SSH Batch Management for a Web Cluster

Published: 2023-09-06 02:21    Editor: 苏小强    Keywords: Web

1. What is SSH batch management
Generate a public/private key pair on the management host, push the public key to every server that is to be managed, and from then on scp and ssh commands work against those servers without entering a password.


Lock = public key, key = private key.

How an enterprise implements the SSH scheme:
1) Use root's SSH key directly.
   Requirement: the system allows root to log in over SSH.
2) Use sudo privilege escalation so that an unprivileged user can perform the copy.


Lab environment:

hostname    ip             description
m01         172.16.1.61    management host
web01       172.16.1.7     managed
nfs         172.16.1.31    managed
backup      172.16.1.41    managed

All machines run the same OS:

[root@m01 /]# cat /etc/redhat-release
CentOS Linux release 7.5.1804 (Core)
[root@m01 /]# uname -r
3.10.0-862.el7.x86_64

1.1 Create an ordinary user and password on all servers

useradd xiaoli
echo "123456" | passwd --stdin xiaoli
id xiaoli
su - xiaoli    #<== switch to the xiaoli user on every host

1.2 Generate the key pair on m01
# Create the private key as the xiaoli user and distribute the public key

[xiaoli@m01 ~]$ ssh-keygen -t dsa    #<== generate the key pair (press Enter at every prompt)
Generating public/private dsa key pair.
Enter file in which to save the key (/home/xiaoli/.ssh/id_dsa):
Created directory '/home/xiaoli/.ssh'.    #<== directory where the private key is stored
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/xiaoli/.ssh/id_dsa.
Your public key has been saved in /home/xiaoli/.ssh/id_dsa.pub.
The key fingerprint is:
SHA256:/UtUhhM++KSQH9OgJyP+MCRz+LhdYfRt/r6384aVLzU xiaoli@m01
The key's randomart image is:
+---[DSA 1024]----+
|        . . .    |
|     . . + * o   |
|    + + O * X o  |
|     O o O O =   |
|    . = S + +   .|
|     o =   o . Eo|
|    . . .   o .+o|
|           . oo.+|
|            . o*=|
+----[SHA256]-----+
[xiaoli@m01 ~]$ pwd
/home/xiaoli
[xiaoli@m01 ~]$ ls .ssh/
id_dsa  id_dsa.pub
[xiaoli@m01 ~]$ ll .ssh/
total 8
-rw------- 1 xiaoli xiaoli 672 Nov  5 20:57 id_dsa        #<== private key
-rw-r--r-- 1 xiaoli xiaoli 600 Nov  5 20:57 id_dsa.pub    #<== public key

1.3 The management host distributes the public key to the clients
Push the public key from the management host to backup

[xiaoli@m01 ~]$ ssh-copy-id -i .ssh/id_dsa.pub xiaoli@172.16.1.41
/bin/ssh-copy-id: INFO: Source of key(s) to be installed: ".ssh/id_dsa.pub"
The authenticity of host '172.16.1.41 (172.16.1.41)' can't be established.
ECDSA key fingerprint is SHA256:9mwPu7qxdn4iuw1GFz5nXmBdpXKRoj0D8dhDo6sp9XQ.
ECDSA key fingerprint is MD5:d2:35:47:86:60:b5:97:16:3f:26:4c:91:78:3a:02:2a.
Are you sure you want to continue connecting (yes/no)? yes
/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
xiaoli@172.16.1.41's password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'xiaoli@172.16.1.41'"
and check to make sure that only the key(s) you wanted were added.

# On backup, check that the public key arrived
[xiaoli@backup ~]$ ls .ssh/
authorized_keys
# .ssh/authorized_keys is the default file name; it is defined by AuthorizedKeysFile in /etc/ssh/sshd_config
[root@backup backup]$ grep authorized_keys /etc/ssh/sshd_config | egrep -v "^#"
AuthorizedKeysFile      .ssh/authorized_keys

Push the public key from the management host to nfs

[xiaoli@m01 ~]$ ssh-copy-id -i .ssh/id_dsa.pub xiaoli@172.16.1.31
/bin/ssh-copy-id: INFO: Source of key(s) to be installed: ".ssh/id_dsa.pub"
The authenticity of host '172.16.1.31 (172.16.1.31)' can't be established.
ECDSA key fingerprint is SHA256:9mwPu7qxdn4iuw1GFz5nXmBdpXKRoj0D8dhDo6sp9XQ.
ECDSA key fingerprint is MD5:d2:35:47:86:60:b5:97:16:3f:26:4c:91:78:3a:02:2a.
Are you sure you want to continue connecting (yes/no)? yes
/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
xiaoli@172.16.1.31's password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'xiaoli@172.16.1.31'"
and check to make sure that only the key(s) you wanted were added.

# On nfs, check that the public key arrived
[xiaoli@nfs ~]$ ls -l .ssh/
total 4
-rw------- 1 xiaoli xiaoli 600 Nov  5 21:16 authorized_keys

Push the public key from the management host to web01

[xiaoli@m01 ~]$ ssh-copy-id -i .ssh/id_dsa.pub xiaoli@172.16.1.7
/bin/ssh-copy-id: INFO: Source of key(s) to be installed: ".ssh/id_dsa.pub"
The authenticity of host '172.16.1.7 (172.16.1.7)' can't be established.
ECDSA key fingerprint is SHA256:9mwPu7qxdn4iuw1GFz5nXmBdpXKRoj0D8dhDo6sp9XQ.
ECDSA key fingerprint is MD5:d2:35:47:86:60:b5:97:16:3f:26:4c:91:78:3a:02:2a.
Are you sure you want to continue connecting (yes/no)? yes
/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
xiaoli@172.16.1.7's password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'xiaoli@172.16.1.7'"
and check to make sure that only the key(s) you wanted were added.

# On web01, check that the public key arrived
[xiaoli@web01 ~]$ ls -l .ssh/
total 4
-rw------- 1 xiaoli xiaoli 600 Nov  5 21:20 authorized_keys

1.4 Collect parameters in batch from the management host
Query the IP address of a single client; if the SSH port is 22 there is no need to add -p

[xiaoli@m01 ~]$ ssh xiaoli@172.16.1.31 /sbin/ifconfig ens33
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.0.31  netmask 255.255.255.0  broadcast 10.0.0.255
        inet6 fe80::7ef6:6b6b:fba4:c66c  prefixlen 64  scopeid 0x20<link>
        inet6 fe80::f15a:916:1ee7:65e9  prefixlen 64  scopeid 0x20<link>
        ether 00:50:56:20:de:ec  txqueuelen 1000  (Ethernet)
        RX packets 68059  bytes 50182137 (47.8 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 32722  bytes 6712416 (6.4 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
# Notice that ssh now runs the command without asking for a password

Create a script that shows the IP addresses of all three clients

[xiaoli@m01 ~]$ mkdir seripts
[xiaoli@m01 ~]$ cd seripts
[xiaoli@m01 seripts]$ cat view_ip.sh
#!/bin/sh
User=xiaoli
Ip=(172.16.1.7 172.16.1.31 172.16.1.41)
for ((i=0;i<${#Ip[*]};i++))
do
        ssh ${User}@${Ip[$i]} /sbin/ifconfig ens33
done
# Run the script
[xiaoli@m01 seripts]$ sh view_ip.sh
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.0.7  netmask 255.255.255.0  broadcast 10.0.0.255
        inet6 fe80::7ef6:6b6b:fba4:c66c  prefixlen 64  scopeid 0x20<link>
        inet6 fe80::b85a:6444:fdc7:90ef  prefixlen 64  scopeid 0x20<link>
        inet6 fe80::f15a:916:1ee7:65e9  prefixlen 64  scopeid 0x20<link>
        ether 00:50:56:32:88:be  txqueuelen 1000  (Ethernet)
        RX packets 11633  bytes 2805754 (2.6 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 6003  bytes 1047269 (1022.7 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.0.31  netmask 255.255.255.0  broadcast 10.0.0.255
        inet6 fe80::7ef6:6b6b:fba4:c66c  prefixlen 64  scopeid 0x20<link>
        inet6 fe80::f15a:916:1ee7:65e9  prefixlen 64  scopeid 0x20<link>
        ether 00:50:56:20:de:ec  txqueuelen 1000  (Ethernet)
        RX packets 68065  bytes 50182545 (47.8 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 32726  bytes 6712704 (6.4 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.0.41  netmask 255.255.255.0  broadcast 10.0.0.255
        inet6 fe80::7ef6:6b6b:fba4:c66c  prefixlen 64  scopeid 0x20<link>
        inet6 fe80::b85a:6444:fdc7:90ef  prefixlen 64  scopeid 0x20<link>
        inet6 fe80::f15a:916:1ee7:65e9  prefixlen 64  scopeid 0x20<link>
        ether 00:50:56:21:a4:2a  txqueuelen 1000  (Ethernet)
        RX packets 123357  bytes 15582283 (14.8 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 130534  bytes 11862139 (11.3 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
The output above is the sign of success: every machine is reached and can be operated on without a password prompt.

1.5 Batch file distribution with scp

Configure sudo as root on every server
# Switch to root and grant the xiaoli user permission to run the rsync command
echo "xiaoli ALL=(ALL) NOPASSWD:/usr/bin/rsync ">>/etc/sudoers
visudo -c

Copy /etc/hosts into xiaoli's home directory and edit the contents of the hosts file

[xiaoli@m01 ~]$ cp /etc/hosts .
[xiaoli@m01 ~]$ tail -5 hosts
172.16.1.7 web01
172.16.1.41 backup
172.16.1.31 nfs
172.16.1.51 m01
################2018-11-5################

Distribute the hosts file in batch with a script

[xiaoli@m01 ~]$ cat seripts/fenfa_file.sh
#!/bin/sh
User=xiaoli
Ip=(172.16.1.7 172.16.1.31 172.16.1.41)
for ((i=0;i<${#Ip[*]};i++))
do
        scp ~/hosts ${User}@${Ip[$i]}:~
        ssh -t ${User}@${Ip[$i]} sudo rsync ~/hosts /etc/hosts
done
# Run the batch distribution script
[xiaoli@m01 seripts]$ sh fenfa_file.sh
hosts                                          100%  268   245.5KB/s   00:00
Connection to 172.16.1.7 closed.
hosts                                          100%  268    47.6KB/s   00:00
Connection to 172.16.1.31 closed.
hosts                                          100%  268   295.1KB/s   00:00
Connection to 172.16.1.41 closed.

Check the result on a client

# Using the backup client as the example:
[xiaoli@backup ~]$ tail -5 /etc/hosts
172.16.1.7 web01
172.16.1.41 backup
172.16.1.31 nfs
172.16.1.51 m01
################2018-11-5################

Extension: use rsync over an SSH transport for incremental, encrypted transfer

[xiaoli@m01 ~]$ rsync -avz hosts -e 'ssh -p 22' xiaoli@172.16.1.41:~    #<== the colon after the host makes the target remote; without it rsync writes a local file named xiaoli@172.16.1.41
sending incremental file list
hosts

sent 214 bytes  received 35 bytes  498.00 bytes/sec
total size is 268  speedup is 1.08
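A hardened version of the distribution step in 1.5, added here as an example and not the post's own fenfa_file.sh: it keeps the post's user, hosts and paths but makes ssh/scp fail rather than fall back to password prompts or accept unknown host keys, narrows the sudoers grant to the one rsync command line the script runs (a bare NOPASSWD:/usr/bin/rsync is equivalent to unrestricted root for that user), and verifies every delivery by checksum. The host list, staging path and rule format are assumptions matching the lab above, and the xiaoli key pair is assumed to exist already.

```shell
#!/bin/sh
# Added example, not the original post's fenfa_file.sh. Pushes a file to
# every client and installs it with a narrowly scoped sudo rule.
# Assumes the xiaoli key pair already exists (OpenSSH 7.0+ disables DSA
# keys by default; ssh-keygen -t ed25519 is the usual choice today).
set -eu

USER_NAME=xiaoli
HOSTS="172.16.1.7 172.16.1.31 172.16.1.41"    # lab hosts from the post
# BatchMode=yes: fail instead of prompting for a password if the key is missing.
# StrictHostKeyChecking=yes: only talk to hosts already in known_hosts. (The
# post's three clients report identical ECDSA fingerprints, i.e. cloned
# images sharing one host key; known_hosts cannot tell such hosts apart.)
SSH_OPTS="-o BatchMode=yes -o StrictHostKeyChecking=yes -o ConnectTimeout=5"

# Sudoers line for the clients: sudo matches arguments literally, so fixing
# both absolute paths limits the grant to this one copy rather than any rsync.
sudoers_rule() {  # $1 user, $2 staged copy, $3 final destination
    printf '%s ALL=(root) NOPASSWD: /usr/bin/rsync %s %s\n' "$1" "$2" "$3"
}

# Compare a local file's SHA-256 with a `sha256sum <file>` line from a client.
checksum_matches() {  # $1 local file, $2 remote sha256sum output line
    local_sum=$(sha256sum "$1" | cut -d' ' -f1)
    remote_sum=${2%% *}
    [ -n "$remote_sum" ] && [ "$local_sum" = "$remote_sum" ]
}

# Stage $1 on each host as $3, install it as $2 via sudo rsync, then verify.
distribute() {  # $1 local source, $2 destination on client, $3 staging path
    rc=0
    for host in $HOSTS; do
        if scp $SSH_OPTS "$1" "$USER_NAME@$host:$3" >/dev/null \
           && ssh $SSH_OPTS "$USER_NAME@$host" "sudo /usr/bin/rsync $3 $2" \
           && checksum_matches "$1" "$(ssh $SSH_OPTS "$USER_NAME@$host" "sha256sum $2")"
        then
            echo "$host: ok"
        else
            echo "$host: FAILED" >&2
            rc=1
        fi
    done
    return $rc
}

case "${1:-}" in
    rule) sudoers_rule "$USER_NAME" /home/xiaoli/hosts /etc/hosts ;;  # line to add with visudo
    run)  distribute "$HOME/hosts" /etc/hosts /home/xiaoli/hosts ;;
esac
```

Run it with `rule` to print the sudoers line to install on each client, then with `run` from m01 to distribute the file; a host whose copy does not match the local checksum is reported as FAILED and the script exits non-zero.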


Original article: http://blog.51cto.com/12643266/2314340
