网站建设中一般要多久,凡科自助建站自己做网站,wordpress 调用模板路径,寻找小程序代理目录 需求实验步骤0. 实验环境1. Linux2. CiscoIOS基础设置保存密钥登陆测试 3. CiscoNexus基础配置保存密钥登陆测试 需求
在实际工作中#xff0c;常会遇到自动化的需求#xff0c;那么在自动采集、配置等对网络设备的自动化需求中#xff0c;不可避免的会遇到需要登录-常会遇到自动化的需求那么在自动采集、配置等对网络设备的自动化需求中不可避免的会遇到需要登录-采集-录入的流程。 而第一步登录一般采用ssh进行安全的远程连接。不过每次需要输入密码的远程登陆不便于自动化的应用因此需要采用免密登录。 一般针对服务器如Linux的ssh免密登录仅需要将需要免密登录进来的其他服务器的rsa公钥放入自己的authorized_keys文件中即可。 详细可以见我之前的笔记linux下的openssh简介centos 8 那么针对网络设备没有这个文件应该如何进行rsa公钥的存放和ssh免密登录 网络上对于华为设备如何配置ssh免密登录的文章很多同时现网中很多华为真实设备有自动保存登录设备的RSA公钥的功能但对于Cisco尤其存在IOS和Nexus两种软件版本的交换机反而没有直接可以使用的文章因此本文将对此进行分享。 Cisco官网上有RSA和X.509两种配置方式分别是公钥和CA两种方式这里介绍的是RSA公钥免密登陆方式。 可以参考的官方文档Cisco Nexus 9000 Series NX-OS Security Configuration Guide, Release 10.5(x) 实验步骤
服务器创建rsa密钥对Cisco交换机保存服务器创建的rsa公钥服务器ssh登录Cisco设备进行测试
0. 实验环境 设备型号IPLinuxRHEL8192.168.100.141SwitchCisco IOS192.168.100.100NXOSCisco Nexus192.168.100.101NetCLoud0(桥接VMnet8)N/A
1. Linux Linux上仅需要能ping通两台交换机申请rsa密钥对并将公钥记录下来即可 # 查看ip
[rootlinux ~]# ip a s ens33 | awk NR4 {print $2}
192.168.100.141/24# 生成一个2048长度的密钥
# 交换机可能因为版本限制rsa的长度2048是一个非常稳妥的长度
[rootlinux ~]# ssh-keygen -b 2048
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
/root/.ssh/id_rsa already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:WwIJVzyTw89Rsp2JVfUbUwjRr0gLCUqXoXPT4NMC14 rootdocker01
The keys randomart image is:
---[RSA 2048]----
| . ......oo|
| o .B .* oo o|
| o Bo. .|
| .o E o |
| .SX.O . o |
| . B B . |
| . o. o |
| . . |
| |
----[SHA256]-----# 查看公钥,记录下来可以用
# 以64字符为一行因为Cisco IOS的公钥录入有行长度限制需要多行录入提前设置好方便录入
# 仅需要记录从ssh-rsa开始到主机名空格前结束
[rootlinux ~]# fold -w 64 ~/.ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCoVHfQEHOq50u7kl5ukfPwwoYn
RHGCaYEHht4Fy8O3pGM3hk9GyT/IsBBquiBR1cxPjvZFlIGUd9gc2v4Xk8JHPIsH
f3IaS/5lhL257N4CZcLaZh/PWCaY3DSmZqJ3ywFlX1YLUDlUvelcG2fmc/p0brM
LCxawgePkzl/MQqaiEW/cqfXHR134InlV9nhBYyADGQff7Mmg6ysqEKKBMqG
h6dSquXo3i8PnQSI0RwIf8W9oUOWFIFJAzaaauqmMQhwxFbsc6vLOdctHc9Ndgy
z04O5bmoI7qT0Tgh1yuynHWmkfuUnCCi/S83BaFOyOKxn4ymEVA3mJCcA1t roo
tlinux
2. CiscoIOS
基础设置
# 查看版本
Switch#show version
Cisco IOS Software, vios_l2 Software (vios_l2-ADVENTERPRISEK9-M), Experimental Version 15.2(20200924:215240) [sweickge-sep24-2020-l2iol-release 135]# 修改主机名
testen
test#configure terminal
test(config)#hostname Switch# 设置svi1 ip
Switch(config-if)#int vlan 1
Switch(config-if)#ip add 192.168.100.100 255.255.255.0# ping测试
Switch#ping 192.168.100.141
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.141, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max 4/4/5 ms
保存密钥
# 均在配置模式下配置# 设置域名不设置不能启用ssh和rsa
Switch(config)#ip domain-name test# 创建rsa密钥用于开始ssh
Switch(config)#crypto key generate rsa
% You already have RSA keys defined named Switch.test.
Choose the size of the key modulus in the range of 360 to 4096 for yourGeneral Purpose Keys. Choosing a key modulus greater than 512 may takea few minutes.
How many bits in the modulus [512]: 2048
% Generating 2048 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 3 seconds)# 启用sshv2
Switch(config)#ip ssh version 2# 启用ssh登录
Switch(config)#line vty 0 4
Switch(config-line)#transport input ssh
Switch(config-line)#login local
Switch(config-line)#exit# 设置无密码账号linux
Switch(config)#username linux privilege 15# 导入linux的公钥
Switch(config)#ip ssh pubkey-chain
Switch(conf-ssh-pubkey)#username linux
Switch(conf-ssh-pubkey-user)#key-string
# 以下是录入密钥将前面录入的复制下来
Switch(conf-ssh-pubkey-data)#$2EAAAADAQABAAABAQCoVHfQEHOq50u7kl5ukfPwwoYn
Switch(conf-ssh-pubkey-data)#$k9GyT/IsBBquiBR1cxPjvZFlIGUd9gc2v4Xk8JHPIsH
Switch(conf-ssh-pubkey-data)#$Zh/PWCaY3DSmZqJ3ywFlX1YLUDlUvelcG2fmc/p0brM
Switch(conf-ssh-pubkey-data)#$/cqfXHR134InlV9nhBYyADGQff7Mmg6ysqEKKBMqG
Switch(conf-ssh-pubkey-data)#$8W9oUOWFIFJAzaaauqmMQhwxFbsc6vLOdctHc9Ndgy
Switch(conf-ssh-pubkey-data)#$HWmkfuUnCCi/S83BaFOyOKxn4ymEVA3mJCcA1t
#录入完后退出即完成录入
Switch(conf-ssh-pubkey-data)#exit
Switch(conf-ssh-pubkey-user)#exit
Switch(conf-ssh-pubkey)#exit
登陆测试 在linux上ssh Cisco交换机 # 登录后可以看到回显有“永久将主机(RSA)添加入已知列表“
[rootdocker01 ~]# ssh linux192.168.100.100
The authenticity of host 192.168.100.100 (192.168.100.100) cant be established.
RSA key fingerprint is SHA256:1DfhYAi7UO9ZocSjUhqnF6zCSYrAhXKrSI21J9bHE.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 192.168.100.100 (RSA) to the list of known hosts.IOSv - Cisco Systems Confidential -Supplemental End User License RestrictionsThis IOSv software is provided AS-IS without warranty of any kind. Under no circumstances may this software be used separate from the Cisco Modeling Labs Software that this software was provided with, or deployed or used as part of a production environment.By using the software, you agree to abide by the terms and conditions of the Cisco End User License Agreement at http://www.cisco.com/go/eula. Unauthorized use or distribution of this software is expressly prohibited.IOSv - Cisco Systems Confidential -Supplemental End User License RestrictionsThis IOSv software is provided AS-IS without warranty of any kind. Under no circumstances may this software be used separate from the Cisco Modeling Labs Software that this software was provided with, or deployed or used as part of a production environment.By using the software, you agree to abide by the terms and conditions of the Cisco End User License Agreement at http://www.cisco.com/go/eula. Unauthorized use or distribution of this software is expressly prohibited.Switch#en
Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#
# 作为权限15的账号可以进入配置模式进行配置3. CiscoNexus
基础配置
# 查看版本是9.3.8的Nexus OS
switch# show version
Cisco Nexus Operating System (NX-OS) Software
SoftwareBIOS: versionNXOS: version 9.3(8)BIOS compile time:NXOS image file is: bootflash:///nxos.9.3.8.binNXOS compile time: 8/4/2021 13:00:00 [08/04/2021 22:25:26]# 配置设备名
switch# conf t
Enter configuration commands, one per line. End with CNTL/Z.
switch(config)# hostn NXOS
NXOS(config)## 设置svi1 ip
NXOS(config-if)# ip add 192.168.100.101/24
NXOS(config-if)# do show ip int briIP Interface Status for VRF default(1)
Interface IP Address Interface Status
Vlan1 192.168.100.101 protocol-up/link-up/admin-up# ping测试
NXOS# ping 192.168.100.141
PING 192.168.100.141 (192.168.100.141): 56 data bytes
64 bytes from 192.168.100.141: icmp_seq0 ttl63 time9.11 ms
64 bytes from 192.168.100.141: icmp_seq1 ttl63 time8.318 ms
64 bytes from 192.168.100.141: icmp_seq2 ttl63 time19.181 ms
64 bytes from 192.168.100.141: icmp_seq3 ttl63 time7.7 ms
64 bytes from 192.168.100.141: icmp_seq4 ttl63 time5.08 ms--- 192.168.100.141 ping statistics ---
5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min/avg/max 5.08/9.877/19.181 ms
保存密钥
# 生成密钥启用ssh
NXOS(config)# ssh key rsa
NXOS(config)# feature ssh# 查看ssh server key
NXOS(config)# show ssh key
**************************************
rsa Keys generated:Wed Aug 14 02:22:31 2024ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC2ag54FDSbAT3Z3uVxHJ5LVEIedz6ximnx1lJr2gC6
r96XcUw2l3vx704V6nMiFrdjsuMuPk9cVmuHvdUy09/Q6pPiUD8I0/tSdMzPANoAsURLa06J/Gqo
v6RJVPtqKum1DsMR91d8UYXrNFKq62SvCDaNa486bAd8/qMRwbitcount:1024
fingerprint:
SHA256:RGZdz0/waQniT3HNS5haHBVst0N7DPHTc1WLadUyc
**************************************
could not retrieve dsa key information
**************************************
could not retrieve ecdsa key information
**************************************# 创建登陆方式为公钥登录的用户输入linux的公钥
# 因为为一行输入所以cat linux的公钥直接复制即可不要切断换行
NXOS(config)# username linux sshkey ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCoVHfQEHOq50u7kl5ukfPwwoYnRHGCaYEHht4Fy8O3pGM3hk9GyT/IsBBquiBR1cxPjvZFlIGUd9gc2v4Xk8JHPIsHf3IaS/5lhL257N4CZcLaZh/PWCaY3DSmZqJ3ywFlX1YLUDlUvelcG2fmc/p0brMLCxawgePkzl/MQqaiEW/cqfXHR134InlV9nhBYyADGQff7Mmg6ysqEKKBMqGh6dSquXo3i8PnQSI0RwIf8W9oUOWFIFJAzaaauqmMQhwxFbsc6vLOdctHc9Ndgyz04O5bmoI7qT0Tgh1yuynHWmkfuUnCCi/S83BaFOyOKxn4ymEVA3mJCcA1t登陆测试 在linux上ssh Cisco交换机 # 使用创建的用户在linux上ssh登录Cisco交换机
# 登录后可以看到回显有“永久将主机(RSA)添加入已知列表“
[rootdocker01 ~]# ssh linux192.168.100.101
The authenticity of host 192.168.100.101 (192.168.100.101) cant be established.
RSA key fingerprint is SHA256:RGZdz0/waQniT3HNS5haHBVst0N7DPHTc1WLadUyc.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 192.168.100.101 (RSA) to the list of known hosts.
User Access VerificationCisco NX-OS Software
Copyright (c) 2002-2021, Cisco Systems, Inc. All rights reserved.
Nexus 9000v software (Nexus 9000v Software) and related documentation,
files or other reference materials (Documentation) are
the proprietary property and confidential information of Cisco
Systems, Inc. (Cisco) and are protected, without limitation,
pursuant to United States and International copyright and trademark
laws in the applicable jurisdiction which provide civil and criminal
penalties for copying or distribution without Ciscos authorization.Any use or disclosure, in whole or in part, of the Nexus 9000v Software
or Documentation to any third party for any purposes is expressly
prohibited except as otherwise authorized by Cisco in writing.
The copyrights to certain works contained herein are owned by other
third parties and are used and distributed under license. Some parts
of this software may be covered under the GNU Public License or the
GNU Lesser General Public License. A copy of each such license is
available at
http://www.gnu.org/licenses/gpl.html and
http://www.gnu.org/licenses/lgpl.html
***************************************************************************
* Nexus 9000v is strictly limited to use for evaluation, demonstration *
* and NX-OS education. Any use or disclosure, in whole or in part of *
* the Nexus 9000v Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
***************************************************************************
NXOS# conf t
Enter configuration commands, one per line. End with CNTL/Z.
# 该用户在创建时没有设置权限因此没有权限进入接口视图可以后续根据需求自行设置
NXOS(config)# int mgmt0
% Permission denied for the role
NXOS(config)# vlan 2
% Permission denied for the role实验完毕。 文章转载自: http://www.morning.brhxd.cn.gov.cn.brhxd.cn http://www.morning.ztcwp.cn.gov.cn.ztcwp.cn http://www.morning.wchcx.cn.gov.cn.wchcx.cn http://www.morning.nqrdx.cn.gov.cn.nqrdx.cn http://www.morning.hrnrx.cn.gov.cn.hrnrx.cn http://www.morning.ppghc.cn.gov.cn.ppghc.cn http://www.morning.ppqjh.cn.gov.cn.ppqjh.cn http://www.morning.pmysp.cn.gov.cn.pmysp.cn http://www.morning.wbfg.cn.gov.cn.wbfg.cn http://www.morning.zmpqh.cn.gov.cn.zmpqh.cn http://www.morning.qljxm.cn.gov.cn.qljxm.cn http://www.morning.fbmjw.cn.gov.cn.fbmjw.cn http://www.morning.nqrfd.cn.gov.cn.nqrfd.cn http://www.morning.fmrd.cn.gov.cn.fmrd.cn http://www.morning.xcjwm.cn.gov.cn.xcjwm.cn http://www.morning.hxwrs.cn.gov.cn.hxwrs.cn http://www.morning.gmswp.cn.gov.cn.gmswp.cn http://www.morning.leboju.com.gov.cn.leboju.com http://www.morning.mlnbd.cn.gov.cn.mlnbd.cn http://www.morning.ndcjq.cn.gov.cn.ndcjq.cn http://www.morning.amlutsp.cn.gov.cn.amlutsp.cn http://www.morning.jlrym.cn.gov.cn.jlrym.cn http://www.morning.gnwpg.cn.gov.cn.gnwpg.cn http://www.morning.tqbyw.cn.gov.cn.tqbyw.cn http://www.morning.bfjtp.cn.gov.cn.bfjtp.cn http://www.morning.gcxfh.cn.gov.cn.gcxfh.cn http://www.morning.rxlk.cn.gov.cn.rxlk.cn http://www.morning.rszwc.cn.gov.cn.rszwc.cn http://www.morning.rbgqn.cn.gov.cn.rbgqn.cn http://www.morning.slwqt.cn.gov.cn.slwqt.cn http://www.morning.qfmns.cn.gov.cn.qfmns.cn http://www.morning.kkqgf.cn.gov.cn.kkqgf.cn http://www.morning.mqmmc.cn.gov.cn.mqmmc.cn http://www.morning.npqps.cn.gov.cn.npqps.cn http://www.morning.ldmtq.cn.gov.cn.ldmtq.cn http://www.morning.jrksk.cn.gov.cn.jrksk.cn http://www.morning.wpmlp.cn.gov.cn.wpmlp.cn http://www.morning.knmp.cn.gov.cn.knmp.cn http://www.morning.gjcdr.cn.gov.cn.gjcdr.cn http://www.morning.wpxfk.cn.gov.cn.wpxfk.cn http://www.morning.dgfpp.cn.gov.cn.dgfpp.cn http://www.morning.lxdbn.cn.gov.cn.lxdbn.cn http://www.morning.bnfjh.cn.gov.cn.bnfjh.cn http://www.morning.gmysq.cn.gov.cn.gmysq.cn http://www.morning.sgrdp.cn.gov.cn.sgrdp.cn http://www.morning.qkzdc.cn.gov.cn.qkzdc.cn http://www.morning.ftldl.cn.gov.cn.ftldl.cn http://www.morning.tlfzp.cn.gov.cn.tlfzp.cn http://www.morning.lhhdy.cn.gov.cn.lhhdy.cn http://www.morning.jfcbs.cn.gov.cn.jfcbs.cn http://www.morning.ybshj.cn.gov.cn.ybshj.cn http://www.morning.bkryb.cn.gov.cn.bkryb.cn http://www.morning.lfmwt.cn.gov.cn.lfmwt.cn http://www.morning.eshixi.com.gov.cn.eshixi.com http://www.morning.dqbpf.cn.gov.cn.dqbpf.cn http://www.morning.flncd.cn.gov.cn.flncd.cn http://www.morning.myhpj.cn.gov.cn.myhpj.cn http://www.morning.wmdbn.cn.gov.cn.wmdbn.cn http://www.morning.xsrnr.cn.gov.cn.xsrnr.cn http://www.morning.fcftj.cn.gov.cn.fcftj.cn http://www.morning.djpgc.cn.gov.cn.djpgc.cn http://www.morning.bphqd.cn.gov.cn.bphqd.cn http://www.morning.nlgyq.cn.gov.cn.nlgyq.cn http://www.morning.lwsct.cn.gov.cn.lwsct.cn http://www.morning.cbmqq.cn.gov.cn.cbmqq.cn http://www.morning.nggbf.cn.gov.cn.nggbf.cn http://www.morning.wcjgg.cn.gov.cn.wcjgg.cn http://www.morning.mwpcp.cn.gov.cn.mwpcp.cn http://www.morning.jxmjr.cn.gov.cn.jxmjr.cn http://www.morning.dyght.cn.gov.cn.dyght.cn http://www.morning.qszyd.cn.gov.cn.qszyd.cn http://www.morning.wwklf.cn.gov.cn.wwklf.cn http://www.morning.thwhn.cn.gov.cn.thwhn.cn http://www.morning.ltzkk.cn.gov.cn.ltzkk.cn http://www.morning.gsqw.cn.gov.cn.gsqw.cn http://www.morning.cljpz.cn.gov.cn.cljpz.cn http://www.morning.zmzdx.cn.gov.cn.zmzdx.cn http://www.morning.xwlmg.cn.gov.cn.xwlmg.cn http://www.morning.rkfh.cn.gov.cn.rkfh.cn http://www.morning.rrgm.cn.gov.cn.rrgm.cn
