).If you are dealing with an encrypted version of known_hosts, try with
Here's something I'm actually using (function receiving the following arguments: user, host, source_file)
Hope this helped ;)
如果您只是重新启动或停止/启动实例,则主机 ssh 密钥指纹不应更改。如果是,则说明实例/AMI 未正确配置或发生其他情况(恶意?)。
良好的 EC2 AMI 设置为在首次启动时创建随机主机 ssh 密钥。大多数流行的 AMI 会将指纹输出到控制台输出。为了安全起见,您应该通过 EC2 API(命令行工具或控制台)请求实例控制台输出,并将其与 ssh 提示符中的指纹进行比较。
通过说你“不关心指纹”,你是在说你不关心加密你自己和实例之间的流量,并且你和实例之间的任何人都可以看到该通信。中间人甚至有可能接管 ssh 会话并获得控制您实例的访问权限。
使用 Linux 上的 ssh,您可以使用命令行或配置文件选项关闭 ssh 指纹检查。我犹豫是否要发布如何执行此操作,因为不建议这样做,并且会严重降低连接的安全性。
更好的选择是让您的实例将自己的主机 ssh 密钥设置为您知道的秘密值。您可以将主机 ssh 密钥的公共部分保存在已知的主机文件中。这样您的流量就会被加密且安全,并且您在连接到自己的计算机时不必不断回答有关指纹的提示。
The host ssh key fingerprint should not change if you simply reboot or stop/start an instance. If it does, then the instance/AMI is not configured correctly or something else (malicious?) is going on.
Good EC2 AMIs are set up to create a random host ssh key on first boot. Most popular AMIs will output the fingerprint to the console output. For security, you should be requesting the instance console output through the EC2 API (command line tool or console) and comparing that to the fingerprint in the ssh prompt.
By saying you "don't care about the fingerprint" you are saying that you don't care about encrypting the traffic between yourself and the instance and it's ok for anybody in between you and the instance to see that communication. It may even be possible for a man-in-the-middle to take over the ssh session and gain access to control your instance.
With ssh on Linux you can turn off the ssh fingerprint check with a command line or config file option. I hesitate to publish how to do this as it is not recommended and seriously reduces the safety of your connections.
A better option is to have your instances set up their own host ssh key to a secret value that you know. You can save the public side of the host ssh key in your known hosts file. This way your traffic is encrypted and safe, and you don't have to continually answer the prompt about the fingerprints when connecting to your own machine.
我创建了一个包含以下命令的期望文件:
spawn ssh -i ec2Key.pem ubuntu@ec2IpAddress
期待“您确定要继续连接吗(是/否)?” { 发送“是\n” }
情况
我能够在不禁用 rsa 指纹的 下通过 ssh 进入 ec2 控制台。我的机器已添加到此 ec2 的已知主机中。
我希望它有帮助。
I created a expect file with following commands in it:
spawn ssh -i ec2Key.pem ubuntu@ec2IpAddress
expect "Are you sure you want to continue connecting (yes/no)?" { send "yes\n" }
interact
I was able to ssh into the ec2 console without disabling the rsa fingerprint. My machine was added to the known hosts of this ec2.
I hope it helps.