#1
(Example performed on an ISR 1921 G2) Before going into the details, I'd suggest you don't back up the keys at all, but instead just pull the new key from the new router and update the script. You'll need to get into the router without SSH anyway to load the config / enable SSH. That can be done with a script and a console cable... you could even pull the new SSH public key and update the script automatically (router#sh ip ssh). I think that's the safer option. But, to answer the question about backing up the SSH keys:
You need to generate exportable keys that can be used with SSH, and then export them to a PEM file with a password. Unfortunately, the only two options for encrypting them are des and 3des.
Generate the keys:
home-1921(config)#crypto key generate rsa general-keys exportable label example modulus 4096
The name for the keys will be: example
% The key modulus size is 4096 bits
% Generating 4096 bit RSA keys, keys will be exportable...
[OK] (elapsed time was 658 seconds)
Jun 15 11:10:05.158: %SSH-5-ENABLED: SSH 1.99 has been enabled
home-1921(config)#
Assign them to SSH, if not already assigned:
home-1921(config)#ip ssh rsa keypair-name example
home-1921(config)#
Jun 15 11:11:22.467: %SSH-5-DISABLED: SSH 1.99 has been disabled
Jun 15 11:11:22.467: %SSH-5-ENABLED: SSH 1.99 has been enabled
Export the keys:
This exports the keys to the terminal, from where they can be saved to a file by a script or by hand.
home-1921(config)#$export rsa example pem terminal 3des somepassword
% Key name: example
Usage: General Purpose Key
Key data:
-----BEGIN PUBLIC KEY-----
...
-----END PUBLIC KEY-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0243F61FBCFF9FFD
...
-----END RSA PRIVATE KEY-----
home-1921(config)#
Login test:
demo-mac:~ demo$ ssh demo@<cleared>.205
The authenticity of host '<cleared>.205 (<cleared>.205)' can't be established.
RSA key fingerprint is af:6e:a0:fa:c3:45:ab:2d:a9:60:84:fe:0b:96:de:cc.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '<cleared>.205' (RSA) to the list of known hosts.
Password:
home-1921#
OK, so we know it works... time to erase NVRAM and reload.
home-1921#erase nvram:
Erasing the nvram filesystem will remove all configuration files! Continue? [co]
[OK]
Erase of nvram: complete
home-1921#
Jun 15 11:16:19.268: %SYS-7-NV_BLOCK_INIT: Initialized the geometry of nvram
home-1921#reload
System configuration has been modified. Save? [yes/no]: no
Proceed with reload? [confirm]
Now we reconfigure the test router to allow SSH again:
Note: I'm only generating a brand-new key to demonstrate that my terminal rejects the new key but then accepts the restored one. This step isn't needed unless you want to verify that it works.
OK, let's restore the key and see what happens:
router>en
router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
router(config)#int G0/0
router(config-if)#ip add <cleared>.205 255.255.255.0
router(config-if)#no shutdown
router(config-if)#exit
router(config)#ip domain-name example.com
router(config)#aaa new-model
router(config)#aaa authen log def loc
router(config)#aaa author exe def loc
router(config)#username demo priv 15 sec demo
router(config)#cry key gen rsa mod 4096
The name for the keys will be: router.example.com
% The key modulus size is 4096 bits
% Generating 4096 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 117 seconds)
Jun 15 11:17:55.247: %SSH-5-ENABLED: SSH 1.99 has been enabled
router(config)#
Now assign it to SSH again:
demo-mac:~ demo$ ssh demo@<cleared>.205
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
8c:62:d4:75:0f:4c:59:a8:81:d2:01:1b:68:9d:08:cb.
Please contact your system administrator.
Add correct host key in /Users/demo/.ssh/known_hosts to get rid of this message.
Offending RSA key in /Users/demo/.ssh/known_hosts:90
RSA host key for <cleared>.205 has changed and you have requested strict checking.
Host key verification failed.
demo-mac:~ demo$
...and then try logging in again:
router(config)#$crypto key import rsa example-restored pem terminal somepassword
% Enter PEM-formatted public General Purpose key or certificate.
% End with a blank line or "quit" on a line by itself.
-----BEGIN PUBLIC KEY-----
...
-----END PUBLIC KEY-----
% Enter PEM-formatted encrypted private General Purpose key.
% End with "quit" on a line by itself.
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0243F61FBCFF9FFD
...
-----END RSA PRIVATE KEY-----
quit
% Key pair import succeeded.
router(config)#
All set!
Edit:
Note: when importing the keys, make sure there is no extra whitespace around the key data. If you copy and paste from the console, it may leave trailing whitespace on each line, which has to be removed before importing.
#2
Backing up host keys in order to replace them is more trouble than it's worth. If you don't want your scripts held up by key changes (on *nix), run ssh like this:
... ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no username@hostname
This tells the ssh client to use an empty known hosts file and not to enforce strict key checking. As noted in the comments, by disabling host key checking you're removing the protection that SSH key checking provides. You can mitigate that risk by running an IDS in the environment, or by using very strict Layer 2 security features on that VLAN:
Dynamic ARP inspection, or host-level static ARP practices
DHCP snooping
Ethernet port security
Comments
I agree with Mike that backing them up usually isn't worth the effort. When I ran into this problem with RANCID, my solution was an alias called "fixrancid", which is simply: alias fixrancid='rm /var/lib/rancid/.ssh/known_hosts'. Probably not the best fix, but it works for those occasions where SSH keys get regenerated on a box in the network. And it's easy to tell other engineers to just run "fixrancid" on the box to fix the problem.
– Brett Lykins
Jun 14, 2013 at 14:30
The downside is that all security is lost. We take great care to protect secret keys, and then we sacrifice the entire ssh security model because of this. Obviously, if the key is only visible in the running config, the sacrifice is smaller.
– ytti
Jun 14, 2013 at 15:05
@ytti, it's not visible in the running config, and saying "all security is lost" is an oversimplification. Security is lost if there's a compromise... presumably people still SSH to the router manually (which means host key checking is enabled). Also, let's not assume that backing up the host keys is safer... you now have to protect wherever the keys are stored... these keys are in plaintext, more dangerous than a type 5 enable secret. Once you know the private key, you can decrypt all traffic to that host.
– Mike Pennington
Jun 14, 2013 at 15:35
If your system doesn't verify the key and just accepts whatever key is offered, then anyone can be the MITM. Obviously, having the key show up in the config backup would be more secure.
– ytti
Jun 14, 2013 at 15:37
@ytti, I think you should consider a different way of computing the statistics, because the likelihood of a MITM attack is increased by the fraction of ssh sessions that don't verify keys. That means you can't detect a potential MITM attack with a script... the attack doesn't happen automatically (which is a fact we'd have to assume in order to believe your assertion that turning ssh key checking off makes the probability of MITM == 1).
– Mike Pennington
Jun 15, 2013 at 11:02
#3
Simple answer... it's not possible to get the keys directly. They're stored in the nvram private-config, which isn't accessible to users. If the keys were generated the default way, they weren't set exportable, so they can't be retrieved. (... / import them.) Another option is to use a "secure USB token" (
usbtoken#
) for key storage. The token can be moved over when the router is replaced. However, the token is still a single copy, so a more complex export method may be needed. On the plus side, the keys only need to be backed up once. (The key point is that they never change, even if the hardware is replaced.)
[See also]
Comments
In the example the private key is encrypted with 3des using the password "somepassword". But 3des being what it is, I completely agree with you about protecting the data. I wouldn't recommend this option either; I'd go with scripting the new keys. Before writing this up I generally didn't know how to do it.
– some_guy_long_gone
Jun 15, 2013 at 12:02
I like this idea, and maybe it could be extended with another version that never exports the private key. Suppose the control plane is broken; you replace it with a new one and generate all new keys. At that point it's enough to export the new public key and store it in a central NMS location, i.e. the directory where the NMS box's ssh checks keys. That lets the NMS verify the key without having to replace the private key with the old one again.
– ytti
Jun 15, 2013 at 12:05
sh ip ssh only shows the public key, in the same format that known_hosts accepts. No private key is pulled out. So when you generate a new key, just pull that public information and update your known_hosts file.
– some_guy_long_gone
Jun 15, 2013 at 12:09
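The approach recommended at the top of the first answer (pull the new host key from the replacement router over the console and update the script) and the point made in the last comment (the public key is all you need to refresh known_hosts) can be automated without falling back to the `StrictHostKeyChecking=no` workaround from the second answer. The following Python is an added example, not code from the thread or from any of its authors. It builds a constructed toy ssh-rsa key (a tiny modulus, for illustration only), prints both fingerprint styles so the value can be compared with what the router shows on the console before it is trusted, and replaces one host's entry in a known_hosts file while leaving every other entry intact. The host names, the IP 192.0.2.205, and the key values are all constructed.

```python
"""Rotate one router's SSH host key in a known_hosts file while keeping
StrictHostKeyChecking on.  Added example; not code from the thread."""
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def _mpint(value: int) -> bytes:
    """SSH mpint: minimal big-endian bytes, 0x00-prefixed if the top bit is set."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big") if value else b""
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def build_ssh_rsa_key(e: int, n: int) -> str:
    """Base64 blob that follows 'ssh-rsa' in a known_hosts line."""
    blob = _ssh_string(b"ssh-rsa") + _mpint(e) + _mpint(n)
    return base64.b64encode(blob).decode("ascii")


def parse_ssh_rsa_key(b64: str) -> tuple:
    """Decode an ssh-rsa blob into (e, n); raise ValueError on malformed input."""
    blob = base64.b64decode(b64)
    fields, pos = [], 0
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("truncated length prefix")
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        if pos + length > len(blob):
            raise ValueError("truncated field")
        fields.append(blob[pos:pos + length])
        pos += length
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key blob")
    return int.from_bytes(fields[1], "big"), int.from_bytes(fields[2], "big")


def md5_fingerprint(b64: str) -> str:
    """Legacy colon-separated MD5 fingerprint, the style older ssh clients print."""
    digest = hashlib.md5(base64.b64decode(b64)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def sha256_fingerprint(b64: str) -> str:
    """Modern 'SHA256:' fingerprint: unpadded base64 of the blob's SHA-256."""
    digest = hashlib.sha256(base64.b64decode(b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def replace_host_key(known_hosts: str, host: str, key_type: str, b64: str) -> tuple:
    """Drop every plain entry naming `host`, then append the new key line.

    Returns (new_text, removed_count).  Multi-host entries such as
    '192.0.2.205,router.example.com ssh-rsa ...' keep their other names.
    Hashed entries (|1|...) cannot be matched by name and are left alone.
    """
    kept, removed = [], 0
    for line in known_hosts.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#|":
            kept.append(line)
            continue
        marker = ""
        if stripped.startswith("@"):  # '@cert-authority' / '@revoked' prefix
            marker, stripped = stripped.split(None, 1)
            marker += " "
        parts = stripped.split(None, 1)
        if len(parts) != 2:
            kept.append(line)
            continue
        names = parts[0].split(",")
        if host in names:
            removed += 1
            others = [h for h in names if h != host]
            if others:
                kept.append(marker + ",".join(others) + " " + parts[1])
            continue
        kept.append(line)
    kept.append(f"{host} {key_type} {b64}")
    return "\n".join(kept) + "\n", removed


# Constructed sample data (toy RSA parameters, far too small to be real keys).
OLD_KEY = build_ssh_rsa_key(17, 3233)
NEW_KEY = build_ssh_rsa_key(65537, 4847)
SAMPLE_KNOWN_HOSTS = (
    "# constructed sample known_hosts, not from any real system\n"
    "192.0.2.205,router.example.com ssh-rsa " + OLD_KEY + "\n"
    "192.0.2.10 ssh-ed25519 " + base64.b64encode(b"constructed-demo-blob").decode() + "\n"
    "|1|hashedsalt|hashedhost ssh-rsa " + OLD_KEY + "\n"
)


def rotate_demo() -> tuple:
    """Replace the entry for the rebuilt router 192.0.2.205 with NEW_KEY."""
    return replace_host_key(SAMPLE_KNOWN_HOSTS, "192.0.2.205", "ssh-rsa", NEW_KEY)


if __name__ == "__main__":
    text, removed = rotate_demo()
    print("removed entries:", removed)
    print("compare with the console before trusting: MD5", md5_fingerprint(NEW_KEY),
          "/", sha256_fingerprint(NEW_KEY))
    print(text)
```

The fingerprint is printed for a reason: the only thing that makes this safer than `StrictHostKeyChecking=no` is that someone compares it with what the router itself reports on the console, so the entry is rotated exactly once, on a known event, rather than accepted silently on every connection. Hashed known_hosts entries are skipped deliberately; for those, `ssh-keygen -R <host>` is the right tool, since it can match the hash.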