Passwordless SSH login on Linux, with shell scripts for key-based management, distribution and deployment
Environment:
sshserver: 192.168.100.29 server.example.com
sshclient: 192.168.100.30 client.example.com
Set up key-based authentication as root, then use shell scripts for management, distribution and deployment
First, create a key pair on the client and distribute the public key to every SSH server you need to log in to.
Note: the public key is like a lock and the private key like the key that opens it. Here we create a key-and-lock pair on the client; to get passwordless SSH login we distribute the lock to the server and install it there, after which the client can open the lock with its key.
I. Establishing key-based authentication
1. Create the key pair on the client (sshclient):
# su - root
# ssh-keygen -t dsa
Just press Enter at every prompt:
Generating public/private dsa key pair.
Enter file in which to save the key (/root/.ssh/id_dsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_dsa.
Your public key has been saved in /root/.ssh/id_dsa.pub.
The key fingerprint is:
e9:5e:4a:7f:79:64:c5:ae:f2:06:a7:26:e4:41:5c:0e root@zabbix.example.com
The key's randomart image is:
+--[ DSA 1024]----+
|                 |
|        E.       |
|       .+ .      |
|       .o. o     |
|        S. o     |
|       . o.+.    |
|        oo..B.   |
|        o+o*+    |
|        o.+=.    |
+-----------------+
2. Inspect the generated key pair (sshclient):
# ls -lda .ssh
-----------------
drwx------ 2 root root 4096 6月  6 23:03 .ssh
-----------------
# cd .ssh
# ls -la
------------------
总用量 16
drwx------   2 root root 4096 6月  6 23:03 .
dr-xr-x---. 26 root root 4096 6月  6 23:03 ..
-rw-------   1 root root  668 6月  6 23:03 id_dsa
-rw-r--r--   1 root root  613 6月  6 23:03 id_dsa.pub
------------------
The key pair has been generated.
3. Distribute the public key (the lock) to the SSH server (sshclient):
# ssh-copy-id -i .ssh/id_dsa.pub 192.168.100.29
Note: for a non-root user or a non-default SSH port, the format is:
# ssh-copy-id -i .ssh/id_rsa.pub "-p 22 user@server"
Type yes, then enter the password and press Enter:
The authenticity of host '192.168.100.30 (192.168.100.30)' can't be established.
RSA key fingerprint is fc:9b:2e:38:3b:04:18:67:16:8f:dd:94:a8:bd:08:03.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.100.30' (RSA) to the list of known hosts.
Address 192.168.100.30 maps to bogon, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
root@192.168.100.30's password:
Now try logging into the machine, with "ssh '192.168.100.30'", and check in:

  .ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.
Public key distribution complete.
4. On the server, check the received file (sshserver):
# ll /root/.ssh
-------------
总用量 4
-rw------- 1 root root 613 6月  6 23:29 authorized_keys
-------------
Received successfully.
5. Verify the login from the client (sshclient):
Check the server's IP address:
# ssh 192.168.100.29 /sbin/ifconfig eth0
-----------------------
Address 192.168.100.29 maps to bogon, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
eth0      Link encap:Ethernet  HWaddr 00:0C:29:7A:4F:30
          inet addr:192.168.100.29  Bcast:192.168.100.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe7a:4f30/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:184297 errors:0 dropped:0 overruns:0 frame:0
          TX packets:162028 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:163599380 (156.0 MiB)  TX bytes:51284830 (48.9 MiB)
          Interrupt:19 Base address:0x2000
-----------------------
Note: here we get the warning "Address 192.168.100.29 maps to bogon, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!". ssh prints it when the reverse lookup of the server's IP yields a hostname (here "bogon") that does not resolve forward to the same IP.
The fix is to edit /etc/hosts on the client and add the mapping between the server's IP address and its hostname:
(sshclient) # echo "192.168.100.29 server.example.com" >> /etc/hosts
Check again:
# ssh 192.168.100.29 /sbin/ifconfig eth0
No warning this time:
--------------------------
eth0      Link encap:Ethernet  HWaddr 00:0C:29:7A:4F:30
          inet addr:192.168.100.29  Bcast:192.168.100.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe7a:4f30/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:184530 errors:0 dropped:0 overruns:0 frame:0
          TX packets:162264 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:163618650 (156.0 MiB)  TX bytes:51304877 (48.9 MiB)
          Interrupt:19 Base address:0x2000
---------------------------
Check the server's memory:
# ssh 192.168.100.29 free -m
--------------------------
             total       used       free     shared    buffers     cached
Mem:          1006        991         14          0        177        308
-/+ buffers/cache:        506        500
Swap:         1023          6       1017
---------------------------
II. Creating a shell script for batch management (sshclient)
1. Create the script:
# cd /etc/rc.d
# vi manager.sh
------------------
#!/bin/bash
# Run the command passed as $1 on every host listed in ./iplist
for ip in $(cat iplist)
do
    echo "--- $ip ---"
    ssh $ip "$1"
done
------------------
2. Generate the IP list (with several SSH servers to manage, add them the same way):
# echo 192.168.100.29 >> iplist
# echo 192.168.100.28 >> iplist
.....
# cat iplist
---------------
192.168.100.29
---------------
3. Run the script:
# sh manager.sh "df -h"
----------------
--- 192.168.100.29 ---
文件系统        容量  已用  可用 已用%% 挂载点
/dev/sda3        19G  6.7G   11G  38% /
tmpfs           504M     0  504M   0% /dev/shm
/dev/sda1       194M   27M  158M  15% /boot
----------------
Management works.
III. Creating a shell script for batch distribution (sshclient)
1. Create the script:
# cd /etc/rc.d
# vi distribute.sh
------------------
#!/bin/bash
# Copy the local path $1 to the path $2 on every host listed in ./iplist
for ip in $(cat iplist)
do
    echo "--- $ip ---"
    scp -r -p "$1" "$ip:$2"
done
------------------
The IP list used by the script has already been created.
Run the script:
Distribute the files under the local /root to the SSH server host:
# sh distribute.sh /root /tmp
------------------
--- 192.168.100.29 ---
.ICEauthority                          100%  620     0.6KB/s   00:00
install.log.syslog                     100%   10KB  10.2KB/s   00:00
preferred-web-browser.desktop          100% 2378     2.3KB/s   00:00
preferred-mail-reader.desktop          100%  257     0.3KB/s   00:00
.converted-launchers                   100%    0     0.0KB/s   00:00
.bash_history                          100% 3200     3.1KB/s   00:00
.bash_logout                           100%   18     0.0KB/s   00:00
applet_dirlist                         100%    0     0.0KB/s   00:00
saved_state                            100%   65KB  64.5KB/s   00:00
8f329b0c645a51e018b765fa0000001a-0     100%  463     0.5KB/s   00:00
............
------------------
Distribution works.
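The manager.sh and distribute.sh scripts above, combined into one hardened script. This is an added example, not the author's code: it ignores blank and commented lines in iplist, fails instead of hanging when no key is accepted (BatchMode), bounds the wait for an unreachable host, keeps going after a failed host, and returns the number of failures. The names batch.sh, run_on_hosts, push_to_hosts and the SSH/SCP/HOSTFILE overrides are assumptions of this example.

```shell
#!/bin/bash
# batch.sh: hardened form of the page's manager.sh / distribute.sh (added example).
# Assumes one host per line in ./iplist ('#' comments and blank lines ignored) and
# key auth already in place. SSH, SCP and HOSTFILE can be overridden from the
# environment, which also lets the logic be exercised without live hosts.
set -u
HOSTFILE=${HOSTFILE:-iplist}
SSH=${SSH:-ssh}
SCP=${SCP:-scp}
# BatchMode=yes fails instead of hanging on a password prompt when the key is
# not accepted; ConnectTimeout bounds the wait for an unreachable host.
SSH_OPTS="-o BatchMode=yes -o ConnectTimeout=5"   # left unquoted below on purpose

# Print the usable hosts from the list.
read_hosts() {
    grep -Ev '^[[:space:]]*(#|$)' "$HOSTFILE"
}

# run_on_hosts CMD: run CMD on every host, keep going on failure,
# return the number of hosts that failed (0 = all succeeded).
run_on_hosts() {
    local host failed=0
    for host in $(read_hosts); do
        echo "--- $host ---"
        if ! $SSH -n $SSH_OPTS "$host" "$1"; then   # -n: never consume our stdin
            echo "!!! $host: command failed" >&2
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# push_to_hosts SRC DST: copy local SRC to DST on every host, same reporting.
push_to_hosts() {
    local host failed=0
    for host in $(read_hosts); do
        echo "--- $host ---"
        if ! $SCP $SSH_OPTS -r -p "$1" "$host:$2"; then
            echo "!!! $host: copy failed" >&2
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Usage: batch.sh run "df -h"  |  batch.sh push /root /tmp   (no-op without args)
case "${1:-}" in
    run)  run_on_hosts "$2" ;;
    push) push_to_hosts "$2" "$3" ;;
esac
```

A non-zero exit status from the script tells a calling deployment job that at least one host was skipped, which the page's original loops silently swallow.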
IV. Batch deployment
Deployment here combines the two shell-script functions above, batch management and batch distribution.
For example, to install Apache on N SSH servers in batch:
1. Write the Apache installation script.
2. Distribute the installation script to the SSH servers.
3. Use the management script to run it on the remote hosts.
I will not demonstrate this further here; when I get the chance I will tidy up my LAMP notes, write an Apache script, and demonstrate it here.
Note: because this involves risky operations, batch management as root is not recommended on production systems.
It is better to set up an ordinary account and escalate with sudo.
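Steps 2 and 3 of the deployment above for a single host, as an added example that is not part of the original post: it copies the installation script, then runs it only after the remote copy's SHA-256 matches the digest computed locally, so a truncated or altered copy is never executed. It assumes the root key login set up in section I and sha256sum on both sides; deploy_one, remote_cmd, REMOTE_DIR and the SSH/SCP overrides are names assumed here. Call it once per host from the iplist loop.

```shell
#!/bin/bash
# deploy_one.sh: push an install script to one host and run it there only if the
# remote copy is intact (added example). SSH, SCP and REMOTE_DIR are overridable
# so the logic can be exercised without a live host.
set -u
SSH=${SSH:-ssh}
SCP=${SCP:-scp}
REMOTE_DIR=${REMOTE_DIR:-/tmp}
# Local-side fallback for systems that ship shasum instead of sha256sum.
command -v sha256sum >/dev/null 2>&1 || sha256sum() { shasum -a 256 "$@"; }

# Hex SHA-256 digest of a local file.
local_digest() {
    sha256sum "$1" | cut -d' ' -f1
}

# Build the remote command: verify the pinned digest, then run the script.
# The digest comes from the local file, so a modified or truncated remote copy
# fails the check and the script is not executed.
remote_cmd() {
    local file=$1 digest=$2
    printf 'echo "%s  %s" | sha256sum -c --quiet && /bin/bash %s' \
        "$digest" "$file" "$file"
}

# deploy_one HOST SCRIPT: copy, verify, execute. Non-zero on any failure.
deploy_one() {
    local host=$1 script=$2 name digest
    [ -r "$script" ] || { echo "!!! cannot read $script" >&2; return 1; }
    name=$(basename "$script")
    digest=$(local_digest "$script")
    echo "--- $host ---"
    $SCP -o BatchMode=yes -p "$script" "$host:$REMOTE_DIR/$name" || return 1
    $SSH -n -o BatchMode=yes "$host" "$(remote_cmd "$REMOTE_DIR/$name" "$digest")"
}

# Usage: deploy_one.sh HOST SCRIPT   (no-op when loaded without arguments)
if [ $# -eq 2 ]; then
    deploy_one "$1" "$2"
fi
```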
Key-based authentication as an ordinary user with sudo escalation for management, distribution and deployment
(sshserver)
# useradd user02
# echo "123456" | passwd --stdin user02
(sshclient)
# useradd user01
# echo "123456" | passwd --stdin user01
# su - user01
$ ssh-keygen -t dsa
Note: by default, pressing Enter three times completes the creation.
$ ssh-copy-id -i .ssh/id_dsa.pub user02@192.168.100.29
Enter the password 123456; distribution complete.
Verify:
$ ssh user02@192.168.100.29 /sbin/ifconfig eth0
If the IP of 192.168.100.29 is returned, key authentication succeeded.
Distribution:
Note: client user user01 can now distribute files to directories owned by user02 on the server without a password, but distributing into directories owned by root requires sudo escalation.
1. sudo escalation on the server:
# su - root
# echo "user02 ALL=(ALL) NOPASSWD:/usr/bin/rsync,/bin/tar,/usr/bin/scp,/bin/cp" >> /etc/sudoers
Log in to the user02 account:
# su - user02
Check the account's sudo rights:
$ sudo -l
----------------
............
User user02 may run the following commands on this host:
    (ALL) NOPASSWD: /usr/bin/rsync, (ALL) /bin/tar, (ALL) /usr/bin/scp, (ALL) /bin/cp
----------------
2. From the client, first distribute to user02's home directory on the server:
$ scp -P 22 -r -p /home/user01/ user02@192.168.100.29:/home/user02
-----------------------------
.bash_logout                 100%   18     0.0KB/s   00:00
.bashrc                      100%  124     0.1KB/s   00:00
known_hosts                  100%  396     0.4KB/s   00:00
id_dsa                       100%  672     0.7KB/s   00:00
id_dsa.pub                   100%  615     0.6KB/s   00:00
.bash_profile                100%  176     0.2KB/s   00:00
-------------------------------
3. Connect to the server and run sudo cp to do the local copy there:
$ ssh -t user02@192.168.100.29 sudo cp /home/user02 /etc
-----------------------
Connection to 192.168.100.29 closed.
-----------------------
Copy succeeded.
Note:
# cp /test1 /test2/
copies the /test1 directory into /test2/;
# cp /test1/ /test2/
copies all the files under /test1 into /test2/.
------- All done --------