SSH是專門爲遠程登錄會話和其他網絡服務提供安全性的協議,利用SSH協議可以有效防止遠程管理中的信息泄露問題。
默認情況下,SSH本身提供兩個服務功能:一個是類似telnet的遠程聯機shell服務,另一個是sftp-server(SFTP子系統),它在SSH加密通道內提供類似FTP的安全文件傳輸;注意SFTP與傳統的FTP/FTPS並不是同一個協議,只是用法相似。
SSH提供兩種級別的安全認證
1.基於口令的安全驗證
利用賬號和口令進行驗證,並登陸到遠程主機,所有傳輸的數據都會被加密
2.基於祕鑰的安全驗證
用戶需要爲自己創建一對密鑰:私鑰留在客戶端且只有自己可讀,公鑰放到需要訪問的服務器上(通常追加到該用戶家目錄下的~/.ssh/authorized_keys)。客戶端連接時向服務器表明要用某個公鑰認證,服務器在authorized_keys中查找匹配的公鑰;若找到,客戶端就用私鑰對本次會話的數據(包含會話標識)做數字簽名發給服務器,服務器用公鑰驗證簽名,驗證通過即登錄成功。整個過程中私鑰不會離開客戶端,這也是爲什麼私鑰絕不能複製到其他機器上。
一、分發數據
1.檢查環境
[root@C64-5-S ~]# cat /etc/redhat-release
CentOS release 6.10 (Final)
[root@C64-5-S ~]# uname -mi
x86_64 x86_64
[root@C64-5-S ~]# uname -r
2.6.32-754.2.1.el6.x86_64
2.添加用戶(這裏我們準備相同的三個服務器,分別是Server(2.2.2.5)B-Client(2.2.2.6) C-Client(2.2.2.7))
[root@C64-5-S ~]# useradd syner
[root@C64-5-S ~]# echo "syner"|passwd --stdin syner
Changing password for user syner.
passwd: all authentication tokens updated successfully.
[root@C64-5-S ~]# tail -1 /etc/passwd
syner:x:514:514::/home/syner:/bin/bash
[root@C64-6-B ~]# useradd syner
[root@C64-6-B ~]# echo "syner"|passwd --stdin syner
Changing password for user syner.
passwd: all authentication tokens updated successfully.
[root@C64-6-B ~]# tail -1 /etc/passwd
syner:x:514:514::/home/syner:/bin/bash
[root@C64-7-C ~]# useradd syner
[root@C64-7-C ~]# echo "syner"|passwd --stdin syner
Changing password for user syner.
passwd: all authentication tokens updated successfully.
[root@C64-7-C ~]# tail -1 /etc/passwd
syner:x:514:514::/home/syner:/bin/bash
注意:上面用 echo "syner"|passwd --stdin 設置的口令與用戶名相同,屬於極弱口令,而且口令以明文出現在命令行和shell歷史(~/.bash_history)中。既然後面都走密鑰認證,生產環境應設置一個隨機強口令,並在公鑰分發完成後用 passwd -l 鎖定口令登錄、在sshd_config中關閉PasswordAuthentication。
3.生成祕鑰對
[root@C64-5-S ~]# su - syner
[syner@C64-5-S ~]$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/syner/.ssh/id_dsa):
Created directory '/home/syner/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/syner/.ssh/id_dsa.
Your public key has been saved in /home/syner/.ssh/id_dsa.pub.
The key fingerprint is:
ba:19:34:a6:2a:8c:fa:48:28:03:3f:b2:73:f1:44:e7 syner@C64-5-S
The key's randomart image is:
+--[ DSA 1024]----+
| |
| |
| |
| . . |
|. . o+ S |
|o.. .+Eo |
|B.o+. o |
|**.o. + |
|==o o |
+-----------------+
[syner@C64-5-S ~]$ tree .ssh
.ssh
├── id_dsa
└── id_dsa.pub
0 directories, 2 files
[syner@C64-5-S ~]$ ls -al
total 28
drwx------ 4 syner syner 4096 Sep 22 22:04 .
drwxr-xr-x. 17 root root 4096 Sep 22 19:58 ..
drwx------ 2 syner syner 4096 Sep 22 22:04 .ssh
[syner@C64-5-S ~]$ ls -al .ssh
total 16
drwx------ 2 syner syner 4096 Sep 22 22:04 .
drwx------ 4 syner syner 4096 Sep 22 22:04 ..
-rw------- 1 syner syner 668 Sep 22 22:04 id_dsa
-rw-r--r-- 1 syner syner 603 Sep 22 22:04 id_dsa.pub
在創建祕鑰時,會在用戶家目錄下生成一個.ssh的隱藏目錄,並在目錄中存放公鑰和私鑰
這裏的.ssh目錄權限是700,公鑰權限是644,私鑰權限是600
關於密鑰類型的提醒:上面生成的是1024位DSA密鑰(randomart標題中的「DSA 1024」)。DSA在SSH中固定爲1024位,強度已經不足,OpenSSH 7.0起默認禁用ssh-dss,9.8起默認不再編譯DSA支持,10.0已完全移除;新環境請改用 ssh-keygen -t ed25519,在CentOS 6這類只有OpenSSH 5.3的老系統上則用 ssh-keygen -t rsa -b 4096。另外這裏passphrase留空,意味着誰拿到id_dsa文件誰就能登錄,所以私鑰必須保持600權限、不能複製到其他機器;交互使用時建議設置passphrase並配合ssh-agent。
4.分發公鑰
把公鑰拷貝的B、C端用戶家目錄中
[syner@C64-5-S .ssh]$ ssh-copy-id -i id_dsa.pub "-p 52113 [email protected]"
The authenticity of host '[2.2.2.6]:52113 ([2.2.2.6]:52113)' can't be established.
RSA key fingerprint is 3b:0e:09:84:dc:78:05:90:5a:4e:a1:ba:fd:71:7f:89.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[2.2.2.6]:52113' (RSA) to the list of known hosts.
[email protected]'s password:
Now try logging into the machine, with "ssh '-p 52113 [email protected]'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
這裏由於我們的ssh端口之前修改過,所以在參數中加上 -p 52113
另外要留意兩點安全細節:第一,首次連接時提示的主機指紋不應直接回答yes,而應先在目標機器的控制檯上用 ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub 查看指紋並與提示比對,否則無法發現中間人攻擊;第二,本文中2.2.2.6、2.2.2.7(以及後面的2.2.2.5)提示的RSA指紋完全相同(3b:0e:09:84:...),說明這幾臺虛擬機是從同一鏡像克隆、共用同一套/etc/ssh/ssh_host_*key,任何一臺被攻破就能冒充其他機器。生產環境中克隆後應在每臺機器上刪除舊的主機密鑰並重啓sshd(CentOS 6的init腳本會在密鑰文件缺失時自動重新生成)。
檢查公鑰是否發佈成功
[test@C64-6-B ~]$ su - syner
Password:
[syner@C64-6-B ~]$
[syner@C64-6-B ~]$
[syner@C64-6-B ~]$ ls -al
total 28
drwx------ 4 syner syner 4096 Sep 22 22:42 .
drwxr-xr-x. 17 root root 4096 Sep 22 19:58 ..
-rw-r--r-- 1 syner syner 18 Mar 23 2017 .bash_logout
-rw-r--r-- 1 syner syner 176 Mar 23 2017 .bash_profile
-rw-r--r-- 1 syner syner 124 Mar 23 2017 .bashrc
drwxr-xr-x 2 syner syner 4096 Nov 12 2010 .gnome2
drwx------ 2 syner syner 4096 Sep 22 22:42 .ssh
[syner@C64-6-B ~]$ cd .ssh/
[syner@C64-6-B .ssh]$ ls -al
total 12
drwx------ 2 syner syner 4096 Sep 22 22:42 .
drwx------ 4 syner syner 4096 Sep 22 22:42 ..
-rw------- 1 syner syner 603 Sep 22 22:42 authorized_keys
將公鑰發佈到另外一臺機器上
[syner@C64-5-S .ssh]$ ssh-copy-id -i id_dsa.pub "-p 52113 [email protected]"
The authenticity of host '[2.2.2.7]:52113 ([2.2.2.7]:52113)' can't be established.
RSA key fingerprint is 3b:0e:09:84:dc:78:05:90:5a:4e:a1:ba:fd:71:7f:89.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[2.2.2.7]:52113' (RSA) to the list of known hosts.
[email protected]'s password:
Now try logging into the machine, with "ssh '-p 52113 [email protected]'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
檢查是否發佈成功
[root@C64-7-C ~]# su - syner
[syner@C64-7-C ~]$ ls -al
total 28
drwx------ 4 syner syner 4096 Sep 22 22:46 .
drwxr-xr-x. 17 root root 4096 Sep 22 19:58 ..
-rw-r--r-- 1 syner syner 18 Mar 23 2017 .bash_logout
-rw-r--r-- 1 syner syner 176 Mar 23 2017 .bash_profile
-rw-r--r-- 1 syner syner 124 Mar 23 2017 .bashrc
drwxr-xr-x 2 syner syner 4096 Nov 12 2010 .gnome2
drwx------ 2 syner syner 4096 Sep 22 22:46 .ssh
[syner@C64-7-C ~]$ ls -al .ssh/
total 12
drwx------ 2 syner syner 4096 Sep 22 22:46 .
drwx------ 4 syner syner 4096 Sep 22 22:46 ..
-rw------- 1 syner syner 603 Sep 22 22:46 authorized_keys
查看ssh配置文件
[root@C64-5-S ~]# cat /etc/ssh/sshd_config | grep AuthorizedKeysFile
#AuthorizedKeysFile .ssh/authorized_keys
5.遠程登錄執行命令測試
[syner@C64-5-S ~]$ ssh -p 52113 [email protected] /sbin/ifconfig eth0
eth0 Link encap:Ethernet HWaddr 00:0C:29:79:36:89
inet addr:2.2.2.6 Bcast:2.2.2.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe79:3689/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:23456 errors:0 dropped:0 overruns:0 frame:0
TX packets:890 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1457992 (1.3 MiB) TX bytes:88259 (86.1 KiB)
[syner@C64-5-S ~]$ ssh -p 52113 [email protected] /sbin/ifconfig eth0
eth0 Link encap:Ethernet HWaddr 00:0C:29:BA:45:99
inet addr:2.2.2.7 Bcast:2.2.2.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:feba:4599/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:23234 errors:0 dropped:0 overruns:0 frame:0
TX packets:761 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1439707 (1.3 MiB) TX bytes:73715 (71.9 KiB)
二、備份
我們將B、C機器備份到Server端
1.生成祕鑰
[syner@C64-5-S ~]$ ls -al .ssh
total 20
drwx------ 2 syner syner 4096 Sep 22 22:42 .
drwx------ 4 syner syner 4096 Sep 22 22:50 ..
-rw------- 1 syner syner 668 Sep 22 22:04 id_dsa
-rw-r--r-- 1 syner syner 603 Sep 22 22:04 id_dsa.pub
-rw-r--r-- 1 syner syner 794 Sep 22 22:46 known_hosts
由於之前生成過祕鑰,這裏我們就不重新生成了
與之前分發不同,這次方向是反的,我們需要B、C機器能夠免密鑰ssh到S上,本文下面的做法是直接把S的私鑰id_dsa複製到B、C。但這是一個不安全的做法,僅作演示:私鑰一旦離開生成它的機器,就失去了「誰持有私鑰誰就是誰」的意義,B、C、S三臺機器共用同一把私鑰,任何一臺失陷都等於全部失陷,而且無法單獨撤銷某一臺的訪問權。正確做法是在B、C上各自執行ssh-keygen生成自己的密鑰對,再用 ssh-copy-id -i ~/.ssh/id_dsa.pub "-p 52113 [email protected]" 把各自的公鑰追加到S的authorized_keys中,這樣S上authorized_keys的每一行對應一臺客戶端,需要時刪掉對應行即可撤銷。
2.分發祕鑰
[syner@C64-5-S ~]$ scp -P52113 -p .ssh/id_dsa [email protected]:~/.ssh/
id_dsa 100% 668 0.7KB/s 00:00
檢查是否分發成功
[syner@C64-6-B ~]$ ls -al .ssh
total 16
drwx------ 2 syner syner 4096 Sep 23 09:57 .
drwx------ 4 syner syner 4096 Sep 22 23:46 ..
-rw------- 1 syner syner 603 Sep 22 22:42 authorized_keys
-rw------- 1 syner syner 668 Sep 22 22:04 id_dsa
分發到另一臺服務器上
[syner@C64-5-S ~]$ scp -P52113 -p .ssh/id_dsa [email protected]:~/.ssh/
id_dsa 100% 668 0.7KB/s 00:00
檢查分發是否成功
[syner@C64-7-C ~]$ ls -al .ssh
total 16
drwx------ 2 syner syner 4096 Sep 23 09:59 .
drwx------ 4 syner syner 4096 Sep 22 23:46 ..
-rw------- 1 syner syner 603 Sep 22 22:46 authorized_keys
-rw------- 1 syner syner 668 Sep 22 22:04 id_dsa
這裏我們要將S服務器端公鑰的名字改成ssh配置文件中默認的文件名(authorized_keys)。更穩妥的寫法是 cat id_dsa.pub >> authorized_keys 而不是mv,既保留id_dsa.pub,也不會覆蓋authorized_keys中已有的其他公鑰;authorized_keys不能被組或其他用戶寫入,否則sshd在默認StrictModes下會拒絕使用它。
[syner@C64-5-S ~]$ cd .ssh/
[syner@C64-5-S .ssh]$ ll
total 12
-rw------- 1 syner syner 668 Sep 22 22:04 id_dsa
-rw-r--r-- 1 syner syner 603 Sep 22 22:04 id_dsa.pub
-rw-r--r-- 1 syner syner 794 Sep 22 22:46 known_hosts
[syner@C64-5-S .ssh]$ mv id_dsa.pub authorized_keys
[syner@C64-5-S .ssh]$ ll
total 12
-rw-r--r-- 1 syner syner 603 Sep 22 22:04 authorized_keys
-rw------- 1 syner syner 668 Sep 22 22:04 id_dsa
-rw-r--r-- 1 syner syner 794 Sep 22 22:46 known_hosts
3.測試連通性
[syner@C64-6-B ~]$ ssh -p 52113 [email protected] /sbin/ifconfig eth0
The authenticity of host '[2.2.2.5]:52113 ([2.2.2.5]:52113)' can't be established.
RSA key fingerprint is 3b:0e:09:84:dc:78:05:90:5a:4e:a1:ba:fd:71:7f:89.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[2.2.2.5]:52113' (RSA) to the list of known hosts.
eth0 Link encap:Ethernet HWaddr 00:0C:29:CA:07:AA
inet addr:2.2.2.5 Bcast:2.2.2.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:feca:7aa/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:30133 errors:0 dropped:0 overruns:0 frame:0
TX packets:2995 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1937162 (1.8 MiB) TX bytes:478213 (467.0 KiB)
[syner@C64-7-C ~]$ ssh -p 52113 [email protected] /sbin/ifconfig eth0
The authenticity of host '[2.2.2.5]:52113 ([2.2.2.5]:52113)' can't be established.
RSA key fingerprint is 3b:0e:09:84:dc:78:05:90:5a:4e:a1:ba:fd:71:7f:89.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[2.2.2.5]:52113' (RSA) to the list of known hosts.
eth0 Link encap:Ethernet HWaddr 00:0C:29:CA:07:AA
inet addr:2.2.2.5 Bcast:2.2.2.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:feca:7aa/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:30166 errors:0 dropped:0 overruns:0 frame:0
TX packets:3021 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1941659 (1.8 MiB) TX bytes:483082 (471.7 KiB)
4.進行備份(僅作演示。注意:/tmp是所有用戶可讀寫的公共目錄且會被定期清理,/etc中的配置往往包含敏感信息,真正的備份應放到備份服務器上一個只有備份用戶可訪問(700)的專用目錄;另外syner是普通用戶,/etc下shadow、sudoers這類只有root可讀的文件會複製失敗,這種錯誤在下面截斷的輸出中看不到)
[syner@C64-6-B ~]$ scp -P52113 -rp /etc [email protected]:/tmp
rsync 100% 332 0.3KB/s 00:00
rc.local 100% 345 0.3KB/s 00:00
utmp.conf 100% 564 0.6KB/s 00:00
pthread.conf 100% 7686 7.5KB/s 00:00
latrace.conf 100% 74 0.1KB/s 00:00
syscall.conf 100% 6342 6.2KB/s 00:00
備份的幾種思路
1.使用rsync,在備份服務器部署rsync守護進程,把所有節點作爲rsync客戶端,生產環境中常用的方法
2.使用FTP,在備份服務器部署FTP守護進程,把所有節點作爲FTP客戶端,把數據通過FTP方式推送到備份服務器上(注意普通FTP的賬號口令和數據都是明文傳輸,只適合隔離的內網,否則應改用FTPS/SFTP)
3.使用NFS,在備份服務器部署NFS服務,把所有節點作爲NFS客戶端,在客戶端服務器上通過掛載的方式把數據推送到NFS備份服務器上,不推薦使用(機器太多時不好用)
4.SCP+SSH KEY或expect交互式備份,不推薦
實例一:通過root用戶直接建立祕鑰認證(不推薦)
服務器S向B、C客戶端分發
在服務器端建立祕鑰對
[root@C64-5-S ~]# ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/root/.ssh/id_dsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_dsa.
Your public key has been saved in /root/.ssh/id_dsa.pub.
The key fingerprint is:
1a:07:e9:8b:ee:f8:72:da:22:51:33:f4:28:37:ab:c6 root@C64-5-S
The key's randomart image is:
+--[ DSA 1024]----+
| |
| . . |
| . o o |
|. B .. . |
| + = o S |
|. . . = |
|.o . o |
|oEo+. |
|..oB= |
+-----------------+
[root@C64-5-S ~]#
[root@C64-5-S ~]# ls -al .ssh
total 16
drwx------ 2 root root 4096 Sep 23 11:58 .
dr-xr-x---. 5 root root 4096 Sep 23 11:58 ..
-rw------- 1 root root 668 Sep 23 11:58 id_dsa
-rw-r--r-- 1 root root 602 Sep 23 11:58 id_dsa.pub
由於之前我們設置過不允許root用戶遠程登錄,因此我們先取消這個設置。注意:PermitRootLogin yes同時允許root用口令登錄,是最寬鬆的一檔;如果確實需要root通過密鑰遠程登錄,應改爲 PermitRootLogin without-password(OpenSSH 7.0以後寫作prohibit-password),只放行密鑰認證。更好的做法還是用普通用戶配合sudo,本例僅作對比演示(標題中已註明不推薦)。
[root@C64-5-S ~]# vi /etc/ssh/sshd_config
PermitRootLogin yes
[root@C64-5-S ~]# /etc/init.d/sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
[root@C64-6-B ~]# vi /etc/ssh/sshd_config
PermitRootLogin yes
[root@C64-6-B ~]# /etc/init.d/sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
[root@C64-7-C ~]# vi /etc/ssh/sshd_config
PermitRootLogin yes
[root@C64-7-C ~]# /etc/init.d/sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
然後我們對公鑰進行分發
[root@C64-5-S ~]# ssh-copy-id -i .ssh/id_dsa.pub "-p 52113 2.2.2.6"
[email protected]'s password:
Now try logging into the machine, with "ssh '-p 52113 2.2.2.6'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
[root@C64-5-S ~]# ssh-copy-id -i .ssh/id_dsa.pub "-p 52113 2.2.2.7"
The authenticity of host '[2.2.2.7]:52113 ([2.2.2.7]:52113)' can't be established.
RSA key fingerprint is 3b:0e:09:84:dc:78:05:90:5a:4e:a1:ba:fd:71:7f:89.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[2.2.2.7]:52113' (RSA) to the list of known hosts.
[email protected]'s password:
Now try logging into the machine, with "ssh '-p 52113 2.2.2.7'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
測試連通性
[root@C64-5-S ~]# ssh -p 52113 2.2.2.6 /sbin/ifconfig eth0
eth0 Link encap:Ethernet HWaddr 00:0C:29:79:36:89
inet addr:2.2.2.6 Bcast:2.2.2.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe79:3689/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:37907 errors:0 dropped:0 overruns:0 frame:0
TX packets:24863 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2687536 (2.5 MiB) TX bytes:25927411 (24.7 MiB)
[root@C64-5-S ~]# ssh -p 52113 2.2.2.7 /sbin/ifconfig eth0
eth0 Link encap:Ethernet HWaddr 00:0C:29:BA:45:99
inet addr:2.2.2.7 Bcast:2.2.2.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:feba:4599/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:29755 errors:0 dropped:0 overruns:0 frame:0
TX packets:1449 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1880516 (1.7 MiB) TX bytes:151824 (148.2 KiB)
我們試着寫一個管理腳本並運行,查看B、C客戶端的運行情況
[root@C64-5-S ~]# vi manage.sh
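#!/bin/sh
# manage.sh - run one shell command on every host listed in ./iplist.
#
# Usage:  sh manage.sh "<command>"
#   $1  command line to execute remotely (quote it so it stays one argument)
#
# Hosts are read from ./iplist, one address per line; blank lines are skipped.
# Key-based login must already be set up: BatchMode=yes makes ssh fail instead
# of stopping at a password or unknown-host-key prompt, so the loop never hangs.
# Exit status is 0 only if every host ran the command successfully.
set -u

if [ "$#" -lt 1 ]; then
  echo "Usage: $0 \"<command>\"" >&2
  exit 2
fi
if [ ! -r iplist ]; then
  echo "$0: cannot read ./iplist" >&2
  exit 2
fi
cmd=$1
port=52113
rc=0

# iplist is read through fd 3 so the remote command keeps the script's stdin
# (ssh would otherwise swallow the rest of the host list).
while IFS= read -r ip <&3 || [ -n "$ip" ]; do
  [ -n "$ip" ] || continue
  echo "======$ip======"
  ssh -p "$port" -o BatchMode=yes "$ip" "$cmd" || rc=1
done 3< iplist

exit "$rc"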
創建ip列表文件
[root@C64-5-S ~]# echo "2.2.2.6">>iplist
[root@C64-5-S ~]# echo "2.2.2.7">>iplist
[root@C64-5-S ~]# more iplist
2.2.2.6
2.2.2.7
執行管理命令
[root@C64-5-S ~]# sh manage.sh "df -h"
======2.2.2.6======
Filesystem Size Used Avail Use% Mounted on
/dev/sda3 7.1G 2.2G 4.6G 32% /
tmpfs 937M 0 937M 0% /dev/shm
/dev/sda1 190M 65M 115M 37% /boot
======2.2.2.7======
Filesystem Size Used Avail Use% Mounted on
/dev/sda3 7.1G 2.2G 4.6G 32% /
tmpfs 937M 0 937M 0% /dev/shm
/dev/sda1 190M 65M 115M 37% /boot
[root@C64-5-S ~]# sh manage.sh "free -m"
======2.2.2.6======
total used free shared buffers cached
Mem: 2001 336 1665 0 44 166
-/+ buffers/cache: 125 1876
Swap: 511 0 511
======2.2.2.7======
total used free shared buffers cached
Mem: 2001 320 1681 0 43 151
-/+ buffers/cache: 124 1876
Swap: 511 0 511
[root@C64-5-S ~]# sh manage.sh "uptime"
======2.2.2.6======
12:27:26 up 10:06, 1 user, load average: 0.00, 0.00, 0.00
======2.2.2.7======
12:27:26 up 10:05, 1 user, load average: 0.00, 0.00, 0.00
寫一個分發腳本
[root@C64-5-S ~]# cp manage.sh fenfa.sh
[root@C64-5-S ~]# vi fenfa.sh
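#!/bin/sh
# fenfa.sh - push a local file or directory to the same remote path on every
# host in ./iplist (scp -rp: recursive, preserving mode and timestamps).
#
# Usage:  sh fenfa.sh <local-path> <remote-path>
#   $1  file or directory on this host
#   $2  destination path on each remote host
#
# Login goes to the invoking user on each host over port 52113; key-based auth
# must already be in place (BatchMode=yes makes scp fail rather than prompt).
# Exit status is 0 only if every copy succeeded.
set -u

if [ "$#" -ne 2 ]; then
  echo "Usage: $0 <local-path> <remote-path>" >&2
  exit 2
fi
if [ ! -r iplist ]; then
  echo "$0: cannot read ./iplist" >&2
  exit 2
fi
src=$1
dst=$2
port=52113
rc=0

# iplist is read through fd 3 so stdin stays untouched for scp.
while IFS= read -r ip <&3 || [ -n "$ip" ]; do
  [ -n "$ip" ] || continue
  echo "======$ip======"
  scp -rp -P "$port" -o BatchMode=yes "$src" "$ip:$dst" || rc=1
done 3< iplist

exit "$rc"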
執行分發命令
[root@C64-5-S ~]# sh fenfa.sh /etc /tmp
======2.2.2.6======
sudo.conf 100% 1786 1.7KB/s 00:00
rsync 100% 332 0.3KB/s 00:00
rc.local 100% 314 0.3KB/s 00:00
======2.2.2.7======
sudo.conf 100% 1786 1.7KB/s 00:00
rsync 100% 332 0.3KB/s 00:00
rc.local 100% 314 0.3KB/s 00:00
最後我們將之前的配置刪除(rm -rf .ssh/ 會連同known_hosts一起刪掉,所以之後首次連接會重新提示主機指紋)。注意下面只修改了sshd_config而沒有像前面那樣重啓sshd,PermitRootLogin no在執行 /etc/init.d/sshd restart(或reload)之前並不會生效,root的遠程登錄仍然是開放的。
[root@C64-5-S ~]# rm -rf .ssh/
[root@C64-5-S ~]# vi /etc/ssh/sshd_config
PermitRootLogin no
[root@C64-6-B ~]# rm -rf .ssh/
[root@C64-6-B ~]# vi /etc/ssh/sshd_config
PermitRootLogin no
[root@C64-7-C ~]# rm -rf .ssh/
[root@C64-7-C ~]# vi /etc/ssh/sshd_config
PermitRootLogin no
實例二:普通用戶建立的密鑰(通過sudo提權操作)(三種方法中相對最好,但要注意:sudo規則若不限制參數,rsync/tar/scp都能以root執行任意命令,效果與直接給root無異)
這裏我們還是實現服務端S到客戶端B、C的分發
[root@C64-5-S ~]# useradd ssher
[root@C64-5-S ~]# echo "ssher"|passwd --stdin ssher
Changing password for user ssher.
passwd: all authentication tokens updated successfully.
[root@C64-6-B ~]# useradd ssher
[root@C64-6-B ~]# echo "ssher"|passwd --stdin ssher
Changing password for user ssher.
passwd: all authentication tokens updated successfully.
[root@C64-7-C ~]# useradd ssher
[root@C64-7-C ~]# echo "ssher"|passwd --stdin ssher
Changing password for user ssher.
passwd: all authentication tokens updated successfully.
[ssher@C64-5-S ~]$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/ssher/.ssh/id_dsa):
Created directory '/home/ssher/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/ssher/.ssh/id_dsa.
Your public key has been saved in /home/ssher/.ssh/id_dsa.pub.
The key fingerprint is:
6a:7d:b9:64:48:ea:68:39:a9:ee:57:33:e4:a8:f0:4e ssher@C64-5-S
The key's randomart image is:
+--[ DSA 1024]----+
| |
| |
| |
| . |
| + S |
|. . == . . |
| oE. ++oo = |
| .o *+ + . |
| +=+... . |
+-----------------+
[ssher@C64-5-S ~]$
[ssher@C64-5-S ~]$ ls -al .ssh
total 16
drwx------ 2 ssher ssher 4096 Sep 23 12:55 .
drwx------ 4 ssher ssher 4096 Sep 23 12:55 ..
-rw------- 1 ssher ssher 668 Sep 23 12:55 id_dsa
-rw-r--r-- 1 ssher ssher 603 Sep 23 12:55 id_dsa.pub
[ssher@C64-5-S ~]$ ssh-copy-id -i .ssh/id_dsa.pub "-p 52113 [email protected]"
The authenticity of host '[2.2.2.6]:52113 ([2.2.2.6]:52113)' can't be established.
RSA key fingerprint is 3b:0e:09:84:dc:78:05:90:5a:4e:a1:ba:fd:71:7f:89.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[2.2.2.6]:52113' (RSA) to the list of known hosts.
[email protected]'s password:
Now try logging into the machine, with "ssh '-p 52113 [email protected]'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
[ssher@C64-5-S ~]$ ssh-copy-id -i .ssh/id_dsa.pub "-p 52113 [email protected]"
The authenticity of host '[2.2.2.7]:52113 ([2.2.2.7]:52113)' can't be established.
RSA key fingerprint is 3b:0e:09:84:dc:78:05:90:5a:4e:a1:ba:fd:71:7f:89.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[2.2.2.7]:52113' (RSA) to the list of known hosts.
[email protected]'s password:
Now try logging into the machine, with "ssh '-p 52113 [email protected]'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
[ssher@C64-6-B ~]$ ll .ssh
total 4
-rw------- 1 ssher ssher 603 Sep 23 12:58 authorized_keys
[ssher@C64-7-C ~]$ ll .ssh
total 4
-rw------- 1 ssher ssher 603 Sep 23 12:59 authorized_keys
[ssher@C64-5-S ~]$ ssh [email protected] /sbin/ifconfig eth0
ssh: connect to host 2.2.2.6 port 22: Connection refused
[ssher@C64-5-S ~]$ ssh -p 52113 [email protected] /sbin/ifconfig eth0
eth0 Link encap:Ethernet HWaddr 00:0C:29:79:36:89
inet addr:2.2.2.6 Bcast:2.2.2.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe79:3689/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:51775 errors:0 dropped:0 overruns:0 frame:0
TX packets:29482 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:14179418 (13.5 MiB) TX bytes:26427845 (25.2 MiB)
[ssher@C64-5-S ~]$ ssh -p 52113 [email protected] /sbin/ifconfig eth0
eth0 Link encap:Ethernet HWaddr 00:0C:29:BA:45:99
inet addr:2.2.2.7 Bcast:2.2.2.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:feba:4599/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:44991 errors:0 dropped:0 overruns:0 frame:0
TX packets:6580 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:15031942 (14.3 MiB) TX bytes:707150 (690.5 KiB)
分發實現
[ssher@C64-5-S ~]$ mkdir ssher
[ssher@C64-5-S ~]$ touch ssher/tt.txt
[ssher@C64-5-S ~]$ tree
.
└── ssher
└── tt.txt
1 directory, 1 file
[ssher@C64-5-S ~]$ scp -P52113 -rp ssher [email protected]:~
tt.txt 100% 0 0.0KB/s 00:00
到這裏普通用戶的分發就做完了,但是如果執行的操作超過了客戶端機器用戶權限,就需要在客戶端機器上做sudo提權了。
在寫sudoers之前必須清楚下面這條規則的實際含義:ssher ALL=(ALL) NOPASSWD:/usr/bin/rsync,/bin/tar,/usr/bin/scp 沒有限制任何參數,而這三個命令都能以root身份執行任意命令或寫任意文件——rsync的 -e/--rsh 會以root運行指定程序,tar的 --checkpoint-action=exec 同理,scp的 -S 可指定任意程序充當「ssh」;更直接地,三者都能以root身份把任意內容寫進/etc/sudoers或/etc/shadow。也就是說這條規則等價於給ssher免密root,它相比實例一的好處只是登錄審計上能區分操作人(以及sudo.log留下記錄),並沒有真正限制權限。真要收緊,需要在sudoers中把命令連同允許的參數一起寫死(例如只允許 /usr/bin/rsync -avzP --no-owner --no-group /home/ssher/* /etc/;注意sudoers中的通配符也能匹配空格,仍需謹慎),或改用rsync守護進程等不需要root shell的方案。此外,用 echo >> /etc/sudoers 直接追加繞過了visudo的加鎖與語法保護,一旦寫壞會導致所有人無法sudo;應使用 visudo 編輯,或把規則放到 /etc/sudoers.d/ 下一個權限爲0440的獨立文件中(CentOS 6的sudoers默認帶有 #includedir /etc/sudoers.d)。這裏至少做對了一步:用 visudo -c 做了語法校驗。
[root@C64-5-S ~]# echo "ssher ALL=(ALL) NOPASSWD:/usr/bin/rsync,/bin/tar,/usr/bin/scp" >>/etc/sudoers
[root@C64-5-S ~]# visudo -c
/etc/sudoers: parsed OK
[root@C64-5-S ~]# su - ssher
[ssher@C64-5-S ~]$ sudo -l
Matching Defaults entries for ssher on this host:
!visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE
INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS
LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME
LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin, logfile=/var/log/sudo.log
User ssher may run the following commands on this host:
(ALL) NOPASSWD: /usr/bin/rsync, (ALL) /bin/tar, (ALL) /usr/bin/scp
[root@C64-6-B ~]# echo "ssher ALL=(ALL) NOPASSWD:/usr/bin/rsync,/bin/tar,/usr/bin/scp" >>/etc/sudoers
[root@C64-6-B ~]# visudo -c
/etc/sudoers: parsed OK
[root@C64-6-B ~]# su - ssher
[ssher@C64-6-B ~]$ sudo -l
Matching Defaults entries for ssher on this host:
!visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE
INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS
LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME
LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin, logfile=/var/log/sudo.log
User ssher may run the following commands on this host:
(ALL) NOPASSWD: /usr/bin/rsync, (ALL) /bin/tar, (ALL) /usr/bin/scp
[root@C64-7-C ~]# echo "ssher ALL=(ALL) NOPASSWD:/usr/bin/rsync,/bin/tar,/usr/bin/scp" >>/etc/sudoers
[root@C64-7-C ~]# visudo -c
/etc/sudoers: parsed OK
[root@C64-7-C ~]# su - ssher
[ssher@C64-7-C ~]$ sudo -l
Matching Defaults entries for ssher on this host:
!visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE
INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS
LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME
LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin, logfile=/var/log/sudo.log
User ssher may run the following commands on this host:
(ALL) NOPASSWD: /usr/bin/rsync, (ALL) /bin/tar, (ALL) /usr/bin/scp
這時我們的分發就分兩步走,第一步將文件或目錄推送到目標機器的家目錄,第二步利用sudo提權命令將文件或目錄二次分配到其他的目錄
[ssher@C64-5-S ~]$ scp -P52113 -rp ssher/ [email protected]:~
tt.txt 100% 0 0.0KB/s 00:00
[ssher@C64-5-S ~]$ ssh -t -p 52113 [email protected] sudo rsync -avzP ssher /etc
sending incremental file list
ssher/
ssher/tt.txt
0 100% 0.00kB/s 0:00:00 (xfer#1, to-check=0/2)
sent 109 bytes received 35 bytes 288.00 bytes/sec
total size is 0 speedup is 0.00
Connection to 2.2.2.6 closed.
[ssher@C64-6-B etc]$ ll ssher
total 0
-rw-rw-r-- 1 ssher ssher 0 Sep 23 13:04 tt.txt
注意文件的屬主仍是ssher:rsync -a 包含 -o -g,而遠端rsync是以root運行的,所以源文件的屬主ssher被原樣保留到了/etc下。這意味着ssher之後不需要sudo就能直接改寫這些系統配置文件。應在 sudo rsync 時加上 --no-owner --no-group(讓文件歸root所有),或者複製後再 chown root:root。
通過腳本執行分發命令
[ssher@C64-5-S ~]$ vi putongfenfa.sh
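#!/bin/sh
# putongfenfa.sh - two-step push as the unprivileged "ssher" user:
#   1. scp the file/directory into ssher's home on the remote host;
#   2. ssh in and, via the sudo rule for rsync, copy it into place as root.
#
# Usage:  sh putongfenfa.sh <local-path> [remote-dir]
#   $1  file or directory on this host
#   $2  destination directory on the remote hosts (default: /etc)
#
# Hosts come from ./iplist, one per line. ssh -t keeps a pseudo-tty because the
# default CentOS sudoers has "Defaults requiretty"; iplist is therefore read
# through fd 3 so that stdin stays the terminal.
# --no-owner/--no-group stop rsync -a from carrying the ssher ownership into
# the destination: files written there by root should be owned by root.
# A directory argument is always copied as a subdirectory of the destination
# (a trailing slash on $1 is not significant here).
set -u

if [ "$#" -lt 1 ]; then
  echo "Usage: $0 <local-path> [remote-dir]" >&2
  exit 2
fi
if [ ! -r iplist ]; then
  echo "$0: cannot read ./iplist" >&2
  exit 2
fi
src=$1
dst=${2:-/etc}
port=52113
# Remote path of the staged copy: the basename under ssher's home, not the
# local path, so the script does not depend on identical home layouts.
name=$(basename "$src")
rc=0

while IFS= read -r ip <&3 || [ -n "$ip" ]; do
  [ -n "$ip" ] || continue
  scp -P "$port" -rp -o BatchMode=yes "$src" "ssher@$ip:~" || { rc=1; continue; }
  ssh -t -p "$port" -o BatchMode=yes "ssher@$ip" \
    "sudo rsync -avzP --no-owner --no-group ~/'$name' '$dst'" || rc=1
done 3< iplist

exit "$rc"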
~
[ssher@C64-5-S ~]$ echo "2.2.2.6" >> iplist
[ssher@C64-5-S ~]$ echo "2.2.2.7" >> iplist
[ssher@C64-5-S ~]$ cat iplist
2.2.2.6
2.2.2.7
[ssher@C64-5-S ~]$ cp /etc/hosts ./
[ssher@C64-5-S ~]$ ll
total 16
-rw-r--r-- 1 ssher ssher 166 Sep 23 13:37 hosts
-rw-rw-r-- 1 ssher ssher 16 Sep 23 13:35 iplist
-rw-rw-r-- 1 ssher ssher 119 Sep 23 13:35 putongfenfa.sh
drwxrwxr-x 2 ssher ssher 4096 Sep 23 13:04 ssher
[ssher@C64-5-S ~]$ vi hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 C64-5-S
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
######################################
[ssher@C64-5-S ~]$ sh putongfenfa.sh /home/ssher/hosts
hosts 100% 205 0.2KB/s 00:00
sending incremental file list
hosts
205 100% 0.00kB/s 0:00:00 (xfer#1, to-check=0/1)
sent 151 bytes received 31 bytes 364.00 bytes/sec
total size is 205 speedup is 1.13
Connection to 2.2.2.6 closed.
hosts 100% 205 0.2KB/s 00:00
sending incremental file list
hosts
205 100% 0.00kB/s 0:00:00 (xfer#1, to-check=0/1)
sent 151 bytes received 31 bytes 364.00 bytes/sec
total size is 205 speedup is 1.13
Connection to 2.2.2.7 closed.
檢查推送是否成功
[ssher@C64-6-B ~]$ more /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 C64-5-S
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
######################################
[ssher@C64-7-C ~]$ more /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 C64-5-S
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
######################################
實例三:普通用戶建立祕鑰(setuid對命令提權操作)
修改rsync的setuid權限(警告:這是三種做法中最危險的一種,下面僅作演示,不要在任何真實環境中使用。給/usr/bin/rsync加上setuid root後,該機器上的任意本地用戶——不只是ssher——都能用rsync以root身份讀寫任意文件,例如覆蓋/etc/shadow、/etc/sudoers或root的authorized_keys,也可以用 -e 以root執行任意程序,等於把整臺機器的root交給了所有人,而且這類操作不會像sudo那樣留下日誌。如需非root用戶寫系統目錄,請用實例二中按參數收緊的sudo規則或rsync守護進程。)
[root@C64-5-S ~]# ll /usr/bin/rsync
-rwxr-xr-x. 1 root root 414968 Apr 30 2014 /usr/bin/rsync
[root@C64-5-S ~]# chmod 4755 /usr/bin/rsync
[root@C64-5-S ~]# ll /usr/bin/rsync
-rwsr-xr-x. 1 root root 414968 Apr 30 2014 /usr/bin/rsync
[root@C64-6-B ~]# ll /usr/bin/rsync
-rwxr-xr-x. 1 root root 414968 Apr 30 2014 /usr/bin/rsync
[root@C64-6-B ~]# chmod 4755 /usr/bin/rsync
[root@C64-6-B ~]# ll /usr/bin/rsync
-rwsr-xr-x. 1 root root 414968 Apr 30 2014 /usr/bin/rsync
[root@C64-7-C ~]# ll /usr/bin/rsync
-rwxr-xr-x. 1 root root 414968 Apr 30 2014 /usr/bin/rsync
[root@C64-7-C ~]# chmod 4755 /usr/bin/rsync
[root@C64-7-C ~]# ll /usr/bin/rsync
-rwsr-xr-x. 1 root root 414968 Apr 30 2014 /usr/bin/rsync
[ssher@C64-5-S ~]$ rsync -avzP ./hosts -e 'ssh -p 52113' [email protected]:/etc
sending incremental file list
sent 45 bytes received 12 bytes 114.00 bytes/sec
total size is 205 speedup is 3.60
[root@C64-6-B ~]# ll /etc/hosts
-rw-r--r-- 1 ssher ssher 205 Sep 23 13:37 /etc/hosts
這裏同樣出現了屬主問題:/etc/hosts的屬主變成了ssher,今後ssher(或任何拿到ssher密鑰的人)可以直接改寫它、把任意域名指向攻擊者的IP,而無需任何提權;rsync時應加 --no-owner --no-group,或事後 chown root:root /etc/hosts。
寫在最後
批量分發、部署、管理的常見方案
1.Secboy
2.SecureCRT
3.ssh免祕鑰
(1)通過root用戶直接建立祕鑰認證
(2)普通用戶建立祕鑰(通過sudo進行提權操作)
(3)普通用戶建立祕鑰(setuid對命令授權)
4.expect
5.puppet
6.cfengine
7.rsync
8.lsyncd(sersync)
9.http方式
10.NFS網絡文件系統