1. Create the user and set its password:
useradd ceshi1
echo 123456|passwd --stdin ceshi1
id ceshi1
su - ceshi1
2. Generate the key pair (on m01)
[ceshi1@m01 ~]$ ssh-keygen -t dsa # press Enter at each prompt
[ceshi1@m01 ~]$ ll .ssh/
总用量 8
-rw-------. 1 ceshi1 ceshi1 672 6月 15 20:58 id_dsa # private key (the key)
-rw-r--r--. 1 ceshi1 ceshi1 600 6月 15 20:58 id_dsa.pub # public key (the lock)
Non-interactive key creation (either form works):
ssh-keygen -t dsa -P '' -f ~/.ssh/id_dsa >/dev/null 2>&1
echo -e "\n"|ssh-keygen -t dsa -N ""
3. Distribute the public key from the server side (m01):
ssh-copy-id -i .ssh/id_dsa.pub [email protected] # push the public key to the managed host
ssh-copy-id -i .ssh/id_dsa.pub "-p 52113 [email protected]" # push to a non-default sshd port
On the client:
[ceshi1@backup ~]$ ll .ssh/
总用量 4
-rw------- 1 ceshi1 ceshi1 600 6月 15 20:16 authorized_keys
4. Test: from the server side, check that the key login works:
[ceshi1@m01 ~]$ ssh [email protected] /sbin/ifconfig eth0
A simple script that shows the IP of several hosts in one go:
[ceshi1@m01 ~]$ mkdir scripts
[ceshi1@m01 ~]$ cd scripts/
[ceshi1@m01 scripts]$ vi view_ip.sh
ssh [email protected] /sbin/ifconfig eth0
ssh [email protected] /sbin/ifconfig eth0
[ceshi1@m01 scripts]$ sh view_ip.sh
Three ways enterprises implement ssh-based distribution:
1. Use root's ssh key directly (requires root ssh login to be allowed)
Pros: simple and easy to use
Cons: poor security, and it means remote root login can never be disabled
2. sudo privilege escalation so an unprivileged user can copy files
Configure sudoers:
echo "ceshi1 ALL= NOPASSWD:/usr/bin/rsync">>/etc/sudoers
visudo -c # syntax-check sudoers after editing
scp hosts [email protected]:~
ssh -t [email protected] sudo rsync ~/hosts /etc/hosts
rsync -avz -e 'ssh -p <port>' hosts [email protected]:~ (incremental and encrypted; -e selects the remote shell, with <port> standing in for the sshd port)
3. suid bit so an unprivileged user can copy files
Pros: relatively secure
Cons: complex and weaker security: any user can run a command that carries the suid bit
First grant the needed command on the client:
[root@nfs01 ~]# ls -l `which rsync`
-rwxr-xr-x. 1 root root 415000 10月 31 2013 /usr/bin/rsync
[root@nfs01 ~]# chmod u+s `which rsync`
[root@nfs01 ~]# ls -l `which rsync`
-rwsr-xr-x. 1 root root 415000 10月 31 2013 /usr/bin/rsync
[root@nfs01 ~]# cp /etc/hosts /etc/hosts.ior # back up the file that will be replaced
Run on the server side:
[ceshi1@m01 ~]$ scp hosts [email protected]:/etc/hosts # direct write denied: the suid bit was granted to rsync, not scp
scp: /etc/hosts: Permission denied
[ceshi1@m01 ~]$ scp hosts [email protected]:~
hosts 100% 365 0.4KB/s 00:00
[ceshi1@m01 ~]$ ssh [email protected] rsync ~/hosts /etc/hosts
When the experiment is finished, remove the bit again:
[root@nfs01 ~]# chmod a-s `which rsync`
[root@nfs01 ~]# ls -l `which rsync`
-rwxr-xr-x. 1 root root 415000 10月 31 2013 /usr/bin/rsync
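A pre-flight audit for schemes 2 and 3 above, added here as an example and not part of the original notes: it checks the key file mode shown in the ll listings, confirms the suid bit from scheme 3 has really been removed from rsync, and rejects sudoers rules broader than the single-binary NOPASSWD line used above. Paths and the sudoers line are passed as arguments (the preflight wrapper's use of $HOME/.ssh/id_dsa and /usr/bin/rsync is an assumption taken from the listings).

```shell
#!/bin/bash
# Pre-flight audit for the ssh-key + sudo rsync scheme (added example,
# not part of the original notes). Each check returns 0 when it passes.

# 1. Private key / authorized_keys must be mode 0600, as in the ll output;
#    anything wider exposes the key material to other local users.
check_key_mode() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null) || return 1
    [ "$mode" = "600" ]
}

# 2. rsync must not still carry the suid bit from scheme 3: a suid rsync
#    lets any local user overwrite arbitrary files as root.
check_no_suid() {
    [ -e "$1" ] || return 1
    [ ! -u "$1" ]
}

# 3. The sudoers rule must grant NOPASSWD for exactly one absolute binary.
#    "ceshi1 ALL= NOPASSWD:/usr/bin/rsync" passes; ALL or a shell fails.
sudoers_rule_ok() {
    rule=$1
    case "$rule" in
        *NOPASSWD:*) ;;
        *) return 1 ;;
    esac
    cmd=${rule##*NOPASSWD:}        # everything after NOPASSWD:
    cmd=${cmd#"${cmd%%[! ]*}"}     # strip leading spaces
    case "$cmd" in
        ''|ALL|*' '*) return 1 ;;  # empty, ALL, or extra arguments/commands
        */sh|*/bash|*/su|*/sudo|*/vi|*/vim) return 1 ;;  # shell escapes
        /*) return 0 ;;            # a single absolute path
        *) return 1 ;;
    esac
}

# Run all three against the paths assumed from the listings above;
# the sudoers line to audit is passed as $1.
preflight() {
    rc=0
    check_key_mode "$HOME/.ssh/id_dsa" || { echo "FAIL: id_dsa is not mode 0600"; rc=1; }
    check_no_suid /usr/bin/rsync       || { echo "FAIL: rsync still has the suid bit"; rc=1; }
    sudoers_rule_ok "$1"               || { echo "FAIL: sudoers rule is too broad"; rc=1; }
    return $rc
}
```

Note that even the single-binary rule still lets the user run sudo rsync with any arguments, so it can write any root-owned file; this audit catches the broader misconfigurations, not that inherent property of scheme 2.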
Batch distribution script for the ssh management project:
[ceshi1@m01 ~]$ vim fenfa_file.sh
scp hosts [email protected]:~
ssh -t [email protected] sudo rsync ~/hosts /etc/hosts
scp hosts [email protected]:~
ssh -t [email protected] sudo rsync ~/hosts /etc/hosts
Script improvements:
Script 1
[ceshi1@m01 scripts]$ vim fenfa_file2.sh
#!/bin/sh
# usage: fenfa_file2.sh <file in ~> <destination path on the managed hosts>
if [ $# -ne 2 ];then
echo "USAGE:/bin/sh $0 ARG1 ARG2"
exit 1
fi
. /etc/init.d/functions
for n in 31 41 51
do
# copy to the user's home first, then let sudo rsync place it at the destination
scp ~/$1 ceshi1@172.16.1.${n}:~ >/dev/null 2>&1 && \
ssh -t ceshi1@172.16.1.$n sudo rsync ~/$1 $2 >/dev/null 2>&1
if [ $? -eq 0 ];then
action "fenfa hosts 172.16.1.$n" /bin/true
else
action "fenfa hosts 172.16.1.$n" /bin/false
fi
done
[ceshi1@m01 ~]$ sh scripts/fenfa_file2.sh hosts /opt/
fenfa hosts 172.16.1.31 [确定]
fenfa hosts 172.16.1.41 [确定]
fenfa hosts 172.16.1.51 [失败]
Script 2 (replaces the earlier one-line-per-host view_ip.sh)
[ceshi1@m01 scripts]$ vim view_ip.sh
#!/bin/sh
# usage: view_ip.sh "<command to run on every host>"
if [ $# -ne 1 ];then
echo "USAGE:/bin/sh $0 ARG1"
exit 1
fi
for n in 31 41
do
echo =========172.16.1.$n===========
ssh ceshi1@172.16.1.$n "$1"
done
[ceshi1@m01 scripts]$ sh view_ip.sh
USAGE:/bin/sh view_ip.sh ARG1
[ceshi1@m01 scripts]$ sh view_ip.sh "/sbin/ifconfig eth0"
=========172.16.1.31===========
eth0 Link encap:Ethernet HWaddr 00:0C:29:21:09:BC
inet addr:10.0.0.31 Bcast:10.0.0.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe21:9bc/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:225 errors:0 dropped:0 overruns:0 frame:0
TX packets:133 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:21774 (21.2 KiB) TX bytes:22854 (22.3 KiB)
=========172.16.1.41===========
eth0 Link encap:Ethernet HWaddr 00:0C:29:9C:E6:21
inet addr:10.0.0.41 Bcast:10.0.0.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe9c:e621/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:150 errors:0 dropped:0 overruns:0 frame:0
TX packets:85 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:15470 (15.1 KiB) TX bytes:10799 (10.5 KiB)
[ceshi1@m01 scripts]$ sh view_ip.sh "cat /etc/redhat-release"
=========172.16.1.31===========
CentOS release 6.5 (Final)
=========172.16.1.41===========
CentOS release 6.5 (Final)
Batch management tools:
ssh+rsync+sersync, saltstack, puppet, ansible
Enterprise production batch-management and automation options:
1. ssh key: the simplest, most common and most capable; typical for small and medium businesses with fewer than 50-100 hosts
2. sina cfengine/puppet: early batch-management tools, rarely used now
3. puppet: popular at portal scale, but complex and heavy
4. saltstack: simple and powerful (though its configuration is complex)
5. http+cron
Batch-management evolution: sshkey-->cfengine-->puppet-->saltstack/ansible