Linux-11: SSH key passwordless distribution, management and backup

SSH is a protocol built to secure remote login sessions and other network services: the session is encrypted and both ends are authenticated, so using it for remote administration keeps credentials and commands from being read or altered in transit, which telnet and rlogin cannot guarantee.

By default the SSH server provides two services: an interactive remote shell in the role telnet used to fill, and sftp-server, which offers FTP-like file transfer over the same encrypted, authenticated channel (SFTP is a subsystem of SSH, not FTP tunnelled over SSH).

SSH offers two levels of authentication

1. Password authentication

The user authenticates with an account name and password and is logged in to the remote host. Everything on the wire is encrypted, but anyone who learns or guesses the password gets the account.

2. Key-based authentication

The user generates a key pair and places the public key on every server they need to reach. When the client connects, it offers the key; sshd looks the public key up in authorized_keys under that user's home directory and, if it is listed, sends a challenge that the client signs with the matching private key. sshd verifies the signature with the public key and admits the session. The private key never leaves the client, so nothing reusable crosses the network, and a compromised server holds only public keys, which are useless for logging in anywhere else.

 

I. Distributing data

1. Check the environment

[root@C64-5-S ~]# cat /etc/redhat-release 
CentOS release 6.10 (Final)
[root@C64-5-S ~]# uname -mi
x86_64 x86_64
[root@C64-5-S ~]# uname -r
2.6.32-754.2.1.el6.x86_64

2. Add a user (we use three identical servers: the server S (2.2.2.5) and the clients B (2.2.2.6) and C (2.2.2.7)). The password is set equal to the user name purely as a lab shortcut; on a real host that is the first guess a brute-force attempt makes.

[root@C64-5-S ~]# useradd syner
[root@C64-5-S ~]# echo "syner"|passwd --stdin syner
Changing password for user syner.
passwd: all authentication tokens updated successfully.
[root@C64-5-S ~]# tail -1 /etc/passwd
syner:x:514:514::/home/syner:/bin/bash
[root@C64-6-B ~]# useradd syner
[root@C64-6-B ~]# echo "syner"|passwd --stdin syner
Changing password for user syner.
passwd: all authentication tokens updated successfully.
[root@C64-6-B ~]# tail -1 /etc/passwd
syner:x:514:514::/home/syner:/bin/bash
[root@C64-7-C ~]# useradd syner
[root@C64-7-C ~]# echo "syner"|passwd --stdin syner
Changing password for user syner.
passwd: all authentication tokens updated successfully.
[root@C64-7-C ~]# tail -1 /etc/passwd
syner:x:514:514::/home/syner:/bin/bash

3. Generate the key pair

[root@C64-5-S ~]# su - syner
[syner@C64-5-S ~]$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/syner/.ssh/id_dsa): 
Created directory '/home/syner/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/syner/.ssh/id_dsa.
Your public key has been saved in /home/syner/.ssh/id_dsa.pub.
The key fingerprint is:
ba:19:34:a6:2a:8c:fa:48:28:03:3f:b2:73:f1:44:e7 syner@C64-5-S
The key's randomart image is:
+--[ DSA 1024]----+
|                 |
|                 |
|                 |
|    . .          |
|.  . o+ S        |
|o.. .+Eo         |
|B.o+. o          |
|**.o.  +         |
|==o   o          |
+-----------------+
[syner@C64-5-S ~]$ tree .ssh
.ssh
├── id_dsa
└── id_dsa.pub

0 directories, 2 files
[syner@C64-5-S ~]$ ls -al
total 28
drwx------   4 syner syner 4096 Sep 22 22:04 .
drwxr-xr-x. 17 root  root  4096 Sep 22 19:58 ..
drwx------   2 syner syner 4096 Sep 22 22:04 .ssh

 

[syner@C64-5-S ~]$ ls -al .ssh
total 16
drwx------ 2 syner syner 4096 Sep 22 22:04 .
drwx------ 4 syner syner 4096 Sep 22 22:04 ..
-rw------- 1 syner syner  668 Sep 22 22:04 id_dsa
-rw-r--r-- 1 syner syner  603 Sep 22 22:04 id_dsa.pub

Creating the key makes a hidden .ssh directory in the user's home directory and stores the public and private key there.

The .ssh directory is mode 700, the public key 644 and the private key 600. Keep them that way: with StrictModes (the default) sshd ignores a .ssh directory or authorized_keys file that is writable by group or others, and ssh refuses to use a private key that other users can read.

Two caveats on the key itself. ssh-keygen -t dsa produces a 1024-bit DSA key (the only DSA size OpenSSH supports), and OpenSSH 7.0 and later no longer accept ssh-dss keys by default, so on anything newer than CentOS 6 generate an ed25519 key (ssh-keygen -t ed25519) or a 3072-bit or larger RSA key instead. The empty passphrase chosen above is what makes the automation below work, but it also means the key file is the whole secret: anyone who can read id_dsa on S can log in as syner on every host the public key is distributed to.
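The modes above are what sshd's StrictModes and ssh's own private-key check enforce, and a wrong mode is the most common reason a freshly copied key silently falls back to a password prompt. The following check is added here and is not part of the original article: it walks a .ssh directory and reports any mode that would make sshd or ssh ignore the key material. The directory is passed as an argument so it can be run against any account or a constructed test tree; it assumes GNU stat, with the BSD stat syntax as a fallback.

```shell
#!/bin/sh
# Added example: report modes in a .ssh directory that sshd (StrictModes) or
# ssh would reject. Usage: check_ssh_dir /home/syner/.ssh
# Assumes GNU stat; falls back to the BSD/macOS stat syntax.

mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Returns 0 if every mode is acceptable, 1 otherwise; prints each problem.
check_ssh_dir() {
    dir="$1"
    rc=0
    if [ ! -d "$dir" ]; then
        echo "missing directory: $dir"
        return 1
    fi
    # The directory must not be writable by group or others (700 is the
    # conventional choice; sshd also tolerates 750 and 755).
    m=$(mode_of "$dir")
    case "$m" in
        700|750|755) ;;
        *) echo "$dir: mode $m, want 700"; rc=1 ;;
    esac
    # Private keys: ssh ignores a key file that anyone else can read.
    for key in "$dir"/id_dsa "$dir"/id_rsa "$dir"/id_ecdsa "$dir"/id_ed25519; do
        [ -f "$key" ] || continue
        m=$(mode_of "$key")
        case "$m" in
            600|400) ;;
            *) echo "$key: mode $m, want 600"; rc=1 ;;
        esac
    done
    # authorized_keys may be world-readable, but never group/other writable.
    if [ -f "$dir/authorized_keys" ]; then
        m=$(mode_of "$dir/authorized_keys")
        case "$m" in
            600|400|640|644) ;;
            *) echo "$dir/authorized_keys: mode $m, want 600 or 644"; rc=1 ;;
        esac
    fi
    return "$rc"
}

if [ "$#" -gt 0 ]; then
    check_ssh_dir "$1"
fi
```

Run it as the user whose keys are being checked, on both the client (private key) and each target (authorized_keys); a non-zero exit means sshd or ssh would ignore something in that directory.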

4. Distribute the public key

Copy the public key into the syner home directory on B and C. ssh-copy-id appends it to ~/.ssh/authorized_keys on the target, creating the directory and file with suitable modes if they do not exist.

[syner@C64-5-S .ssh]$ ssh-copy-id -i id_dsa.pub "-p 52113 syner@2.2.2.6"
The authenticity of host '[2.2.2.6]:52113 ([2.2.2.6]:52113)' can't be established.
RSA key fingerprint is 3b:0e:09:84:dc:78:05:90:5a:4e:a1:ba:fd:71:7f:89.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[2.2.2.6]:52113' (RSA) to the list of known hosts.
syner@2.2.2.6's password: 
Now try logging into the machine, with "ssh '-p 52113 syner@2.2.2.6'", and check in:

  .ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

Because the sshd port was changed earlier, the port has to be passed along; the ssh-copy-id shipped with OpenSSH 5.3 has no port option of its own, so the -p 52113 goes inside the quoted host argument as shown (newer versions accept -p 52113 directly).

Note the host-key prompt. The first connection to a host is trust-on-first-use: answer yes only after checking the fingerprint against the one printed by ssh-keygen -l on the target, otherwise an interposed host on the first contact is accepted permanently. Also notice that 2.2.2.6, 2.2.2.7 and (later) 2.2.2.5 all show the same RSA host key fingerprint, 3b:0e:09:84:..., which means these VMs were cloned with /etc/ssh/ssh_host_* included. Cloned hosts should regenerate their host keys, or known_hosts cannot tell them apart.

Check that the public key was published

[test@C64-6-B ~]$ su - syner
Password: 
[syner@C64-6-B ~]$ 
[syner@C64-6-B ~]$ 
[syner@C64-6-B ~]$ ls -al
total 28
drwx------   4 syner syner 4096 Sep 22 22:42 .
drwxr-xr-x. 17 root  root  4096 Sep 22 19:58 ..
-rw-r--r--   1 syner syner   18 Mar 23  2017 .bash_logout
-rw-r--r--   1 syner syner  176 Mar 23  2017 .bash_profile
-rw-r--r--   1 syner syner  124 Mar 23  2017 .bashrc
drwxr-xr-x   2 syner syner 4096 Nov 12  2010 .gnome2
drwx------   2 syner syner 4096 Sep 22 22:42 .ssh
[syner@C64-6-B ~]$ cd .ssh/
[syner@C64-6-B .ssh]$ ls -al
total 12
drwx------ 2 syner syner 4096 Sep 22 22:42 .
drwx------ 4 syner syner 4096 Sep 22 22:42 ..
-rw------- 1 syner syner  603 Sep 22 22:42 authorized_keys

Publish the public key to the other machine

[syner@C64-5-S .ssh]$ ssh-copy-id -i id_dsa.pub "-p 52113 syner@2.2.2.7"
The authenticity of host '[2.2.2.7]:52113 ([2.2.2.7]:52113)' can't be established.
RSA key fingerprint is 3b:0e:09:84:dc:78:05:90:5a:4e:a1:ba:fd:71:7f:89.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[2.2.2.7]:52113' (RSA) to the list of known hosts.
syner@2.2.2.7's password: 
Now try logging into the machine, with "ssh '-p 52113 syner@2.2.2.7'", and check in:

  .ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

Check that it was published

[root@C64-7-C ~]# su - syner
[syner@C64-7-C ~]$ ls -al
total 28
drwx------   4 syner syner 4096 Sep 22 22:46 .
drwxr-xr-x. 17 root  root  4096 Sep 22 19:58 ..
-rw-r--r--   1 syner syner   18 Mar 23  2017 .bash_logout
-rw-r--r--   1 syner syner  176 Mar 23  2017 .bash_profile
-rw-r--r--   1 syner syner  124 Mar 23  2017 .bashrc
drwxr-xr-x   2 syner syner 4096 Nov 12  2010 .gnome2
drwx------   2 syner syner 4096 Sep 22 22:46 .ssh
[syner@C64-7-C ~]$ ls -al .ssh/
total 12
drwx------ 2 syner syner 4096 Sep 22 22:46 .
drwx------ 4 syner syner 4096 Sep 22 22:46 ..
-rw------- 1 syner syner  603 Sep 22 22:46 authorized_keys

Look at the sshd configuration: the commented-out line shows the compiled-in default, so the file sshd consults is ~/.ssh/authorized_keys, which is where ssh-copy-id put the key.

[root@C64-5-S ~]# cat /etc/ssh/sshd_config | grep AuthorizedKeysFile 
#AuthorizedKeysFile     .ssh/authorized_keys

5. Test running a command over ssh

[syner@C64-5-S ~]$ ssh -p 52113 syner@2.2.2.6 /sbin/ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:0C:29:79:36:89  
          inet addr:2.2.2.6  Bcast:2.2.2.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe79:3689/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:23456 errors:0 dropped:0 overruns:0 frame:0
          TX packets:890 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:1457992 (1.3 MiB)  TX bytes:88259 (86.1 KiB)
[syner@C64-5-S ~]$ ssh -p 52113 syner@2.2.2.7 /sbin/ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:0C:29:BA:45:99  
          inet addr:2.2.2.7  Bcast:2.2.2.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:feba:4599/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:23234 errors:0 dropped:0 overruns:0 frame:0
          TX packets:761 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:1439707 (1.3 MiB)  TX bytes:73715 (71.9 KiB)

II. Backup

We back up B and C to the server S.

1. Generate keys

[syner@C64-5-S ~]$ ls -al .ssh
total 20
drwx------ 2 syner syner 4096 Sep 22 22:42 .
drwx------ 4 syner syner 4096 Sep 22 22:50 ..
-rw------- 1 syner syner  668 Sep 22 22:04 id_dsa
-rw-r--r-- 1 syner syner  603 Sep 22 22:04 id_dsa.pub
-rw-r--r-- 1 syner syner  794 Sep 22 22:46 known_hosts

A key pair already exists on S, so we do not generate a new one.

This time the direction is reversed: B and C need to ssh to S without a password, and the article achieves that by handing S's private key to B and C. Understand what that means before copying it: the same private key then lives on three hosts, a compromise of either client yields access to S and to the other client, and the key cannot be revoked for one host without rotating it everywhere. The right shape is for each client to generate its own pair and for S to collect their public keys in authorized_keys, ideally with each entry restricted to the backup command. The steps as the article performs them follow.

2. Distribute the key

[syner@C64-5-S ~]$ scp -P52113 -p .ssh/id_dsa syner@2.2.2.6:~/.ssh/
id_dsa                                                      100%  668     0.7KB/s   00:00 

Check that the copy arrived

[syner@C64-6-B ~]$ ls -al .ssh
total 16
drwx------ 2 syner syner 4096 Sep 23 09:57 .
drwx------ 4 syner syner 4096 Sep 22 23:46 ..
-rw------- 1 syner syner  603 Sep 22 22:42 authorized_keys
-rw------- 1 syner syner  668 Sep 22 22:04 id_dsa

Distribute to the other server

[syner@C64-5-S ~]$ scp -P52113 -p .ssh/id_dsa syner@2.2.2.7:~/.ssh/
id_dsa                                                      100%  668     0.7KB/s   00:00 

Check that the copy arrived

[syner@C64-7-C ~]$ ls -al .ssh
total 16
drwx------ 2 syner syner 4096 Sep 23 09:59 .
drwx------ 4 syner syner 4096 Sep 22 23:46 ..
-rw------- 1 syner syner  603 Sep 22 22:46 authorized_keys
-rw------- 1 syner syner  668 Sep 22 22:04 id_dsa

On S, rename the public key to the file name sshd reads by default, authorized_keys. Appending it instead (cat id_dsa.pub >> authorized_keys) would keep id_dsa.pub in place, which is usually what you want; a 644 authorized_keys is fine for sshd as long as nobody but the owner can write it.

[syner@C64-5-S ~]$ cd .ssh/
[syner@C64-5-S .ssh]$ ll
total 12
-rw------- 1 syner syner 668 Sep 22 22:04 id_dsa
-rw-r--r-- 1 syner syner 603 Sep 22 22:04 id_dsa.pub
-rw-r--r-- 1 syner syner 794 Sep 22 22:46 known_hosts
[syner@C64-5-S .ssh]$ mv id_dsa.pub authorized_keys
[syner@C64-5-S .ssh]$ ll
total 12
-rw-r--r-- 1 syner syner 603 Sep 22 22:04 authorized_keys
-rw------- 1 syner syner 668 Sep 22 22:04 id_dsa
-rw-r--r-- 1 syner syner 794 Sep 22 22:46 known_hosts

3. Test connectivity (the first-contact host-key prompt appears again, showing the same cloned fingerprint)

[syner@C64-6-B ~]$ ssh -p 52113 syner@2.2.2.5 /sbin/ifconfig eth0
The authenticity of host '[2.2.2.5]:52113 ([2.2.2.5]:52113)' can't be established.
RSA key fingerprint is 3b:0e:09:84:dc:78:05:90:5a:4e:a1:ba:fd:71:7f:89.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[2.2.2.5]:52113' (RSA) to the list of known hosts.
eth0      Link encap:Ethernet  HWaddr 00:0C:29:CA:07:AA  
          inet addr:2.2.2.5  Bcast:2.2.2.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:feca:7aa/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:30133 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2995 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:1937162 (1.8 MiB)  TX bytes:478213 (467.0 KiB)
[syner@C64-7-C ~]$ ssh -p 52113 syner@2.2.2.5 /sbin/ifconfig eth0
The authenticity of host '[2.2.2.5]:52113 ([2.2.2.5]:52113)' can't be established.
RSA key fingerprint is 3b:0e:09:84:dc:78:05:90:5a:4e:a1:ba:fd:71:7f:89.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[2.2.2.5]:52113' (RSA) to the list of known hosts.
eth0      Link encap:Ethernet  HWaddr 00:0C:29:CA:07:AA  
          inet addr:2.2.2.5  Bcast:2.2.2.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:feca:7aa/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:30166 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3021 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:1941659 (1.8 MiB)  TX bytes:483082 (471.7 KiB)

4. Run the backup. scp -rp copies /etc recursively with modes and timestamps preserved; here it lands under /tmp on S, which every local user can traverse, so a real backup target should be a dedicated directory with restrictive modes.

[syner@C64-6-B ~]$ scp -P52113 -rp /etc syner@2.2.2.5:/tmp

rsync                                                       100%  332     0.3KB/s   00:00    
rc.local                                                    100%  345     0.3KB/s   00:00    
utmp.conf                                                   100%  564     0.6KB/s   00:00    
pthread.conf                                                100% 7686     7.5KB/s   00:00    
latrace.conf                                                100%   74     0.1KB/s   00:00    
syscall.conf                                                100% 6342     6.2KB/s   00:00  
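The example below is added here and is not part of the original article; it shows the shape described at the start of this part for the reverse direction: each client keeps its own private key, and S restricts what that key may do. restricted_key_line wraps a client's public key in authorized_keys options (from= pins the source address, command= forces a receiver program, and the no-* options remove the shell, pty and forwarding), and the entry point at the bottom is that forced command: sshd places whatever the client actually asked for in SSH_ORIGINAL_COMMAND, and only the server-side forms of rsync and scp that write under /backup/<client> are executed. The /backup root, the /usr/local/bin/backup-receiver path and the ed25519 key used in the check are assumptions of this example. Every option used exists in OpenSSH 5.3; on OpenSSH 7.2 and later the single restrict keyword can replace the no-* list.

```shell
#!/bin/sh
# Added example (not from the original article): S accepts backups from each
# client's own key, restricted to a forced command that only permits the
# receiving side of rsync/scp under BACKUP_ROOT/<client>.
# BACKUP_ROOT and RECEIVER are assumptions for this example.

BACKUP_ROOT="${BACKUP_ROOT:-/backup}"
RECEIVER="${RECEIVER:-/usr/local/bin/backup-receiver}"

# Build one authorized_keys line for S from a client's id_*.pub contents.
# $1 = client IP (used for from= and as the directory name), $2 = public key line.
restricted_key_line() {
    printf 'from="%s",command="%s %s",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' \
        "$1" "$RECEIVER" "$1" "$2"
}

# Decide whether a client's requested command may run.
# $1 = client tag, $2 = the SSH_ORIGINAL_COMMAND string. Returns 0 (allow) / 1 (deny).
backup_cmd_allowed() {
    dest="$BACKUP_ROOT/$1"
    cmd="$2"
    # Shell metacharacters and ".." never appear in a legitimate request.
    case "$cmd" in
        ''|*..*|*';'*|*'&'*|*'|'*|*'`'*|*'$'*|*'<'*|*'>'*) return 1 ;;
    esac
    case "$cmd" in
        # rsync's receiving side: "rsync --server <flags> . <dest>"
        "rsync --server "*" . $dest"|"rsync --server "*" . $dest/"*) ;;
        # scp's receiving side: "scp [-r] [-p] -t <dest>"
        "scp -t $dest"|"scp -t $dest/"*|"scp -"[rpd]*" -t $dest"|"scp -"[rpd]*" -t $dest/"*) ;;
        *) return 1 ;;
    esac
    # rsync must not get to start a transport program of the client's choosing.
    case "$cmd" in
        *" -e "*|*" --rsh"*) return 1 ;;
    esac
    return 0
}

# Forced-command entry point: sshd runs "$RECEIVER <client>" with the real
# request in SSH_ORIGINAL_COMMAND. Anything not allowed is logged and refused;
# a plain "ssh" with no command gets nothing at all, not a shell.
if [ "$#" -eq 1 ] && [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if backup_cmd_allowed "$1" "$SSH_ORIGINAL_COMMAND"; then
        mkdir -p "$BACKUP_ROOT/$1"
        exec $SSH_ORIGINAL_COMMAND
    fi
    logger -t backup-receiver "denied from $1: $SSH_ORIGINAL_COMMAND"
    exit 1
fi
```

Install the script root-owned and mode 0755 at the RECEIVER path on S, and for each client append the output of restricted_key_line (with that client's own id_*.pub) to ~syner/.ssh/authorized_keys. The client then runs rsync -avz -e 'ssh -p 52113' /etc syner@2.2.2.5:/backup/2.2.2.6/ and nothing else; losing that client's key exposes only its own backup directory on S, and removing its one line in authorized_keys revokes it.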

 

Several approaches to backups

1. rsync: run an rsync daemon on the backup server and make every node an rsync client. This is the usual method in production.

2. FTP: run an FTP daemon on the backup server and have every node push its data to it as an FTP client. Plain FTP sends credentials and data in clear, so it belongs only on an isolated network.

3. NFS: export a share from the backup server, mount it on every node and copy the data into it. Not recommended; it scales poorly with many machines.

4. scp over SSH keys, or expect-driven interactive transfers. Not recommended; expect scripts in particular have to carry the password in clear text.

 

Example 1: key authentication directly as root (not recommended)

The server S distributes to the clients B and C

Create the key pair on the server

[root@C64-5-S ~]# ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/root/.ssh/id_dsa): 
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_dsa.
Your public key has been saved in /root/.ssh/id_dsa.pub.
The key fingerprint is:
1a:07:e9:8b:ee:f8:72:da:22:51:33:f4:28:37:ab:c6 root@C64-5-S
The key's randomart image is:
+--[ DSA 1024]----+
|                 |
|  .    .         |
| . o  o          |
|. B .. .         |
| + =  o S        |
|. .  . =         |
|.o  . o          |
|oEo+.            |
|..oB=            |
+-----------------+
[root@C64-5-S ~]# 
[root@C64-5-S ~]# ls -al .ssh
total 16
drwx------  2 root root 4096 Sep 23 11:58 .
dr-xr-x---. 5 root root 4096 Sep 23 11:58 ..
-rw-------  1 root root  668 Sep 23 11:58 id_dsa
-rw-r--r--  1 root root  602 Sep 23 11:58 id_dsa.pub

We earlier disabled remote root login, so first undo that setting. If root key login is genuinely needed, the setting to use is PermitRootLogin without-password (renamed prohibit-password in OpenSSH 7.0), which admits root with a key but never with a password; the plain yes used here reopens password guessing against root on every host.

[root@C64-5-S ~]# vi /etc/ssh/sshd_config
PermitRootLogin yes
[root@C64-5-S ~]# /etc/init.d/sshd restart
Stopping sshd: [  OK  ]
Starting sshd: [  OK  ]

[root@C64-6-B ~]# vi /etc/ssh/sshd_config
PermitRootLogin yes
[root@C64-6-B ~]# /etc/init.d/sshd restart
Stopping sshd: [  OK  ]
Starting sshd: [  OK  ]

[root@C64-7-C ~]# vi /etc/ssh/sshd_config
PermitRootLogin yes
[root@C64-7-C ~]# /etc/init.d/sshd  restart
Stopping sshd: [  OK  ]
Starting sshd: [  OK  ]

Then distribute the public key

[root@C64-5-S ~]# ssh-copy-id -i .ssh/id_dsa.pub "-p 52113 2.2.2.6"
root@2.2.2.6's password: 
Now try logging into the machine, with "ssh '-p 52113 2.2.2.6'", and check in:

  .ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.
[root@C64-5-S ~]# ssh-copy-id -i .ssh/id_dsa.pub "-p 52113 2.2.2.7"
The authenticity of host '[2.2.2.7]:52113 ([2.2.2.7]:52113)' can't be established.
RSA key fingerprint is 3b:0e:09:84:dc:78:05:90:5a:4e:a1:ba:fd:71:7f:89.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[2.2.2.7]:52113' (RSA) to the list of known hosts.
root@2.2.2.7's password: 
Now try logging into the machine, with "ssh '-p 52113 2.2.2.7'", and check in:

  .ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

Test connectivity

[root@C64-5-S ~]# ssh -p 52113 2.2.2.6 /sbin/ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:0C:29:79:36:89  
          inet addr:2.2.2.6  Bcast:2.2.2.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe79:3689/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:37907 errors:0 dropped:0 overruns:0 frame:0
          TX packets:24863 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:2687536 (2.5 MiB)  TX bytes:25927411 (24.7 MiB)
[root@C64-5-S ~]# ssh -p 52113 2.2.2.7 /sbin/ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:0C:29:BA:45:99  
          inet addr:2.2.2.7  Bcast:2.2.2.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:feba:4599/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:29755 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1449 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:1880516 (1.7 MiB)  TX bytes:151824 (148.2 KiB)

Now write a small management script and run it to inspect B and C

[root@C64-5-S ~]# vi manage.sh
#!/bin/sh
# run the command given as $1 on every host listed in iplist
for ip in $(cat iplist)
do
        echo "======$ip======"
        # BatchMode: fail instead of hanging on a password prompt when a key is missing
        ssh -p 52113 -o BatchMode=yes "$ip" "$1"
done

Create the IP list file

[root@C64-5-S ~]# echo "2.2.2.6">>iplist
[root@C64-5-S ~]# echo "2.2.2.7">>iplist
[root@C64-5-S ~]# more iplist 
2.2.2.6
2.2.2.7

Run management commands

[root@C64-5-S ~]# sh manage.sh "df -h"
======2.2.2.6======
Filesystem      Size  Used Avail Use% Mounted on
/dev/sda3       7.1G  2.2G  4.6G  32% /
tmpfs           937M     0  937M   0% /dev/shm
/dev/sda1       190M   65M  115M  37% /boot
======2.2.2.7======
Filesystem      Size  Used Avail Use% Mounted on
/dev/sda3       7.1G  2.2G  4.6G  32% /
tmpfs           937M     0  937M   0% /dev/shm
/dev/sda1       190M   65M  115M  37% /boot
[root@C64-5-S ~]# sh manage.sh "free -m"
======2.2.2.6======
             total       used       free     shared    buffers     cached
Mem:          2001        336       1665          0         44        166
-/+ buffers/cache:        125       1876
Swap:          511          0        511
======2.2.2.7======
             total       used       free     shared    buffers     cached
Mem:          2001        320       1681          0         43        151
-/+ buffers/cache:        124       1876
Swap:          511          0        511
[root@C64-5-S ~]# sh manage.sh "uptime"
======2.2.2.6======
 12:27:26 up 10:06,  1 user,  load average: 0.00, 0.00, 0.00
======2.2.2.7======
 12:27:26 up 10:05,  1 user,  load average: 0.00, 0.00, 0.00

Write a distribution script

[root@C64-5-S ~]# cp manage.sh fenfa.sh
[root@C64-5-S ~]# vi fenfa.sh 

#!/bin/sh
# copy the local path $1 to the path $2 on every host listed in iplist
for ip in $(cat iplist)
do
        echo "======$ip======"
        scp -rp -P52113 -o BatchMode=yes "$1" "$ip:$2"
done

Run the distribution

[root@C64-5-S ~]# sh fenfa.sh /etc /tmp
======2.2.2.6======
sudo.conf                                                   100% 1786     1.7KB/s   00:00    
rsync                                                       100%  332     0.3KB/s   00:00    
rc.local                                                    100%  314     0.3KB/s   00:00 

======2.2.2.7======
sudo.conf                                                   100% 1786     1.7KB/s   00:00    
rsync                                                       100%  332     0.3KB/s   00:00    
rc.local                                                    100%  314     0.3KB/s   00:00    

Finally, remove the configuration we just made. Setting PermitRootLogin back to no only takes effect once sshd is restarted, as was done when it was enabled; without that restart the running daemon keeps accepting root logins.

[root@C64-5-S ~]# rm -rf .ssh/
[root@C64-5-S ~]# vi /etc/ssh/sshd_config
PermitRootLogin no
[root@C64-6-B ~]# rm -rf .ssh/
[root@C64-6-B ~]# vi /etc/ssh/sshd_config
PermitRootLogin no
[root@C64-7-C ~]# rm -rf .ssh/
[root@C64-7-C ~]# vi /etc/ssh/sshd_config
PermitRootLogin no

 

Example 2: keys for an unprivileged user, escalating with sudo (the recommended method)

Again the server S distributes to the clients B and C

[root@C64-5-S ~]# useradd ssher
[root@C64-5-S ~]# echo "ssher"|passwd --stdin ssher
Changing password for user ssher.
passwd: all authentication tokens updated successfully.
[root@C64-6-B ~]# useradd ssher
[root@C64-6-B ~]# echo "ssher"|passwd --stdin ssher
Changing password for user ssher.
passwd: all authentication tokens updated successfully.
[root@C64-7-C ~]# useradd ssher
[root@C64-7-C ~]# echo "ssher"|passwd --stdin ssher
Changing password for user ssher.
passwd: all authentication tokens updated successfully.
[ssher@C64-5-S ~]$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/ssher/.ssh/id_dsa): 
Created directory '/home/ssher/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/ssher/.ssh/id_dsa.
Your public key has been saved in /home/ssher/.ssh/id_dsa.pub.
The key fingerprint is:
6a:7d:b9:64:48:ea:68:39:a9:ee:57:33:e4:a8:f0:4e ssher@C64-5-S
The key's randomart image is:
+--[ DSA 1024]----+
|                 |
|                 |
|                 |
|      .          |
|     +  S        |
|.   . == . .     |
| oE. ++oo =      |
| .o *+   + .     |
| +=+...   .      |
+-----------------+
[ssher@C64-5-S ~]$ 
[ssher@C64-5-S ~]$ ls -al .ssh
total 16
drwx------ 2 ssher ssher 4096 Sep 23 12:55 .
drwx------ 4 ssher ssher 4096 Sep 23 12:55 ..
-rw------- 1 ssher ssher  668 Sep 23 12:55 id_dsa
-rw-r--r-- 1 ssher ssher  603 Sep 23 12:55 id_dsa.pub
[ssher@C64-5-S ~]$ ssh-copy-id -i .ssh/id_dsa.pub "-p 52113 ssher@2.2.2.6"
The authenticity of host '[2.2.2.6]:52113 ([2.2.2.6]:52113)' can't be established.
RSA key fingerprint is 3b:0e:09:84:dc:78:05:90:5a:4e:a1:ba:fd:71:7f:89.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[2.2.2.6]:52113' (RSA) to the list of known hosts.
ssher@2.2.2.6's password: 
Now try logging into the machine, with "ssh '-p 52113 ssher@2.2.2.6'", and check in:

  .ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.



[ssher@C64-5-S ~]$ ssh-copy-id -i .ssh/id_dsa.pub "-p 52113 ssher@2.2.2.7"
The authenticity of host '[2.2.2.7]:52113 ([2.2.2.7]:52113)' can't be established.
RSA key fingerprint is 3b:0e:09:84:dc:78:05:90:5a:4e:a1:ba:fd:71:7f:89.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[2.2.2.7]:52113' (RSA) to the list of known hosts.
ssher@2.2.2.7's password: 
Now try logging into the machine, with "ssh '-p 52113 ssher@2.2.2.7'", and check in:

  .ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.
[ssher@C64-6-B ~]$ ll .ssh
total 4
-rw------- 1 ssher ssher 603 Sep 23 12:58 authorized_keys
[ssher@C64-7-C ~]$ ll .ssh
total 4
-rw------- 1 ssher ssher 603 Sep 23 12:59 authorized_keys
[ssher@C64-5-S ~]$ ssh ssher@2.2.2.6 /sbin/ifconfig eth0
ssh: connect to host 2.2.2.6 port 22: Connection refused
[ssher@C64-5-S ~]$ ssh -p 52113 ssher@2.2.2.6 /sbin/ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:0C:29:79:36:89  
          inet addr:2.2.2.6  Bcast:2.2.2.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe79:3689/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:51775 errors:0 dropped:0 overruns:0 frame:0
          TX packets:29482 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:14179418 (13.5 MiB)  TX bytes:26427845 (25.2 MiB)

[ssher@C64-5-S ~]$ ssh -p 52113 ssher@2.2.2.7 /sbin/ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:0C:29:BA:45:99  
          inet addr:2.2.2.7  Bcast:2.2.2.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:feba:4599/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:44991 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6580 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:15031942 (14.3 MiB)  TX bytes:707150 (690.5 KiB)

Distributing files

[ssher@C64-5-S ~]$ mkdir ssher
[ssher@C64-5-S ~]$ touch ssher/tt.txt
[ssher@C64-5-S ~]$ tree
.
└── ssher
    └── tt.txt

1 directory, 1 file
[ssher@C64-5-S ~]$ scp -P52113 -rp ssher ssher@2.2.2.6:~
tt.txt                                                      100%    0     0.0KB/s   00:00  

Distribution by an unprivileged user is complete at this point. When an operation needs more rights than that user has on the client, grant them on the client with sudo. Two things to watch in the lines below. First, appending to /etc/sudoers with echo bypasses visudo's locking and syntax check; the visudo -c run afterwards at least verifies the result, but a bad line would already be in place and would lock everyone out of sudo until it is fixed, so prefer visudo or a file under /etc/sudoers.d. Second, NOPASSWD root for rsync, tar and scp is not a narrow grant: rsync writes to any path as root and its -e/--rsh option runs an arbitrary program as root, tar extracts to any path, and scp copies to any path, so the user can rewrite /etc/sudoers or root's authorized_keys at will. It is root with extra steps; the real gain over Example 1 is that every invocation is logged to /var/log/sudo.log under the user's own name.

[root@C64-5-S ~]# echo "ssher ALL=(ALL)       NOPASSWD:/usr/bin/rsync,/bin/tar,/usr/bin/scp" >>/etc/sudoers
[root@C64-5-S ~]# visudo -c
/etc/sudoers: parsed OK

[root@C64-5-S ~]# su - ssher
[ssher@C64-5-S ~]$ sudo -l
Matching Defaults entries for ssher on this host:
    !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE
    INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS
    LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME
    LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin, logfile=/var/log/sudo.log

User ssher may run the following commands on this host:
    (ALL) NOPASSWD: /usr/bin/rsync, (ALL) /bin/tar, (ALL) /usr/bin/scp
[root@C64-6-B ~]# echo "ssher ALL=(ALL)       NOPASSWD:/usr/bin/rsync,/bin/tar,/usr/bin/scp" >>/etc/sudoers
[root@C64-6-B ~]# visudo -c
/etc/sudoers: parsed OK

[root@C64-6-B ~]# su - ssher
[ssher@C64-6-B ~]$ sudo -l
Matching Defaults entries for ssher on this host:
    !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE
    INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS
    LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME
    LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin, logfile=/var/log/sudo.log

User ssher may run the following commands on this host:
    (ALL) NOPASSWD: /usr/bin/rsync, (ALL) /bin/tar, (ALL) /usr/bin/scp
[root@C64-7-C ~]# echo "ssher ALL=(ALL)       NOPASSWD:/usr/bin/rsync,/bin/tar,/usr/bin/scp" >>/etc/sudoers
[root@C64-7-C ~]# visudo -c
/etc/sudoers: parsed OK

[root@C64-7-C ~]# su - ssher
[ssher@C64-7-C ~]$ sudo -l
Matching Defaults entries for ssher on this host:
    !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE
    INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS
    LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME
    LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin, logfile=/var/log/sudo.log

User ssher may run the following commands on this host:
    (ALL) NOPASSWD: /usr/bin/rsync, (ALL) /bin/tar, (ALL) /usr/bin/scp

Distribution now has two steps: push the file or directory to the target user's home directory, then use the sudo-permitted command to move it into its final location. The -t on ssh allocates a tty, which the requiretty default in CentOS 6's sudoers demands.

[ssher@C64-5-S ~]$ scp -P52113 -rp ssher/ ssher@2.2.2.6:~
tt.txt                                                      100%    0     0.0KB/s   00:00 
[ssher@C64-5-S ~]$ ssh -t -p 52113 ssher@2.2.2.6 sudo rsync -avzP ssher /etc
sending incremental file list
ssher/
ssher/tt.txt
           0 100%    0.00kB/s    0:00:00 (xfer#1, to-check=0/2)

sent 109 bytes  received 35 bytes  288.00 bytes/sec
total size is 0  speedup is 0.00
Connection to 2.2.2.6 closed.
[ssher@C64-6-B etc]$ ll ssher
total 0
-rw-rw-r-- 1 ssher ssher 0 Sep 23 13:04 tt.txt
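A narrower shape for the sudo step, added here and not part of the original article: instead of NOPASSWD rsync/tar/scp, the only entry in sudoers is a root-owned wrapper, and the wrapper decides what may land in /etc. The user pushes a file into a staging directory with scp as above and asks the wrapper to install it by bare name; the wrapper checks the name against an allowlist of the files this deployment is meant to manage (so it cannot be used to plant /etc/sudoers or /etc/shadow), refuses paths, options and symlinks, and writes the result as root:root 0644 regardless of what the pushed file looked like, which is exactly the ownership the setuid variant in Example 3 gets wrong. The paths /usr/local/sbin/install-etc and /home/ssher/stage, the allowlist contents and the sudoers line are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original article): a sudo wrapper that installs
# named files from a staging directory into /etc as root.
# sudoers entry (added with visudo), replacing the rsync/tar/scp line:
#   ssher ALL=(root) NOPASSWD: /usr/local/sbin/install-etc
# Client side: scp -P52113 hosts ssher@2.2.2.6:stage/   and then
#              ssh -p 52113 ssher@2.2.2.6 sudo /usr/local/sbin/install-etc hosts
# STAGE_DIR, DEST_DIR and ALLOWED are assumptions; override them for testing.

STAGE_DIR="${STAGE_DIR:-/home/ssher/stage}"
DEST_DIR="${DEST_DIR:-/etc}"
ALLOWED="${ALLOWED:-hosts resolv.conf ntp.conf}"

# A bare file name only: no slashes, no "..", no leading "-" (would be parsed
# as an option), and nothing outside a conservative character set.
valid_name() {
    case "$1" in
        ''|*/*|.|..|*..*|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# The name must also be one this wrapper is meant to manage. Being able to
# write any name under /etc as root would still be full root.
allowed_name() {
    valid_name "$1" || return 1
    for n in $ALLOWED; do
        if [ "$n" = "$1" ]; then return 0; fi
    done
    return 1
}

# Install STAGE_DIR/<name> as DEST_DIR/<name>, root-owned, mode 0644.
install_etc() {
    name="$1"
    if ! allowed_name "$name"; then
        echo "refused: '$name' is not an installable file name" >&2
        return 1
    fi
    src="$STAGE_DIR/$name"
    # A symlink in the staging area could point root at any file on the box.
    if [ -L "$src" ] || [ ! -f "$src" ]; then
        echo "refused: $src is not a regular file" >&2
        return 1
    fi
    if [ "$(id -u)" -eq 0 ]; then
        install -m 0644 -o root -g root "$src" "$DEST_DIR/$name"
    else
        # unprivileged run (tests): ownership cannot be changed, the mode still is
        install -m 0644 "$src" "$DEST_DIR/$name"
    fi
}

if [ "$#" -eq 1 ]; then
    install_etc "$1"
fi
```

The wrapper must be root-owned and not writable by ssher, or the allowlist is decorative; sudo still logs each call, so the audit trail from Example 2 is kept while the blast radius shrinks to the listed files.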

Run the distribution from a script

[ssher@C64-5-S ~]$ vi putongfenfa.sh

#!/bin/sh
# push $1 to each host's home directory, then install it under /etc via sudo
for ip in $(cat iplist)
  do
        scp -P52113 -rp "$1" "ssher@$ip:~"
        # the pushed copy sits in the remote home directory under its base name
        ssh -t -p 52113 "ssher@$ip" sudo rsync -avzP "~/$(basename "$1")" /etc
  done
[ssher@C64-5-S ~]$ echo "2.2.2.6" >> iplist
[ssher@C64-5-S ~]$ echo "2.2.2.7" >> iplist
[ssher@C64-5-S ~]$ cat iplist 
2.2.2.6
2.2.2.7
[ssher@C64-5-S ~]$ cp /etc/hosts ./
[ssher@C64-5-S ~]$ ll
total 16
-rw-r--r-- 1 ssher ssher  166 Sep 23 13:37 hosts
-rw-rw-r-- 1 ssher ssher   16 Sep 23 13:35 iplist
-rw-rw-r-- 1 ssher ssher  119 Sep 23 13:35 putongfenfa.sh
drwxrwxr-x 2 ssher ssher 4096 Sep 23 13:04 ssher
[ssher@C64-5-S ~]$ vi hosts 

127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4 C64-5-S
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
######################################
[ssher@C64-5-S ~]$ sh putongfenfa.sh /home/ssher/hosts 
hosts                                                       100%  205     0.2KB/s   00:00    
sending incremental file list
hosts
         205 100%    0.00kB/s    0:00:00 (xfer#1, to-check=0/1)

sent 151 bytes  received 31 bytes  364.00 bytes/sec
total size is 205  speedup is 1.13
Connection to 2.2.2.6 closed.
hosts                                                       100%  205     0.2KB/s   00:00    
sending incremental file list
hosts
         205 100%    0.00kB/s    0:00:00 (xfer#1, to-check=0/1)

sent 151 bytes  received 31 bytes  364.00 bytes/sec
total size is 205  speedup is 1.13
Connection to 2.2.2.7 closed.

Check that the push succeeded

[ssher@C64-6-B ~]$ more /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4 C64-5-S
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
######################################
[ssher@C64-7-C ~]$ more /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4 C64-5-S
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
######################################

 

Example 3: keys for an unprivileged user, escalating by setting setuid on the command

Set the setuid bit on rsync. This is shown for completeness and should not be used: a setuid-root rsync is root for every local user, not just ssher, because rsync writes to any path and its -e/--rsh option runs a program of the caller's choosing, now as root. The consequences are visible in the output below. The transfer reports only 45 bytes sent and a speedup of 3.60 because /etc/hosts already matched the copy pushed in Example 2, so only attributes were applied; and because -a preserves ownership and the receiving rsync now runs as root, /etc/hosts ends up owned by ssher, who can from then on rewrite the host's name resolution without sudo or rsync at all. Revert the mode to 0755 afterwards.

[root@C64-5-S ~]# ll /usr/bin/rsync 
-rwxr-xr-x. 1 root root 414968 Apr 30  2014 /usr/bin/rsync
[root@C64-5-S ~]# chmod 4755 /usr/bin/rsync 
[root@C64-5-S ~]# ll /usr/bin/rsync 
-rwsr-xr-x. 1 root root 414968 Apr 30  2014 /usr/bin/rsync
[root@C64-6-B ~]# ll /usr/bin/rsync 
-rwxr-xr-x. 1 root root 414968 Apr 30  2014 /usr/bin/rsync
[root@C64-6-B ~]# chmod 4755 /usr/bin/rsync 
[root@C64-6-B ~]# ll /usr/bin/rsync 
-rwsr-xr-x. 1 root root 414968 Apr 30  2014 /usr/bin/rsync
[root@C64-7-C ~]# ll /usr/bin/rsync 
-rwxr-xr-x. 1 root root 414968 Apr 30  2014 /usr/bin/rsync
[root@C64-7-C ~]# chmod 4755 /usr/bin/rsync 
[root@C64-7-C ~]# ll /usr/bin/rsync 
-rwsr-xr-x. 1 root root 414968 Apr 30  2014 /usr/bin/rsync
[ssher@C64-5-S ~]$ rsync -avzP ./hosts -e  'ssh -p 52113' ssher@2.2.2.6:/etc
sending incremental file list

sent 45 bytes  received 12 bytes  114.00 bytes/sec
total size is 205  speedup is 3.60
[root@C64-6-B ~]# ll /etc/hosts
-rw-r--r-- 1 ssher ssher 205 Sep 23 13:37 /etc/hosts

 

Closing remarks

Summary of approaches to batch distribution, deployment and management

1. Secboy

2. SecureCRT

3. Passwordless ssh

    (1) key authentication directly as root

    (2) keys for an unprivileged user, escalating with sudo

    (3) keys for an unprivileged user, escalating via setuid on the command

4. expect

5. puppet

6. cfengine

7. rsync

8. lsyncd (sersync)

9. HTTP

10. NFS (network file system)

 
