環境:
ssh server: 192.168.100.29 server.example.com
ssh client: 192.168.100.30 client.example.com
通過root用戶建立秘鑰認證實現SHELL腳本管理,分發,部署
首先client端創建秘鑰對,並將公鑰分發給需要登錄的SSH服務端
注:公鑰相當於鎖,私鑰相當於鑰匙,我們這裡相當於在客戶端創建一對鑰匙和鎖,想要做到SSH免密碼登錄,就相當於我們將鎖分發到服務端並裝鎖,然後客戶端就可以利用鑰匙開鎖。
一.建立秘鑰認證
1.在客戶端創建秘鑰對:(ssh client)
# su - root
# ssh-keygen -t dsa
一路回車即可
----------------------
Generating public/private dsa key pair.
Enter file in which to save the key (/root/.ssh/id_dsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_dsa.
Your public key has been saved in /root/.ssh/id_dsa.pub.
The key fingerprint is:
e9:5e:4a:7f:79:64:c5:ae:f2:06:a7:26:e4:41:5c:0e [email protected]
The key's randomart image is:
+--[ DSA 1024]----+
| |
| E . |
| . + . |
| .o . o|
| S. o |
| . o . + .|
| oo.. B . |
| o +o * + |
| o .+ =. |
+-----------------+
----------------------
2.查看生成的秘鑰對:(ssh client)
# ls -lda .ssh
-----------------
drwx------ 2 root root 4096 6月 6 23:03 .ssh
-----------------
# cd .ssh
# ls -la
------------------
總用量 16
drwx------ 2 root root 4096 6月 6 23:03 .
dr-xr-x---. 26 root root 4096 6月 6 23:03 ..
-rw------- 1 root root 668 6月 6 23:03 id_dsa
-rw-r--r-- 1 root root 613 6月 6 23:03 id_dsa.pub
------------------
秘鑰生成完畢
3.將公鑰(鎖)分發到SSH服務端:(ssh client)
# ssh-copy-id -i .ssh/id_dsa.pub 192.168.100.29
注:若非root用戶,以及自定義SSH端口,則格式為:
# ssh-copy-id -i .ssh/id_rsa.pub "-p 22 user@server"
輸入yes,然後密碼後回車:
----------------------------
The authenticity of host '192.168.100.30 (192.168.100.30)' can't be established.
RSA key fingerprint is fc:9b:2e:38:3b:04:18:67:16:8f:dd:94:a8:bd:08:03.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.100.30' (RSA) to the list of known hosts.
Address 192.168.100.30 maps to bogon, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
[email protected]'s password:
Now try logging into the machine, with "ssh '192.168.100.30'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
-----------------------------
公鑰分發完畢
4.服務端查看收到的分發文件:(ssh server)
# ll /root/.ssh
-------------
總用量 4
-rw------- 1 root root 613 6月 6 23:29 authorized_keys
-------------
成功收到
5.客戶端驗證登陸:(ssh client)
查看服務端IP地址:
# ssh 192.168.100.29 /sbin/ifconfig eth0
-----------------------
Address 192.168.100.29 maps to bogon, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
eth0 Link encap:Ethernet HWaddr 00:0C:29:7A:4F:30
inet addr:192.168.100.29 Bcast:192.168.100.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe7a:4f30/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:184297 errors:0 dropped:0 overruns:0 frame:0
TX packets:162028 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:163599380 (156.0 MiB) TX bytes:51284830 (48.9 MiB)
Interrupt:19 Base address:0x2000
-----------------------
注:這裡遇到警告提示“Address 192.168.100.29 maps to bogon, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!”。
解決辦法為修改客戶端/etc/hosts文件,將服務端的ip地址與主機名對應關系寫進去就可以了。
(ssh client)
# echo "192.168.100.29 server.example.com" >> /etc/hosts
重新查看
# ssh 192.168.100.29 /sbin/ifconfig eth0
無錯誤提示:
--------------------------
eth0 Link encap:Ethernet HWaddr 00:0C:29:7A:4F:30
inet addr:192.168.100.29 Bcast:192.168.100.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe7a:4f30/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:184530 errors:0 dropped:0 overruns:0 frame:0
TX packets:162264 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:163618650 (156.0 MiB) TX bytes:51304877 (48.9 MiB)
Interrupt:19 Base address:0x2000
---------------------------
查看服務端內存
# ssh 192.168.100.29 free -m
--------------------------
total used free shared buffers cached
Mem: 1006 991 14 0 177 308
-/+ buffers/cache: 506 500
Swap: 1023 6 1017
---------------------------
二.創建SHELL腳本實現批量管理:(ssh client)
1.創建腳本:
# cd /etc/rc.d
# vi manager.sh
------------------
for ip in `cat iplist`
do
echo "---$ip---"
ssh $ip $1
done
------------------
2.生成IP列表:(若有多台SSH服務端需要管理,這裡以此類推即可)
# echo 192.168.100.29 >> iplist
# echo 192.168.100.28 >> iplist
。。。。。
# cat iplist
---------------
192.168.100.29
---------------
3.執行腳本:
# sh manager.sh "df -h"
----------------
---192.168.100.29---
文件系統 容量 已用 可用 已用%% 掛載點
/dev/sda3 19G 6.7G 11G 38% /
tmpfs 504M 0 504M 0% /dev/shm
/dev/sda1 194M 27M 158M 15% /boot
----------------
管理成功
三.創建SHELL腳本實現批量分發:(ssh client)
1.創建腳本:
# cd /etc/rc.d
# vi distribute.sh
------------------
for ip in `cat iplist`
do
echo "---$ip---"
scp -r -p $1 $ip:$2
done
------------------
腳本IP列表已創建
執行腳本:
將本地/root下文件分發到SSH服務端主機
# sh distribute.sh /root /tmp
------------------
---192.168.100.29---
.ICEauthority 100% 620 0.6KB/s 00:00
install.log.syslog 100% 10KB 10.2KB/s 00:00
preferred-web-browser.desktop 100% 2378 2.3KB/s 00:00
preferred-mail-reader.desktop 100% 257 0.3KB/s 00:00
.converted-launchers 100% 0 0.0KB/s 00:00
.bash_history 100% 3200 3.1KB/s 00:00
.bash_logout 100% 18 0.0KB/s 00:00
applet_dirlist 100% 0 0.0KB/s 00:00
saved_state 100% 65KB 64.5KB/s 00:00
8f329b0c645a51e018b765fa0000001a-0 100% 463 0.5KB/s 00:00
............
------------------
分發成功
 
四.批量部署:
這裡的部署就結合了SHELL腳本批量管理和分發兩個功能。
比如你要部署N台SSH服務端批量安裝APACHE。
1.寫好APACHE安裝腳本。
2.將安裝腳本分發到SSH服務端。
3.利用SHELL管理遠端執行該腳本即可。
這裡就不做過多演示,有機會我整理下我的LAMP文檔,寫個APACHE腳本,在這裡演示下。
注:因為涉及風險操作。所以不推薦線上利用root用戶進行批量管理操作。
建議設置普通賬戶,再利用sudo提權操作。
通過普通用戶建立秘鑰認證並sudo提權進行管理,分發,部署
(ssh server)
# useradd user02
# echo "123456" | passwd --stdin user02
(ssh client)
# useradd user01
# echo "123456" | passwd --stdin user01
# su - user01
# ssh-keygen -t dsa
注:默認三個回車完成創建
# ssh-copy-id -i .ssh/id_dsa.pub [email protected]
輸入密碼123456,分發完畢
驗證:
# ssh [email protected] /sbin/ifconfig eth0
返回192.168.100.29端IP即表明秘鑰驗證成功。
分發:
注:客戶端user01用戶現在可以免密碼分發到服務端user02所屬文件夾,但若想分發到root所屬文件夾,則需要sudo提權。
1.服務端sudo提權:
# su - root
# echo "user02 ALL=(ALL) NOPASSWD:/usr/bin/rsync,/bin/tar,/usr/bin/scp,/bin/cp" >> /etc/sudoers
登錄user02賬戶
# su - user02
查看賬戶信息:
# sodo -l
----------------
............
User user02 may run the following commands on this host:
(ALL) NOPASSWD: /usr/bin/rsync, (ALL) /bin/tar, (ALL) /usr/bin/scp,(ALL) /bin/cp
----------------
2.客戶端先分發到服務端user02用戶家目錄:
# scp -P22 -r -p /home/user01/ [email protected]:/home/user02
-----------------------------
.bash_logout 100% 18 0.0KB/s 00:00
.bashrc 100% 124 0.1KB/s 00:00
known_hosts 100% 396 0.4KB/s 00:00
id_dsa 100% 672 0.7KB/s 00:00
id_dsa.pub 100% 615 0.6KB/s 00:00
.bash_profile 100% 176 0.2KB/s 00:00
-------------------------------
2.連接服務端後執行sudo cp命令執行本地拷貝:
# ssh -t [email protected] sudo cp /home/user02 /etc
-----------------------
Connection to 192.168.100.29 closed.
-----------------------
拷貝成功
注:
# cp /test1 /test2/
是將/test1目錄拷貝到/test2/目錄下
# cp /test1/ /test2/
是將/test1目錄下的所有文件拷貝到/test2/目錄下
-------大功告成--------
作者:51cto博客 一路向北