SSH batch distribution service
1. System environment
[root@A ~]# uname -a
Linux A 2.6.32-431.el6.x86_64 #1 SMP Fri Nov 22 03:15:09 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
[root@A ~]# ifconfig eth0 | grep 'inet addr' | awk '{print $2}' | awk -F':' '{print $2}'
10.0.0.3
[root@A ~]#
[root@B ~]# uname -a
Linux B 2.6.32-431.el6.x86_64 #1 SMP Fri Nov 22 03:15:09 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
[root@B ~]# ifconfig eth0 | grep 'inet addr' | awk '{print $2}' | awk -F':' '{print $2}'
10.0.0.4
[root@B ~]#
[gao@C ~]$ uname -a
Linux C 2.6.32-431.el6.x86_64 #1 SMP Fri Nov 22 03:15:09 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
[gao@C ~]$ ifconfig eth0 | grep 'inet addr' | awk '{print $2}' | awk -F':' '{print $2}'
10.0.0.5
[gao@C ~]$
2. Deployment diagram
3. Create the user used for batch distribution
The same user, gao, is created on all three servers A, B and C. The password is set non-interactively with passwd --stdin; it is identical on every host and is only needed once, for ssh-copy-id. Once the key is in place, password logins for this account can be switched off in sshd_config (Match User gao / PasswordAuthentication no) so the shared password stops being a way in.
[root@A ~]# useradd gao
[root@A ~]# echo asdasd|passwd --stdin gao
Changing password for user gao.
passwd: all authentication tokens updated successfully.
[root@A ~]# tail -1 /etc/passwd
gao:x:500:500::/home/gao:/bin/bash
[root@B ~]# useradd gao
[root@B ~]# echo asdasd|passwd --stdin gao
Changing password for user gao.
passwd: all authentication tokens updated successfully.
[root@B ~]# tail -1 /etc/passwd
gao:x:500:500::/home/gao:/bin/bash
[root@C ~]# useradd gao
[root@C ~]# echo asdasd|passwd --stdin gao
Changing password for user gao.
passwd: all authentication tokens updated successfully.
[root@C ~]# tail -1 /etc/passwd
gao:x:500:500::/home/gao:/bin/bash
4. Generate the key pair
Switch to user gao on all three servers. Generate the key pair on A, then send A's public key to gao's home directory on B and C.
Generate the key pair on A. The page uses DSA, which ssh-keygen caps at 1024 bits and which OpenSSH 7.0 and later refuse by default; on a current system run ssh-keygen -t ed25519 (or ssh-keygen -t rsa -b 4096) instead, the rest of the procedure is unchanged.
[root@A ~]# su - gao
[gao@A ~]$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/gao/.ssh/id_dsa):
Created directory '/home/gao/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/gao/.ssh/id_dsa.
Your public key has been saved in /home/gao/.ssh/id_dsa.pub.
The key fingerprint is:
08:3b:9f:fd:f2:49:61:26:3a:fd:27:ed:dd:ca:2a:… gao@A
The key's randomart image is:
+--[ DSA 1024]----+
| |
| |
| . |
| o. |
| o . S+ |
| o = +.E |
| = o.+ |
| ..+o.oo . |
| o==o.+..|
+-----------------+
[gao@A ~]$
View the key pair. id_dsa is the private key (mode 600). No passphrase was given, so it sits on disk in the clear: anyone who can read it as gao or root on A can log in to B and C as gao, which makes A the box to protect.
[gao@A ~]$ ls -al .ssh/
total 16
drwx------. 2 gao gao 4096 Jul 20 14:03 .
drwx------. 3 gao gao 4096 Jul 20 14:03 ..
-rw-------. 1 gao gao  668 Jul 20 14:03 id_dsa        (private key)
-rw-r--r--. 1 gao gao  595 Jul 20 14:03 id_dsa.pub    (public key)
[gao@A ~]$ ls -al .ssh/ -d
drwx------. 2 gao gao 4096 Jul 20 14:03 .ssh/
[gao@A ~]$
Send the public key to gao's home directory on B and C. The quoted "-p22 user@host" argument is how this older ssh-copy-id is told which port to use. Before answering "yes" to the host-key prompt, compare the fingerprint with the one the target reports locally (ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub on B); accepting it blind is exactly the moment a man-in-the-middle would pick.
[gao@A ~]$ ssh-copy-id -i .ssh/id_dsa.pub "-p22 gao@10.0.0.4"
The authenticity of host '10.0.0.4 (10.0.0.4)' can't be established.
RSA key fingerprint is cc:1b:7f:cc:a7:61:4f:ab:c3:60:df:f8:3a:17:b8:44.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.0.4' (RSA) to the list of known hosts.
gao@10.0.0.4's password:
Now try logging into the machine, with "ssh '-p22 gao@10.0.0.4'", and check in:
  .ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
[gao@A ~]$ ssh-copy-id -i .ssh/id_dsa.pub gao@10.0.0.5
The authenticity of host '10.0.0.5 (10.0.0.5)' can't be established.
RSA key fingerprint is cc:1b:7f:cc:a7:61:4f:ab:c3:60:df:f8:3a:17:b8:44.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.0.5' (RSA) to the list of known hosts.
gao@10.0.0.5's password:
Now try logging into the machine, with "ssh 'gao@10.0.0.5'", and check in:
  .ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
[gao@A ~]$
Check gao's home directory on B and C to confirm A's public key arrived
[gao@B ~]$ ls .ssh/ -l
total 4
-rw-------. 1 gao gao 595 Jul 20 14:07 authorized_keys
[gao@B ~]$
[gao@C ~]$ ls .ssh/
authorized_keys
[gao@C ~]$ ls .ssh/ -l
total 4
-rw-------. 1 gao gao 595 Jul 20 17:02 authorized_keys
[gao@C ~]$
Comparing the two listings, A's public key arrived under a different name and with different permissions. So if you ever install the key by hand instead of with ssh-copy-id, append id_dsa.pub to ~/.ssh/authorized_keys and set the permissions sshd expects: ~/.ssh mode 700 and authorized_keys mode 600. sshd's StrictModes (on by default) refuses a key file or directory that is writable by group or others, and the login then silently falls back to a password prompt.
One more thing is visible in the ssh-copy-id output above: B and C presented the same RSA host-key fingerprint (cc:1b:7f:...). That happens when machines are cloned from one image with /etc/ssh/ssh_host_* included. Regenerate the host keys on cloned machines (remove /etc/ssh/ssh_host_* and restart sshd); otherwise known_hosts cannot tell the two apart and anyone holding that one private host key can impersonate both.
With the public key installed correctly on B and C, A can distribute to and manage B and C without a password. The trust is one-way: B and C hold only A's public key, so they cannot log in to A.
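As an added example (not code from the original page), here are the two checks the paragraph above calls for, written so they run offline against local files: a hand install of a public key that reproduces what ssh-copy-id does on the target side (directory 700, file 600, no duplicate entries), and a scan of a known_hosts file for one host key presented by several hosts, which is what the identical fingerprints for 10.0.0.4 and 10.0.0.5 indicate. The key line and the known_hosts entries in the demo are constructed; the REMOTE_INSTALL one-liner is shown as a string and not executed.

```shell
#!/bin/sh
# Added example, not from the original page.
#   install_pubkey  - what ssh-copy-id does on the target: ~/.ssh 700,
#                     authorized_keys 600, key appended once
#   shared_hostkeys - list host keys that appear under more than one host
#                     name in a known_hosts file (cloned-image symptom)
# The key line and the known_hosts file below are constructed for the demo.

# install_pubkey HOME_DIR PUBKEY_LINE
# Body runs in a subshell so the umask change does not leak into the caller.
install_pubkey() (
    home="$1"; key="$2"
    sshdir="$home/.ssh"; auth="$sshdir/authorized_keys"
    umask 077                                  # anything created here is owner-only
    mkdir -p "$sshdir" && chmod 700 "$sshdir"
    touch "$auth" && chmod 600 "$auth"
    # append only if this exact line is not already present (idempotent)
    grep -qxF -- "$key" "$auth" || printf '%s\n' "$key" >> "$auth"
)

# The same thing over ssh, for the target user's home (shown, not executed):
#   cat ~/.ssh/id_dsa.pub | ssh -p 22 gao@10.0.0.4 "$REMOTE_INSTALL"
REMOTE_INSTALL='umask 077; mkdir -p ~/.ssh; chmod 700 ~/.ssh; cat >> ~/.ssh/authorized_keys; chmod 600 ~/.ssh/authorized_keys'

# count_keys HOME_DIR : number of lines in authorized_keys
count_keys() {
    wc -l < "$1/.ssh/authorized_keys" | tr -d ' '
}

# check_perms HOME_DIR : succeeds only for the layout sshd's StrictModes accepts
check_perms() {
    [ "$(ls -ld "$1/.ssh" | cut -c1-10)" = "drwx------" ] &&
    [ "$(ls -l "$1/.ssh/authorized_keys" | cut -c1-10)" = "-rw-------" ]
}

# shared_hostkeys KNOWN_HOSTS_FILE
# One output line per host key seen under more than one host name:
# "<host1> <host2> ...: <keytype> <key prefix>...". Hashed (|1|...) and
# comment lines are skipped.
shared_hostkeys() {
    awk '$1 !~ /^[|#]/ && NF >= 3 {
            k = $2 " " $3
            if (!(k in first)) first[k] = $1
            else if (first[k] != $1) dup[k] = dup[k] " " $1
         }
         END { for (k in dup) print first[k] dup[k] ": " substr(k, 1, 24) "..." }' "$1"
}

# --- demo on throwaway files ---
DEMO_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedDemoKeyNotARealKeyxxxxxx gao@A'
demo_home=$(mktemp -d)
install_pubkey "$demo_home" "$DEMO_KEY"
install_pubkey "$demo_home" "$DEMO_KEY"        # second run must not add a duplicate
echo "keys installed: $(count_keys "$demo_home")"        # 1
check_perms "$demo_home" && echo "permissions ok"

demo_kh=$(mktemp)
cat > "$demo_kh" <<'EOF'
10.0.0.4 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQClonedImageKeyConstructed
10.0.0.5 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQClonedImageKeyConstructed
10.0.0.6 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDistinctKeyConstructed
EOF
echo "hosts sharing a host key:"
shared_hostkeys "$demo_kh"                     # 10.0.0.4 10.0.0.5: ssh-rsa ...
rm -rf "$demo_home" "$demo_kh"
```

Run shared_hostkeys against ~/.ssh/known_hosts on A after the ssh-copy-id step; with the fingerprints shown above it will list 10.0.0.4 and 10.0.0.5 together. It only works on unhashed entries (HashKnownHosts no), which is the CentOS 6 default.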
Test
- From A, read B's and C's IP addresses without a password (the full path /sbin/ifconfig is needed because the PATH a non-login remote command gets on CentOS 6 does not include /sbin)
[gao@A ~]$ ssh -p22 gao@10.0.0.4 /sbin/ifconfig eth0 | grep 'inet addr'
inet addr:10.0.0.4 Bcast:10.0.0.255 Mask:255.255.255.0
[gao@A ~]$ ssh -p22 gao@10.0.0.5 /sbin/ifconfig eth0 | grep 'inet addr'
inet addr:10.0.0.5 Bcast:10.0.0.255 Mask:255.255.255.0
[gao@A ~]$ ssh -p22 gao@10.0.0.5 /sbin/ifconfig eth0 | grep 'inet addr' | awk '{print $2}' | awk -F ':' '{print $2}'
10.0.0.5
[gao@A ~]$ ssh -p22 gao@10.0.0.4 /sbin/ifconfig eth0 | grep 'inet addr' | awk '{print $2}' | awk -F ':' '{print $2}'
10.0.0.4
No password prompt appeared, so key-based login from A to B and C works.
- Distribute files with a script (here the script is used to distribute itself)
[gao@A ~]$ sh fengfa.sh fengfa.sh
fengfa.sh 100% 120 0.1KB/s 00:00
fengfa.sh 100% 120 0.1KB/s 00:00
[gao@A ~]$ cat fengfa.sh
#!/bin/bash
# fengfa.sh: copy one file or directory into gao's home on B and C
if [ $# -ne 1 ]
then
    echo "USAGE:/bin/sh $0 arg1"
    exit 1
fi
for n in 4 5
do
    scp -P22 -rp "$1" gao@10.0.0.$n:~/
done
[gao@A ~]$
- Manage servers in batch with a script (the command is run on B, then on C; the two outputs follow each other with no separator)
[gao@A ~]$ sh guangli.sh /sbin/ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0C:29:61:34:C0
          inet addr:10.0.0.4  Bcast:10.0.0.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe61:34c0/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:146015 errors:0 dropped:0 overruns:0 frame:0
          TX packets:273645 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:21283373 (20.2 MiB)  TX bytes:16164642 (15.4 MiB)
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:131107 errors:0 dropped:0 overruns:0 frame:0
          TX packets:131107 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:5507564 (5.2 MiB)  TX bytes:5507564 (5.2 MiB)
eth0      Link encap:Ethernet  HWaddr 00:0C:29:04:9C:CB
          inet addr:10.0.0.5  Bcast:10.0.0.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe04:9ccb/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3379 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1738 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:478398 (467.1 KiB)  TX bytes:276437 (269.9 KiB)
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:28 errors:0 dropped:0 overruns:0 frame:0
          TX packets:28 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:4610 (4.5 KiB)  TX bytes:4610 (4.5 KiB)
[gao@A ~]$ cat guangli.sh
#!/bin/bash
# guangli.sh: run one command on B and C in turn and print its output
if [ $# -ne 1 ]
then
    echo "USAGE:/bin/sh $0 arg1"
    exit 1
fi
for n in 4 5
do
    ssh -p22 gao@10.0.0.$n "$1"
done
[gao@A ~]$
5. Use sudo to distribute files or directories into directories a normal user cannot write to
Steps:
- On every server, edit /etc/sudoers so the normal user may run cp as root
- Copy the file into the user's home directory on the target first
- Then run the privileged copy over ssh in the form ssh -t gao@10.0.0.4 "sudo command" (sudo may require a tty, hence -t)
The most common production example: push one hosts file to /etc/hosts on every server.
- On every server, switch to root and run:
echo 'gao ALL=(ALL) NOPASSWD: /bin/cp' >> /etc/sudoers
tail -5 /etc/sudoers
visudo -c
Two things to know about this rule. It allows cp with any arguments, so gao can copy any file anywhere as root, a prepared /etc/sudoers or /etc/shadow included; that is root access, just one step removed. sudo matches arguments literally, so restrict the rule to the exact command line you need, e.g. gao ALL=(root) NOPASSWD: /bin/cp /home/gao/hosts /etc/hosts. And a syntax error appended with echo breaks sudo for everyone until it is fixed; visudo -c afterwards catches that, but editing with visudo, or dropping a mode-440 file into /etc/sudoers.d (which the RHEL/CentOS 6 sudoers includes by default via #includedir), is the safer habit.
- On A, switch to gao, copy the hosts file into gao's home on B and C, then push it into /etc/ over ssh
[gao@A ~]$ scp -P22 hosts gao@10.0.0.4:~/
hosts 100% 219 0.2KB/s 00:00
[gao@A ~]$ ssh -t -p22 gao@10.0.0.4 "sudo /bin/cp hosts /etc/"
Connection to 10.0.0.4 closed.
[gao@A ~]$
[gao@A ~]$ scp -P22 hosts gao@10.0.0.5:~/
hosts 100% 219 0.2KB/s 00:00
[gao@A ~]$ ssh -t -p22 gao@10.0.0.5 "sudo /bin/cp hosts /etc/"
Connection to 10.0.0.5 closed.
[gao@A ~]$
The second bullet above can be done with the following script
[gao@A ~]$ vi tfengfa.sh
#!/bin/sh
# tfengfa.sh: stage a file in gao's home on B and C, then copy it into place with sudo
file="$1"
remotedir="$2"
. /etc/init.d/functions        # provides action() for the [ OK ] / [FAILED] lines
if [ $# -ne 2 ]
then
    echo "USAGE:/bin/sh $0 file path"
    exit 1
fi
for n in 4 5
do
    scp -P22 -rp "$file" gao@10.0.0.$n:~/
    ssh -t -p22 gao@10.0.0.$n "sudo /bin/cp ~/$file $remotedir"
    if [ $? -eq 0 ]            # only the ssh step is checked; a failed scp is not caught
    then
        action "scp $file to $remotedir is ok" /bin/true
    else
        action "scp $file to $remotedir is fail" /bin/false
    fi
done
[gao@A ~]$ sh tfengfa.sh hosts /root/
hosts 100% 219 0.2KB/s 00:00
Connection to 10.0.0.4 closed.
scp hosts to /root/ is ok [ OK ]
hosts 100% 219 0.2KB/s 00:00
Connection to 10.0.0.5 closed.
scp hosts to /root/ is ok [ OK ]
[gao@A ~]$
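The following is an added example, not code from the original page: the rule the page appends to /etc/sudoers beside a restricted form of it, and a small audit function that flags NOPASSWD entries whose command has no argument list (the user chooses the arguments, which for cp or rsync means root). Files are written to a temporary directory; the /etc/sudoers.d drop-in convention and the exact /home/gao/hosts to /etc/hosts pairing are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the original page: weak vs. restricted sudoers rule,
# plus an audit of NOPASSWD entries that leave the arguments to the user.

# The page's rule: gao may run cp as root with ANY arguments, no password.
# That is root in one step, e.g.  sudo /bin/cp ~/sudoers /etc/sudoers
WEAK_RULE='gao ALL=(ALL) NOPASSWD: /bin/cp'

# Restricted: sudo compares the command line word by word, so only this exact
# invocation matches. The distribution step must then run exactly:
#   ssh -t -p22 gao@10.0.0.4 "sudo /bin/cp /home/gao/hosts /etc/hosts"
TIGHT_RULE='gao ALL=(root) NOPASSWD: /bin/cp /home/gao/hosts /etc/hosts'

# write_rule RULE FILE : write a drop-in the way /etc/sudoers.d expects
# (mode 440), then syntax-check it with visudo when that is possible
# (visudo's check mode also verifies owner and mode, so only as root).
write_rule() {
    printf '%s\n' "$1" > "$2"
    chmod 440 "$2"
    if [ "$(id -u)" -eq 0 ] && command -v visudo >/dev/null 2>&1; then
        visudo -cf "$2"
    fi
}

# unrestricted_cmds FILE : print each NOPASSWD command spec that carries no
# argument list (or is ALL). Comment lines are skipped; several commands on
# one line (comma separated) are examined one by one.
unrestricted_cmds() {
    awk -F'NOPASSWD:' '$0 !~ /^[ \t]*#/ && NF > 1 {
            n = split($2, cmds, ",")
            for (i = 1; i <= n; i++) {
                c = cmds[i]
                gsub(/^[ \t]+|[ \t]+$/, "", c)
                if (c == "ALL" || c !~ / /) print c
            }
        }' "$1"
}

# --- demo ---
demo_dir=$(mktemp -d)
write_rule "$WEAK_RULE"  "$demo_dir/gao-weak"
write_rule "$TIGHT_RULE" "$demo_dir/gao-tight"
echo "unrestricted in weak rule:  $(unrestricted_cmds "$demo_dir/gao-weak")"   # /bin/cp
echo "unrestricted in tight rule: $(unrestricted_cmds "$demo_dir/gao-tight")"  # (nothing)
rm -rf "$demo_dir"
```

Running unrestricted_cmds /etc/sudoers on a box set up as in this section prints /bin/cp; after switching to the restricted rule it prints nothing. The same check applied to section 6 would flag /usr/bin/rsync if it were granted via sudo without arguments; with the setuid approach there is no rule to audit at all.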
6. Use a setuid rsync to distribute files into privileged directories
- On every server, set the setuid bit on rsync (chmod 4755, or chmod u+s)
Be clear about what this does: a setuid-root rsync runs as root for every local account, not only gao, and rsync copies in both directions, so any user on the box can read /etc/shadow out or overwrite /etc/sudoers with it. It is the least selective of the approaches on this page; the sudo rule from section 5, restricted to an exact command line, achieves the same copy with far less exposure.
[root@A ~]# which rsync
/usr/bin/rsync
[root@A ~]# chmod u+s `which rsync`
[root@A ~]# ll `which rsync`
-rwsr-xr-x. 1 root root 415000 Oct 31 2013 /usr/bin/rsync
[root@A ~]#
[root@B ~]# chmod 4755 /usr/bin/rsync
[root@B ~]# ll /usr/bin/rsync
-rwsr-xr-x. 1 root root 415000 Oct 31 2013 /usr/bin/rsync
[root@B ~]#
[root@C ~]# chmod 4755 /usr/bin/rsync
[root@C ~]# ll /usr/bin/rsync
-rwsr-xr-x. 1 root root 415000 Oct 31 2013 /usr/bin/rsync
[root@C ~]#
- Copy the file to be distributed into gao's home directory on each server
[gao@A ~]$ echo asdasdaf >gao.txt
[gao@A ~]$ scp -P22 -rp gao.txt gao@10.0.0.4:~/
gao.txt 100% 9 0.0KB/s 00:00
[gao@A ~]$ scp -P22 -rp gao.txt gao@10.0.0.5:~/
gao.txt 100% 9 0.0KB/s 00:00
[gao@B ~]$ ll
total 12
-rw-r--r--. 1 gao gao 120 Jul 20 14:22 fengfa.sh
-rw-rw-r--. 1 gao gao   9 Jul 20 18:59 gao.txt
-rw-r--r--. 1 gao gao 219 Jul 20 18:31 hosts
[gao@B ~]$ cat gao.txt
asdasdaf
[gao@B ~]$
[gao@C ~]$ ll
total 88
-rw-r--r--. 1 gao gao   120 Jul 20 14:22 fengfa.sh
-rw-rw-r--. 1 gao gao     9 Jul 20 22:02 gao.txt
-rw-r--r--. 1 gao gao   219 Jul 20 18:31 hosts
-rwxr-xr-x. 1 gao gao 73936 May 10  2012 ifconfig
[gao@C ~]$ cat gao.txt
asdasdaf
[gao@C ~]$
- Then use ssh and /usr/bin/rsync directly to move the file from the home directory into the privileged directory (no -t and no sudo needed, because the setuid bit makes rsync run as root)
[gao@A ~]$ ssh -p22 gao@10.0.0.4 "/usr/bin/rsync ~/gao.txt /root/"
[gao@A ~]$
[root@B ~]# cat gao.txt
asdasdaf
[root@B ~]#
[gao@A ~]$ ssh -p22 gao@10.0.0.5 "/usr/bin/rsync ~/gao.txt /root/"
[gao@A ~]$
[root@C ~]# ls
anaconda-ks.cfg gao.txt hosts install.log install.log.syslog
[root@C ~]# cat gao.txt
asdasdaf
[root@C ~]#
- Script version
[gao@A ~]$ echo aaaaaaaaa>guo.txt
[gao@A ~]$ sh tfengfa1.sh guo.txt /etc/
guo.txt 100% 10 0.0KB/s 00:00
Connection to 10.0.0.4 closed.
scp guo.txt to /etc/ is ok [ OK ]
guo.txt 100% 10 0.0KB/s 00:00
Connection to 10.0.0.5 closed.
scp guo.txt to /etc/ is ok [ OK ]
[gao@A ~]$
[gao@A ~]$ cat tfengfa1.sh
#!/bin/sh
# tfengfa1.sh: same as tfengfa.sh, but the privileged copy uses the setuid rsync
file="$1"
remotedir="$2"
. /etc/init.d/functions        # provides action() for the [ OK ] / [FAILED] lines
if [ $# -ne 2 ]
then
    echo "USAGE:/bin/sh $0 file path"
    exit 1
fi
for n in 4 5
do
    scp -P22 -rp "$file" gao@10.0.0.$n:~/
    ssh -t -p22 gao@10.0.0.$n "/usr/bin/rsync ~/$file $remotedir"
    if [ $? -eq 0 ]            # only the ssh step is checked; a failed scp is not caught
    then
        action "scp $file to $remotedir is ok" /bin/true
    else
        action "scp $file to $remotedir is fail" /bin/false
    fi
done
[gao@A ~]$
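As an added example covering both section 5 (sudo /bin/cp) and section 6 (setuid rsync), here is one distribution script in the spirit of the page's tfengfa.sh and tfengfa1.sh, written to remove their weak points: the host list and port are variables rather than "for n in 4 5", the scp step and the privileged copy are checked separately so a failed upload is not reported as success, every expansion is quoted so file names with spaces survive, and the exit status is the number of hosts that failed. The hosts, user and port are the page's; SCP_BIN/SSH_BIN and the dry-run stubs are assumptions added so the logic can be exercised without a remote host. This is example code, not the page's own script.

```shell
#!/bin/bash
# Added example, not from the original page: distribute FILE to REMOTE_DIR on
# every host in HOSTS, staging it in the remote user's home first and then
# moving it into place with PRIV_CMD ("sudo /bin/cp" or "/usr/bin/rsync").

HOSTS="${HOSTS:-10.0.0.4 10.0.0.5}"     # the page's targets B and C
SSH_PORT="${SSH_PORT:-22}"
REMOTE_USER="${REMOTE_USER:-gao}"
SCP_BIN="${SCP_BIN:-scp}"               # overridable for dry runs / tests
SSH_BIN="${SSH_BIN:-ssh}"

# distribute FILE REMOTE_DIR PRIV_CMD
# Return value: 0 if every host succeeded, otherwise the number of failed hosts.
distribute() {
    local file="$1" remotedir="$2" privcmd="$3"
    local host base failed=0
    [ -r "$file" ] || { echo "cannot read '$file'" >&2; return 1; }
    base=$(basename "$file")            # ./dir/x is staged as ~/x on the remote
    for host in $HOSTS; do
        # step 1: stage the file in ~ of REMOTE_USER; a failure here is its own error
        if ! "$SCP_BIN" -P "$SSH_PORT" -rp -- "$file" "$REMOTE_USER@$host:~/"; then
            echo "[FAIL] scp '$file' -> $host" >&2
            failed=$((failed + 1)); continue
        fi
        # step 2: privileged copy. -t because sudo may need a tty; the remote
        # shell expands ~ itself, the file name and target dir are single-quoted.
        if ! "$SSH_BIN" -t -p "$SSH_PORT" "$REMOTE_USER@$host" \
                "$privcmd ~/'$base' '$remotedir'"; then
            echo "[FAIL] $privcmd '$base' -> $host:$remotedir" >&2
            failed=$((failed + 1)); continue
        fi
        echo "[ OK ] '$base' -> $host:$remotedir"
    done
    return "$failed"
}

# Dry-run stubs: print what would be executed instead of doing it.
dry_scp() { echo "would run: scp $*"; }
dry_ssh() { echo "would run: ssh $*"; }

# usage: sh dist.sh FILE REMOTE_DIR PRIV_CMD
#   sh dist.sh hosts /etc/ "sudo /bin/cp"           (section 5)
#   sh dist.sh gao.txt /root/ /usr/bin/rsync        (section 6)
#   DRY_RUN=1 sh dist.sh hosts /etc/ "sudo /bin/cp" (print the commands only)
if [ "$#" -eq 3 ]; then
    if [ -n "${DRY_RUN:-}" ]; then SCP_BIN=dry_scp; SSH_BIN=dry_ssh; fi
    distribute "$@"
fi
```

If the sudoers rule is restricted to an exact command line as suggested in section 5, PRIV_CMD and the staged path must reproduce that line word for word (for example by staging into /home/gao/hosts and passing /etc/hosts, not /etc/), because sudo does no path normalisation when matching arguments.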