SSH batch distribution service
1. System environment
[root@A ~]# uname -a
Linux A 2.6.32-431.el6.x86_64 #1 SMP Fri Nov 22 03:15:09 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
[root@A ~]# ifconfig eth0 | grep 'inet addr' | awk '{print $2}' | awk -F':' '{print $2}'
10.0.0.3
[root@A ~]#
[root@B ~]# uname -a
Linux B 2.6.32-431.el6.x86_64 #1 SMP Fri Nov 22 03:15:09 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
[root@B ~]# ifconfig eth0 | grep 'inet addr' | awk '{print $2}' | awk -F':' '{print $2}'
10.0.0.4
[root@B ~]#
[deng@C ~]$ uname -a
Linux C 2.6.32-431.el6.x86_64 #1 SMP Fri Nov 22 03:15:09 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
[deng@C ~]$ ifconfig eth0 | grep 'inet addr' | awk '{print $2}' | awk -F':' '{print $2}'
10.0.0.5
[deng@C ~]$
2. Deployment diagram
3. Create the user used for batch distribution
Here the same user is created on all three servers A, B and C.
[root@A ~]# useradd gao
[root@A ~]# echo asdasd|passwd --stdin gao
Changing password for user gao.
passwd: all authentication tokens updated successfully.
[root@A ~]# tail -1 /etc/passwd
gao:x:500:500::/home/gao:/bin/bash
[root@B ~]# useradd gao
[root@B ~]# echo asdasd|passwd --stdin gao
Changing password for user gao.
passwd: all authentication tokens updated successfully.
[root@B ~]# tail -1 /etc/passwd
gao:x:500:500::/home/gao:/bin/bash
[root@C ~]# useradd gao
[root@C ~]# echo asdasd|passwd --stdin gao
Changing password for user gao.
passwd: all authentication tokens updated successfully.
[root@C ~]# tail -1 /etc/passwd
gao:x:500:500::/home/gao:/bin/bash
4. Generate keys
Switch to the gao user on all three servers! Generate the key pair on A, then send A's public key to the home directory of the gao user on B and C.
Generate the key pair on A
[root@A ~]# su - gao
[gao@A ~]$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/gao/.ssh/id_dsa):
Created directory '/home/gao/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/gao/.ssh/id_dsa.
Your public key has been saved in /home/gao/.ssh/id_dsa.pub.
The key fingerprint is:
08:3b:9f:fd:f2:49:61:26:3a:fd:27:ed:dd:ca:2a:65 gao@A
The key's randomart image is:
+--[ DSA 1024]----+
| |
| |
| . |
| o. |
| o . S+ |
| o = +.E |
| = o.+ |
| ..+o.oo . |
| o==o.+..|
+-----------------+
[gao@A ~]$
View the key pair
[gao@A ~]$ ls -al .ssh/
total 16
drwx------. 2 gao gao 4096 Jul 20 14:03 .
drwx------. 3 gao gao 4096 Jul 20 14:03 ..
-rw-------. 1 gao gao 668 Jul 20 14:03 id_dsa
-rw-r--r--. 1 gao gao 595 Jul 20 14:03 id_dsa.pub (public key)
[gao@A ~]$ ls -al .ssh/ -d
drwx------. 2 gao gao 4096 Jul 20 14:03 .ssh/
[gao@A ~]$
Distribute the public key to gao's home directory on B and C
[gao@A ~]$ ssh-copy-id -i .ssh/id_dsa.pub "-p22 gao@10.0.0.4"
The authenticity of host '10.0.0.4 (10.0.0.4)' can't be established.
RSA key fingerprint is cc:1b:7f:cc:a7:61:4f:ab:c3:60:df:f8:3a:17:b8:44.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.0.4' (RSA) to the list of known hosts.
gao@10.0.0.4's password:
Now try logging into the machine, with "ssh '-p22 gao@10.0.0.4'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
[gao@A ~]$ ssh-copy-id -i .ssh/id_dsa.pub gao@10.0.0.5
The authenticity of host '10.0.0.5 (10.0.0.5)' can't be established.
RSA key fingerprint is cc:1b:7f:cc:a7:61:4f:ab:c3:60:df:f8:3a:17:b8:44.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.0.5' (RSA) to the list of known hosts.
gao@10.0.0.5's password:
Now try logging into the machine, with "ssh 'gao@10.0.0.5'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
[gao@A ~]$
Check whether A's public key is present in gao's home directory on B and C
[gao@B ~]$ ls .ssh/ -l
total 4
-rw-------. 1 gao gao 595 Jul 20 14:07 authorized_keys
[gao@B ~]$
[gao@C ~]$ ls .ssh/
authorized_keys
[gao@C ~]$ ls .ssh/ -l
total 4
-rw-------. 1 gao gao 595 Jul 20 17:02 authorized_keys
[gao@C ~]$
Comparing the two, you can see that when A's public key arrived, not only its file name changed but also its permissions.
So if in future you do not use ssh-copy-id to send the key, you must rename the public key to authorized_keys and give it mode 600, otherwise it will not work.
Once the public key has been correctly sent to B and C, A can distribute to and manage B and C in batch without a password.
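The manual route described above (rename the key to authorized_keys, mode 600, inside a mode 700 .ssh), as an added shell example that is not from the original page: a function that installs a public key the way ssh-copy-id does, plus a check that reports whether the permissions sshd requires are in place. The optional home-directory argument is an assumption.

```shell
#!/bin/sh
# Install a public key into authorized_keys by hand, as ssh-copy-id does:
# append the key once, and force the permissions sshd insists on
# (~/.ssh 700, authorized_keys 600). If they are looser, sshd ignores the
# file and logins silently fall back to password prompts.
# install_pubkey <id_dsa.pub> [home dir]  (home dir is an assumption,
# defaults to $HOME)
install_pubkey() {
    pub="$1"
    home="${2:-$HOME}"
    sshdir="$home/.ssh"
    auth="$sshdir/authorized_keys"
    [ -s "$pub" ] || { echo "missing public key: $pub" >&2; return 1; }
    mkdir -p "$sshdir" && chmod 700 "$sshdir"
    touch "$auth" && chmod 600 "$auth"
    # idempotent: never append the same key line twice
    if grep -qxF "$(cat "$pub")" "$auth"; then
        echo "key already present in $auth"
    else
        printf '%s\n' "$(cat "$pub")" >> "$auth"
    fi
}

# check_ssh_perms [home dir]: 0 if .ssh is 700 and authorized_keys is 600,
# 1 otherwise (each problem is reported on stderr)
check_ssh_perms() {
    home="${1:-$HOME}"
    rc=0
    [ -n "$(find "$home/.ssh" -prune -perm 700 -print 2>/dev/null)" ] ||
        { echo "$home/.ssh must be mode 700" >&2; rc=1; }
    [ -n "$(find "$home/.ssh/authorized_keys" -prune -perm 600 -print 2>/dev/null)" ] ||
        { echo "$home/.ssh/authorized_keys must be mode 600" >&2; rc=1; }
    return $rc
}

# usage: sh install_key.sh /home/gao/id_dsa.pub   (installs into $HOME)
if [ $# -ge 1 ]; then
    install_pubkey "$@" && check_ssh_perms "${2:-$HOME}"
fi
```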
Test it below
From A, check the IP addresses of B and C without a password
[gao@A ~]$ ssh -p22 gao@10.0.0.4 /sbin/ifconfig eth0 | grep 'inet addr'
inet addr:10.0.0.4 Bcast:10.0.0.255 Mask:255.255.255.0
[gao@A ~]$ ssh -p22 gao@10.0.0.5 /sbin/ifconfig eth0 | grep 'inet addr'
inet addr:10.0.0.5 Bcast:10.0.0.255 Mask:255.255.255.0
[gao@A ~]$ ssh -p22 gao@10.0.0.5 /sbin/ifconfig eth0 | grep 'inet addr' | awk '{print $2}' | awk -F ':' '{print $2}'
10.0.0.5
[gao@A ~]$ ssh -p22 gao@10.0.0.4 /sbin/ifconfig eth0 | grep 'inet addr' | awk '{print $2}' | awk -F ':' '{print $2}'
10.0.0.4
This proves that passwordless distribution works!
Distribute files with a script
[gao@A ~]$ sh fengfa.sh fengfa.sh
fengfa.sh 100% 120 0.1KB/s 00:00
fengfa.sh 100% 120 0.1KB/s 00:00
[gao@A ~]$ cat fengfa.sh
# fengfa.sh: copy the given file or directory to gao's home directory on
# every host in the list (passwordless via the key installed above)
if [ $# -ne 1 ]
then
    echo "USAGE:/bin/sh $0 arg1"
    exit 1
fi
for n in 4 5
do
    scp -P22 -rp "$1" gao@10.0.0.$n:~/
done
[gao@A ~]$
Manage servers in batch with a script
[gao@A ~]$ sh guangli.sh /sbin/ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0C:29:61:34:C0
          inet addr:10.0.0.4  Bcast:10.0.0.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe61:34c0/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:146015 errors:0 dropped:0 overruns:0 frame:0
          TX packets:273645 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:21283373 (20.2 MiB)  TX bytes:16164642 (15.4 MiB)
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:131107 errors:0 dropped:0 overruns:0 frame:0
          TX packets:131107 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:5507564 (5.2 MiB)  TX bytes:5507564 (5.2 MiB)
eth0      Link encap:Ethernet  HWaddr 00:0C:29:04:9C:CB
          inet addr:10.0.0.5  Bcast:10.0.0.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe04:9ccb/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3379 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1738 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:478398 (467.1 KiB)  TX bytes:276437 (269.9 KiB)
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:28 errors:0 dropped:0 overruns:0 frame:0
          TX packets:28 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:4610 (4.5 KiB)  TX bytes:4610 (4.5 KiB)
[gao@A ~]$ cat guangli.sh
# guangli.sh: run the given command on every host in the list over
# passwordless ssh and print its output
if [ $# -ne 1 ]
then
    echo "USAGE:/bin/sh $0 arg1"
    exit 1
fi
for n in 4 5
do
    ssh -p22 gao@10.0.0.$n "$1"
done
[gao@A ~]$
5. Use sudo to distribute files or directories into directories a normal user cannot write to
The steps are:
Modify /etc/sudoers on every server so that the normal user is allowed to copy into any directory.
First send the file to the user's home directory on the remote host.
Use the special form of the ssh command: ssh -t user@IP "sudo command" (remember the -t option).
Below, the most common production example is used as the demonstration: distributing a hosts file to /etc/hosts on all servers.
Switch to root on all servers and run the following commands:
echo 'gao ALL=(ALL) NOPASSWD: /bin/cp' >>/etc/sudoers
tail -5 /etc/sudoers
visudo -c
Switch A to gao (the normal user), send the hosts file to the home directories on B and C, then use ssh to push the file into /etc/.
[gao@A ~]$ scp -P22 hosts gao@10.0.0.4:~/
hosts 100% 219 0.2KB/s 00:00
[gao@A ~]$ ssh -t -p22 gao@10.0.0.4 "sudo /bin/cp hosts /etc/"
Connection to 10.0.0.4 closed.
[gao@A ~]$
[gao@A ~]$ scp -P22 hosts gao@10.0.0.5:~/
hosts 100% 219 0.2KB/s 00:00
[gao@A ~]$ ssh -t -p22 gao@10.0.0.5 "sudo /bin/cp hosts /etc/"
Connection to 10.0.0.5 closed.
[gao@A ~]$
The second step above can be done with the following script
[gao@A ~]$ vi tfengfa.sh
#!/bin/sh
# tfengfa.sh: copy a file to each host's home directory, then copy it
# into the target directory with sudo cp (the sudoers rule above allows
# /bin/cp without a password). -t is needed because sudo wants a tty.
file="$1"
remotedir="$2"
. /etc/init.d/functions
if [ $# -ne 2 ]
then
    echo "USAGE:/bin/sh $0 file path"
    exit 1
fi
for n in 4 5
do
    # both steps must succeed for the host to be reported as ok
    scp -P22 -rp "$file" gao@10.0.0.$n:~/ &&
    ssh -t -p22 gao@10.0.0.$n "sudo /bin/cp ~/$file $remotedir"
    if [ $? -eq 0 ]
    then
        action "scp $file to $remotedir is ok" /bin/true
    else
        action "scp $file to $remotedir is fail" /bin/false
    fi
done
[gao@A ~]$ sh tfengfa.sh hosts /root/
hosts 100% 219 0.2KB/s 00:00
Connection to 10.0.0.4 closed.
scp hosts to /root/ is ok [ OK ]
hosts 100% 219 0.2KB/s 00:00
Connection to 10.0.0.5 closed.
scp hosts to /root/ is ok [ OK ]
[gao@A ~]$
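A hardened rewrite of the fengfa.sh, guangli.sh and tfengfa.sh scripts above, added here as an example and not the page's own code: BatchMode=yes makes ssh and scp fail instead of silently prompting for a password when the key is missing, StrictHostKeyChecking=yes refuses hosts not already in known_hosts, and both the scp and the sudo cp step are checked per host. HOSTS, SSH_USER, SSH_CMD and SCP_CMD are assumptions; note that the NOPASSWD /bin/cp sudoers rule itself still lets that user write any file as root, which the script does not change, it only makes failures visible.

```shell
#!/bin/sh
# Hardened replacement for the fengfa.sh / guangli.sh / tfengfa.sh idea.
# HOSTS, SSH_USER, SSH_CMD and SCP_CMD are assumptions and can be
# overridden from the environment (SSH_CMD/SCP_CMD also allow stubbing).
HOSTS="${HOSTS:-10.0.0.4 10.0.0.5}"
SSH_USER="${SSH_USER:-gao}"
SSH_CMD="${SSH_CMD:-ssh}"
SCP_CMD="${SCP_CMD:-scp}"
# BatchMode: never fall back to a password prompt; Strict: unknown host
# keys are an error rather than an interactive yes/no question
OPTS="-o BatchMode=yes -o StrictHostKeyChecking=yes -o ConnectTimeout=5"

# push_file <local file> <remote dir>: one ok/fail line per host,
# return value is the number of hosts that failed
push_file() {
    file="$1"; remotedir="$2"
    [ $# -eq 2 ] && [ -f "$file" ] || { echo "USAGE: $0 file remotedir" >&2; return 2; }
    base=$(basename "$file")      # so dir/hosts still lands as ~/hosts
    failed=0
    for host in $HOSTS; do
        # -t: sudo on CentOS 6 refuses to run without a tty (requiretty)
        if $SCP_CMD -P 22 $OPTS -p "$file" "$SSH_USER@$host:~/" &&
           $SSH_CMD -t -p 22 $OPTS "$SSH_USER@$host" "sudo /bin/cp ~/$base $remotedir/"; then
            echo "$host: $base -> $remotedir ok"
        else
            echo "$host: $base -> $remotedir fail"
            failed=$((failed + 1))
        fi
    done
    return $failed
}

# run_cmd <command...>: run one command on every host (guangli.sh idea)
run_cmd() {
    failed=0
    for host in $HOSTS; do
        $SSH_CMD -p 22 $OPTS "$SSH_USER@$host" "$@" || failed=$((failed + 1))
    done
    return $failed
}

# usage: sh push.sh hosts /etc
if [ $# -gt 0 ]; then push_file "$@"; fi
```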
6. Distribute files into special directories with suid
Set the setuid bit on the rsync command (mode 4755, i.e. u+s) on all servers.
[root@A ~]# which rsync
/usr/bin/rsync
[root@A ~]# chmod u+s `which rsync`
[root@A ~]# ll `which rsync`
-rwsr-xr-x. 1 root root 415000 Oct 31 2013 /usr/bin/rsync
[root@A ~]#
[root@B ~]# chmod 4755 /usr/bin/rsync
[root@B ~]# ll /usr/bin/rsync
-rwsr-xr-x. 1 root root 415000 Oct 31 2013 /usr/bin/rsync
[root@B ~]#
[root@C ~]# chmod 4755 /usr/bin/rsync
[root@C ~]# ll /usr/bin/rsync
-rwsr-xr-x. 1 root root 415000 Oct 31 2013 /usr/bin/rsync
[root@C ~]#
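A setuid-root rsync, as set up above, runs as root for every local user on B and C, not only for gao, so the bit deserves an inventory and a periodic drift check. Added example, not from the page: a shell audit that lists the setuid files under a directory and reports those absent from an approved baseline. The directory and baseline paths are assumptions.

```shell
#!/bin/sh
# Setuid audit (added example, not the page's code). Keep a baseline of
# the setuid files you expect on a host and report anything added since.
# Paths are assumptions; the baseline is one absolute path per line.

# list_setuid <dir>: sorted regular files below <dir> with the setuid bit
# set (-perm -4000 means "at least these bits"); stays on one filesystem
list_setuid() {
    find "$1" -xdev -type f -perm -4000 -print 2>/dev/null | sort
}

# unexpected_setuid <dir> <baseline>: print setuid files not listed in
# the baseline; return 1 if any were found, 0 if the host matches it
unexpected_setuid() {
    dir="$1"; baseline="$2"
    [ -f "$baseline" ] || baseline=/dev/null   # no baseline: report everything
    extra=$(list_setuid "$dir" | grep -vxF -f "$baseline" || true)
    [ -z "$extra" ] && return 0
    printf '%s\n' "$extra"
    return 1
}

# usage: sh suid_audit.sh / /root/setuid.baseline
if [ $# -eq 2 ]; then
    unexpected_setuid "$1" "$2" && echo "no unexpected setuid files under $1"
fi
```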
Send the file to be distributed to the home directory on each server
[gao@A ~]$ echo asdasdaf >gao.txt
[gao@A ~]$ scp -P22 -rp gao.txt gao@10.0.0.5:~/
gao.txt 100% 9 0.0KB/s 00:00
[gao@A ~]$ scp -P22 -rp gao.txt gao@10.0.0.4:~/
gao.txt 100% 9 0.0KB/s 00:00
[gao@B ~]$ ll
total 12
-rw-r--r--. 1 gao gao 120 Jul 20 14:22 fengfa.sh
-rw-rw-r--. 1 gao gao 9 Jul 20 18:59 gao.txt
-rw-r--r--. 1 gao gao 219 Jul 20 18:31 hosts
[gao@B ~]$ cat gao.txt
asdasdaf
[gao@B ~]$
[gao@C ~]$ ll
total 88
-rw-r--r--. 1 gao gao 120 Jul 20 14:22 fengfa.sh
-rw-rw-r--. 1 gao gao 9 Jul 20 22:02 gao.txt
-rw-r--r--. 1 gao gao 219 Jul 20 18:31 hosts
-rwxr-xr-x. 1 gao gao 73936 May 10 2012 ifconfig
[gao@C ~]$ cat gao.txt
asdasdaf
[gao@C ~]$
Now ssh together with /usr/bin/rsync can place the file from the home directory into the special directory directly.
[gao@A ~]$ ssh -p22 gao@10.0.0.5 "/usr/bin/rsync ~/gao.txt /root/"
[gao@A ~]$
[root@B ~]# cat gao.txt
asdasdaf
[root@B ~]#
[gao@A ~]$ ssh -p22 gao@10.0.0.4 "/usr/bin/rsync ~/gao.txt /root/"
[gao@A ~]$
[root@C ~]# ls
anaconda-ks.cfg gao.txt hosts install.log install.log.syslog
[root@C ~]# cat gao.txt
asdasdaf
[root@C ~]#
Script implementation
[gao@A ~]$ echo aaaaaaaaa>guo.txt
[gao@A ~]$ sh tfengfa1.sh guo.txt /etc/
guo.txt 100% 10 0.0KB/s 00:00
Connection to 10.0.0.4 closed.
scp guo.txt to /etc/ is ok [ OK ]
guo.txt 100% 10 0.0KB/s 00:00
Connection to 10.0.0.5 closed.
scp guo.txt to /etc/ is ok [ OK ]
[gao@A ~]$
[gao@A ~]$
[gao@A ~]$ cat tfengfa1.sh
#!/bin/sh
# tfengfa1.sh: copy a file to each host's home directory, then move it
# into the target directory with the setuid rsync (runs as root, so no
# sudo rule is needed)
file="$1"
remotedir="$2"
. /etc/init.d/functions
if [ $# -ne 2 ]
then
    echo "USAGE:/bin/sh $0 file path"
    exit 1
fi
for n in 4 5
do
    # both steps must succeed for the host to be reported as ok
    scp -P22 -rp "$file" gao@10.0.0.$n:~/ &&
    ssh -t -p22 gao@10.0.0.$n "/usr/bin/rsync ~/$file $remotedir"
    if [ $? -eq 0 ]
    then
        action "scp $file to $remotedir is ok" /bin/true
    else
        action "scp $file to $remotedir is fail" /bin/false
    fi
done
[gao@A ~]$