SSH key passwordless authentication: distribution, management and backup guide 02
1. Backup requirements analysis
All servers use the same system user, xiaoping. Machines A and B must back up local data to machine C, and during the backup C must not prompt for a system password.
In other words: a solution for passwordless login when backing up data from servers A and B to the backup storage server Z.
The backup data flow is as follows:
A ---> C
B ---> C
By analogy: several keys (A, B) open one lock (C).
2. Generate the key pair
[xiaoping@clientC ~]$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/xiaoping/.ssh/id_dsa):
Created directory '/home/xiaoping/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/xiaoping/.ssh/id_dsa.
Your public key has been saved in /home/xiaoping/.ssh/id_dsa.pub.
The key fingerprint is:
db:c7:c4:95:66:00:06:b9:12:ca:72:e3:56:f6:08:e5 xiaoping@clientC
The key's randomart image is:
+--[ DSA 1024]----+
| .oo.. |
| o .. . . |
| . + . . = |
| . * E . . + |
| + = +S o |
| o . .o o |
| . . . o |
| . |
| |
+-----------------+
[xiaoping@clientC ~]$ ls /home/xiaoping/.ssh/
id_dsa id_dsa.pub
3. Distribute the private key (the "key")
Note: this is where the backup scheme differs from the data-distribution scheme. In the distribution scheme the public key (the lock) is copied from A into the user's home directory on B and on C, one copy each. In the backup scheme we instead send the private key to the X and Y servers and keep the public key (the lock) locally on the backup server Z, because the backup server itself is the "lock".
[root@clientC .ssh]# grep \key /etc/ssh/sshd_config
#HostKey /etc/ssh/ssh_host_key
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
# Lifetime and size of ephemeral version 1 server key
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
# Change to no to disable s/key passwords
[root@clientC .ssh]# ^C
[root@clientC .ssh]# su xiaoping
[xiaoping@clientC .ssh]$ ls -a
. .. id_dsa id_dsa.pub known_hosts
[xiaoping@clientC .ssh]$ mv id_dsa.pub authorized_keys
[xiaoping@clientC .ssh]$ ls -a
. .. authorized_keys id_dsa known_hosts
[xiaoping@clientC .ssh]$ scp -p id_dsa [email protected]:~/.ssh/
[email protected]'s password:
id_dsa 100% 668 0.7KB/s 00:00
Test from the A side:
[xiaoping@clientA .ssh]$ ssh [email protected] free -m
The authenticity of host '192.168.20.25 (192.168.20.25)' can't be established.
RSA key fingerprint is 6c:3a:ef:2b:3f:18:b7:db:83:b4:72:22:5b:07:23:50.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.20.25' (RSA) to the list of known hosts.
             total       used       free     shared    buffers     cached
Mem:           143        130         12          0         33         17
-/+ buffers/cache:         79         64
Swap:         1983         13       1970
[xiaoping@clientA .ssh]$ scp -p -r /xiaoping/ [email protected]:/tmp/
22.sh 100% 0 0.0KB/s 00:00
111.sh 100% 0 0.0KB/s 00:00
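As installed above, the entry in C's authorized_keys lets whoever holds id_dsa on A or B run any command on C as xiaoping. An added hardening step, not part of the original notes: prefix that entry with a forced command so the key can only push backups with rsync into one directory. The wrapper path, the /backup directory and the rsync argument shapes in the checks are assumptions.

```shell
#!/bin/sh
# backup-receive.sh: forced command for the backup server's authorized_keys
# (added example, not part of the original notes; path and BACKUP_ROOT are assumptions).
# Install on C with one entry per client key, e.g.:
#   command="/usr/local/bin/backup-receive.sh",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-dss AAAA... xiaoping@clientA
# sshd then runs this script and puts the command the client asked for in SSH_ORIGINAL_COMMAND.

BACKUP_ROOT=/backup   # hypothetical directory on C that clients may write into

# Return 0 only for an rsync receive into BACKUP_ROOT; anything else (a shell, scp,
# rsync in --sender mode, a destination outside the backup tree) returns 1.
allow_command() {
    cmd=$1
    case "$cmd" in
        "rsync --server -"*) ;;          # rsync server side, as started by a pushing client
        *) return 1 ;;
    esac
    case "$cmd" in
        *--sender*) return 1 ;;          # would let the client read C's files instead of writing
    esac
    dest=${cmd##* }                      # last argument: destination path on C
    case "$dest" in
        *..*) return 1 ;;                # no path traversal
        "$BACKUP_ROOT"|"$BACKUP_ROOT"/*) return 0 ;;
    esac
    return 1
}

if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if allow_command "$SSH_ORIGINAL_COMMAND"; then
        exec $SSH_ORIGINAL_COMMAND       # word-split on purpose: run the validated rsync server
    fi
    echo "backup-receive: rejected command: $SSH_ORIGINAL_COMMAND" >&2
    exit 1
fi
```

The same private key still works for `rsync -e ssh` pushes from A and B, but an interactive `ssh` or `scp` with it is refused and logged on C.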
【How to back up root-owned files from the remote side to C】
First adjust the sudo permissions of user xiaoping:
[xiaoping@clientA ~]$ visudo
xiaoping ALL=(ALL) NOPASSWD: /usr/bin/rsync,/usr/bin/scp,/bin/cp
[root@clientA xiaoping]# su xiaoping
[xiaoping@clientA ~]$ scp -p -r ./xiaoping [email protected]:~
./xiaoping: No such file or directory
[xiaoping@clientA ~]$ scp -p -r /home/xiaoping [email protected]:~    # first copy the files into the home directory
manager.sh 100% 435 0.4KB/s 00:00
iplist 100% 28 0.0KB/s 00:00
.bash_history 100% 44 0.0KB/s 00:00
hoststatus.txt 100% 0 0.0KB/s 00:00
.bash_profile 100% 176 0.2KB/s 00:00
id_dsa 100% 668 0.7KB/s 00:00
known_hosts 100% 789 0.8KB/s 00:00
net.sh 100% 521 0.5KB/s 00:00
.bash_logout 100% 18 0.0KB/s 00:00
network.sh 100% 238 0.2KB/s 00:00
.bashrc 100% 124 0.1KB/s 00:00
[xiaoping@clientA ~]$ ssh -t -p 22 [email protected] sudo rsync -avz -p /home/xiaoping/xiaoping /root/    # then ssh to the remote server and use sudo to copy the files into root's directory
sending incremental file list
xiaoping/
xiaoping/.bash_history
xiaoping/.bash_logout
xiaoping/.bash_profile
xiaoping/.bashrc
xiaoping/hoststatus.txt
xiaoping/net.sh
xiaoping/network.sh
xiaoping/xiaogui
xiaoping/xiaolai
xiaoping/xiaoqi
xiaoping/xiaozhou
xiaoping/.ssh/
xiaoping/.ssh/id_dsa
xiaoping/.ssh/known_hosts
xiaoping/manager/
xiaoping/manager/iplist
xiaoping/manager/manager.sh
sent 3108 bytes received 309 bytes 6834.00 bytes/sec
total size is 3041 speedup is 0.89
Connection to 192.168.20.25 closed.
[xiaoping@clientA ~]$
#scp -p -r /home/xiaoping [email protected]:~
#ssh -t -p 22 [email protected] sudo rsync -avz -p /home/xiaoping/xiaoping /root/
scp -P22 -p -r /xiaping [email protected]:~
Method 1: the rsync service. Deploy an rsync daemon on the backup server and make all backup nodes rsync clients. This is the backup scheme commonly used in production; very fragmented files should be packed into an archive before transfer.
Method 2: FTP. Deploy an FTP daemon on the backup server and make all backup nodes FTP clients; after the local backup finishes, push the data to the backup server over FTP. Also usable.
Method 3: NFS. Deploy an NFS service on the backup server and make all backup nodes NFS clients. After the local backup finishes (or by backing up directly to the remote NFS server), push the data to the NFS backup server through the mount. This is also an option and works for roughly 15 machines or fewer; not recommended.
Method 4: scp with SSH keys, or an interactive expect-based backup. Listed here only as a backup idea; not recommended.
Summary: no matter which scheme is used, a correct backup can never be fully guaranteed. In my work, the content stored on the backup server is additionally checked by scripts that send mail on a schedule, and periodic manual or automated restore tests are run (for example, once a week the data is automatically restored to the test WEB SERVER and DB SERVER). The backup and restore results are then sent, usually daily, manually or automatically, to the mailboxes of the relevant operations staff, to make sure the backed-up data is genuinely valid.
Scheme 1: establish key authentication directly as the root user
Scheme 2: establish keys as an ordinary user (escalate with sudo)
[root@clientC ~]# useradd 001
[root@clientC ~]# tail -l /etc/passwd
rpc:x:32:32:Rpcbind Daemon:/var/cache/rpcbind:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
SambaServer:x:501:501::/home/SambaServer:/bin/false
lily:x:502:502::/home/lily:/bin/bash
lisan:x:503:502::/home/lisan:/bin/bash
proadmin:x:504:504::/home/proadmin:/sbin/nologin
prouser:x:505:504::/home/prouser:/sbin/nologin
xiaoping:x:506:506::/home/xiaoping:/bin/bash
001:x:507:507::/home/001:/bin/bash
[root@clientC ~]# echo "123456" | passwd --stdin 001
Changing password for user 001.
passwd: all authentication tokens updated successfully.
[root@clientC ~]# su -001
su: invalid option -- '0'
Try `su --help' for more information.
[root@clientC ~]# su 001
[001@clientC root]$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/001/.ssh/id_dsa):
Created directory '/home/001/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/001/.ssh/id_dsa.
Your public key has been saved in /home/001/.ssh/id_dsa.pub.
The key fingerprint is:
d4:44:da:62:a9:f1:af:c9:66:47:c2:09:ba:06:0e:b8 001@clientC
The key's randomart image is:
+--[ DSA 1024]----+
| .o |
| * |
| . * o |
| .* . |
|. ..oS. |
|o . . +.. |
| + . . o. |
|E . o .oo. |
| . o+. |
+-----------------+
[001@clientC .ssh]$ ssh-copy-id -i id_dsa.pub "-p 22 [email protected]"
The authenticity of host '192.168.20.5 (192.168.20.5)' can't be established.
RSA key fingerprint is c1:28:b4:c3:f6:3d:85:bf:b2:df:59:17:d5:9f:65:2e.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.20.5' (RSA) to the list of known hosts.
[email protected]'s password:
Now try logging into the machine, with "ssh '-p 22 [email protected]'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
[001@clientC .ssh]$ ssh [email protected] free -m
             total       used       free     shared    buffers     cached
Mem:           199        182         17          0         52         19
-/+ buffers/cache:        109         89
Swap:         1055          0       1055
[001@clientC .ssh]$ ssh [email protected] /sbin/ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:0C:29:D8:5D:8C
          inet addr:192.168.20.5  Bcast:192.168.20.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fed8:5d8c/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:32979 errors:0 dropped:0 overruns:0 frame:0
          TX packets:24899 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2999695 (2.8 MiB)  TX bytes:6948512 (6.6 MiB)
[001@clientC .ssh]$ mkdir /001/
mkdir: cannot create directory `/001/': Permission denied
[001@clientC .ssh]$ mkdir 001
[001@clientC .ssh]$ cd 001
[001@clientC 001]$ touch 001
[001@clientC 001]$ touch 002
[001@clientC 001]$ echo 111 > 001
[001@clientC .ssh]$ scp -p -r 001 [email protected]:~
001 100% 4 0.0KB/s 00:00
002 100% 0 0.0KB/s 00:00
[001@clientC .ssh]$ scp -p -r 001 [email protected]:/etc    # the A side has no root permission, escalation is needed
scp: /etc/001: Permission denied
[root@clientA xiaoping]# grep \001 /etc/sudoers    # add the sudo entry on A, in preparation for the copy below
001 ALL=(ALL) NOPASSWD: /usr/bin/rsync,/usr/bin/scp,/bin/cp
[001@clientC .ssh]$ ssh -t [email protected] sudo rsync -avz -p 001 /etc/
sending incremental file list
001/
001/001
001/002
sent 155 bytes received 54 bytes 418.00 bytes/sec
total size is 4 speedup is 0.02
Connection to 192.168.20.5 closed.
[root@clientC scirts]# mkdir /xp001/ -p
[root@clientC scirts]# chown 001 /xp001/ -R
[root@clientC scirts]# cp /etc/hosts /xp001/
[root@clientC scirts]# cd /xp001/
[root@clientC xp001]# ll
total 4
-rw-r--r-- 1 root root 225 Feb 23 23:49 hosts
[root@clientC xp001]# su 001
[001@clientC xp001]$ scp -p -r /xp001/hosts [email protected]:~
hosts 100% 225 0.2KB/s 00:00
[001@clientC xp001]$ ssh -t [email protected] sudo rsync -avz -P hosts /etc
sending incremental file list
hosts
225 100% 0.00kB/s 0:00:00 (xfer#1, to-check=0/1)
sent 199 bytes received 31 bytes 460.00 bytes/sec
total size is 225 speedup is 0.98
Connection to 192.168.20.5 closed.
[001@clientC xp001]$ vi 001-fenfa.sh    ## let a script do the distribution automatically
[001@clientC xp001]$ sh 001-fenfa.sh hosts
hosts 100% 225 0.2KB/s 00:00
sending incremental file list
sent 41 bytes received 12 bytes 106.00 bytes/sec
total size is 225 speedup is 4.25
Connection to 192.168.20.5 closed.
[001@clientC xp001]$ cat 001-fenfa.sh
for ip in 192.168.20.5
do
scp -p -r /xp001/hosts 001@$ip:~
ssh -t 001@$ip sudo rsync -avz -P $1 /etc
done
[001@clientC xp001]$
## What about copying from any directory on C to any directory on C?
1. The C side also needs sudo escalation, which requires a password; that amounts to local root authenticating to remote 001. ##???
2. As long as the user has read permission on the file or directory, it can be copied.
[root@clientC ~]# cp -ap /home/001/.ssh/ /root/
[root@clientC ~]# mkdir /lily
[root@clientC ~]# chmod 700 /lily/
[root@clientC ~]# touch /lily/001
[root@clientC ~]# su 001
[001@clientC root]$ sudo -l
Matching Defaults entries for 001 on this host:
    requiretty, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User 001 may run the following commands on this host:
    (ALL) NOPASSWD: /usr/bin/rsync, (ALL) /usr/bin/scp, (ALL) /bin/cp
[001@clientC root]$ sudo scp -p -r /lily/001 [email protected]:~
scp: /home/001/001: Is a directory
[001@clientC root]$ sudo scp -P22 -p -r /lily/ [email protected]:~
001 100% 0 0.0KB/s 00:00
[root@clientC ~]# ll .ssh
total 16
drwxrwxr-x 2 001 001 4096 Feb 23 23:36 001
-rw------- 1 001 001 668 Feb 23 23:30 id_dsa
-rw-r--r-- 1 001 001 601 Feb 23 23:30 id_dsa.pub
-rw-r--r-- 1 001 001 394 Feb 23 23:34 known_hosts
[root@clientC .ssh]# diff id_dsa /home/001/.ssh/id_dsa    # check that the keys are identical
[root@clientC .ssh]#
[root@clientC .ssh]# ssh -t [email protected] sudo rsync -avz -p /lily/ /etc/
sending incremental file list
rsync: change_dir "/lily" failed: No such file or directory (2)
sent 18 bytes received 12 bytes 60.00 bytes/sec
total size is 0 speedup is 0.00
rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1039) [sender=3.0.6]
Connection to 192.168.20.5 closed.
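The 001-fenfa.sh loop shown above always copies /xp001/hosts with scp but passes $1 to rsync, and it would stop at a password prompt if a key were missing. An added version, not the author's script, that takes the file as its argument, reads hosts from an IP list, fails fast in batch mode and reports a result per host; the SSH/SCP variables, the iplist format and the port are assumptions.

```shell
#!/bin/sh
# fenfa.sh: push one file to every host in an IP list as user 001, then move it into place
# with sudo rsync (the two-step idea from the notes; added example, not the author's script).
# Usage: sh fenfa.sh <file> <dest-dir> [iplist]   (iplist: one IP per line, '#' comments allowed)
SSH=${SSH:-ssh}        # overridable so the loop can be exercised without real hosts
SCP=${SCP:-scp}
USER_NAME=001
PORT=22
# BatchMode=yes: if the key is missing or wrong, fail at once instead of hanging on a password prompt
OPTS="-o BatchMode=yes -o ConnectTimeout=5"

# Copy $2 into $1's home, then rsync it into $3 as root. Returns the failing step's status.
push_one() {
    ip=$1 file=$2 dest=$3
    name=$(basename "$file")
    $SCP -P "$PORT" $OPTS -p "$file" "$USER_NAME@$ip:~/" || return $?
    # -tt forces a pty even from cron, because sudoers on the target has requiretty (see sudo -l above)
    $SSH -tt -p "$PORT" $OPTS "$USER_NAME@$ip" "sudo rsync -avz -P ~/$name $dest/"
}

# Push $1 to every host in $3 (default: ./iplist); prints a status line per host and returns the
# number of hosts that failed, so cron or a monitoring job can tell partial failure from success.
fenfa() {
    file=$1 dest=$2 list=${3:-iplist}
    failed=0
    for ip in $(grep -v '^#' "$list" | awk 'NF {print $1}'); do
        push_one "$ip" "$file" "$dest" && rc=0 || rc=$?
        if [ "$rc" -eq 0 ]; then
            echo "$ip: ok"
        else
            echo "$ip: FAILED (status $rc)"
            failed=$((failed + 1))
        fi
    done
    return $failed
}

if [ $# -ge 2 ]; then fenfa "$@"; fi
```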
Scheme 3: establish keys as an ordinary user (escalate a command with setuid)
[root@clientC .ssh]# which rsync
/usr/bin/rsync
[root@clientC .ssh]# chmod 4755 /usr/bin/rsync    # set setuid so this command runs with root privileges
[root@clientC .ssh]# ls /usr/bin/rsync -l
-rwsr-xr-x. 1 root root 415544 Nov 11 2010 /usr/bin/rsync
[root@clientC .ssh]# rsync -avz -P /xp001/001-fenfa.sh -e 'ssh' [email protected]:/etc
sending incremental file list
001-fenfa.sh
107 100% 0.00kB/s 0:00:00 (xfer#1, to-check=0/1)
rsync: mkstemp "/etc/.001-fenfa.sh.ld7zDj" failed: Permission denied (13)
sent 183 bytes received 31 bytes 142.67 bytes/sec
total size is 107 speedup is 0.50
rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1039) [sender=3.0.6]
[root@clientC .ssh]#
[001@clientC .ssh]$ rsync -avz -p /etc/hosts -e 'ssh ' [email protected]:/etc
sending incremental file list
hosts
rsync: mkstemp "/etc/.hosts.V7AS9m" failed: Permission denied (13)
sent 188 bytes received 31 bytes 146.00 bytes/sec
total size is 225 speedup is 1.03
rsync error: some files/attrs were not transferred (see previous errors) (code 2
[001@clientC .ssh]$ ^C
[001@clientC .ssh]$ rsync -avz -p /etc/hosts -e 'ssh -p 22 ' [email protected]:/tmp/
sending incremental file list
hosts
sent 188 bytes received 31 bytes 146.00 bytes/sec
total size is 225 speedup is 1.03
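Note on scheme 3: the log above shows that after `chmod 4755` on C's rsync, writes into /etc on A still fail with Permission denied. The setuid bit only raises the local rsync process to root; the remote side still runs as 001, so it does not replace sudo on the target, while every local user of C can now run rsync as root. An added check, not from the original notes, that reports setuid files which are not on an approved baseline so such a change is noticed; the directory and baseline paths are assumptions.

```shell
#!/bin/sh
# audit_setuid: report setuid files under a directory that are not on an approved baseline
# (added example, not from the original notes). Scheme 3's "chmod 4755 /usr/bin/rsync" is
# exactly the kind of change this is meant to catch.
# $1 = directory to scan, $2 = baseline file listing approved setuid paths, one per line.
# Prints each unexpected file; returns 0 if none were found, 1 otherwise, 2 on bad arguments.
audit_setuid() {
    dir=$1 baseline=$2
    [ -d "$dir" ] && [ -f "$baseline" ] || return 2
    # -perm -4000 matches files with the setuid bit set, whatever the other mode bits are
    unexpected=$(find "$dir" -type f -perm -4000 2>/dev/null | sort |
        while read -r f; do
            grep -qxF "$f" "$baseline" || echo "$f"
        done)
    [ -z "$unexpected" ] && return 0
    printf '%s\n' "$unexpected" | sed 's/^/unexpected setuid file: /'
    return 1
}

# Snapshot the current set of setuid files into a baseline (run once on a known-good host).
make_baseline() {
    find "$1" -type f -perm -4000 2>/dev/null | sort > "$2"
}

if [ $# -eq 2 ]; then audit_setuid "$1" "$2"; fi
```

Run it from cron against / with a baseline taken before the servers went into service; a non-zero exit is what the mail check in the summary section should report.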
Summary of solutions for bulk distribution, deployment and management:
【1】 SecureCRT
Use SecureCRT's interactive chat window (other remote-connection tools have similar features):
a. Through the chat window, check CPU, memory, load, IP and so on for all clients at once.
b. Deploy clients such as nagios and puppet in bulk through the chat window.
c. Distribute files.
【2】 Put the files to be distributed on an HTTP server, then use the chat window to wget the URL on every host at once.
Suitable for environments of up to about 200 servers; with more servers, bulk deployment becomes increasingly troublesome.
【3】 SSH key scheme
Simple, easy to use and powerful for distribution. For up to about 1000 machines we can configure rsync in daemon mode and have the clients pull from the distribution host with a scheduled rsync command (puppet and cfengine follow the same idea).
Several ways of doing bulk distribution, deployment and management with SSH key authentication:
a. Establish key authentication directly as the root user.
Pros: simple, convenient. Cons: extremely insecure.
b. Establish keys as an ordinary user (requires sudo escalation).
Pros: simple, convenient, secure. Cons: requires some skill.
c. Establish keys as an ordinary user (setuid to escalate a command).
[root@clientA tmp]# chmod 4755 /usr/bin/rsync    # an ordinary user running rsync now has root privileges
[root@clientA etc]# ll /usr/bin/rsync
-rwsr-xr-x. 1 root root 410536 Apr 30 2014 /usr/bin/rsync
【4】 expect
Here expect can be used directly for bulk distribution and management, skipping key authentication altogether. With interactive commands (combined with rsync, scp and sudo) it can distribute files between ordinary users and root, do bulk deployment and configuration management, and gather information.
Pros: simple, powerful. Cons: somewhat harder, relatively complex, requires writing scripts.
【5】 puppet
A distribution tool: distributes and fetches.
Cons: complex, especially for control and bulk deployment; most people only get as far as data distribution.
【6】 cfengine
A distribution tool: distributes and fetches.
Cons: complex, especially for control and bulk deployment; most people only get as far as data distribution.
【7】 rsync
Deploy an rsync daemon on the distribution server; clients fetch the files with a scheduled task.
【8】 lsyncd (sersync)
Triggered, real-time fetch or push.
【9】 HTTP
HTTP server plus client cron jobs to distribute the files.
【10】 NFS network file system
Put the files to be distributed on NFS; on the clients a scheduled task copies them to the required directory.