SSH 免密码登录—批量分发服务器

SSH 免密码登录——批量分发服务器

需求：nfs服务器兼做批量分发服务器。backup备份服务器、mb01服务为批量分发的客户端。通过NFS服务器讲编辑好的hosts文件批量分发到备份服务器和mb01服务器的、/etc/下。使内网环境可以使用/etc/hosts 文件做正向、反向的域名解析。

由于root具有最大的权限，所以不建议使用root用户进行SSH免密码登录，而是在所有的机器上建立相同的普通用户，通过普通用户的SSH免密码登录，使用scp 命令将hosts文件分发到客户端的该普通用户的家目录下。在各客户端为该普通用户通过sudo对cp赋予提权，才能将该用户家目录下收到的分发文件拷贝到/etc/目录下。

环境：

mb01批量分发客户端服务器：

[root@mb01 ~]# uname -nr

mb01 2.6.32-573.el6.x86_64

[root@mb01 ~]# ifconfig eth1|awk -F “[ :]+” ‘NR==2{print $4}’

172.16.1.61

[root@mb01 ~]#

backup 备份服务器

[root@backup ~]# uname -nr

backup 2.6.32-573.el6.x86_64

[root@backup ~]# ifconfig eth1|awk -F “[ :]+” ‘NR==2{print $4}’

172.16.1.99

[root@backup ~]#

nfs 服务器

[root@nfs ~]# uname -nr

nfs 2.6.32-573.el6.x86_64

[root@nfs ~]# ifconfig eth1|awk -F “[ :]+” ‘NR==2 {print $4}’

172.16.1.66

[root@nfs ~]#

一、在所有的机器中创建分发用户的普通账户 friendship 并通过 sudo 对 friendship 用户使用cp 命令时进行提权。以下操作均为分发服务器上操作，使用 root 用户 ssh 密码验证执行命令。若服务器禁止了 root 远程登录，则需要使用普通用户登录在切换到root。或单独连接各机器进行配置。

############以下可以整合一条命令行这行（全路径）###########

ssh -p 22 root@172.16.1.66 “/usr/sbin/useradd friendship&&echo ‘123456’|/usr/bin/passwd –stdin friendship&&echo ‘friendship ALL=(ALL) NOPASSWD: /bin/cp’>>/etc/sudoers”

1、在所有机器上创建用户 friendship

useradd friendship

2、给friendship 设置密码：

echo ‘123456’|/usr/bin/passwd –stdin friendship

3、对friendship用户 sudo 授权

echo ‘friendship ALL=(ALL) NOPASSWD: /bin/cp’>>/etc/sudoers

backup 服务器

[root@mb01 ~]# ssh -p 22 root@172.16.1.99 “/usr/sbin/useradd friendship&&echo ‘123456’|/usr/bin/passwd –stdin friendship&&echo ‘friendship ALL=(ALL) NOPASSWD: /bin/cp’>>/etc/sudoers”

The authenticity of host ‘172.16.1.99 (172.16.1.99)’ can’t be established.

RSA key fingerprint is 59:90:3c:db:11:3e:99:7a:4f:f6:02:b8:96:ad:4d:f9.

Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added ‘172.16.1.99’ (RSA) to the list of known hosts.

Address 172.16.1.99 maps to bogon, but this does not map back to the address – POSSIBLE BREAK-IN ATTEMPT!

root@172.16.1.99’s password:

Changing password for user friendship.

nfs 服务器

[root@mb01 ~]# ssh -p 22 root@172.16.1.66 “/usr/sbin/useradd friendship&&echo ‘123456’|/usr/bin/passwd –stdin friendship&&echo ‘friendship ALL=(ALL) NOPASSWD: /bin/cp’>>/etc/sudoers”

The authenticity of host ‘172.16.1.66 (172.16.1.66)’ can’t be established.

RSA key fingerprint is 59:90:3c:db:11:3e:99:7a:4f:f6:02:b8:96:ad:4d:f9.

Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added ‘172.16.1.66’ (RSA) to the list of known hosts.

Address 172.16.1.66 maps to bogon, but this does not map back to the address – POSSIBLE BREAK-IN ATTEMPT!

root@172.16.1.66’s password:

Changing password for user friendship.

passwd: all authentication tokens updated successfully.

测试

echo $? 返回值都为0 验证成功

[root@mb01 ~]# ssh -t -p 22 friendship@172.16.1.66 “/bin/echo ‘test sudo for friendship’>~/good.txt&&sudo /bin/cp ~/good.txt /etc/;/bin/echo $?”

Address 172.16.1.66 maps to bogon, but this does not map back to the address – POSSIBLE BREAK-IN ATTEMPT!

friendship@172.16.1.66’s password:

Connection to 172.16.1.66 closed.

[root@mb01 ~]#

[root@mb01 ~]# ssh -t -p 22 friendship@172.16.1.99 “/bin/echo ‘test sudo for friendship’>~/good.txt&&sudo /bin/cp ~/good.txt /etc/;/bin/echo $?”

Address 172.16.1.99 maps to bogon, but this does not map back to the address – POSSIBLE BREAK-IN ATTEMPT!

friendship@172.16.1.99’s password:

Connection to 172.16.1.99 closed.

[root@mb01 ~]#

二、在批量分发服务器上使用 friendship 用户生成密匙对并将公匙发送到各服务器

1、生成密匙对

[friendship@mb01 ~]$ whoami

friendship

[friendship@mb01 ~]$ ssh-keygen -t dsa

Generating public/private dsa key pair.

Enter file in which to save the key (/home/friendship/.ssh/id_dsa):

Created directory ‘/home/friendship/.ssh’.

Enter passphrase (empty for no passphrase):

Enter same passphrase again:

Your identification has been saved in /home/friendship/.ssh/id_dsa.

Your public key has been saved in /home/friendship/.ssh/id_dsa.pub.

The key fingerprint is:

64:e4:49:75:74:09:9e:62:77:e2:d0:9b:bc:ff:2a:0b friendship@mb01

The key’s randomart image is:

+–[ DSA 1024]—-+

| o…+… |

| + . + o. |

| = + * . |

| o . * = |

| S = |

| . |

| E . |

| … |

| .ooo.|

+—————–+

[friendship@mb01 ~]$

发送密匙到分发服务器

nfs 服务器

[friendship@mb01 ~]$ ssh-copy-id -i ./.ssh/id_dsa.pub friendship@172.16.1.66

The authenticity of host ‘172.16.1.66 (172.16.1.66)’ can’t be established.

RSA key fingerprint is 59:90:3c:db:11:3e:99:7a:4f:f6:02:b8:96:ad:4d:f9.

Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added ‘172.16.1.66’ (RSA) to the list of known hosts.

Address 172.16.1.66 maps to bogon, but this does not map back to the address – POSSIBLE BREAK-IN ATTEMPT!

friendship@172.16.1.66’s password:

Now try logging into the machine, with “ssh ‘friendship@172.16.1.66′”, and check in:

.ssh/authorized_keys

to make sure we haven’t added extra keys that you weren’t expecting.

[friendship@mb01 ~]$

backup 服务器

[friendship@mb01 ~]$ ssh-copy-id -i ./.ssh/id_dsa.pub friendship@172.16.1.99

The authenticity of host ‘172.16.1.99 (172.16.1.99)’ can’t be established.

RSA key fingerprint is 59:90:3c:db:11:3e:99:7a:4f:f6:02:b8:96:ad:4d:f9.

Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added ‘172.16.1.99’ (RSA) to the list of known hosts.

Address 172.16.1.99 maps to bogon, but this does not map back to the address – POSSIBLE BREAK-IN ATTEMPT!

friendship@172.16.1.99’s password:

Now try logging into the machine, with “ssh ‘friendship@172.16.1.99′”, and check in:

.ssh/authorized_keys

to make sure we haven’t added extra keys that you weren’t expecting.

[friendship@mb01 ~]$

验证是否能（friendship）用户免密码登陆到各服务器

mb01面密码连接到nfs

[friendship@mb01 ~]$ ssh friendship@172.16.1.66

Address 172.16.1.66 maps to bogon, but this does not map back to the address – POSSIBLE BREAK-IN ATTEMPT!

Last login: Sat May 7 05:44:25 2016 from 172.16.1.61

[friendship@nfs ~]$ ls

good.txt

[friendship@nfs ~]$ cat /etc/ssh/sshd_config

cat: /etc/ssh/sshd_config: Permission denied

[friendship@nfs ~]$ tail -2 /etc/passwd

tcpdump:x:72:72::/:/sbin/nologin

friendship:x:500:500::/home/friendship:/bin/bash

mb01免密码连接到backup

[friendship@mb01 ~]$ ssh friendship@172.16.1.99

Address 172.16.1.99 maps to bogon, but this does not map back to the address – POSSIBLE BREAK-IN ATTEMPT!

Last login: Sat May 7 05:52:00 2016 from 172.16.1.61

[friendship@backup ~]$ ls

good.txt

[friendship@backup ~]$ tail /etc/passwd

dbus:x:81:81:System message bus:/:/sbin/nologin

vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin

abrt:x:173:173::/etc/abrt:/sbin/nologin

haldaemon:x:68:68:HAL daemon:/:/sbin/nologin

ntp:x:38:38::/etc/ntp:/sbin/nologin

saslauth:x:499:76:Saslauthd user:/var/empty/saslauth:/sbin/nologin

postfix:x:89:89::/var/spool/postfix:/sbin/nologin

sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin

tcpdump:x:72:72::/:/sbin/nologin

friendship:x:500:500::/home/friendship:/bin/bash

[friendship@backup ~]$

三、在批量分发服务器mb01 写脚本实现批量分发。使用 friendship 用户

批量分发hosts 文件

1、拷贝一个文件hosts到家目录下查看hosts内容

cp /etc/hosts .

[friendship@mb01 ~]$ cat hosts

127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4

::1 localhost localhost.localdomain localhost6 localhost6.localdomain6

172.16.1.5 lb01

172.16.1.6 lb02

172.16.1.7 web02

172.16.1.8 web01

172.16.1.51 db01 db01.etiantian.org

172.16.1.31 nfs01

172.16.1.41 backup

172.16.1.61 m01

=========20140708==============

[friendship@mb01 ~]$

2、写脚本 vim fenfa.sh

#!/bin/sh

for n in 66 99

echo “==172.16.1.$n==”

scp -P22 hosts 172.16.1.$n:~

done

3、执行脚本

[friendship@mb01 ~]$ /bin/sh fenfa.sh

==172.16.1.66==

Address 172.16.1.66 maps to bogon, but this does not map back to the address – POSSIBLE BREAK-IN ATTEMPT!

hosts 100% 384 0.4KB/s 00:00

==172.16.1.99==

Address 172.16.1.99 maps to bogon, but this does not map back to the address – POSSIBLE BREAK-IN ATTEMPT!

hosts 100% 384 0.4KB/s 00:00

fenfa.sh: line 10: /home/friendship: is a directory

fenfa.sh: line 14: command not found

[friendship@mb01 ~]$

4、看分发结果

nfs服务端

[friendship@nfs ~]$ ls

hosts

[friendship@nfs ~]$ cat hosts

127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4

::1 localhost localhost.localdomain localhost6 localhost6.localdomain6

172.16.1.5 lb01

172.16.1.6 lb02

172.16.1.7 web02

172.16.1.8 web01

172.16.1.51 db01 db01.etiantian.org

172.16.1.31 nfs01

172.16.1.41 backup

172.16.1.61 m01

=========20140708==============

[friendship@nfs ~]$

backup服务端

[friendship@backup ~]$ ls

hosts

[friendship@backup ~]$ cat hosts

127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4

::1 localhost localhost.localdomain localhost6 localhost6.localdomain6

172.16.1.5 lb01

172.16.1.6 lb02

172.16.1.7 web02

172.16.1.8 web01

172.16.1.51 db01 db01.etiantian.org

172.16.1.31 nfs01

172.16.1.41 backup

172.16.1.61 m01

=========20140708==============

[friendship@backup ~]$

测试成功已将hosts文件批量分发到指定服务器的家目录下

wenzhongxiang

295

环境：

mb01批量分发客户端服务器：

backup 备份服务器

nfs 服务器

1、在所有机器上创建用户 friendship

2、给friendship 设置密码：

3、对friendship用户 sudo 授权

backup 服务器

nfs 服务器

测试

二、在批量分发服务器上使用 friendship 用户生成密匙对 并将公匙发送到各服务器

1、生成密匙对

发送密匙到分发服务器

nfs 服务器

backup 服务器

验证是否能（friendship）用户免密码登陆到各服务器

mb01面密码连接到nfs

mb01免密码连接到backup

三、在批量分发服务器mb01 写脚本实现批量分发。使用 friendship 用户

1、拷贝一个文件hosts到家目录下 查看hosts内容

2、写脚本 vim fenfa.sh

3、执行脚本

4、看分发结果

nfs服务端

backup服务端

wenzhongxiang

发表评论 取消回复

二、在批量分发服务器上使用 friendship 用户生成密匙对并将公匙发送到各服务器

1、拷贝一个文件hosts到家目录下查看hosts内容

发表评论取消回复