SSH passwordless login: a batch distribution server
Requirement: the nfs server doubles as the batch distribution server; the backup server and mb01 are the distribution clients. The edited hosts file is distributed in bulk from the NFS server to /etc/ on the backup server and mb01, so that the internal network can use /etc/hosts for forward and reverse name resolution.
Because root has the highest privileges, passwordless SSH login as root is not recommended. Instead, create the same ordinary user on every machine, log in passwordlessly as that user, and use scp to distribute the hosts file into that user's home directory on each client. On each client, grant that user sudo rights for cp only, so that the distributed file can then be copied from the home directory into /etc/.
Environment:
mb01, batch distribution client:
[root@mb01 ~]# uname -nr
mb01 2.6.32-573.el6.x86_64
[root@mb01 ~]# ifconfig eth1|awk -F "[ :]+" 'NR==2{print $4}'
172.16.1.61
[root@mb01 ~]#
backup, backup server:
[root@backup ~]# uname -nr
backup 2.6.32-573.el6.x86_64
[root@backup ~]# ifconfig eth1|awk -F "[ :]+" 'NR==2{print $4}'
172.16.1.99
[root@backup ~]#
nfs server:
[root@nfs ~]# uname -nr
nfs 2.6.32-573.el6.x86_64
[root@nfs ~]# ifconfig eth1|awk -F "[ :]+" 'NR==2 {print $4}'
172.16.1.66
[root@nfs ~]#
I. Create the ordinary distribution account friendship on all machines and grant it sudo rights for the cp command. All of the following is run on the distribution server as root, executing the commands over ssh with password authentication. If a server forbids remote root login, log in as an ordinary user and switch to root, or connect to each machine separately to configure it.
############ The three steps below can be combined into a single command line (use full paths) ###########
ssh -p 22 root@172.16.1.66 "/usr/sbin/useradd friendship&&echo '123456'|/usr/bin/passwd --stdin friendship&&echo 'friendship ALL=(ALL) NOPASSWD: /bin/cp'>>/etc/sudoers"
1. Create the user friendship on all machines
useradd friendship
2. Set a password for friendship:
echo '123456'|/usr/bin/passwd --stdin friendship
3. Grant friendship sudo rights
echo 'friendship ALL=(ALL) NOPASSWD: /bin/cp'>>/etc/sudoers
backup server
[root@mb01 ~]# ssh -p 22 root@172.16.1.99 "/usr/sbin/useradd friendship&&echo '123456'|/usr/bin/passwd --stdin friendship&&echo 'friendship ALL=(ALL) NOPASSWD: /bin/cp'>>/etc/sudoers"
The authenticity of host '172.16.1.99 (172.16.1.99)' can't be established.
RSA key fingerprint is 59:90:3c:db:11:3e:99:7a:4f:f6:02:b8:96:ad:4d:f9.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.1.99' (RSA) to the list of known hosts.
Address 172.16.1.99 maps to bogon, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
root@172.16.1.99's password:
Changing password for user friendship.
nfs server
[root@mb01 ~]# ssh -p 22 root@172.16.1.66 "/usr/sbin/useradd friendship&&echo '123456'|/usr/bin/passwd --stdin friendship&&echo 'friendship ALL=(ALL) NOPASSWD: /bin/cp'>>/etc/sudoers"
The authenticity of host '172.16.1.66 (172.16.1.66)' can't be established.
RSA key fingerprint is 59:90:3c:db:11:3e:99:7a:4f:f6:02:b8:96:ad:4d:f9.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.1.66' (RSA) to the list of known hosts.
Address 172.16.1.66 maps to bogon, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
root@172.16.1.66's password:
Changing password for user friendship.
passwd: all authentication tokens updated successfully.
Test
echo $? returns 0 in both cases, so the verification succeeded
[root@mb01 ~]# ssh -t -p 22 friendship@172.16.1.66 "/bin/echo 'test sudo for friendship'>~/good.txt&&sudo /bin/cp ~/good.txt /etc/;/bin/echo $?"
Address 172.16.1.66 maps to bogon, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
friendship@172.16.1.66's password:
0
Connection to 172.16.1.66 closed.
[root@mb01 ~]#
[root@mb01 ~]# ssh -t -p 22 friendship@172.16.1.99 "/bin/echo 'test sudo for friendship'>~/good.txt&&sudo /bin/cp ~/good.txt /etc/;/bin/echo $?"
Address 172.16.1.99 maps to bogon, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
friendship@172.16.1.99's password:
0
Connection to 172.16.1.99 closed.
[root@mb01 ~]#
II. On the batch distribution server, generate a key pair as the friendship user and send the public key to each server
1. Generate the key pair
[friendship@mb01 ~]$ whoami
friendship
[friendship@mb01 ~]$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/friendship/.ssh/id_dsa):
Created directory '/home/friendship/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/friendship/.ssh/id_dsa.
Your public key has been saved in /home/friendship/.ssh/id_dsa.pub.
The key fingerprint is:
64:e4:49:75:74:09:9e:62:77:e2:d0:9b:bc:ff:2a:0b friendship@mb01
The key's randomart image is:
+--[ DSA 1024]----+
| o…+… |
| + . + o. |
| = + * . |
| o . * = |
| S = |
| . |
| E . |
| … |
| .ooo.|
+-----------------+
[friendship@mb01 ~]$
Send the public key to each server
nfs server
[friendship@mb01 ~]$ ssh-copy-id -i ./.ssh/id_dsa.pub friendship@172.16.1.66
The authenticity of host '172.16.1.66 (172.16.1.66)' can't be established.
RSA key fingerprint is 59:90:3c:db:11:3e:99:7a:4f:f6:02:b8:96:ad:4d:f9.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.1.66' (RSA) to the list of known hosts.
Address 172.16.1.66 maps to bogon, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
friendship@172.16.1.66's password:
Now try logging into the machine, with "ssh 'friendship@172.16.1.66'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
[friendship@mb01 ~]$
backup server
[friendship@mb01 ~]$ ssh-copy-id -i ./.ssh/id_dsa.pub friendship@172.16.1.99
The authenticity of host '172.16.1.99 (172.16.1.99)' can't be established.
RSA key fingerprint is 59:90:3c:db:11:3e:99:7a:4f:f6:02:b8:96:ad:4d:f9.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.1.99' (RSA) to the list of known hosts.
Address 172.16.1.99 maps to bogon, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
friendship@172.16.1.99's password:
Now try logging into the machine, with "ssh 'friendship@172.16.1.99'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
[friendship@mb01 ~]$
Verify that the friendship user can log in to each server without a password
mb01 connects to nfs without a password
[friendship@mb01 ~]$ ssh friendship@172.16.1.66
Address 172.16.1.66 maps to bogon, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Last login: Sat May 7 05:44:25 2016 from 172.16.1.61
[friendship@nfs ~]$ ls
good.txt
[friendship@nfs ~]$ cat /etc/ssh/sshd_config
cat: /etc/ssh/sshd_config: Permission denied
[friendship@nfs ~]$ tail -2 /etc/passwd
tcpdump:x:72:72::/:/sbin/nologin
friendship:x:500:500::/home/friendship:/bin/bash
mb01 connects to backup without a password
[friendship@mb01 ~]$ ssh friendship@172.16.1.99
Address 172.16.1.99 maps to bogon, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Last login: Sat May 7 05:52:00 2016 from 172.16.1.61
[friendship@backup ~]$ ls
good.txt
[friendship@backup ~]$ tail /etc/passwd
dbus:x:81:81:System message bus:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
abrt:x:173:173::/etc/abrt:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
saslauth:x:499:76:Saslauthd user:/var/empty/saslauth:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
friendship:x:500:500::/home/friendship:/bin/bash
[friendship@backup ~]$
III. On the batch distribution server mb01, write a script to do the bulk distribution, running as the friendship user
Batch-distribute the hosts file
1. Copy the hosts file into the home directory and check its contents
cp /etc/hosts .
[friendship@mb01 ~]$ cat hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
172.16.1.5 lb01
172.16.1.6 lb02
172.16.1.7 web02
172.16.1.8 web01
172.16.1.51 db01 db01.etiantian.org
172.16.1.31 nfs01
172.16.1.41 backup
172.16.1.61 m01
=========20140708==============
[friendship@mb01 ~]$
2. Write the script: vim fenfa.sh
#!/bin/sh
# Copy the local hosts file into the friendship user's home directory on each
# client (172.16.1.66 and 172.16.1.99), using the key-based login set up above.
for n in 66 99
do
    echo "==172.16.1.$n=="
    scp -P22 hosts 172.16.1.$n:~
done
3. Run the script
[friendship@mb01 ~]$ /bin/sh fenfa.sh
==172.16.1.66==
Address 172.16.1.66 maps to bogon, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
hosts 100% 384 0.4KB/s 00:00
==172.16.1.99==
Address 172.16.1.99 maps to bogon, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
hosts 100% 384 0.4KB/s 00:00
fenfa.sh: line 10: /home/friendship: is a directory
fenfa.sh: line 14: command not found
[friendship@mb01 ~]$
4. Check the distribution result
nfs server
[friendship@nfs ~]$ ls
hosts
[friendship@nfs ~]$ cat hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
172.16.1.5 lb01
172.16.1.6 lb02
172.16.1.7 web02
172.16.1.8 web01
172.16.1.51 db01 db01.etiantian.org
172.16.1.31 nfs01
172.16.1.41 backup
172.16.1.61 m01
=========20140708==============
[friendship@nfs ~]$
backup server
[friendship@backup ~]$ ls
hosts
[friendship@backup ~]$ cat hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
172.16.1.5 lb01
172.16.1.6 lb02
172.16.1.7 web02
172.16.1.8 web01
172.16.1.51 db01 db01.etiantian.org
172.16.1.31 nfs01
172.16.1.41 backup
172.16.1.61 m01
=========20140708==============
[friendship@backup ~]$
Test succeeded: the hosts file has been distributed in bulk to the home directory on the specified servers
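As an added example (not the post's own fenfa.sh), the script below carries the procedure through to the final step described at the top of the page: after the scp it uses the friendship user's sudo rule for /bin/cp to install the file as /etc/hosts on each client and verifies the installed copy by checksum. Hosts, user, port and sudo rule are the ones on this page; DRY_RUN is an assumed knob that prints the commands instead of running them.

```shell
#!/bin/sh
# Added example: hardened distribution script for the setup on this page.
# Assumes the friendship user, port 22, the "NOPASSWD: /bin/cp" sudo rule and
# an already installed ssh key. DRY_RUN=1 (assumed knob) prints the commands only.

DIST_USER="friendship"
TARGETS="172.16.1.66 172.16.1.99"
SRC_FILE="${1:-hosts}"
DRY_RUN="${DRY_RUN:-0}"

# BatchMode never falls back to a password prompt (a missing key fails instead of
# hanging a cron job); StrictHostKeyChecking=yes refuses hosts not yet in known_hosts.
SSH_OPTS="-p 22 -o BatchMode=yes -o ConnectTimeout=5 -o StrictHostKeyChecking=yes"
SCP_OPTS="-P 22 -o BatchMode=yes -o ConnectTimeout=5 -o StrictHostKeyChecking=yes"

run() {
    if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

# Copy to the user's home directory, install with the delegated cp, then compare
# md5sums. Exit statuses are checked directly instead of echoing $? inside double
# quotes, which the local shell would expand before ssh ever runs.
distribute_one() {
    host="$1"; src="$2"; name=$(basename "$src")
    run scp $SCP_OPTS "$src" "$DIST_USER@$host:~/" || return 1
    run ssh $SSH_OPTS "$DIST_USER@$host" "sudo /bin/cp ~/$name /etc/hosts" || return 1
    [ "$DRY_RUN" = "1" ] && return 0
    local_sum=$(md5sum "$src" | cut -d' ' -f1)
    remote_sum=$(ssh $SSH_OPTS "$DIST_USER@$host" "md5sum /etc/hosts" | cut -d' ' -f1)
    [ -n "$local_sum" ] && [ "$local_sum" = "$remote_sum" ]
}

# Loop over all clients; the exit status is non-zero if any client failed.
distribute_all() {
    rc=0
    for h in $TARGETS; do
        echo "==$h=="
        if distribute_one "$h" "$SRC_FILE"; then echo "ok"; else echo "FAILED"; rc=1; fi
    done
    return $rc
}

# Only run when invoked with the file to distribute, e.g.: sh fenfa2.sh hosts
if [ $# -gt 0 ]; then
    distribute_all
fi
```

Run with DRY_RUN=1 first to review the exact scp and ssh commands before anything touches the clients.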