Common Linux Commands - ssh-keyscan

Command

ssh-keyscan

Description

gather ssh public keys
Gather SSH public keys in bulk

Usage

ssh-keyscan [-46cHv] [-f file] [-p port] [-T timeout] [-t type] [host | addrlist namelist] ...

Options

Options:
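-4 Use IPv4 addresses
-6 Use IPv6 addresses
-c Request certificates from target hosts instead of plain keys
-f file Read the address list (addrlist namelist) from file; if file is -, read from standard input
-H Hash host names and IP addresses in the output, to avoid leaking information
-p Specify the port
-T Specify the timeout; default 5s
-t Specify the key type; possible values are rsa, dsa, ecdsa, ed25519; multiple types may be given, separated by commas
-v Show verbose output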

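Notes

Do not confuse the two commands ssh-copy-id and ssh-keyscan:
ssh-copy-id adds the public key of the local SSH key pair to a remote host, for passwordless SSH login;
ssh-keyscan fetches the public key information of a remote host, which is used for host verification at SSH login; it cannot be used to log in remotely.

Note that the public key information for a host name and for an IP address must be added separately; add whichever your usage requires.
If you use ssh hostname, specify the host name; the command to add it is ssh-keyscan node11
If you use ssh IP, specify the IP; the command to add it is ssh-keyscan 192.168.31.11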

Examples

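# Get the local machine's public keys; note that localhost and 127.0.0.1 have the same key information but are two different host names, so both must be added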
$ ssh-keyscan localhost
# localhost:22 SSH-2.0-OpenSSH_7.4
localhost ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFvgOhbbSsK/8YQV5XcBEIJfAziEcOnW//7KLKjvX7bgdWGCsCXKtSBf28YXgMOsvSOeOJoXMrgbzsYwLLcl0Mc=
# localhost:22 SSH-2.0-OpenSSH_7.4
localhost ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC9xD52NLzd0yQ9qZeAb2z56Dc+uQ1WIrrEWRB/oPc4r2QBkWOhWDrXMW3DvvdTrGfuDYvtt9DLvug4f8ZSxoCCg/6amkFjw5OfRWGLf7XCb0sv/4rV9XVGRrccaVbLnQMk5JMrk0V5LJ8WLHtis29z4RLuvBsbJCaFtSYAoo9hFXpNR2LbzD0kqYS2+Ra5Cunr5o22k6JZKz1rfzAjVmFFKsfaTg6M+aCD55GzbXe5vf2iA6DOLXbyQ4sIsRptE53FMB+7fmfKuYd/iiYrME07oN+422a5j1wXc8UY/OCxNhMuH4ZsAJMltGTRupWMNqcYTsu4Nb+KkDpsZGA46TWb
# localhost:22 SSH-2.0-OpenSSH_7.4
localhost ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIi8IpHNQujjoUULBFVwIPEEKWMI+gKjnqcxeeaiyZTw

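# Append the public keys to the current user's configuration; to add the local machine's keys, both localhost and 127.0.0.1 must be added
# The ~/.ssh directory needs mode 700: without the execute bit the owner cannot write known_hosts inside it
$ mkdir -p ~/.ssh
$ chmod 700 ~/.ssh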
$ ssh-keyscan localhost >> ~/.ssh/known_hosts
$ ssh-keyscan 127.0.0.1 >> ~/.ssh/known_hosts

# Before the public key is added, ssh prompts to confirm the host key
$ ssh localhost
The authenticity of host 'localhost (127.0.0.1)' can not be established.
ECDSA key fingerprint is SHA256:MkBmKcdMSh1NIhhu28+VXyqroW7AQKWfy+PXS5BdXmM.
ECDSA key fingerprint is MD5:dd:b2:8c:82:91:00:f3:3f:ea:23:93:a0:5e:13:50:18.
Are you sure you want to continue connecting (yes/no)?
# After it is added, ssh logs in without the prompt
$ ssh localhost
Last login: Sun Feb 13 17:01:18 2022 from 127.0.0.1

# Get the public keys of a remote host
$ ssh-keyscan 192.168.31.21
# 192.168.31.21:22 SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.4
192.168.31.21 ssh-rsa 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
# 192.168.31.21:22 SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.4
192.168.31.21 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBI9vnM3jZCyV9adtajHBkqtZcUBI5h+L2uzRTyskKcZAbUtPNfYM7HExnr63TWfVQIKkrtAWlo/BExJePNyCRx4=
# 192.168.31.21:22 SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.4
192.168.31.21 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIaXibXFug039KdC1XeYqYFHnT1yltCU8JQB2oskjZ2K

# -H hashes the host name and IP, -t specifies the key type; the ecdsa key type is recommended
$ ssh-keyscan -H -t ecdsa 192.168.31.21
# 192.168.31.21:22 SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.4
|1|aWikW3/lAOEE4D0rHJKRUW1ATrU=|SPhtiDlpcYVdT3tjy0hPRyjCbfo= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBI9vnM3jZCyV9adtajHBkqtZcUBI5h+L2uzRTyskKcZAbUtPNfYM7HExnr63TWfVQIKkrtAWlo/BExJePNyCRx4=

# Append the public key to the current user's configuration
$ ssh-keyscan -H -t ecdsa 192.168.31.21 >> ~/.ssh/known_hosts

# Specify a file listing host names or IPs to add them in bulk
$ cat ip.txt
localhost
127.0.0.1
192.168.31.11
192.168.31.21
$ ssh-keyscan -f ip.txt -t ecdsa >> ~/.ssh/known_hosts
# 192.168.31.11:22 SSH-2.0-OpenSSH_7.4
192.168.31.11 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFvgOhbbSsK/8YQV5XcBEIJfAziEcOnW//7KLKjvX7bgdWGCsCXKtSBf28YXgMOsvSOeOJoXMrgbzsYwLLcl0Mc=
# 192.168.31.21:22 SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.4
192.168.31.21 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBI9vnM3jZCyV9adtajHBkqtZcUBI5h+L2uzRTyskKcZAbUtPNfYM7HExnr63TWfVQIKkrtAWlo/BExJePNyCRx4=
# localhost:22 SSH-2.0-OpenSSH_7.4
localhost ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFvgOhbbSsK/8YQV5XcBEIJfAziEcOnW//7KLKjvX7bgdWGCsCXKtSBf28YXgMOsvSOeOJoXMrgbzsYwLLcl0Mc=
# 127.0.0.1:22 SSH-2.0-OpenSSH_7.4
127.0.0.1 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFvgOhbbSsK/8YQV5XcBEIJfAziEcOnW//7KLKjvX7bgdWGCsCXKtSBf28YXgMOsvSOeOJoXMrgbzsYwLLcl0Mc=
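
ssh-keyscan records whatever key the network returns, so appending its output straight to known_hosts trusts that answer without checking it. The Python sketch below is an added example, not part of the original page: it keeps only scanned lines whose SHA256 fingerprint matches a pin obtained out of band, for both plain and -H hashed host fields. The function names, the pin table and the scenario are assumptions; the two ed25519 keys are reused from the sample output above.

```python
import base64, hashlib, hmac

def fingerprint(key_b64):
    # OpenSSH SHA256 fingerprint: unpadded base64 of SHA-256 over the decoded key blob.
    digest = hashlib.sha256(base64.b64decode(key_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def hash_host(host, salt):
    # Host field written by -H: |1|base64(salt)|base64(HMAC-SHA1(key=salt, msg=host)).
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def host_matches(field, host):
    if field.startswith("|1|"):  # hashed field: recompute it with the stored salt
        salt = base64.b64decode(field.split("|")[2])
        return hmac.compare_digest(field, hash_host(host, salt))
    return host in field.split(",")  # plain field: comma-separated names

def filter_pinned(scan_output, pins):
    # pins (hypothetical table): {(host, keytype): fingerprint obtained out of band}.
    accepted, rejected = [], []
    for line in scan_output.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue  # blank lines and the "# host:22 SSH-2.0-..." banner comments
        try:
            field, keytype, key = parts[:3]
            fp = fingerprint(key)
            ok = any(kt == keytype and host_matches(field, h) and fp == pin
                     for (h, kt), pin in pins.items())
        except (ValueError, TypeError):
            ok = False  # short line or undecodable base64
        (accepted if ok else rejected).append(line)
    return accepted, rejected

# Constructed scenario; the two ed25519 keys are reused from the sample output above.
GOOD = "AAAAC3NzaC1lZDI1NTE5AAAAIIaXibXFug039KdC1XeYqYFHnT1yltCU8JQB2oskjZ2K"
OTHER = "AAAAC3NzaC1lZDI1NTE5AAAAIIi8IpHNQujjoUULBFVwIPEEKWMI+gKjnqcxeeaiyZTw"
PINS = {("192.168.31.21", "ssh-ed25519"): fingerprint(GOOD)}  # stands in for a console-read pin
SCAN = "\n".join([
    "# 192.168.31.21:22 SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.4",
    "192.168.31.21 ssh-ed25519 " + GOOD,
    hash_host("192.168.31.21", b"constructed-salt-20b") + " ssh-ed25519 " + GOOD,
    "192.168.31.21 ssh-ed25519 " + OTHER,  # key does not match the pin
    "192.168.31.11 ssh-ed25519 " + GOOD,   # host has no pin
])

if __name__ == "__main__":
    print("\n".join(filter_pinned(SCAN, PINS)[0]))  # only these lines belong in known_hosts
```

In practice the pin is read on the server itself, for example with ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub from the console, and carried to the client over a channel other than the connection being verified.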