一、环境介绍
对300台服务器进行登录,增加jumpserver管理里用户。由于所有服务器root禁止登录,导致需要多层交互。
二、思路
1、通过expect批量shell实现交互登录普通用户,切换root用户,并执行shell语句。
2、python实现
三、shell实现
ps:感觉白写了,交互速度大概5秒一台。服务器数量大于50,建议用python实现。
1.功能脚本
[root@jumpserver shell_sctipt]# cat shell_rebound.exp
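#!/usr/bin/expect
# Bootstrap the jumpserver login user on ONE host: log in as "saas", become
# root, create the user with its ssh key, and grant it passwordless sudo.
#
# Arguments: [lindex $argv 0] - target host
#            [lindex $argv 1] - password of the "saas" login user
#            [lindex $argv 2] - root password (for "su root")
# Exit status: 0 once the command block has finished on the host,
#              1 when a prompt did not appear in time or the session dropped.
#
# NOTE(review): both passwords travel on the command line, so any local user
# can read them via ps while the script runs; the argv interface is kept
# because the bash caller depends on it.

set host      [lindex $argv 0]
set saas_pass [lindex $argv 1]
set root_pass [lindex $argv 2]

# Upper bound for every expect below (the 10 s default is tight on slow hosts).
set timeout 30

# Abort instead of sending the next secret to whatever happens to be on
# screen: the original sent each line regardless of whether its prompt matched.
proc fail {msg} {
    puts stderr $msg
    exit 1
}

spawn ssh saas@$host

expect {
    -re {\(yes/no(/\[fingerprint\])?\)\?} {
        # Unknown host key: fail closed rather than accept a key blind; seed
        # known_hosts with verified keys before running the batch.
        fail "host key for $host is not in known_hosts"
    }
    -nocase "password:" { send "$saas_pass\r" }
    timeout { fail "no login password prompt from $host" }
    eof     { fail "connection to $host closed before login" }
}

# A bare "$" glob is an end-of-buffer anchor in expect, not a literal prompt
# character, so the original matched at once; wait for a real "$ " prompt.
expect {
    -re {\$ $} { send "su root\r" }
    timeout    { fail "no shell prompt on $host (wrong saas password?)" }
    eof        { fail "connection to $host closed after login" }
}

# su prints "Password:" with a capital P; -nocase covers both spellings.
expect {
    -nocase "password:" { send "$root_pass\r" }
    timeout { fail "no su password prompt on $host" }
    eof     { fail "connection to $host closed at su" }
}

# The sudoers lines edit /etc/sudoers in place; a syntax error there disables
# sudo host-wide, so a drop-in under /etc/sudoers.d checked with "visudo -cf"
# would be safer (left as on the page). The trailing echo is a sentinel this
# script waits for; its quotes keep the echoed command line from matching.
expect {
    -re {# $} {
        send "useradd olym_jumpserver
su olym_jumpserver
cd ~/
mkdir .ssh
chmod 700 .ssh
cd .ssh/
(cat << EOF
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDhzIuxp6WPSZJ02ImwUFl/TqMjerbKIZIaEd6FB4ETRpspyLYCPA/1oJ4N2HDMe+RFYPsp4u8geni2VxvMx2LkABUfUrRnDgStCsFdQjHduE1wVSvEoYD0EmaqInbh4wkUYLdU+3iizrV+vr2wH6chAhRf+iDSq35x58QV5pxtfS6UrqhWabQUjFcJfLNAgLUr5xSRJwie2V4VVkSFrFbJgPMUob1CO7ISpXWvseq5H8cRPu08tNXjC21HCK5vIFtoFPcTzIxfHCIhcfa/ey1EpEVr0yKwACzKyub4DmwonFxcpO/ErsqhO/AVDp9HzMuc4/x3eiuti4OH8DuqbgHr olym_jumpserver@izwz98ft7tasnlfweupijmz
EOF
) > /home/olym_jumpserver/.ssh/authorized_keys
chmod 600 /home/olym_jumpserver/.ssh/authorized_keys
exit
chmod 700 /etc/sudoers
echo 'olym_jumpserver ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers
chmod 400 /etc/sudoers
echo jumpserver-boot'strap'-done\r"
    }
    timeout { fail "no root prompt on $host (wrong root password?)" }
    eof     { fail "connection to $host closed at root shell" }
}

# The original waited for eof, which only arrived via the timeout because the
# remote shells were never exited; wait for the sentinel instead.
expect {
    "jumpserver-bootstrap-done" {}
    timeout { fail "command block did not finish on $host" }
    eof     { fail "connection to $host closed during the command block" }
}

# Leave the root shell, then the saas shell, so ssh closes by itself.
send "exit\r"
send "exit\r"
expect eof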
可以直接测试执行,或者再写一层调用方脚本
expect shell_rebound.exp 10.29.185.159 Kxvhanabcd f9e_dnoabcd
2.调用脚本
#!/bin/bash
##create by xingcheng
##20180608
#setup1:
#变量
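num=0 # index into saas_pass/root_pass: host group ip_listN uses password pair N
ip_list0=(10.160.33.139 10.160.35.135 10.160.34.114 10.173.225.80) #xxx
ip_list1=(10.171.194.133 10.168.142.10) #xxx
ip_list2=(10.117.198.171 10.117.190.163 10.168.111.133 10.168.111.53 10.117.203.57 10.117.186.10 10.168.217.51 10.117.28.183) #xxx
ip_list3=(10.117.14.254 10.117.216.72 10.117.199.196) #xxx
ip_list4=(10.168.166.201) #xxx
ip_list5=(10.25.67.203 10.51.18.254 10.51.24.30 10.51.19.199 10.161.141.119 10.117.215.34 10.175.202.149 10.51.0.162 10.251.236.43 10.162.72.86 10.162.60.92 10.168.115.68 10.168.114.246 10.117.21.209 10.168.220.150 10.168.25.117 10.168.64.114 10.168.14.218 10.252.127.189 10.132.70.114 10.122.68.241 10.251.249.135 10.161.231.223 10.162.57.104 10.132.11.130) #xxx
ip_list6=(10.168.19.142 10.162.96.34) #xxx
ip_list7=(10.165.101.149 10.160.4.181 10.161.218.92 10.161.179.88) #xxx
ip_list8=(10.162.103.18 10.51.0.124 10.252.164.128 10.251.255.128) #xxx
# NOTE(review): the credentials live in this file and are later handed to
# expect on its command line, so anyone who can read the script or list
# processes can read them. If a password contains shell-special characters,
# decide per value whether single or double quotes are needed; getting this
# wrong is the usual cause of script errors or failed logins.
saas_pass=('Kxxxxxj2' 'uxxxxxZ' 'bxxxxxi' 'qxxxxx(' 'Qxxxxxx#' 'nxxxxxd' 'FxxxxxS' 'wxxxxxxd' 'txxxxxq')
root_pass=('Lxxxxxh' "_B4xxxxxL" LxxxxxxS
'qu4&lB<b{R&(' 'QrxxxxxC#' 'qxxxxr#' 'Yxxxxk' 'txxxxx9' 'hyxxxxxe')
# e.g. root_pass=("L.f9e_h" "_B45N8\A=/&+S>C'z9J34eHL" 'LgC#sdfd!GoS' "I6E2deebSjPau" "v3qsdAH#xxj" 'qa34er#$YJT90' "YNwwewSXyLTgDKWk")
#setup2:
# Names of the host groups; first()/next() dereference them indirectly.
# Brace expansion replaces the seq loop and keeps the 0..8 range in one place.
IP_LIST=(ip_list{0..8})
echo "${IP_LIST[@]}"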
#函数
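#######################################
# Run shell_rebound.exp against every host of the group named by $ip_list,
# then move on to the next password pair.
# Globals:   ip_list (read: name of the host array, e.g. ip_list0)
#            saas_pass, root_pass (read), num (read, then incremented)
# Outputs:   expect's session output on stdout; a warning per failed host on stderr
# Returns:   0; calls exit once all nine password pairs have been used
#######################################
next() {
  # Indirect expansion of the array whose name is in ip_list; this also fixes
  # the original's off-by-one (seq 0 COUNT ran one extra iteration with an
  # empty host argument).
  local ref="${ip_list}[@]"
  local host
  for host in "${!ref}"; do
    # Passwords on the command line are visible to other local users (ps);
    # kept because shell_rebound.exp reads them from argv.
    expect shell_rebound.exp "$host" "${saas_pass[$num]}" "${root_pass[$num]}" \
      || printf 'warn: bootstrap failed on %s\n' "$host" >&2
  done
  num=$((num + 1))
  if [ "$num" -eq 9 ]; then
    exit
  fi
}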
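#######################################
# Walk every host group in IP_LIST: print its members, then hand it to next.
# Globals:   IP_LIST (read), ip_list (written: current group name), num (via next)
# Outputs:   one line per group with its members, space-separated
# Returns:   0 (next may exit the script after the last password pair)
#######################################
first() {
  local name ref
  for name in "${IP_LIST[@]}"; do
    ip_list=("$name") # kept as an array: next reads ${ip_list} (element 0)
    ref="${name}[@]"
    echo "${!ref}" # indirect expansion replaces the eval of the original
    next
  done
}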
#setup3:
# Entry point: walks every group in IP_LIST; next() exits the script once
# the last password pair has been used.
first
四、决定换python实现
[root@jumpserver python_script]# cat !$
cat python_rebound.py
#!/usr/bin/env python
import time, paramiko, sys
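def _wait_for(chan, suffix, timeout=60):
    """Read from an interactive channel until its output ends with ``suffix``.

    Args:
        chan: a paramiko Channel returned by ``invoke_shell()``.
        suffix: text the accumulated output must end with (e.g. ``'# '``).
        timeout: seconds allowed per ``recv``. The original looped forever,
            which hung the whole batch whenever a prompt never appeared
            (wrong root password, non-English locale, a different PS1).

    Returns:
        Everything received up to and including ``suffix``, as text.

    Raises:
        socket.timeout: no data arrived within ``timeout`` seconds.
        EOFError: the channel closed before ``suffix`` was seen.
    """
    chan.settimeout(timeout)
    buff = u''
    while not buff.endswith(suffix):
        resp = chan.recv(9999)
        if not resp:
            raise EOFError('channel closed while waiting for %r' % suffix)
        # recv yields bytes on Python 3 and str on Python 2; normalise to text.
        if isinstance(resp, bytes):
            resp = resp.decode('utf-8', 'replace')
        buff += resp
    return buff


def verification_ssh(host, username, password, port, root_pwd):
    """Log in to ``host`` and run the jumpserver bootstrap commands as root.

    Args:
        host: target address.
        username: login user; when it is not ``'root'`` the script escalates
            with ``su -`` over an interactive shell.
        password: password of ``username``.
        port: ssh port (converted with ``int``).
        root_pwd: root password for ``su -``; unused when ``username == 'root'``.

    Returns:
        The remote output: the interactive buffer up to the final root prompt,
        or stdout of ``exec_command`` when logged in as root directly (the
        original returned '' in that branch because it read stdout twice).

    Raises:
        paramiko/socket errors from ``connect``; ``socket.timeout`` or
        ``EOFError`` when an expected prompt never appears.
    """
    # NOTE(review): the block edits /etc/sudoers in place; a syntax error there
    # disables sudo host-wide, so a /etc/sudoers.d drop-in checked with
    # "visudo -cf" would be safer. Left byte-for-byte as on the page.
    cmd = '''useradd olym_jumpserver
su olym_jumpserver
cd ~/
mkdir .ssh
chmod 700 .ssh
cd .ssh/
(cat << EOF
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDhzIuxp6WPSZJ02ImwUFl/TqMjerbKIZIaEd6FB4ETRpspyLYCPA/1oJ4N2HDMe+RFYPsp4u8geni2VxvMx2LkABUfUrRnDgStCsFdQjHduE1wVSvEoYD0EmaqInbh4wkUYLdU+3iizrV+vr2wH6chAhRf+iDSq35x58QV5pxtfS6UrqhWabQUjFcJfLNAgLUr5xSRJwie2V4VVkSFrFbJgPMUob1CO7ISpXWvseq5H8cRPu08tNXjC21HCK5vIFtoFPcTzIxfHCIhcfa/ey1EpEVr0yKwACzKyub4DmwonFxcpO/ErsqhO/AVDp9HzMuc4/x3eiuti4OH8DuqbgHr olym_jumpserver@izwz98ft7tasnlfweupijmz
EOF
) > /home/olym_jumpserver/.ssh/authorized_keys
chmod 600 /home/olym_jumpserver/.ssh/authorized_keys
exit
chmod 700 /etc/sudoers
echo 'olym_jumpserver ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers
chmod 400 /etc/sudoers
'''
    s = paramiko.SSHClient()
    s.load_system_host_keys()
    # NOTE(review): AutoAddPolicy accepts any unknown host key on first contact,
    # so a spoofed host would receive both passwords; seed known_hosts and use
    # RejectPolicy once the fleet's keys are known.
    s.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    s.connect(hostname=host, port=int(port), username=username, password=password)
    try:
        if username != 'root':
            ssh = s.invoke_shell()
            time.sleep(0.1)
            ssh.send('su - \n')
            _wait_for(ssh, 'Password: ')
            ssh.send(root_pwd)
            ssh.send('\n')
            # A root prompt means the password was accepted.
            _wait_for(ssh, '# ')
            ssh.send(cmd)
            ssh.send('\n')
            result = _wait_for(ssh, '# ')
        else:
            stdin, stdout, stderr = s.exec_command(cmd)
            # Read stdout once: a second read() on the same stream returns ''.
            result = stdout.read()
            if isinstance(result, bytes):
                result = result.decode('utf-8', 'replace')
            print(result)
    finally:
        # Close on every path; the original skipped close() on an exception.
        s.close()
    return result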
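def main():
    """Command-line entry: ``python_rebound.py HOST USER PASSWORD ROOT_PASSWORD``.

    Prints a usage line to stderr and exits with status 2 when arguments are
    missing (the original died with an IndexError). The ssh port is fixed at 22.
    """
    if len(sys.argv) < 5:
        sys.stderr.write('usage: %s HOST USER PASSWORD ROOT_PASSWORD\n' % sys.argv[0])
        sys.exit(2)
    host, username, password, root_pwd = sys.argv[1:5]
    # NOTE(review): passwords given on argv are visible in the process list for
    # the duration of the run; the argv interface is kept as on the page.
    verification_ssh(host, username, password, 22, root_pwd)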
if __name__ == "__main__":
    # Run only when executed as a script, not when imported.
    main()