Environment: ssh server: 192.168.100.29 server.example.com

Setting up key authentication as root for shell-script-based management, distribution and deployment

First, create a key pair on the client, then distribute the public key to every SSH server the client needs to log in to.
Note: the public key is the lock and the private key is the key. We create one lock-and-key pair on the client; passwordless SSH login then amounts to sending the lock to the server and fitting it there, after which the client opens it with its own key.

I. Establishing key authentication

1. Create the key pair on the client (ssh client):

# su - root
# ssh-keygen -t dsa

Just press Enter at every prompt:

Generating public/private dsa key pair.
Enter file in which to save the key (/root/.ssh/id_dsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_dsa.
Your public key has been saved in /root/.ssh/id_dsa.pub.
The key fingerprint is:
e9:5e:4a:7f:79:64:c5:ae:f2:06:a7:26:e4:41:5c:0e [email protected]
The key's randomart image is:
+--[ DSA 1024]----+
|                 |
|     E .         |
|    . + .        |
|     .o . o      |
|      S. o       |
|     . o . + .   |
|      oo.. B .   |
|       o +o * +  |
|        o .+ =.  |
+-----------------+

2. Inspect the generated key pair (ssh client):

# ls -lda .ssh
-----------------
drwx------ 2 root root 4096 6月 6 23:03 .ssh
-----------------
# cd .ssh
# ls -la
------------------
总用量 16
drwx------   2 root root 4096 6月 6 23:03 .
dr-xr-x---. 26 root root 4096 6月 6 23:03 ..
-rw-------   1 root root  668 6月 6 23:03 id_dsa
-rw-r--r--   1 root root  613 6月 6 23:03 id_dsa.pub
------------------

Key generation complete.

3. Distribute the public key (the lock) to the SSH server (ssh client):

# ssh-copy-id -i .ssh/id_dsa.pub 192.168.100.29

Note: for a non-root user or a non-default SSH port, the format is:

# ssh-copy-id -i .ssh/id_rsa.pub "-p 22 user@server"

Type yes, then enter the password and press Enter:

The authenticity of host '192.168.100.30 (192.168.100.30)' can't be established.
RSA key fingerprint is fc:9b:2e:38:3b:04:18:67:16:8f:dd:94:a8:bd:08:03.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.100.30' (RSA) to the list of known hosts.
Address 192.168.100.30 maps to bogon, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
[email protected]'s password:
Now try logging into the machine, with "ssh '192.168.100.30'", and check in:

  .ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

Public key distribution complete.

4. On the server, check the received file (ssh server):

# ll /root/.ssh
-------------
总用量 4
-rw------- 1 root root 613 6月 6 23:29 authorized_keys
-------------

Received successfully.

5. Verify the login from the client (ssh client):

# ssh 192.168.100.29 /sbin/ifconfig eth0
-----------------------
Address 192.168.100.29 maps to bogon, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
eth0      Link encap:Ethernet  HWaddr 00:0C:29:7A:4F:30
          inet addr:192.168.100.29  Bcast:192.168.100.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe7a:4f30/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:184297 errors:0 dropped:0 overruns:0 frame:0
          TX packets:162028 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:163599380 (156.0 MiB)  TX bytes:51284830 (48.9 MiB)
          Interrupt:19 Base address:0x2000
-----------------------

Note: the warning "Address 192.168.100.29 maps to bogon, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!" appears here. The fix is to edit /etc/hosts on the client and add the mapping from the server's IP address to its hostname:

(ssh client)
# echo "192.168.100.29 server.example.com" >> /etc/hosts

Check again:

# ssh 192.168.100.29 /sbin/ifconfig eth0

No warning this time:

--------------------------
eth0      Link encap:Ethernet  HWaddr 00:0C:29:7A:4F:30
          inet addr:192.168.100.29  Bcast:192.168.100.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe7a:4f30/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:184530 errors:0 dropped:0 overruns:0 frame:0
          TX packets:162264 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:163618650 (156.0 MiB)  TX bytes:51304877 (48.9 MiB)
          Interrupt:19 Base address:0x2000
---------------------------

Check the server's memory:

# ssh 192.168.100.29 free -m
--------------------------
             total       used       free     shared    buffers     cached
Mem:          1006        991         14          0        177        308
-/+ buffers/cache:        506        500
Swap:         1023          6       1017
---------------------------
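The ssh-copy-id message above tells you to look in .ssh/authorized_keys for keys you did not expect, and the ls -la listings show the file modes that matter: sshd ignores authorized_keys when the .ssh directory or the file itself is writable by group or others, and the ssh client refuses a private key that anyone else can read. The following script is an added example, not code from the original post; it performs both checks offline with plain sh, awk and stat (GNU or BSD). The paths in the usage comment are the ones from this post and are assumed, and any sample key lines fed to it are constructed.

```shell
#!/bin/sh
# Added example, not code from the original post: audit a .ssh directory
# after ssh-copy-id. Two checks a sysadmin wants at this point:
#   1. file modes: sshd (StrictModes) ignores authorized_keys when the
#      directory or the file is group/other writable, and the ssh client
#      refuses a private key that anyone else can read;
#   2. authorized_keys contents: one line per key with type, comment and
#      whether the entry carries options, so an unexpected key stands out
#      (the "check in: .ssh/authorized_keys" advice ssh-copy-id prints).
# Needs only POSIX sh, awk and stat (GNU or BSD); no ssh binaries.

# Octal mode of a path: GNU stat first, BSD stat as the fallback.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_ssh_perms DIR: return 0 when DIR, its private keys and
# authorized_keys have acceptable modes, 1 otherwise (problems on stdout).
check_ssh_perms() {
    dir=$1; rc=0
    m=$(mode_of "$dir")
    if [ $(( 0$m & 022 )) -ne 0 ]; then          # group/other write bit set
        echo "BAD: $dir is mode $m (group/other writable)"; rc=1
    fi
    for key in "$dir"/id_*; do
        [ -f "$key" ] || continue
        case $key in *.pub) continue ;; esac      # public halves may be 644
        m=$(mode_of "$key")
        if [ $(( 0$m & 077 )) -ne 0 ]; then      # any group/other bit set
            echo "BAD: private key $key is mode $m (must be 600)"; rc=1
        fi
    done
    if [ -f "$dir/authorized_keys" ]; then
        m=$(mode_of "$dir/authorized_keys")
        if [ $(( 0$m & 022 )) -ne 0 ]; then
            echo "BAD: $dir/authorized_keys is mode $m (group/other writable)"; rc=1
        fi
    fi
    return $rc
}

# list_authorized_keys FILE: print "<type> <comment> [has options]" per key.
# Entries with forced commands or other options put the key type in a later
# field, which is why the field holding the type is searched for.
list_authorized_keys() {
    awk '
        /^[ \t]*(#|$)/ { next }                    # comments and blank lines
        {
            t = 0
            for (i = 1; i <= NF; i++)
                if ($i ~ /^(ssh-|ecdsa-|sk-)/) { t = i; break }
            if (!t) { print "UNPARSEABLE: " $0; next }
            comment = ""
            for (i = t + 2; i <= NF; i++)          # everything after the key blob
                comment = (comment == "") ? $i : comment " " $i
            out = $t " " (comment == "" ? "(no comment)" : comment)
            if (t > 1) out = out " [has options]"
            print out
        }' "$1"
}

# count_authorized_keys FILE: number of parseable key entries.
count_authorized_keys() {
    list_authorized_keys "$1" | awk '!/^UNPARSEABLE/ { n++ } END { print n + 0 }'
}

# Usage on the hosts in the post (paths assumed from the post):
#   check_ssh_perms /root/.ssh && list_authorized_keys /root/.ssh/authorized_keys
```

Run check_ssh_perms on the server after every ssh-copy-id: a key that "does not work" after distribution is, in practice, almost always one of the mode problems it reports, and the listing gives you the same view of the file that the ssh-copy-id message asks you to take.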
II. Create a shell script for batch management (ssh client)

1. Create the script:

# cd /etc/rc.d
# vi manager.sh
------------------
for ip in `cat iplist`
do
    echo "---$ip---"
    ssh "$ip" "$1"
done
------------------

2. Generate the IP list (with several SSH servers to manage, add each one the same way):

# echo 192.168.100.29 >> iplist
# echo 192.168.100.28 >> iplist
...
# cat iplist
---------------
192.168.100.29
---------------

3. Run the script:

# sh manager.sh "df -h"
----------------
---192.168.100.29---
文件系统      容量  已用  可用 已用% 挂载点
/dev/sda3      19G  6.7G   11G  38% /
tmpfs         504M     0  504M   0% /dev/shm
/dev/sda1     194M   27M  158M  15% /boot
----------------

Management successful.

III. Create a shell script for batch distribution (ssh client)

1. Create the script:

# cd /etc/rc.d
# vi distribute.sh
------------------
for ip in `cat iplist`
do
    echo "---$ip---"
    scp -r -p "$1" "$ip:$2"
done
------------------

The IP list for the script was already created above.

2. Run the script, distributing the files under the local /root to the SSH server host:

# sh distribute.sh /root /tmp
------------------
---192.168.100.29---
.ICEauthority                               100%  620     0.6KB/s   00:00
install.log.syslog                          100%   10KB  10.2KB/s   00:00
preferred-web-browser.desktop               100% 2378     2.3KB/s   00:00
preferred-mail-reader.desktop               100%  257     0.3KB/s   00:00
.converted-launchers                        100%    0     0.0KB/s   00:00
.bash_history                               100% 3200     3.1KB/s   00:00
.bash_logout                                100%   18     0.0KB/s   00:00
applet_dirlist                              100%    0     0.0KB/s   00:00
saved_state                                 100%   65KB  64.5KB/s   00:00
8f329b0c645a51e018b765fa0000001a-0          100%  463     0.5KB/s   00:00
............
------------------

Distribution successful.
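The two loops above do the job, but they have three weaknesses a practitioner runs into quickly: when one host in the list is missing the key, ssh stops at a password prompt and the whole run hangs; a host that is down holds the loop for the full TCP timeout; and nothing reports whether every host succeeded. The following script is an added example, not code from the original post. It keeps the post's host list and ---ip--- banners and fixes those points; SSH_BIN/SCP_BIN (overridable so the functions can be exercised without real hosts), the ConnectTimeout value and the host list path are assumptions of this example, and the hosts in the usage comment are the post's.

```shell
#!/bin/sh
# Added example, not code from the original post: a hardened replacement
# for the manager.sh / distribute.sh loops above. What it changes:
#   - blank lines and '#' comments in the host list are skipped, so the
#     list can carry notes about each host;
#   - BatchMode=yes makes ssh/scp fail immediately when key authentication
#     is not in place instead of hanging on a password prompt, and
#     ConnectTimeout bounds the wait for an unreachable host;
#   - the remote command travels as a single quoted argument;
#   - each host's result is reported and the return value is the number of
#     hosts that failed, so a wrapper can stop a rollout on the first error.
# SSH_BIN / SCP_BIN are overridable so a stub can stand in for the real
# binaries; the host-list path is whatever the caller passes in.

: "${SSH_BIN:=ssh}"
: "${SCP_BIN:=scp}"
SSH_OPTS="-o BatchMode=yes -o ConnectTimeout=5"   # expanded unquoted on purpose

# read_hosts FILE: print the first word of every non-blank, non-comment line.
read_hosts() {
    awk '!/^[ \t]*(#|$)/ { print $1 }' "$1"
}

# run_on_hosts FILE "COMMAND": run COMMAND on every host in FILE.
# Return value: number of hosts on which the command failed (0 = all good).
run_on_hosts() {
    hosts=$1; cmd=$2; failed=0
    for ip in $(read_hosts "$hosts"); do
        echo "---$ip---"
        rc=0; "$SSH_BIN" $SSH_OPTS "$ip" "$cmd" || rc=$?
        if [ "$rc" -eq 0 ]; then
            echo "[$ip] ok"
        else
            echo "[$ip] FAILED (exit $rc)"; failed=$((failed + 1))
        fi
    done
    echo "$failed host(s) failed"
    return "$failed"
}

# push_to_hosts FILE SRC DEST: copy SRC (file or directory tree) to DEST on
# every host, preserving modes and times as the original's scp -r -p does.
# Return value: number of hosts where the copy failed.
push_to_hosts() {
    hosts=$1; src=$2; dest=$3; failed=0
    for ip in $(read_hosts "$hosts"); do
        echo "---$ip---"
        rc=0; "$SCP_BIN" $SSH_OPTS -r -p "$src" "$ip:$dest" || rc=$?
        if [ "$rc" -eq 0 ]; then
            echo "[$ip] ok"
        else
            echo "[$ip] FAILED (exit $rc)"; failed=$((failed + 1))
        fi
    done
    echo "$failed host(s) failed"
    return "$failed"
}

# Usage, with the same list and arguments as the post's scripts:
#   run_on_hosts /etc/rc.d/iplist "df -h"
#   push_to_hosts /etc/rc.d/iplist /root /tmp
```

Because the return value counts failures, a deployment wrapper can chain the two steps the way section IV below combines them: `push_to_hosts iplist ./install_apache.sh /tmp && run_on_hosts iplist "sh /tmp/install_apache.sh"` runs the install only if every copy succeeded.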
IV. Batch deployment

Deployment here combines the two shell-script functions above, batch management and batch distribution.

1. Write the Apache installation script.

Setting up key authentication as a regular user and escalating with sudo for management, distribution and deployment

(ssh server)
# useradd user02
# echo "123456" | passwd --stdin user02

(ssh client)
# useradd user01
# echo "123456" | passwd --stdin user01
# su - user01
# ssh-keygen -t dsa

Note: press Enter three times to accept the defaults.

Distribute the public key to the server as in section I; enter the password 123456 and distribution is complete.

Verify: if the command returns the server-side IP 192.168.100.29, key authentication succeeded.

Distribution:

Note: the client's user01 can now copy files without a password into directories owned by user02 on the server; copying into root-owned directories, however, needs sudo escalation.

1. Grant sudo rights on the server:

# su - root
# echo "user02 ALL=(ALL) NOPASSWD:/usr/bin/rsync,/bin/tar,/usr/bin/scp,/bin/cp" >> /etc/sudoers

Log in to the user02 account:

# su - user02

Check the account's sudo rights:

# sudo -l
----------------
............
User user02 may run the following commands on this host:
    (ALL) NOPASSWD: /usr/bin/rsync, (ALL) /bin/tar, (ALL) /usr/bin/scp, (ALL) /bin/cp
----------------

2. From the client, first distribute into user02's home directory on the server:

# scp -P22 -r -p /home/user01/ user02@192.168.100.29:/home/user02
-----------------------------
.bash_logout                                100%   18     0.0KB/s   00:00
.bashrc                                     100%  124     0.1KB/s   00:00
known_hosts                                 100%  396     0.4KB/s   00:00
id_dsa                                      100%  672     0.7KB/s   00:00
id_dsa.pub                                  100%  615     0.6KB/s   00:00
.bash_profile                               100%  176     0.2KB/s   00:00
-------------------------------

3. Connect to the server and run sudo cp to copy the files locally on the server:

# ssh -t user02@192.168.100.29 sudo cp /home/user02 /etc
-----------------------
Connection to 192.168.100.29 closed.
-----------------------

Copy successful.

Note:

# cp /test1 /test2/

copies the /test1 directory into /test2/, while

# cp /test1/ /test2/

copies all files under /test1 into /test2/.

-------- All done --------
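Appending to /etc/sudoers with echo, as in step 1 above, is the step in this section most likely to lock you out: one malformed line makes sudo refuse the whole file, and there is no clean way to remove just that rule later. The following script is an added example, not code from the original post. It installs the same rule for user02 as a drop-in file that is validated before it goes live; it assumes /etc/sudoers on the server includes /etc/sudoers.d (the #includedir line RHEL/CentOS ship by default), and the drop-in file name and the SUDOERS_D override are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the original post: install the deploy
# user's sudo rule as a drop-in file instead of appending to /etc/sudoers
# with echo. Appending directly has two failure modes: a typo leaves a
# sudoers file that sudo refuses to parse (nobody can sudo until it is
# repaired from a root shell), and there is no clean way to remove just
# this rule later. The drop-in is built under a temporary name sudo
# ignores (file names containing a '.' are skipped in /etc/sudoers.d),
# checked with visudo -c where possible, then renamed into place as 0440.
# SUDOERS_D defaults to /etc/sudoers.d and is overridable for testing.

: "${SUDOERS_D:=/etc/sudoers.d}"

# sudoers_rule USER CMD...: print a NOPASSWD rule limited to the commands
# given. sudoers matches on the path, so every command must be absolute.
sudoers_rule() {
    user=$1; shift
    [ $# -gt 0 ] || { echo "error: no commands given" >&2; return 1; }
    list=""
    for c in "$@"; do
        case $c in
            /*) ;;
            *) echo "error: '$c' is not an absolute path" >&2; return 1 ;;
        esac
        list="${list:+$list, }$c"
    done
    printf '%s ALL=(ALL) NOPASSWD: %s\n' "$user" "$list"
}

# install_sudoers_rule NAME USER CMD...: write the rule to $SUDOERS_D/NAME.
# Returns non-zero, leaving nothing behind, if the rule is malformed or
# visudo rejects it.
install_sudoers_rule() {
    name=$1; shift
    target="$SUDOERS_D/$name"
    tmp="$target.tmp"                       # '.' in the name: sudo ignores it
    sudoers_rule "$@" > "$tmp" || { rm -f "$tmp"; return 1; }
    chmod 0440 "$tmp"
    # visudo -c also checks owner and mode, which only makes sense as root
    if [ "$(id -u)" -eq 0 ] && command -v visudo >/dev/null 2>&1; then
        visudo -cf "$tmp" >/dev/null || { rm -f "$tmp"; return 1; }
    fi
    mv "$tmp" "$target"
}

# Usage, with the rule from the post (run as root on the ssh server):
#   install_sudoers_rule 10-user02-deploy user02 /usr/bin/rsync /bin/tar /usr/bin/scp /bin/cp
```

Two points on the rule itself. rsync, tar, scp and cp run as root can each read or overwrite any file on the system, so the four-command rule from the post is, in effect, unrestricted root for user02; if the deployment target is a fixed directory, the tighter rule is NOPASSWD on one small wrapper script that copies only into that directory. And because the drop-in is a separate file, revoking the access later is `rm /etc/sudoers.d/10-user02-deploy` rather than editing /etc/sudoers by hand.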