Environment
SSH Server
```
[root@vm1 ~]# ifconfig |awk '/broadcast/{print $2}'
192.168.99.241
```
SSH Client
```
[root@vm2 ~]# ifconfig |awk '/broadcast/{print $2}'
192.168.99.242
```
Setting up key authentication as root to manage, distribute and deploy with [SHELL](http://www.showerlee.com/archives/tag/shell) scripts
First, create a key pair on the `SSH Client` and distribute the public key to every `SSH Server` you need to log in to.
Note: the public key is like a lock and the private key like the key that opens it. Here we create a key-and-lock pair on the client; passwordless SSH login amounts to shipping the lock to the server and installing it there, after which the client can open it with its own key.
I. Setting up key authentication
1. Create the key on the client (`SSH client`)
```
[root@vm2 ~]# su - root
Last login: Wed Dec 28 10:10:19 CST 2016 from 192.168.99.92 on pts/0
[root@vm2 ~]# ssh-keygen -t dsa    # just press Enter at every prompt
Generating public/private dsa key pair.
Enter file in which to save the key (/root/.ssh/id_dsa): ^C
[root@vm2 ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
97:75:88:b8:ae:c5:38:b8:24:d7:8a:ce:2a:74:3e:f3 root@vm2
The key's randomart image is:
+--[ RSA 2048]----+
|                 |
|  . . .          |
|   . . o .       |
|    . o .        |
|     S o         |
|    . . o + .    |
|   . + + + +     |
|  .. O o +       |
|  oo+ *E.        |
+-----------------+
[root@vm2 ~]#
```
2. Inspect the generated key pair (`SSH Client`)
```
[root@vm2 ~]# ls -lda .ssh/
drwx------. 2 root root 76 Dec 28 10:26 .ssh/
[root@vm2 ~]# cd .ssh/
[root@vm2 .ssh]# ls -la
total 20
drwx------. 2 root root   76 Dec 28 10:26 .
dr-xr-x---. 5 root root 4096 Dec 28 10:25 ..
-rw-r--r--. 1 root root  395 Dec 18 23:16 authorized_keys
-rw-------  1 root root 1675 Dec 28 10:26 id_rsa
-rw-r--r--  1 root root  390 Dec 28 10:26 id_rsa.pub
-rw-r--r--  1 root root  176 Dec 19 18:41 known_hosts
[root@vm2 .ssh]#
```
Key generation is complete.
3. Distribute the public key to the `SSH Server`
```
[root@vm2 ~]# ssh-copy-id -i .ssh/id_rsa.pub 192.168.99.241
/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.99.241's password:
Permission denied, please try again.
root@192.168.99.241's password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh '192.168.99.241'"
and check to make sure that only the key(s) you wanted were added.
```
4. On the `SSH Server`, inspect the received file
```
[root@vm1 ~]# ls .ssh/
authorized_keys
[root@vm1 ~]# cat .ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAlmq1z0G/7wbGuSUewfXlFnwzqCg/myqTi/AwP8LP+JJ49xzIKMzpeWXHD8RWIf5RlDzo+6N7uPK5O22x/QtMosi0egz4shavEJeUkO0EH+KygXXgBIGuMWmAsL+yzbgWXT9H3zdzXi/qWcrBeBv2nYB5mpYSf7o0xqdhCst1MTfcYLD8qxvkwC8RiqBA/1u9N6jeDFbHO+UzZYYCr9zgk9uz4Rrhb9BU7c1GhjUCgRwBDAuo47IHw/OT6KS9lb8lT2R/ujVoDARy/eOhw8cAFXo+QcvzNSW2qKf/Qo21uR/wz2u9SRV0lvUDNSvC2PYtR+iPlDwHY81md430yiNf9w== root@10.1.0.1
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDLBNDhvo+LBm93MXZDfHOOR9lo8OyZ8mKGQpTcf65/mFDhQXDXoewteIexXkKv8QEQLhEmhW94ChuKeAjTEwO50RAx8JiMDrxF9nI1mcMSxMrPk3+rH8q0g/HnIRf570mfFD5yjD+Ql/MQI8giveuxBakBDZzHXfBC2s++k3hyA77THsNGBUTLgxI8ZCxoWjkQhuZivz02iAVeIpzZESiCv+sRgEUgWsKKn4z5hvM7E7tyEbDFC7R/W0JPQstnkuk7uCMG2nPW9Mp9qrXTC0GhH1V7yFgEhsh+8hfmBpUkn7Nw/17YnSgwB3aoY7PPAKGdSo8JrIoeNNhw2IE2lr85 root@vm2
```
Received successfully.
5. Verify login from the `SSH Client`
```
[root@vm2 ~]# ssh 192.168.99.241
Last failed login: Wed Dec 28 10:32:38 CST 2016 from vm2 on ssh:notty
There was 1 failed login attempt since the last successful login.
Last login: Wed Dec 28 10:00:07 2016 from 192.168.99.92
[root@vm1 ~]# ifconfig |awk '/broadcast/{print $2}'
192.168.99.241
```
Checking the address shows that we are now logged in to the server without having entered a password.
Note: here we hit the warning “Address 192.168.100.241 maps to bogon, but this does not map back to the address – POSSIBLE BREAK-IN ATTEMPT!”.
The fix is to edit the client's /etc/hosts and add the mapping between the server's IP address and its hostname:
```
(ssh client) # echo "192.168.100.241 vm1" >> /etc/hosts
```
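Two things the steps above rely on but never check are the permissions of `.ssh/` (sshd silently ignores `authorized_keys` in a group- or world-writable directory, and the client refuses a private key readable by others) and the exact set of keys that now grant access, which the closing advice of `ssh-copy-id` asks you to confirm. The following audit script is an added example, not code from the original article; it assumes the directory layout shown in step 2 (`authorized_keys`, `id_rsa`, `id_rsa.pub`, `known_hosts`), GNU `stat` with a BSD fallback, and `authorized_keys` lines without an options prefix.

```bash
#!/bin/bash
# Added example (not from the original article): audit a ~/.ssh directory the
# way sshd (StrictModes) and the ssh client do before they accept it.
# Assumes the layout from the article (authorized_keys, id_rsa, id_rsa.pub,
# known_hosts) and GNU stat, with a BSD stat fallback.

# mode_of PATH -> permission bits in octal, e.g. 700 or 644.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# writable_by_others MODE -> 0 if the group or world digit carries the write bit.
writable_by_others() {
    local m=$1 oth g grp
    oth=${m#"${m%?}"}            # last octal digit (others)
    g=${m%?}; grp=${g#"${g%?}"}  # second-to-last digit (group)
    case "$grp$oth" in *[2367]*) return 0 ;; esac
    return 1
}

# check_ssh_dir DIR -> 0 if sshd would honour DIR/authorized_keys and ssh would
# load the private keys in DIR; 1 otherwise, with each finding on stderr.
check_ssh_dir() {
    local dir=$1 rc=0 f m
    if writable_by_others "$(mode_of "$dir")"; then
        echo "$dir: group/world writable; sshd ignores authorized_keys here" >&2; rc=1
    fi
    for f in authorized_keys id_rsa.pub known_hosts; do
        [ -e "$dir/$f" ] || continue
        if writable_by_others "$(mode_of "$dir/$f")"; then
            echo "$dir/$f: group/world writable" >&2; rc=1
        fi
    done
    for f in id_rsa id_dsa id_ecdsa id_ed25519; do
        [ -e "$dir/$f" ] || continue
        m=$(mode_of "$dir/$f")
        case "$m" in
            *00) ;;   # only the owner may read the private key
            *) echo "$dir/$f: mode $m; ssh refuses a private key readable by others" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# list_authorized_keys FILE -> one "TYPE COMMENT" line per key, so you can
# confirm that only the keys you intended grant access. Lines that start with
# an options prefix (command=..., from=...) are not handled here.
list_authorized_keys() {
    awk '$1 ~ /^(ssh|ecdsa)/ { printf "%s %s\n", $1, ($3 == "" ? "(no comment)" : $3) }' "$1"
}
```

Run `check_ssh_dir ~/.ssh && list_authorized_keys ~/.ssh/authorized_keys` on the server after step 4; the second command would list the two `ssh-rsa` entries shown above by their comments (`root@10.1.0.1` and `root@vm2`), which is the quickest way to spot a key that should not be there.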
II. Creating a `SHELL` script for batch management (`SSH Client`)
1. Create the script `manager.sh`
```bash
#!/bin/bash
#description: ssh test
#version:0.0.1
#author:Jerry <jerry@whitehouse.gov>
#date:2016-12-28
# Run the command given as the first argument on every host listed in iplist.
for ip in $(cat iplist); do
    echo "====$ip===="
    ssh "$ip" "$1"    # quoted so a command with spaces ('df -h') stays one argument
done
```
2. Generate the IP list
```
[root@vm2 rc.d]# echo "192.168.99.241" > iplist
[root@vm2 rc.d]# cat iplist
192.168.99.241
```
3. Run the script
```
[root@vm2 rc.d]# bash manager.sh 'df -h'
====192.168.99.241====
Filesystem      Size  Used Avail Use% Mounted on
/dev/sda2        40G  193M   40G   1% /
devtmpfs        475M     0  475M   0% /dev
tmpfs           489M     0  489M   0% /dev/shm
tmpfs           489M  6.8M  483M   2% /run
tmpfs           489M     0  489M   0% /sys/fs/cgroup
/dev/sda3        20G  2.6G   18G  13% /usr
/dev/sda1       485M  138M  348M  29% /boot
tmpfs            98M     0   98M   0% /run/user/0
[root@vm2 rc.d]#
```
If there are several hosts, copy the public key to each of them and then append their IP addresses to the `iplist` file.
III. Creating a SHELL script for batch distribution (SSH Client)
1. Create the script `distribute.sh`
```
[root@vm2 rc.d]# vim distribute.sh
```
```bash
#!/bin/bash
# Copy the local path given as $1 to the path given as $2 on every host in iplist.
for ip in $(cat iplist)
do
    echo "=========$ip=========="
    scp -r -p "$1" "$ip:$2"
done
```
2. Check the script's IP list
```
[root@vm2 rc.d]# cat iplist
192.168.99.241
```
3. Run the script
Distribute the files under the local /root directory to the `SSH server` host:
```
[root@vm2 rc.d]# sh distribute.sh /root /tmp
=========192.168.99.241==========
.bash_logout          100%   18     0.0KB/s   00:00
.bash_profile         100%  176     0.2KB/s   00:00
.bashrc               100%  176     0.2KB/s   00:00
.cshrc                100%  100     0.1KB/s   00:00
.tcshrc               100%  129     0.1KB/s   00:00
authorized_keys       100%  395     0.4KB/s   00:00
known_hosts           100%  176     0.2KB/s   00:00
id_rsa                100% 1675     1.6KB/s   00:00
id_rsa.pub            100%  390     0.4KB/s   00:00
anaconda-ks.cfg       100% 2612     2.6KB/s   00:00
lastnotification      100%   11     0.0KB/s   00:00
.bash_history         100%  620     0.6KB/s   00:00
.Xauthority           100%  109     0.1KB/s   00:00
.viminfo              100%  908     0.9KB/s   00:00
[root@vm2 rc.d]#
```
Verify on the SSH server:
```
[root@vm1 ~]# ls /tmp/
a.txt  ks-script-fCpUTO  root
```
Distribution succeeded.
IV. Batch deployment
Deployment here combines the two SHELL-script functions above, batch management and batch distribution.
Because this operation carries security risks, batch management as root is not recommended. Instead, create an unprivileged user and use sudo to elevate privileges where needed.
Setting up key authentication as an unprivileged user and elevating with sudo for management, distribution and deployment
SSH Server
```
[root@vm1 ~]# useradd user1
[root@vm1 ~]# echo "123456" |passwd --stdin user1
```
SSH Client
```
[root@vm2 ~]# useradd user2
[root@vm2 ~]# echo "123456"|passwd --stdin user2
[root@vm2 ~]# su - user2
[user2@vm2 ~]$ ssh-keygen -t rsa    # press Enter three times to accept the defaults
[user2@vm2 ~]$ ssh-copy-id -i .ssh/id_rsa.pub user1@192.168.99.241    # enter "123456"; distribution is done
```
Verification:
```
[user2@vm2 ~]$ ssh user1@192.168.99.241 /sbin/ifconfig eno16777736
eno16777736: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.99.241  netmask 255.255.255.0  broadcast 192.168.99.255
        inet6 fe80::20c:29ff:fe93:c008  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:93:c0:08  txqueuelen 1000  (Ethernet)
        RX packets 14121  bytes 1502069 (1.4 MiB)
        RX errors 0  dropped 7  overruns 0  frame 0
        TX packets 2792  bytes 410399 (400.7 KiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
# the server's IP address comes back, so key authentication succeeded
```
At this point the client user user2 can distribute files without a password into directories owned by user1 on the server, but to distribute into directories owned by root, sudo elevation is required.
1. `sudo` elevation on the server
```
[root@vm1 ~]# su - user1
[user1@vm1 ~]$ su - root
Password:
Last login: Wed Dec 28 10:58:01 CST 2016 from vm2 on pts/1
[root@vm1 ~]# echo "user1 ALL=(ALL) NOPASSWD:/usr/bin/rsync,/bin/tar,/usr/bin/scp,/bin/cp" >> /etc/sudoers
```
2. Verify the elevation
```
[root@vm1 ~]# su - user1
[user1@vm1 ~]$ sudo -l
Matching Defaults entries for user1 on this host:
    requiretty, !visiblepw, always_set_home, env_reset,
    env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User user1 may run the following commands on this host:
    (ALL) NOPASSWD: /usr/bin/rsync, (ALL) /bin/tar, (ALL) /usr/bin/scp, (ALL) /bin/cp
# the elevation is in place
```
3. From the client, first distribute to user1's home directory on the server
```
[user2@vm2 ~]$ scp -P22 -r -p /home/user2/ user1@192.168.99.241:/home/user1
.bash_logout        100%   18     0.0KB/s   00:00
.bash_profile       100%  193     0.2KB/s   00:00
.bashrc             100%  231     0.2KB/s   00:00
lastnotification    100%   11     0.0KB/s   00:00
id_rsa              100% 1679     1.6KB/s   00:00
id_rsa.pub          100%  391     0.4KB/s   00:00
known_hosts         100%  176     0.2KB/s   00:00
```
4. Connect to the server and run `sudo cp` to copy the files locally (`ssh -t` allocates a terminal, which the `requiretty` default shown by `sudo -l` above demands)
```
[user2@vm2 ~]$ ssh -t user1@192.168.99.241 sudo cp /home/user1/ /etc
cp: omitting directory ‘/home/user1/’
Connection to 192.168.99.241 closed.
```
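The deployment the article describes in sections II, III and IV is a loop over `iplist` that first stages files under the unprivileged account and then moves them into place with the delegated `cp`. The script below is an added example, not code from the original article; it puts the two steps into one `deploy.sh`, assumes the accounts from the article (`user2` on the client, `user1` on the server with `NOPASSWD` sudo for `/bin/cp`), a staging directory `/home/user1/stage` (a name chosen here), and a `DRY_RUN=1` switch (also chosen here) that prints the commands instead of running them so the logic can be checked offline. It also passes `-r` to `cp`, since the transcript above shows that a plain `cp` skips a directory.

```bash
#!/bin/bash
# Added example (not from the original article): deploy.sh combines the
# article's manager.sh and distribute.sh into one unprivileged deployment step.
# Assumptions: user2 on the client, user1 on the server with NOPASSWD sudo for
# /bin/cp, an iplist file with one host per line, and a staging directory
# under user1's home. DRY_RUN=1 prints the commands instead of running them.

REMOTE_USER=${REMOTE_USER:-user1}
STAGE_DIR=${STAGE_DIR:-/home/user1/stage}

# Options the article's scripts leave at their defaults: BatchMode never falls
# back to a password prompt (a broken key fails fast instead of hanging a batch
# run), ConnectTimeout bounds a dead host, and StrictHostKeyChecking=yes refuses
# a host whose key is not already in known_hosts rather than learning it.
SSH_OPTS="-o BatchMode=yes -o ConnectTimeout=5 -o StrictHostKeyChecking=yes"

# read_hosts FILE -> host addresses, ignoring blank lines and '#' comments.
read_hosts() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | awk '{print $1}'
}

# run CMD... -> execute CMD, or print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# deploy_one HOST SRC DEST: stage SRC under the unprivileged account, then use
# the delegated cp to move it into the root-owned DEST. -r is required, or cp
# reports "omitting directory" as in the article's transcript.
deploy_one() {
    local host=$1 src=$2 dest=$3
    local stage="$STAGE_DIR/$(basename "$src")"
    run scp $SSH_OPTS -r -p "$src" "$REMOTE_USER@$host:$STAGE_DIR/" || return 1
    run ssh $SSH_OPTS -t "$REMOTE_USER@$host" sudo /bin/cp -r "$stage" "$dest"
}

# deploy_all IPLIST SRC DEST -> 0 if every host succeeded, else the failure count.
deploy_all() {
    local failed=0 host
    for host in $(read_hosts "$1"); do
        echo "=========$host=========="
        deploy_one "$host" "$2" "$3" || failed=$((failed + 1))
    done
    return $failed
}

# Usage: bash deploy.sh --run iplist /root/app /etc
if [ "${1:-}" = "--run" ]; then
    deploy_all "${2:-iplist}" "$3" "$4"
fi
```

Two points on the server side of this design. Stage only the files being deployed, not a whole home directory: the `scp -r /home/user2/` step in the article also ships `id_rsa`, the private key that grants the access, to the server. And when granting the delegated commands, a fragment under `/etc/sudoers.d` checked with `visudo -cf` is safer than appending to `/etc/sudoers`, because a typo in that file disables sudo for everyone; sudoers also accepts arguments in a command spec, so the grant can name the staging path and destination instead of an unrestricted `/bin/cp`.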
Original article by rex; if reposting, please cite the source: http://www.178linux.com/65115