降瞳、什么是SSH批量管理

在管理機產(chǎn)生公鑰和私鑰茵瀑，然后把自己的公鑰推送給需要被管理的服務器撮躁，然后就可以通過scp和ssh命令金踪，無需輸入密碼即可管理

鎖=公鑰，鑰匙=私鑰

企業(yè)里實現(xiàn)ssh方案：

1）直接root ssh key季春。

條件：系統(tǒng)允許root使用ssh

2）sudo提權來實現(xiàn)沒有權限用戶拷貝

實驗環(huán)境：

hostnameip描述

m01172.16.1.61管理機

web01172.16.1.7被管理

nfs172.16.1.31被管理

backup172.16.1.41被管理

所有機器系統(tǒng)環(huán)境統(tǒng)一

[root@m01 /]# cat /etc/redhat-release CentOS Linux release7.5.1804(Core) [root@m01 /]# uname -r3.10.0-862.el7.x86_64

1.1 所有的服務器創(chuàng)建普通用戶及密碼

useradd xiaoliecho"123456"|passwd --stdin xiaoliid xiaolisu - xiaoli#<==統(tǒng)一切換到xiaoli用戶

1.2 m01產(chǎn)生密鑰

#使用xiaoli用戶來創(chuàng)建私鑰洗搂，并且分發(fā)公鑰

[xiaoli@m01 ~]$ ssh-keygen -t dsa#<==生成私鑰（一路回車）Generatingpublic/privatedsa key pair.Enter fileinwhich to save thekey(/home/xiaoli/.ssh/id_dsa): Created directory '/home/xiaoli/.ssh'. #<==私鑰存放的目錄Enterpassphrase(emptyforno passphrase): Enter same passphrase again: Your identification has been savedin/home/xiaoli/.ssh/id_dsa.Yourpublickey has been savedin/home/xiaoli/.ssh/id_dsa.pub.The key fingerprintis:SHA256:/UtUhhM++KSQH9OgJyP+MCRz+LhdYfRt/r6384aVLzU xiaoli@m01The key's randomart imageis:+---[DSA 1024]----+|? ? ? ? . . .? ? ||? ? . . + * o? ||? ? + + O * X o? ||? ? O o O O=? ||? ? . = S + +? .||? ? o =? o . Eo||? ? . . .? o .+o||? ? ? ? ? . oo.+||? ? ? ? ? ? . o*=|+----[SHA256]-----+[xiaoli@m01 ~]$ pwd/home/xiaoli[xiaoli@m01 ~]$ ls .ssh/id_dsa? id_dsa.pub[xiaoli@m01 ~]$ ll .ssh/total8-rw-------1xiaoli xiaoli672Nov520:57id_dsa#<==私鑰-rw-r--r--1xiaoli xiaoli600Nov520:57id_dsa.pub#<==公鑰

1.3 管理機分發(fā)公鑰給客戶端

管理機推送公鑰給backup

[xiaoli@m01 ~]$ ssh-copy-id -i .ssh/id_dsa.pub xiaoli@172.16.1.41/bin/ssh-copy-id: INFO: Sourceofkey(s) to be installed:".ssh/id_dsa.pub"The authenticityofhost'172.16.1.41 (172.16.1.41)'can't be established.

ECDSA key fingerprint is SHA256:9mwPu7qxdn4iuw1GFz5nXmBdpXKRoj0D8dhDo6sp9XQ.

ECDSA key fingerprint is MD5:d2:35:47:86:60:b5:97:16:3f:26:4c:91:78:3a:02:2a.

Are you sure you want to continue connecting (yes/no)? yes

/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed

/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys

xiaoli@172.16.1.41's password: Numberofkey(s) added:1Nowtrylogging into the machine, with:"ssh 'xiaoli@172.16.1.41'"andcheck to make sure that only the key(s) you wanted were added.#backup上查看是否收到公鑰[xiaoli@backup ~]$ ls .ssh/authorized_keys .ssh/authorized_key#配置文件默認就是.ssh/authorized_key這個文件名，是由/etc/ssh/sshd_config這個配置文件所定義[root@backup backup]$ grep authorized_keys /etc/ssh/sshd_config |egrep -v"^#"AuthorizedKeysFile? ? ? .ssh/authorized_keys

管理機推送公鑰給nfs

[xiaoli@m01 ~]$ ssh-copy-id -i .ssh/id_dsa.pub xiaoli@172.16.1.31/bin/ssh-copy-id: INFO: Sourceofkey(s) to be installed:".ssh/id_dsa.pub"The authenticityofhost'172.16.1.31 (172.16.1.31)'can't be established.

ECDSA key fingerprint is SHA256:9mwPu7qxdn4iuw1GFz5nXmBdpXKRoj0D8dhDo6sp9XQ.

ECDSA key fingerprint is MD5:d2:35:47:86:60:b5:97:16:3f:26:4c:91:78:3a:02:2a.

Are you sure you want to continue connecting (yes/no)? yes

/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed

/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys

xiaoli@172.16.1.31's password: Numberofkey(s) added:1Nowtrylogging into the machine, with:"ssh 'xiaoli@172.16.1.31'"andcheck to make sure that only the key(s) you wanted were added.#nfs上查看是否收到公鑰[xiaoli@nfs ~]$ ls -l .ssh/total4-rw-------1xiaoli xiaoli600Nov521:16authorized_keys

管理機推送公鑰給web01

[xiaoli@m01 ~]$ ssh-copy-id -i .ssh/id_dsa.pub xiaoli@172.16.1.7/bin/ssh-copy-id: INFO: Sourceofkey(s) to be installed:".ssh/id_dsa.pub"The authenticityofhost'172.16.1.7 (172.16.1.7)'can't be established.

ECDSA key fingerprint is SHA256:9mwPu7qxdn4iuw1GFz5nXmBdpXKRoj0D8dhDo6sp9XQ.

ECDSA key fingerprint is MD5:d2:35:47:86:60:b5:97:16:3f:26:4c:91:78:3a:02:2a.

Are you sure you want to continue connecting (yes/no)? yes

/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed

/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys

xiaoli@172.16.1.7's password: Numberofkey(s) added:1Nowtrylogging into the machine, with:"ssh 'xiaoli@172.16.1.7'"andcheck to make sure that only the key(s) you wanted were added.#web01查看是否收到公鑰[xiaoli@web01 ~]$ ls -l .ssh/total4-rw-------1xiaoli xiaoli600Nov521:20authorized_keys

1.4 管理機實現(xiàn)批量獲取參數(shù)

單獨查看某一臺客戶端IP地址载弄，如果端口號為22，就不需要加-p

[xiaoli@m01 ~]$ ssh xiaoli@172.16.1.31/sbin/ifconfig ens33ens33:flags=4163? mtu1500inet10.0.0.31netmask255.255.255.0broadcast10.0.0.255inet6 fe80::7ef6:6b6b:fba4:c66c? prefixlen64scopeid0x20? ? ? ? inet6 fe80::f15a:916:1ee7:65e9? prefixlen64scopeid0x20? ? ? ? ether00:50:56:20:de:ectxqueuelen1000(Ethernet)? ? ? ? RX packets68059bytes50182137(47.8MiB)? ? ? ? RX errors0dropped0overruns0frame0TX packets32722bytes6712416(6.4MiB)? ? ? ? TX errors0dropped0overruns0carrier0collisions0#我們可以發(fā)現(xiàn)這時執(zhí)行ssh就不需要輸入密碼

創(chuàng)建腳本查看三臺客戶端的IP地址

[xiaoli@m01 ~]$ mkdir seripts[xiaoli@m01 ~]$ cd seripts[xiaoli@m01 seripts]$ cat view_ip.sh#!/bin/shUser=xiaoliIp=(172.16.1.7

172.16.1.31

172.16.1.41

)

for ((i=0;i<${#Ip[*]};i++))

do

? ? ? ? ssh ${User}@${Ip[$i]} /sbin/ifconfig ens33

done

#執(zhí)行腳本?貨運APP找上海捌躍網(wǎng)絡科技有限公司QQ3343874032

[xiaoli@m01 seripts]$ sh view_ip.sh

ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>mtu1500inet10.0.0.7netmask255.255.255.0broadcast10.0.0.255inet6 fe80::7ef6:6b6b:fba4:c66c? prefixlen64scopeid0x20? ? ? ? inet6 fe80::b85a:6444:fdc7:90ef? prefixlen64scopeid0x20? ? ? ? inet6 fe80::f15a:916:1ee7:65e9? prefixlen64scopeid0x20? ? ? ? ether00:50:56:32:88:betxqueuelen1000(Ethernet)? ? ? ? RX packets11633bytes2805754(2.6MiB)? ? ? ? RX errors0dropped0overruns0frame0TX packets6003bytes1047269(1022.7KiB)? ? ? ? TX errors0dropped0overruns0carrier0collisions0ens33:flags=4163? mtu1500inet10.0.0.31netmask255.255.255.0broadcast10.0.0.255inet6 fe80::7ef6:6b6b:fba4:c66c? prefixlen64scopeid0x20? ? ? ? inet6 fe80::f15a:916:1ee7:65e9? prefixlen64scopeid0x20? ? ? ? ether00:50:56:20:de:ectxqueuelen1000(Ethernet)? ? ? ? RX packets68065bytes50182545(47.8MiB)? ? ? ? RX errors0dropped0overruns0frame0TX packets32726bytes6712704(6.4MiB)? ? ? ? TX errors0dropped0overruns0carrier0collisions0ens33:flags=4163? mtu1500inet10.0.0.41netmask255.255.255.0broadcast10.0.0.255inet6 fe80::7ef6:6b6b:fba4:c66c? prefixlen64scopeid0x20? ? ? ? inet6 fe80::b85a:6444:fdc7:90ef? prefixlen64scopeid0x20? ? ? ? inet6 fe80::f15a:916:1ee7:65e9? prefixlen64scopeid0x20? ? ? ? ether00:50:56:21:a4:2a? txqueuelen1000(Ethernet)? ? ? ? RX packets123357bytes15582283(14.8MiB)? ? ? ? RX errors0dropped0overruns0frame0TX packets130534bytes11862139(11.3MiB)? ? ? ? TX errors0dropped0overruns0carrier0collisions0上面結果為成功標志撵颊！連接所有機器宇攻，不提示密碼直接可以操作

1.5 scp實現(xiàn)批量下發(fā)文件

每臺服務器root權限下實施sudo#切換到root用戶，給xiaoli用戶賦予有rsync的命令執(zhí)行權限echo"xiaoli ALL=(ALL) NOPASSWD:/usr/bin/rsync ">>/etc/sudoersvisudo -c

將/etc/hosts文件拷貝到家目錄（xiaoli）倡勇，并修改hosts文件內(nèi)容

[xiaoli@m01 ~]$ cp /etc/hosts .[xiaoli@m01 ~]$ tail-5hosts172.16.1.7web01172.16.1.41backup172.16.1.31nfs172.16.1.51m01################2018-11-5################

使用腳本批量分發(fā)hosts文件

[xiaoli@m01 ~]$? cat seripts/fenfa_file.sh#!/bin/shUser=xiaoliIp=(172.16.1.7172.16.1.31172.16.1.41)for((i=0;i<${#Ip[*]};i++))doscp ~/hosts${User}@${Ip[$i]}:~ ssh -t${User}@${Ip[$i]}sudo rsync ~/hosts /etc/hostsdone#運行批量分發(fā)腳本[xiaoli@m01 seripts]$ sh? fenfa_file.shhosts? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? 100%? 268? 245.5KB/s? 00:00? ? Connection to 172.16.1.7 closed.hosts? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? 100%? 268? ? 47.6KB/s? 00:00? ? Connection to 172.16.1.31 closed.hosts? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? 100%? 268? 295.1KB/s? 00:00? ? Connection to 172.16.1.41 closed.

客戶端查看結果

#以backup客戶端為例展示結果：[xiaoli@backup ~]$ tail-5/etc/hosts172.16.1.7web01172.16.1.41backup172.16.1.31nfs172.16.1.51m01################2018-11-5################

擴展：使用rsync通道模式逞刷，實現(xiàn)增量、加密

[xiaoli@m01 ~]$ rsync -avz hosts -e'ssh -p 22'xiaoli@172.16.1.41sending incremental file listhostssent214bytes? received35bytes498.00bytes/sectotal sizeis268speedupis1.08

轉自：http://blog.51cto.com/12643266/2314340