SSH is a protocol designed to secure remote login sessions and other network services. Using it removes the disclosure problem of clear-text remote management (telnet, rsh, FTP), where credentials and session data cross the network unencrypted.
By default the SSH server offers two services: a telnet-like remote shell, and sftp-server, which provides file transfer over the same encrypted channel.
SSH offers two levels of authentication:
1. Password-based authentication
The client authenticates with an account name and password and logs in to the remote host; everything in transit, including the password, is encrypted. It is still exposed to online password guessing.
2. Key-based authentication
The user generates a key pair and places the public key on every server to be accessed. When the client connects, it offers the key; the server looks for that public key in the user's home directory (`~/.ssh/authorized_keys` by default) and, if it is listed, issues a challenge that only the holder of the matching private key can answer (in SSH-2 the client signs session data and the server verifies the signature with the public key). The private key never leaves the client.
I. Distributing data
1. Check the environment
[root@C64-5-S ~]# cat /etc/redhat-release
CentOS release 6.10 (Final)
[root@C64-5-S ~]# uname -mi
x86_64 x86_64
[root@C64-5-S ~]# uname -r
2.6.32-754.2.1.el6.x86_64
2. Add a user (we prepare three identical servers: Server (2.2.2.5), B-Client (2.2.2.6) and C-Client (2.2.2.7)). The password is set equal to the user name purely for this lab; it is used once, for ssh-copy-id, before key authentication takes over, and no such password should survive on a real host.
[root@C64-5-S ~]# useradd syner
[root@C64-5-S ~]# echo "syner"|passwd --stdin syner
Changing password for user syner.
passwd: all authentication tokens updated successfully.
[root@C64-5-S ~]# tail -1 /etc/passwd
syner:x:514:514::/home/syner:/bin/bash
[root@C64-6-B ~]# useradd syner
[root@C64-6-B ~]# echo "syner"|passwd --stdin syner
Changing password for user syner.
passwd: all authentication tokens updated successfully.
[root@C64-6-B ~]# tail -1 /etc/passwd
syner:x:514:514::/home/syner:/bin/bash
[root@C64-7-C ~]# useradd syner
[root@C64-7-C ~]# echo "syner"|passwd --stdin syner
Changing password for user syner.
passwd: all authentication tokens updated successfully.
[root@C64-7-C ~]# tail -1 /etc/passwd
syner:x:514:514::/home/syner:/bin/bash
3. Generate a key pair
[root@C64-5-S ~]# su - syner
[syner@C64-5-S ~]$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/syner/.ssh/id_dsa):
Created directory '/home/syner/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/syner/.ssh/id_dsa.
Your public key has been saved in /home/syner/.ssh/id_dsa.pub.
The key fingerprint is:
ba:19:34:a6:2a:8c:fa:48:28:03:3f:b2:73:f1:44:e7 syner@C64-5-S
The key's randomart image is:
+--[ DSA 1024]----+
| |
| |
| |
| . . |
|. . o+ S |
|o.. .+Eo |
|B.o+. o |
|**.o. + |
|==o o |
+-----------------+
[syner@C64-5-S ~]$ tree .ssh
.ssh
├── id_dsa
└── id_dsa.pub
0 directories, 2 files
[syner@C64-5-S ~]$ ls -al
total 28
drwx------ 4 syner syner 4096 Sep 22 22:04 .
drwxr-xr-x. 17 root root 4096 Sep 22 19:58 ..
drwx------ 2 syner syner 4096 Sep 22 22:04 .ssh
[syner@C64-5-S ~]$ ls -al .ssh
total 16
drwx------ 2 syner syner 4096 Sep 22 22:04 .
drwx------ 4 syner syner 4096 Sep 22 22:04 ..
-rw------- 1 syner syner 668 Sep 22 22:04 id_dsa
-rw-r--r-- 1 syner syner 603 Sep 22 22:04 id_dsa.pub
Creating the key makes a hidden .ssh directory in the user's home and stores the public and private key in it.
The .ssh directory is 700, the public key 644 and the private key 600. These modes matter: sshd's StrictModes (on by default) refuses to use an authorized_keys whose home, .ssh or key file is writable by group or others, and the ssh client refuses to load a private key that others can read. Two caveats for current systems: `-t dsa` gives a 1024-bit DSA key (the only DSA size the standard allows), and OpenSSH 7.0 and later disable DSA keys by default, so outside a CentOS 6 lab use `ssh-keygen -t ed25519` (or RSA of at least 3072 bits). An empty passphrase is normal for an automation key, but it means the file itself is the secret: its 600 mode and the host it lives on are the whole protection.
4. Distribute the public key
Copy the public key into the syner home directory on B and C
[syner@C64-5-S .ssh]$ ssh-copy-id -i id_dsa.pub "-p 52113 syner@2.2.2.6"
The authenticity of host '[2.2.2.6]:52113 ([2.2.2.6]:52113)' can't be established.
RSA key fingerprint is 3b:0e:09:84:dc:78:05:90:5a:4e:a1:ba:fd:71:7f:89.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[2.2.2.6]:52113' (RSA) to the list of known hosts.
syner@2.2.2.6's password:
Now try logging into the machine, with "ssh '-p 52113 syner@2.2.2.6'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
Because we changed the sshd port earlier, `-p 52113` has to be passed. The ssh-copy-id shipped with CentOS 6 has no port option of its own, so the port and the target are quoted together as one argument, as above; newer versions accept `-p 52113 syner@2.2.2.6` as separate arguments.
Note also the RSA host-key fingerprint shown here for 2.2.2.6: it is identical to the one shown below for 2.2.2.7 and for 2.2.2.5. The three VMs were cloned from one image and share host keys, so answering yes proves nothing about which host you reached. On real systems regenerate the host keys on every clone (the CentOS 6 sshd init script recreates missing /etc/ssh/ssh_host_* files on restart) and verify the fingerprint out of band before accepting it.
Check that the public key was installed
[test@C64-6-B ~]$ su - syner
Password:
[syner@C64-6-B ~]$
[syner@C64-6-B ~]$
[syner@C64-6-B ~]$ ls -al
total 28
drwx------ 4 syner syner 4096 Sep 22 22:42 .
drwxr-xr-x. 17 root root 4096 Sep 22 19:58 ..
-rw-r--r-- 1 syner syner 18 Mar 23 2017 .bash_logout
-rw-r--r-- 1 syner syner 176 Mar 23 2017 .bash_profile
-rw-r--r-- 1 syner syner 124 Mar 23 2017 .bashrc
drwxr-xr-x 2 syner syner 4096 Nov 12 2010 .gnome2
drwx------ 2 syner syner 4096 Sep 22 22:42 .ssh
[syner@C64-6-B ~]$ cd .ssh/
[syner@C64-6-B .ssh]$ ls -al
total 12
drwx------ 2 syner syner 4096 Sep 22 22:42 .
drwx------ 4 syner syner 4096 Sep 22 22:42 ..
-rw------- 1 syner syner 603 Sep 22 22:42 authorized_keys
Publish the public key to the other machine
[syner@C64-5-S .ssh]$ ssh-copy-id -i id_dsa.pub "-p 52113 syner@2.2.2.7"
The authenticity of host '[2.2.2.7]:52113 ([2.2.2.7]:52113)' can't be established.
RSA key fingerprint is 3b:0e:09:84:dc:78:05:90:5a:4e:a1:ba:fd:71:7f:89.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[2.2.2.7]:52113' (RSA) to the list of known hosts.
syner@2.2.2.7's password:
Now try logging into the machine, with "ssh '-p 52113 syner@2.2.2.7'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
Check that it was installed
[root@C64-7-C ~]# su - syner
[syner@C64-7-C ~]$ ls -al
total 28
drwx------ 4 syner syner 4096 Sep 22 22:46 .
drwxr-xr-x. 17 root root 4096 Sep 22 19:58 ..
-rw-r--r-- 1 syner syner 18 Mar 23 2017 .bash_logout
-rw-r--r-- 1 syner syner 176 Mar 23 2017 .bash_profile
-rw-r--r-- 1 syner syner 124 Mar 23 2017 .bashrc
drwxr-xr-x 2 syner syner 4096 Nov 12 2010 .gnome2
drwx------ 2 syner syner 4096 Sep 22 22:46 .ssh
[syner@C64-7-C ~]$ ls -al .ssh/
total 12
drwx------ 2 syner syner 4096 Sep 22 22:46 .
drwx------ 4 syner syner 4096 Sep 22 22:46 ..
-rw------- 1 syner syner 603 Sep 22 22:46 authorized_keys
Check the sshd configuration: the commented line shows the compiled-in default, so sshd looks for `.ssh/authorized_keys` relative to each user's home, which is exactly where ssh-copy-id wrote it
[root@C64-5-S ~]# cat /etc/ssh/sshd_config | grep AuthorizedKeysFile
#AuthorizedKeysFile .ssh/authorized_keys
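The permission rules above are exactly what sshd's StrictModes enforces, so they are worth checking mechanically before the first passwordless login fails with an unexplained "Permission denied (publickey)". The following is an added example, not part of the original post: a POSIX sh audit of one user's home that applies those rules (home and .ssh not group/world writable, authorized_keys not group/world writable, private keys owner-only). It reads modes from `ls -ld`, so it needs no GNU-specific tools, and returns the number of problems found.

```shell
#!/bin/sh
# Added example: audit the file modes that sshd's StrictModes and the ssh
# client check, for one user's home directory. Not from the original post.
# Prints each problem found and returns the number of problems (0 = clean).

# first ten characters of ls -l: type + rwx for user, group, other
mode_of() { ls -ld "$1" | cut -c1-10; }

# true if group (char 6) or other (char 9) has the write bit
is_group_or_world_writable() {
    case "$(mode_of "$1")" in
        ?????w????|????????w?) return 0 ;;
    esac
    return 1
}

# true unless group and other have no permissions at all (0600 / 0400)
is_readable_by_others() {
    case "$(mode_of "$1")" in
        ????------) return 1 ;;
    esac
    return 0
}

# check_ssh_perms HOME_DIR
check_ssh_perms() {
    home="$1"
    problems=0
    # home and ~/.ssh: must exist and must not be group/world writable
    for d in "$home" "$home/.ssh"; do
        if [ ! -d "$d" ]; then
            echo "missing directory: $d"
            problems=$((problems + 1))
            continue
        fi
        if is_group_or_world_writable "$d"; then
            echo "group/world writable: $d"
            problems=$((problems + 1))
        fi
    done
    # authorized_keys: same rule (644 is accepted, 664/666 is not)
    f="$home/.ssh/authorized_keys"
    if [ -f "$f" ] && is_group_or_world_writable "$f"; then
        echo "group/world writable: $f"
        problems=$((problems + 1))
    fi
    # private keys (id_* without .pub): owner-only, or ssh refuses them
    for k in "$home"/.ssh/id_*; do
        [ -f "$k" ] || continue
        case "$k" in *.pub) continue ;; esac
        if is_readable_by_others "$k"; then
            echo "private key readable by others: $k"
            problems=$((problems + 1))
        fi
    done
    return $problems
}
```

Run it as `check_ssh_perms /home/syner` on each machine after ssh-copy-id; a clean run prints nothing and exits 0. The same rules explain why the post's `rm -rf .ssh/` cleanup is safe to redo from scratch: the directory has to be recreated 700 anyway.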
5. Test running a command remotely (no password prompt means key authentication worked)
[syner@C64-5-S ~]$ ssh -p 52113 syner@2.2.2.6 /sbin/ifconfig eth0
eth0 Link encap:Ethernet HWaddr 00:0C:29:79:36:89
inet addr:2.2.2.6 Bcast:2.2.2.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe79:3689/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:23456 errors:0 dropped:0 overruns:0 frame:0
TX packets:890 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1457992 (1.3 MiB) TX bytes:88259 (86.1 KiB)
[syner@C64-5-S ~]$ ssh -p 52113 syner@2.2.2.7 /sbin/ifconfig eth0
eth0 Link encap:Ethernet HWaddr 00:0C:29:BA:45:99
inet addr:2.2.2.7 Bcast:2.2.2.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:feba:4599/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:23234 errors:0 dropped:0 overruns:0 frame:0
TX packets:761 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1439707 (1.3 MiB) TX bytes:73715 (71.9 KiB)
II. Backup
We back up machines B and C to the Server
1. Generate a key
[syner@C64-5-S ~]$ ls -al .ssh
total 20
drwx------ 2 syner syner 4096 Sep 22 22:42 .
drwx------ 4 syner syner 4096 Sep 22 22:50 ..
-rw------- 1 syner syner 668 Sep 22 22:04 id_dsa
-rw-r--r-- 1 syner syner 603 Sep 22 22:04 id_dsa.pub
-rw-r--r-- 1 syner syner 794 Sep 22 22:46 known_hosts
A key pair already exists, so we do not generate another one.
This time the direction is reversed: B and C must be able to ssh to S without a password, and the post achieves that by copying S's private key to B and C. It works, but it is the wrong way round from a security standpoint. A private key should be generated on the machine that will use it and never copied: every host holding a copy can impersonate every other, and a compromise of either client hands the attacker the very key that S (and the other client) trusts. The correct pattern is to run ssh-keygen on B and on C and append each client's public key to `~syner/.ssh/authorized_keys` on S, ideally with `from=` and `command=` restrictions so the key is only usable for backup from that one client.
2. Distribute the key (as the post does it)
[syner@C64-5-S ~]$ scp -P52113 -p .ssh/id_dsa syner@2.2.2.6:~/.ssh/
id_dsa 100% 668 0.7KB/s 00:00
Check that it arrived
[syner@C64-6-B ~]$ ls -al .ssh
total 16
drwx------ 2 syner syner 4096 Sep 23 09:57 .
drwx------ 4 syner syner 4096 Sep 22 23:46 ..
-rw------- 1 syner syner 603 Sep 22 22:42 authorized_keys
-rw------- 1 syner syner 668 Sep 22 22:04 id_dsa
Distribute it to the other server
[syner@C64-5-S ~]$ scp -P52113 -p .ssh/id_dsa syner@2.2.2.7:~/.ssh/
id_dsa 100% 668 0.7KB/s 00:00
Check that it arrived
[syner@C64-7-C ~]$ ls -al .ssh
total 16
drwx------ 2 syner syner 4096 Sep 23 09:59 .
drwx------ 4 syner syner 4096 Sep 22 23:46 ..
-rw------- 1 syner syner 603 Sep 22 22:46 authorized_keys
-rw------- 1 syner syner 668 Sep 22 22:04 id_dsa
On S the public key must also sit under the file name sshd reads by default (authorized_keys). The post renames id_dsa.pub; `cat id_dsa.pub >> authorized_keys` would do the same while keeping the .pub file. The resulting authorized_keys is 644, which sshd accepts (StrictModes only rejects group- or world-writable files), but 600 is the safer habit.
[syner@C64-5-S ~]$ cd .ssh/
[syner@C64-5-S .ssh]$ ll
total 12
-rw------- 1 syner syner 668 Sep 22 22:04 id_dsa
-rw-r--r-- 1 syner syner 603 Sep 22 22:04 id_dsa.pub
-rw-r--r-- 1 syner syner 794 Sep 22 22:46 known_hosts
[syner@C64-5-S .ssh]$ mv id_dsa.pub authorized_keys
[syner@C64-5-S .ssh]$ ll
total 12
-rw-r--r-- 1 syner syner 603 Sep 22 22:04 authorized_keys
-rw------- 1 syner syner 668 Sep 22 22:04 id_dsa
-rw-r--r-- 1 syner syner 794 Sep 22 22:46 known_hosts
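The safer direction for the backup case above, as an added example that is not part of the original post: instead of copying S's private key to B and C, each client generates its own pair and S installs the client's public key with options that pin it to the client's address and force a single command. The option names are the ones understood by OpenSSH 5.3 on CentOS 6 (newer servers can use the single `restrict` option in place of the four `no-*` ones). The wrapper path `/usr/local/bin/backup-receive` is an assumption, standing in for whatever receive-only command you deploy on S (typically one that inspects `$SSH_ORIGINAL_COMMAND` and only allows `rsync --server`).

```shell
#!/bin/sh
# Added example (not from the original post): build authorized_keys entries
# on the backup server for clients that keep their own private keys.
# Assumption: BACKUP_CMD is a receive-only wrapper you provide on the server.
BACKUP_CMD="${BACKUP_CMD:-/usr/local/bin/backup-receive}"
# OpenSSH 5.3 spelling; on 7.2+ these four can be replaced by "restrict"
KEY_OPTS='no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding'

# restricted_key_line PUBKEY_FILE SOURCE_IP -> one authorized_keys line
restricted_key_line() {
    pubkey_file="$1"; src="$2"
    # take only the key type and the base64 blob; the client's own comment
    # is dropped so nothing from the client ends up in the options field
    set -- $(cat "$pubkey_file")
    [ $# -ge 2 ] || { echo "not a public key: $pubkey_file" >&2; return 1; }
    case "$1" in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-*|ssh-dss) ;;
        *) echo "unsupported key type: $1" >&2; return 1 ;;
    esac
    printf '%s,from="%s",command="%s" %s %s backup-client-%s\n' \
        "$KEY_OPTS" "$src" "$BACKUP_CMD" "$1" "$2" "$src"
}

# install_backup_keys AUTHORIZED_KEYS PUBKEY:IP [PUBKEY:IP ...]
# Appends one restricted line per client; the file is created mode 600.
install_backup_keys() {
    auth="$1"; shift
    ( umask 077
      for pair in "$@"; do
          restricted_key_line "${pair%%:*}" "${pair#*:}" >> "$auth" || exit 1
      done )
}
```

Because the forced command replaces whatever the client asks for, a stolen client key buys exactly one thing on S: the backup receiver, from the one address in `from=`. A compromise of B no longer yields a shell on S, nor anything at all on C.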
3. Test connectivity (B and C are asked to accept S's host key on first contact; no password is requested)
[syner@C64-6-B ~]$ ssh -p 52113 syner@2.2.2.5 /sbin/ifconfig eth0
The authenticity of host '[2.2.2.5]:52113 ([2.2.2.5]:52113)' can't be established.
RSA key fingerprint is 3b:0e:09:84:dc:78:05:90:5a:4e:a1:ba:fd:71:7f:89.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[2.2.2.5]:52113' (RSA) to the list of known hosts.
eth0 Link encap:Ethernet HWaddr 00:0C:29:CA:07:AA
inet addr:2.2.2.5 Bcast:2.2.2.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:feca:7aa/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:30133 errors:0 dropped:0 overruns:0 frame:0
TX packets:2995 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1937162 (1.8 MiB) TX bytes:478213 (467.0 KiB)
[syner@C64-7-C ~]$ ssh -p 52113 syner@2.2.2.5 /sbin/ifconfig eth0
The authenticity of host '[2.2.2.5]:52113 ([2.2.2.5]:52113)' can't be established.
RSA key fingerprint is 3b:0e:09:84:dc:78:05:90:5a:4e:a1:ba:fd:71:7f:89.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[2.2.2.5]:52113' (RSA) to the list of known hosts.
eth0 Link encap:Ethernet HWaddr 00:0C:29:CA:07:AA
inet addr:2.2.2.5 Bcast:2.2.2.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:feca:7aa/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:30166 errors:0 dropped:0 overruns:0 frame:0
TX packets:3021 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1941659 (1.8 MiB) TX bytes:483082 (471.7 KiB)
4. Run the backup (as a demonstration, all of /etc on B is copied into /tmp on S)
[syner@C64-6-B ~]$ scp -P52113 -rp /etc syner@2.2.2.5:/tmp
rsync 100% 332 0.3KB/s 00:00
rc.local 100% 345 0.3KB/s 00:00
utmp.conf 100% 564 0.6KB/s 00:00
pthread.conf 100% 7686 7.5KB/s 00:00
latrace.conf 100% 74 0.1KB/s 00:00
syscall.conf 100% 6342 6.2KB/s 00:00
Several approaches to backup
1. rsync: run an rsync daemon on the backup server and make every node an rsync client; the usual choice in production
2. FTP: run an FTP daemon on the backup server and push data from every node as an FTP client; note that plain FTP sends credentials and data in clear text
3. NFS: export a share from the backup server and have every node mount it and copy data into the mount; not recommended (unwieldy with many machines)
4. scp over SSH keys, or expect-driven interactive copying; not recommended
Example 1: key authentication directly as root (not recommended)
Server S distributes to clients B and C
Generate the key pair on the server
[root@C64-5-S ~]# ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/root/.ssh/id_dsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_dsa.
Your public key has been saved in /root/.ssh/id_dsa.pub.
The key fingerprint is:
1a:07:e9:8b:ee:f8:72:da:22:51:33:f4:28:37:ab:c6 root@C64-5-S
The key's randomart image is:
+--[ DSA 1024]----+
| |
| . . |
| . o o |
|. B .. . |
| + = o S |
|. . . = |
|.o . o |
|oEo+. |
|..oB= |
+-----------------+
[root@C64-5-S ~]#
[root@C64-5-S ~]# ls -al .ssh
total 16
drwx------ 2 root root 4096 Sep 23 11:58 .
dr-xr-x---. 5 root root 4096 Sep 23 11:58 ..
-rw------- 1 root root 668 Sep 23 11:58 id_dsa
-rw-r--r-- 1 root root 602 Sep 23 11:58 id_dsa.pub
Because we earlier disabled remote root login, we first turn it back on. This is exactly why the approach is not recommended: one passphrase-less key in /root/.ssh on S now opens root on every client, and the client sshd has to accept root logins at all. If root login over SSH is unavoidable, `PermitRootLogin without-password` at least limits it to key authentication.
[root@C64-5-S ~]# vi /etc/ssh/sshd_config
PermitRootLogin yes
[root@C64-5-S ~]# /etc/init.d/sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
[root@C64-6-B ~]# vi /etc/ssh/sshd_config
PermitRootLogin yes
[root@C64-6-B ~]# /etc/init.d/sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
[root@C64-7-C ~]# vi /etc/ssh/sshd_config
PermitRootLogin yes
[root@C64-7-C ~]# /etc/init.d/sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
Then we distribute the public key
[root@C64-5-S ~]# ssh-copy-id -i .ssh/id_dsa.pub "-p 52113 2.2.2.6"
root@2.2.2.6's password:
Now try logging into the machine, with "ssh '-p 52113 2.2.2.6'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
[root@C64-5-S ~]# ssh-copy-id -i .ssh/id_dsa.pub "-p 52113 2.2.2.7"
The authenticity of host '[2.2.2.7]:52113 ([2.2.2.7]:52113)' can't be established.
RSA key fingerprint is 3b:0e:09:84:dc:78:05:90:5a:4e:a1:ba:fd:71:7f:89.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[2.2.2.7]:52113' (RSA) to the list of known hosts.
root@2.2.2.7's password:
Now try logging into the machine, with "ssh '-p 52113 2.2.2.7'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
Test connectivity
[root@C64-5-S ~]# ssh -p 52113 2.2.2.6 /sbin/ifconfig eth0
eth0 Link encap:Ethernet HWaddr 00:0C:29:79:36:89
inet addr:2.2.2.6 Bcast:2.2.2.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe79:3689/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:37907 errors:0 dropped:0 overruns:0 frame:0
TX packets:24863 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2687536 (2.5 MiB) TX bytes:25927411 (24.7 MiB)
[root@C64-5-S ~]# ssh -p 52113 2.2.2.7 /sbin/ifconfig eth0
eth0 Link encap:Ethernet HWaddr 00:0C:29:BA:45:99
inet addr:2.2.2.7 Bcast:2.2.2.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:feba:4599/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:29755 errors:0 dropped:0 overruns:0 frame:0
TX packets:1449 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1880516 (1.7 MiB) TX bytes:151824 (148.2 KiB)
Let's write a small management script and run it to see how clients B and C are doing
[root@C64-5-S ~]# vi manage.sh
#!/bin/sh
# run the command passed as $1 on every host listed in ./iplist
for ip in `cat iplist`
do
    echo "======$ip======"
    ssh -p 52113 "$ip" "$1"
done
Create the IP list file
[root@C64-5-S ~]# echo "2.2.2.6">>iplist
[root@C64-5-S ~]# echo "2.2.2.7">>iplist
[root@C64-5-S ~]# more iplist
2.2.2.6
2.2.2.7
Run management commands
[root@C64-5-S ~]# sh manage.sh "df -h"
======2.2.2.6======
Filesystem Size Used Avail Use% Mounted on
/dev/sda3 7.1G 2.2G 4.6G 32% /
tmpfs 937M 0 937M 0% /dev/shm
/dev/sda1 190M 65M 115M 37% /boot
======2.2.2.7======
Filesystem Size Used Avail Use% Mounted on
/dev/sda3 7.1G 2.2G 4.6G 32% /
tmpfs 937M 0 937M 0% /dev/shm
/dev/sda1 190M 65M 115M 37% /boot
[root@C64-5-S ~]# sh manage.sh "free -m"
======2.2.2.6======
total used free shared buffers cached
Mem: 2001 336 1665 0 44 166
-/+ buffers/cache: 125 1876
Swap: 511 0 511
======2.2.2.7======
total used free shared buffers cached
Mem: 2001 320 1681 0 43 151
-/+ buffers/cache: 124 1876
Swap: 511 0 511
[root@C64-5-S ~]# sh manage.sh "uptime"
======2.2.2.6======
12:27:26 up 10:06, 1 user, load average: 0.00, 0.00, 0.00
======2.2.2.7======
12:27:26 up 10:05, 1 user, load average: 0.00, 0.00, 0.00
Write a distribution script
[root@C64-5-S ~]# cp manage.sh fenfa.sh
[root@C64-5-S ~]# vi fenfa.sh
#!/bin/sh
# copy local path $1 to remote path $2 on every host listed in ./iplist
for ip in `cat iplist`
do
    echo "======$ip======"
    scp -rp -P52113 "$1" "$ip:$2"
done
Run the distribution
[root@C64-5-S ~]# sh fenfa.sh /etc /tmp
======2.2.2.6======
sudo.conf 100% 1786 1.7KB/s 00:00
rsync 100% 332 0.3KB/s 00:00
rc.local 100% 314 0.3KB/s 00:00
======2.2.2.7======
sudo.conf 100% 1786 1.7KB/s 00:00
rsync 100% 332 0.3KB/s 00:00
rc.local 100% 314 0.3KB/s 00:00
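manage.sh and fenfa.sh work, but as written they will hang on a password prompt if a key is missing on one host, accept any host key silently once someone has typed yes, and report nothing when half the hosts fail. As an added example (not the post's own scripts), here are the same two loops with the options an unattended job needs; `SSH_PORT` defaults to the 52113 used throughout the post and the inventory format is the post's one-IP-per-line iplist.

```shell
#!/bin/sh
# Added example (not from the original post): the manage.sh / fenfa.sh loops
# hardened for unattended use. BatchMode makes ssh fail instead of hanging on
# a password prompt when a key is missing; ConnectTimeout bounds a dead host;
# host-key checking stays strict, so an unknown or changed host key is an
# error rather than a silent "yes"; -n keeps ssh from reading the inventory
# file through the loop's stdin. Both functions return the number of hosts
# that failed, so the caller's exit status is meaningful.
SSH_PORT="${SSH_PORT:-52113}"
SSH_OPTS="-o BatchMode=yes -o ConnectTimeout=5 -o StrictHostKeyChecking=yes"

# run_on_hosts IPLIST 'command'  (one IP per line; blanks and # comments ignored)
run_on_hosts() {
    iplist="$1"; cmd="$2"; failed=0
    while read -r ip rest; do
        case "$ip" in ''|'#'*) continue ;; esac
        echo "======$ip======"
        if ssh -n -p "$SSH_PORT" $SSH_OPTS "$ip" "$cmd"; then
            continue
        fi
        echo "FAILED: $ip"
        failed=$((failed + 1))
    done < "$iplist"
    return $failed
}

# push_to_hosts IPLIST LOCAL_PATH REMOTE_PATH
push_to_hosts() {
    iplist="$1"; src="$2"; dst="$3"; failed=0
    while read -r ip rest; do
        case "$ip" in ''|'#'*) continue ;; esac
        echo "======$ip======"
        if scp -rp -P "$SSH_PORT" $SSH_OPTS "$src" "$ip:$dst" < /dev/null; then
            continue
        fi
        echo "FAILED: $ip"
        failed=$((failed + 1))
    done < "$iplist"
    return $failed
}

# equivalents of the post's invocations:
#   sh manage.sh "df -h"   ->  run_on_hosts iplist "df -h"
#   sh fenfa.sh /etc /tmp  ->  push_to_hosts iplist /etc /tmp
```

With StrictHostKeyChecking=yes the first contact with a new host must be done deliberately (or its key pre-seeded into known_hosts from a trusted source); that is the point, since the three lab hosts above all present the same fingerprint and a cloned or replaced host would otherwise go unnoticed.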
Finally we remove this configuration again. Setting PermitRootLogin back to no has no effect until sshd is restarted (as was done above with /etc/init.d/sshd restart); the transcript below omits that step, so repeat it on all three machines, and confirm with a root login attempt that it is refused.
[root@C64-5-S ~]# rm -rf .ssh/
[root@C64-5-S ~]# vi /etc/ssh/sshd_config
PermitRootLogin no
[root@C64-6-B ~]# rm -rf .ssh/
[root@C64-6-B ~]# vi /etc/ssh/sshd_config
PermitRootLogin no
[root@C64-7-C ~]# rm -rf .ssh/
[root@C64-7-C ~]# vi /etc/ssh/sshd_config
PermitRootLogin no
Example 2: key for an unprivileged user (privilege through sudo) (the recommended method)
Again we distribute from server S to clients B and C: the ssher user is created on all three machines and a key pair is generated on S
[root@C64-5-S ~]# useradd ssher
[root@C64-5-S ~]# echo "ssher"|passwd --stdin ssher
Changing password for user ssher.
passwd: all authentication tokens updated successfully.
[root@C64-6-B ~]# useradd ssher
[root@C64-6-B ~]# echo "ssher"|passwd --stdin ssher
Changing password for user ssher.
passwd: all authentication tokens updated successfully.
[root@C64-7-C ~]# useradd ssher
[root@C64-7-C ~]# echo "ssher"|passwd --stdin ssher
Changing password for user ssher.
passwd: all authentication tokens updated successfully.
[ssher@C64-5-S ~]$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/ssher/.ssh/id_dsa):
Created directory '/home/ssher/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/ssher/.ssh/id_dsa.
Your public key has been saved in /home/ssher/.ssh/id_dsa.pub.
The key fingerprint is:
6a:7d:b9:64:48:ea:68:39:a9:ee:57:33:e4:a8:f0:4e ssher@C64-5-S
The key's randomart image is:
+--[ DSA 1024]----+
| |
| |
| |
| . |
| + S |
|. . == . . |
| oE. ++oo = |
| .o *+ + . |
| +=+... . |
+-----------------+
[ssher@C64-5-S ~]$
[ssher@C64-5-S ~]$ ls -al .ssh
total 16
drwx------ 2 ssher ssher 4096 Sep 23 12:55 .
drwx------ 4 ssher ssher 4096 Sep 23 12:55 ..
-rw------- 1 ssher ssher 668 Sep 23 12:55 id_dsa
-rw-r--r-- 1 ssher ssher 603 Sep 23 12:55 id_dsa.pub
[ssher@C64-5-S ~]$ ssh-copy-id -i .ssh/id_dsa.pub "-p 52113 ssher@2.2.2.6"
The authenticity of host '[2.2.2.6]:52113 ([2.2.2.6]:52113)' can't be established.
RSA key fingerprint is 3b:0e:09:84:dc:78:05:90:5a:4e:a1:ba:fd:71:7f:89.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[2.2.2.6]:52113' (RSA) to the list of known hosts.
ssher@2.2.2.6's password:
Now try logging into the machine, with "ssh '-p 52113 ssher@2.2.2.6'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
[ssher@C64-5-S ~]$ ssh-copy-id -i .ssh/id_dsa.pub "-p 52113 ssher@2.2.2.7"
The authenticity of host '[2.2.2.7]:52113 ([2.2.2.7]:52113)' can't be established.
RSA key fingerprint is 3b:0e:09:84:dc:78:05:90:5a:4e:a1:ba:fd:71:7f:89.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[2.2.2.7]:52113' (RSA) to the list of known hosts.
ssher@2.2.2.7's password:
Now try logging into the machine, with "ssh '-p 52113 ssher@2.2.2.7'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
[ssher@C64-6-B ~]$ ll .ssh
total 4
-rw------- 1 ssher ssher 603 Sep 23 12:58 authorized_keys
[ssher@C64-7-C ~]$ ll .ssh
total 4
-rw------- 1 ssher ssher 603 Sep 23 12:59 authorized_keys
[ssher@C64-5-S ~]$ ssh ssher@2.2.2.6 /sbin/ifconfig eth0
ssh: connect to host 2.2.2.6 port 22: Connection refused
[ssher@C64-5-S ~]$ ssh -p 52113 ssher@2.2.2.6 /sbin/ifconfig eth0
eth0 Link encap:Ethernet HWaddr 00:0C:29:79:36:89
inet addr:2.2.2.6 Bcast:2.2.2.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe79:3689/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:51775 errors:0 dropped:0 overruns:0 frame:0
TX packets:29482 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:14179418 (13.5 MiB) TX bytes:26427845 (25.2 MiB)
[ssher@C64-5-S ~]$ ssh -p 52113 ssher@2.2.2.7 /sbin/ifconfig eth0
eth0 Link encap:Ethernet HWaddr 00:0C:29:BA:45:99
inet addr:2.2.2.7 Bcast:2.2.2.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:feba:4599/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:44991 errors:0 dropped:0 overruns:0 frame:0
TX packets:6580 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:15031942 (14.3 MiB) TX bytes:707150 (690.5 KiB)
Distribution
[ssher@C64-5-S ~]$ mkdir ssher
[ssher@C64-5-S ~]$ touch ssher/tt.txt
[ssher@C64-5-S ~]$ tree
.
└── ssher
└── tt.txt
1 directory, 1 file
[ssher@C64-5-S ~]$ scp -P52113 -rp ssher ssher@2.2.2.6:~
tt.txt 100% 0 0.0KB/s 00:00
That completes distribution as an ordinary user. If the operation needs more rights than the user has on the client (writing into /etc, for instance), sudo has to be configured on the clients. The rule below grants rsync, tar and scp as root without a password; be clear about what that really grants. Each of those commands can read and write arbitrary files as root (rsync can also run an arbitrary program through `-e`), so the user is effectively root on that host. What you gain over Example 1 is that the SSH key is not root's own, root login stays disabled, every sudo invocation is logged (logfile=/var/log/sudo.log in the Defaults shown below), and the rule can later be narrowed to a single wrapper script. Two details: appending to /etc/sudoers with echo bypasses visudo's locking and syntax check (the `visudo -c` run afterwards catches syntax errors, but `visudo` itself is the safer editor), and although `sudo -l` prints NOPASSWD only before rsync, a tag carries over to the later commands in the same list, so tar and scp are passwordless too.
[root@C64-5-S ~]# echo "ssher ALL=(ALL) NOPASSWD:/usr/bin/rsync,/bin/tar,/usr/bin/scp" >>/etc/sudoers
[root@C64-5-S ~]# visudo -c
/etc/sudoers: parsed OK
[root@C64-5-S ~]# su - ssher
[ssher@C64-5-S ~]$ sudo -l
Matching Defaults entries for ssher on this host:
!visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE
INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS
LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME
LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin, logfile=/var/log/sudo.log
User ssher may run the following commands on this host:
(ALL) NOPASSWD: /usr/bin/rsync, (ALL) /bin/tar, (ALL) /usr/bin/scp
[root@C64-6-B ~]# echo "ssher ALL=(ALL) NOPASSWD:/usr/bin/rsync,/bin/tar,/usr/bin/scp" >>/etc/sudoers
[root@C64-6-B ~]# visudo -c
/etc/sudoers: parsed OK
[root@C64-6-B ~]# su - ssher
[ssher@C64-6-B ~]$ sudo -l
Matching Defaults entries for ssher on this host:
!visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE
INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS
LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME
LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin, logfile=/var/log/sudo.log
User ssher may run the following commands on this host:
(ALL) NOPASSWD: /usr/bin/rsync, (ALL) /bin/tar, (ALL) /usr/bin/scp
[root@C64-7-C ~]# echo "ssher ALL=(ALL) NOPASSWD:/usr/bin/rsync,/bin/tar,/usr/bin/scp" >>/etc/sudoers
[root@C64-7-C ~]# visudo -c
/etc/sudoers: parsed OK
[root@C64-7-C ~]# su - ssher
[ssher@C64-7-C ~]$ sudo -l
Matching Defaults entries for ssher on this host:
!visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE
INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS
LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME
LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin, logfile=/var/log/sudo.log
User ssher may run the following commands on this host:
(ALL) NOPASSWD: /usr/bin/rsync, (ALL) /bin/tar, (ALL) /usr/bin/scp
Distribution is now two steps: first push the file or directory into the target user's home directory, then use the sudo-permitted command to move it into its final location (here rsync puts the ssher directory under /etc)
[ssher@C64-5-S ~]$ scp -P52113 -rp ssher/ ssher@2.2.2.6:~
tt.txt 100% 0 0.0KB/s 00:00
[ssher@C64-5-S ~]$ ssh -t -p 52113 ssher@2.2.2.6 sudo rsync -avzP ssher /etc
sending incremental file list
ssher/
ssher/tt.txt
0 100% 0.00kB/s 0:00:00 (xfer#1, to-check=0/2)
sent 109 bytes received 35 bytes 288.00 bytes/sec
total size is 0 speedup is 0.00
Connection to 2.2.2.6 closed.
[ssher@C64-6-B etc]$ ll ssher
total 0
-rw-rw-r-- 1 ssher ssher 0 Sep 23 13:04 tt.txt
Running the distribution through a script
[ssher@C64-5-S ~]$ vi putongfenfa.sh
#!/bin/sh
# $1: path to push. It is copied into the remote home directory, then moved
# into /etc with the sudo-permitted rsync. The remote rsync reuses $1, so
# this assumes the same home path exists on every client (/home/ssher here).
for ip in `cat iplist`
do
    scp -P52113 -rp "$1" ssher@"$ip":~
    ssh -t -p 52113 ssher@"$ip" sudo rsync -avzP "$1" /etc
done
[ssher@C64-5-S ~]$ echo "2.2.2.6" >> iplist
[ssher@C64-5-S ~]$ echo "2.2.2.7" >> iplist
[ssher@C64-5-S ~]$ cat iplist
2.2.2.6
2.2.2.7
[ssher@C64-5-S ~]$ cp /etc/hosts ./
[ssher@C64-5-S ~]$ ll
total 16
-rw-r--r-- 1 ssher ssher 166 Sep 23 13:37 hosts
-rw-rw-r-- 1 ssher ssher 16 Sep 23 13:35 iplist
-rw-rw-r-- 1 ssher ssher 119 Sep 23 13:35 putongfenfa.sh
drwxrwxr-x 2 ssher ssher 4096 Sep 23 13:04 ssher
[ssher@C64-5-S ~]$ vi hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 C64-5-S
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
######################################
[ssher@C64-5-S ~]$ sh putongfenfa.sh /home/ssher/hosts
hosts 100% 205 0.2KB/s 00:00
sending incremental file list
hosts
205 100% 0.00kB/s 0:00:00 (xfer#1, to-check=0/1)
sent 151 bytes received 31 bytes 364.00 bytes/sec
total size is 205 speedup is 1.13
Connection to 2.2.2.6 closed.
hosts 100% 205 0.2KB/s 00:00
sending incremental file list
hosts
205 100% 0.00kB/s 0:00:00 (xfer#1, to-check=0/1)
sent 151 bytes received 31 bytes 364.00 bytes/sec
total size is 205 speedup is 1.13
Connection to 2.2.2.7 closed.
Check that the push worked
[ssher@C64-6-B ~]$ more /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 C64-5-S
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
######################################
[ssher@C64-7-C ~]$ more /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 C64-5-S
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
######################################
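A sudoers rule that grants rsync, tar and scp as root is root in all but name, as noted above. A narrower alternative, as an added example that is not from the original post, is to grant one wrapper script whose only action is to copy a named file from a staging directory into the one directory that needs updating. The paths `/home/ssher/stage` and `/usr/local/sbin/deploy-file` and the sudoers line in the comment are assumptions for illustration; the two directories are parameters so the script can be exercised outside /etc.

```shell
#!/bin/sh
# Added example (not from the original post): a narrow wrapper to grant via
# sudo instead of rsync/tar/scp. The sudoers line then becomes
#     ssher ALL=(root) NOPASSWD: /usr/local/sbin/deploy-file
# and the second hop from the server becomes
#     ssh -t -p 52113 ssher@2.2.2.6 sudo /usr/local/sbin/deploy-file hosts
# Assumptions: clients push files into STAGE_DIR first (the post used the
# home directory), and DEST_DIR is the only directory that may be written.
STAGE_DIR="${STAGE_DIR:-/home/ssher/stage}"
DEST_DIR="${DEST_DIR:-/etc}"

# deploy_file NAME: copy STAGE_DIR/NAME to DEST_DIR/NAME, refusing anything
# that is not a plain file name inside the staging directory.
deploy_file() {
    name="$1"
    # no empty names, no absolute paths, no traversal, no subdirectories
    case "$name" in
        ''|*/*|.|..) echo "refused: bad name '$name'" >&2; return 2 ;;
    esac
    src="$STAGE_DIR/$name"
    dst="$DEST_DIR/$name"
    # a symlink in the staging dir could point at any file root can read
    if [ -L "$src" ] || [ ! -f "$src" ]; then
        echo "refused: $src is not a regular file" >&2; return 2
    fi
    # and a symlink at the destination could redirect the write elsewhere
    if [ -L "$dst" ]; then
        echo "refused: $dst is a symlink" >&2; return 2
    fi
    # copy to a temporary name, fix the mode, then rename, so readers never
    # see a half-written file; ownership becomes the sudo target's (root)
    tmp="$DEST_DIR/.$name.tmp.$$"
    cp "$src" "$tmp" && chmod 0644 "$tmp" && mv -f "$tmp" "$dst"
}

# when installed as /usr/local/sbin/deploy-file, act on the single argument
if [ $# -eq 1 ]; then
    deploy_file "$1"
fi
```

The wrapper does not make ssher harmless: the check-then-copy on the staging file can be raced by that same user, and a file dropped into /etc can still change the machine's behaviour. What it does is shrink the grant from "any file, any command, as root" to "these names, into this directory, logged by sudo", which is the property Example 2 is after; the original `sudo rsync` step in putongfenfa.sh is replaced by the one-line `sudo /usr/local/sbin/deploy-file hosts`.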
Example 3: key for an unprivileged user, privilege through a setuid bit on the command
Set the setuid bit on rsync. Read this one as a demonstration only: a setuid-root rsync lets every local user on the machine read and overwrite any file as root (and run a program of their choosing via `-e`), with no sudo log of who did it, so it is strictly worse than Example 2 and has no place outside a lab. Note also that the bit is set on the clients, not just on S: the rsync that writes /etc/hosts on B is the remote one started by sshd as ssher, which the setuid bit turns into root; that is why the copied file keeps its ssher:ssher ownership below, something only root could have set.
[root@C64-5-S ~]# ll /usr/bin/rsync
-rwxr-xr-x. 1 root root 414968 Apr 30 2014 /usr/bin/rsync
[root@C64-5-S ~]# chmod 4755 /usr/bin/rsync
[root@C64-5-S ~]# ll /usr/bin/rsync
-rwsr-xr-x. 1 root root 414968 Apr 30 2014 /usr/bin/rsync
[root@C64-6-B ~]# ll /usr/bin/rsync
-rwxr-xr-x. 1 root root 414968 Apr 30 2014 /usr/bin/rsync
[root@C64-6-B ~]# chmod 4755 /usr/bin/rsync
[root@C64-6-B ~]# ll /usr/bin/rsync
-rwsr-xr-x. 1 root root 414968 Apr 30 2014 /usr/bin/rsync
[root@C64-7-C ~]# ll /usr/bin/rsync
-rwxr-xr-x. 1 root root 414968 Apr 30 2014 /usr/bin/rsync
[root@C64-7-C ~]# chmod 4755 /usr/bin/rsync
[root@C64-7-C ~]# ll /usr/bin/rsync
-rwsr-xr-x. 1 root root 414968 Apr 30 2014 /usr/bin/rsync
[ssher@C64-5-S ~]$ rsync -avzP ./hosts -e 'ssh -p 52113' ssher@2.2.2.6:/etc
sending incremental file list
sent 45 bytes received 12 bytes 114.00 bytes/sec
total size is 205 speedup is 3.60
[root@C64-6-B ~]# ll /etc/hosts
-rw-r--r-- 1 ssher ssher 205 Sep 23 13:37 /etc/hosts
Closing notes
The usual options for batch distribution, deployment and management:
1. Secboy
2. SecureCRT
3. Passwordless SSH
(1) key authentication directly as root
(2) key for an unprivileged user (privilege through sudo)
(3) key for an unprivileged user (setuid on the command)
4. expect
5. puppet
6. cfengine
7. rsync
8. lsyncd (sersync)
9. HTTP
10. NFS network file system