SSH passwordless login: a batch distribution server


Author: Mr.zhou

  Requirement: the NFS server doubles as the batch distribution server. The Backup server and the Lnmp-1 web server are its distribution clients. A hosts file edited on the NFS server is pushed to /etc/ on the backup and web servers, so that the internal network can use /etc/hosts for forward and reverse name resolution.

  Because root holds full privileges, passwordless SSH as root is not recommended. Instead, create the same unprivileged user on every machine, set up passwordless SSH for that user, and use scp to deliver the hosts file into that user's home directory on each client. On each client, grant the user sudo rights on cp so that it can copy the received file from its home directory into /etc/. Be clear about what this buys: a sudo rule that allows /bin/cp with arbitrary arguments is root-equivalent, since the user can copy any file over /etc/shadow, /etc/sudoers or root's authorized_keys. The gain is that root's own SSH login is never exposed to the network; a real privilege reduction requires pinning the rule to the exact source and destination paths, which sudo supports because it matches command-line arguments as well as the command.

  Demo environment:

  NFS and batch distribution server:

[root@nfs-server ~]# uname -nr
nfs-server.z-dig.com 2.6.32-504.el6.x86_64
[root@nfs-server ~]# ifconfig eth0|awk -F "[ :]+" 'NR==2{print $4}'
172.16.1.100
[root@nfs-server ~]# 

  Backup server (distribution client):

[root@backup-server ~]# uname -nr
backup-server.z-dig.com 2.6.32-504.el6.x86_64
[root@backup-server ~]# ifconfig eth0|awk -F "[ :]+" 'NR==2{print $4}'
172.16.1.101
[root@backup-server ~]# 

  Lnmp-1 web server (distribution client):

[root@lnmp-1 ~]# uname -nr
lnmp-1.z-dig.com 2.6.32-504.el6.x86_64
[root@lnmp-1 ~]# ifconfig eth0|awk -F "[ :]+" 'NR==2{print $4}'
172.16.1.10
[root@lnmp-1 ~]# 

1. Create the unprivileged account distribute on every machine and grant it sudo rights to run cp. All of the following steps are run from the distribution server, executing commands over SSH as root with password authentication. If the servers forbid remote root login, log in as an unprivileged user and switch to root, or configure each machine separately. Two cautions about the commands below: appending to /etc/sudoers with echo skips the syntax check that visudo performs, and a typo there disables sudo for every user on the machine, so prefer writing a drop-in under /etc/sudoers.d and checking it with visudo -cf before installing it; and the throw-away password 123456 exists only so that ssh-copy-id can authenticate once, so replace it with a disabled hash (or remove it) as soon as the key is in place.

[root@nfs-server ~]# useradd distribute
[root@nfs-server ~]# which --skip-alias cp
/bin/cp
[root@nfs-server ~]# which useradd
/usr/sbin/useradd
[root@nfs-server ~]# which passwd
/usr/bin/passwd
[root@nfs-server ~]# 
[root@nfs-server ~]# ssh -p 22 root@172.16.1.101 "/usr/sbin/useradd distribute&&echo '123456'|/usr/bin/passwd --stdin distribute&&echo 'distribute ALL=(ALL)       NOPASSWD:/bin/cp'>>/etc/sudoers"
root@172.16.1.101's password: 
Changing password for user distribute.
passwd: all authentication tokens updated successfully.
[root@nfs-server ~]# 
[root@nfs-server ~]# ssh -p 22 root@172.16.1.10 "/usr/sbin/useradd distribute&&echo '123456'|/usr/bin/passwd --stdin distribute&&echo 'distribute ALL=(ALL)       NOPASSWD:/bin/cp'>>/etc/sudoers" 
root@172.16.1.10's password: 
Changing password for user distribute.
passwd: all authentication tokens updated successfully.
[root@nfs-server ~]# 

  Verification

[root@nfs-server ~]# ssh -t -p 22 distribute@172.16.1.101 "/bin/echo 'test sudo for distribute'> ~/test.txt&&sudo /bin/cp ~/test.txt /etc/;/bin/echo \$?"
distribute@172.16.1.101's password: 
0
Connection to 172.16.1.101 closed.
[root@nfs-server ~]#
[root@nfs-server ~]# ssh -t -p 22 distribute@172.16.1.10 "/bin/echo 'test sudo for distribute'> ~/test.txt&&sudo /bin/cp ~/test.txt /etc/;/bin/echo \$?" 
distribute@172.16.1.10's password: 
0
Connection to 172.16.1.10 closed.
[root@nfs-server ~]#

Both echo $? calls return 0, so the sudo rule works. The $? is escaped as \$? on purpose: inside a double-quoted remote command the local shell would otherwise substitute its own last exit status before ssh even runs, and the printed 0 would say nothing about the remote cp. The -t flag is required because CentOS 6 ships sudoers with "Defaults requiretty", so sudo refuses to run without a terminal.
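Added here as an example, not the original post's commands: a bootstrap for the clients that never assigns the account a password, installs the public key directly, and replaces the blanket cp rule with one pinned to a single source and destination. It assumes the account name distribute, /home/distribute/hosts as the staged file, /etc/hosts as the target, and that /etc/sudoers contains #includedir /etc/sudoers.d (the CentOS 6 default). The generated script is fed to the client over stdin, which sidesteps the local-versus-remote quoting trap shown above.

```shell
#!/bin/bash
# Added example (not from the original post): least-privilege bootstrap for the
# "distribute" account on each client.

# sudoers_rule USER SRC DST
# sudo matches command-line arguments, so this permits exactly
# "sudo /bin/cp SRC DST" and nothing else (no "cp evil /etc/sudoers").
sudoers_rule() {
  printf '%s ALL=(root) NOPASSWD: /bin/cp %s %s\n' "$1" "$2" "$3"
}

# bootstrap_script USER PUBKEY SRC DST
# Prints a script to run as root on a client, e.g.
#   bootstrap_script distribute "$(cat ~/.ssh/id_ed25519.pub)" \
#       /home/distribute/hosts /etc/hosts | ssh -p 22 root@172.16.1.101 bash -s
bootstrap_script() {
  user=$1 pubkey=$2 src=$3 dst=$4
  rule=$(sudoers_rule "$user" "$src" "$dst")
  cat <<EOF
set -e
# Create the account if missing. A password hash of "*" disables password
# logins without marking the account locked ("!" prefix, which sshd also
# rejects), so key-based SSH works and no throw-away password is ever set.
id -u '$user' >/dev/null 2>&1 || /usr/sbin/useradd '$user'
/usr/sbin/usermod -p '*' '$user'
home=\$(getent passwd '$user' | cut -d: -f6)
install -d -m 0700 -o '$user' -g '$user' "\$home/.ssh"
printf '%s\n' '$pubkey' > "\$home/.ssh/authorized_keys"
chown '$user:$user' "\$home/.ssh/authorized_keys"
chmod 0600 "\$home/.ssh/authorized_keys"
# Write the sudo rule as a drop-in and let visudo syntax-check it before it
# goes live; a typo appended straight to /etc/sudoers breaks sudo for everyone.
tmp=\$(mktemp)
printf '%s\n' '$rule' > "\$tmp"
visudo -cf "\$tmp"
install -m 0440 "\$tmp" '/etc/sudoers.d/$user'
rm -f "\$tmp"
echo "bootstrap of $user done"
EOF
}
```

Because the rule names both paths, the distribution script must copy the staged file under the fixed name /home/distribute/hosts; any other invocation of cp via sudo is refused and logged.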

  2. On the distribution server, generate a key pair as the distribute user and send the public key to each distribution client. The post uses a 1024-bit DSA key, which ssh-keygen still offered at the time; ssh-dss has been disabled by default since OpenSSH 7.0, so on current systems use ssh-keygen -t ed25519 (or -t rsa -b 4096) instead. The empty passphrase is what makes the login non-interactive, which means the private key file must be protected as carefully as a password.

[root@nfs-server ~]# su - distribute
[distribute@nfs-server ~]$ whoami 
distribute
[distribute@nfs-server ~]$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/distribute/.ssh/id_dsa): 
Created directory '/home/distribute/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/distribute/.ssh/id_dsa.
Your public key has been saved in /home/distribute/.ssh/id_dsa.pub.
The key fingerprint is:
46:55:40:48:d6:d2:bc:37:11:26:2a:55:be:9c:36:e2 distribute@nfs-server.z-dig.com
The key's randomart image is:
+--[ DSA 1024]----+
|       .+B*o+.   |
|       oo++o.    |
|      . o... .   |
|       o ..oo    |
|        S *. .   |
|       o o .     |
|        E        |
|                 |
|                 |
+-----------------+
[distribute@nfs-server ~]$
[distribute@nfs-server ~]$ ssh-copy-id -i ./.ssh/id_dsa.pub distribute@172.16.1.101
The authenticity of host '172.16.1.101 (172.16.1.101)' can't be established.
RSA key fingerprint is 3f:7e:cf:2e:0a:58:3a:f0:a3:4e:8c:73:65:3b:35:b3.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.1.101' (RSA) to the list of known hosts.
distribute@172.16.1.101's password: 
Now try logging into the machine, with "ssh 'distribute@172.16.1.101'", and check in:

  .ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

[distribute@nfs-server ~]$ 
[distribute@nfs-server ~]$ ssh-copy-id -i ./.ssh/id_dsa.pub distribute@172.16.1.10
The authenticity of host '172.16.1.10 (172.16.1.10)' can't be established.
RSA key fingerprint is 3f:7e:cf:2e:0a:58:3a:f0:a3:4e:8c:73:65:3b:35:b3.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.1.10' (RSA) to the list of known hosts.
distribute@172.16.1.10's password: 
Now try logging into the machine, with "ssh 'distribute@172.16.1.10'", and check in:

  .ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

[distribute@nfs-server ~]$ 

  Verify that the distribute user can log in to each client without a password. First, note something in the ssh-copy-id output above: both clients presented the same RSA host key fingerprint. Two machines should never share a host key; this happens when virtual machines are cloned from one image, and it lets either clone impersonate the other to any client that has the key in known_hosts. Regenerate the host keys on the clones (remove /etc/ssh/ssh_host_*_key* and restart sshd, which recreates missing keys on CentOS 6) before relying on the known_hosts entries just recorded.

[distribute@nfs-server ~]$ ssh distribute@172.16.1.101
Last login: Wed Jun 24 13:42:36 2015 from 172.16.1.100
[distribute@backup-server ~]$ ls
test.txt
[distribute@backup-server ~]$ logout
Connection to 172.16.1.101 closed.
[distribute@nfs-server ~]$ ssh distribute@172.16.1.10
Last login: Wed Jun 24 12:13:30 2015 from 172.16.1.100
[distribute@lnmp-1 ~]$ ls
test.txt
[distribute@lnmp-1 ~]$ logout
Connection to 172.16.1.10 closed.
[distribute@nfs-server ~]$ 

  The distribute user logs in without a password.
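ssh-copy-id installs the key without any restrictions: if the private key leaks, it works from any host on the network. Added here as an example, not from the original post, is how to pin the key to the distribution server's address in the client's authorized_keys and how to audit a client for unrestricted keys afterwards. It assumes the distribution server is 172.16.1.100 and an ed25519 key.

```shell
#!/bin/bash
# Added example (not from the original post): restrict the distribution key
# once it is installed in a client's authorized_keys.

# restrict_pubkey SOURCE_IP   (reads one public-key line on stdin)
# Prefixes the key with authorized_keys options: accepted only from SOURCE_IP,
# no port, agent or X11 forwarding. no-pty is deliberately omitted, because
# CentOS 6 sudoers carries "Defaults requiretty" and "ssh -t ... sudo" needs a tty.
# Install it with, for example:
#   restrict_pubkey 172.16.1.100 < ~/.ssh/id_ed25519.pub |
#     ssh distribute@172.16.1.101 'umask 077; mkdir -p ~/.ssh; cat >> ~/.ssh/authorized_keys'
restrict_pubkey() {
  src=$1
  IFS= read -r line || return 1
  printf 'from="%s",no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' "$src" "$line"
}

# audit_authorized_keys FILE SOURCE_IP
# Reports every key in FILE that is not pinned to exactly SOURCE_IP and returns 1
# if any were found. Run it on each client after ssh-copy-id.
audit_authorized_keys() {
  awk -v ip="$2" '
    /^[[:space:]]*(#|$)/ { next }                       # comments and blank lines
    index($0, "from=\"" ip "\"") == 0 {                 # usable from anywhere
      printf("%s:%d: key not restricted to %s\n", FILENAME, FNR, ip); bad++
    }
    END { exit (bad ? 1 : 0) }
  ' "$1"
}
```

The from= option is matched by sshd against the client's source address, so with this line in place a stolen key is useless from any host other than 172.16.1.100.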

  3. Write the batch distribution script on the distribution server. It must be run as the distribute user.

[distribute@nfs-server ~]$ whoami
distribute
[distribute@nfs-server ~]$ mkdir scripts
[distribute@nfs-server ~]$ 
[distribute@nfs-server ~]$ cat ./scripts/distribute.sh 
#!/bin/bash
# from oldboy, changed by mr.zhou
# Pushes one local file to a list of clients as the distribute user: scp it into
# the remote home directory, then (unless the home directory itself is the target)
# sudo cp it to the final path. Relies on the sudo rule for /bin/cp from step 1.
. /etc/init.d/functions
read -p "Please enter client number sum :" ipsum
read -p "Please enter client sshd port (default 22):" sshdport
read -p "Please enter client username (default distribute):" username
read -p "Please enter local file:" localfile
read -p "Please enter remote path:" remotepath
port=${sshdport:-22}
user=${username:-distribute}
# scp drops the file into the remote home directory under its base name, so the
# remote cp must use that name rather than the local path that was typed.
filename=$(basename "$localfile")
# Collect the addresses in an array instead of a world-writable file in /tmp.
ips=()
for i in $(seq "$ipsum"); do
  read -p "Please enter client no.$i 's ip address :" thisip
  ips+=("$thisip")
done
for ip in "${ips[@]}"; do
  status=0
  if ! scp -P "$port" -r "$localfile" "$user@$ip:~" >/dev/null 2>&1; then
    status=1
  elif [[ "$remotepath" != "~" && "$remotepath" != "/home/$user" ]]; then
    # -t allocates a tty because CentOS 6 sudoers has "Defaults requiretty";
    # -p must be given here as well, or a non-default port only applies to scp.
    ssh -t -p "$port" "$user@$ip" sudo /bin/cp "$filename" "$remotepath" >/dev/null 2>&1 || status=1
  fi
  if [[ $status -eq 0 ]]; then
    action "$ip Distributed success!" /bin/true
  else
    action "$ip Distributed false!!!" /bin/false
  fi
done
[distribute@nfs-server ~]$ 

  Test:

[distribute@nfs-server ~]$ ssh distribute@172.16.1.101 "/bin/uname -n&&/bin/ls ~"
backup-server.z-dig.com
test.txt
[distribute@nfs-server ~]$ ssh distribute@172.16.1.10 "/bin/uname -n&&/bin/ls ~" 
lnmp-1.z-dig.com
test.txt
[distribute@nfs-server ~]$ 
[distribute@nfs-server ~]$ uname -n&&pwd
nfs-server.z-dig.com
/home/distribute
[distribute@nfs-server ~]$ 
[distribute@nfs-server ~]$ echo "Distribute this file to all client">distribute.txt     
[distribute@nfs-server ~]$ cat distribute.txt 
Distribute this file to all client
[distribute@nfs-server ~]$
[distribute@nfs-server ~]$ sh ./scripts/distribute.sh 
Please enter client number sum :2
Please enter client sshd port (default 22):
Please enter client username (default distribute):
Please enter local file:./distribute.txt
Please enter remote path:~
Please enter client no.1 's ip address :172.16.1.101
Please enter client no.2 's ip address :172.16.1.10
172.16.1.101 Distributed success!                          [  OK  ]
172.16.1.10 Distributed success!                           [  OK  ]
[distribute@nfs-server ~]$ 
[distribute@nfs-server ~]$ ssh distribute@172.16.1.101 /bin/cat ./distribute.txt
Distribute this file to all client
[distribute@nfs-server ~]$ ssh distribute@172.16.1.10 /bin/cat ./distribute.txt 
Distribute this file to all client
[distribute@nfs-server ~]$ 

  Test passed: distribute.txt, created on the distribution server, was delivered to the home directory on every client.

  4. Final test: distribute the hosts file edited on the distribution server to every client.

[distribute@nfs-server ~]$ ssh distribute@172.16.1.101 /bin/cat /etc/hosts           
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
172.16.1.101 backup-server.z-dig.com
[distribute@nfs-server ~]$ 
[distribute@nfs-server ~]$ ssh distribute@172.16.1.10 /bin/cat /etc/hosts 
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
172.16.1.10 lnmp-1.z-dig.com
[distribute@nfs-server ~]$ 
[distribute@nfs-server ~]$ uname -n&&pwd
nfs-server.z-dig.com
/home/distribute
[distribute@nfs-server ~]$ cat hosts 
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
172.16.1.10 lnmp-1.z-dig.com
172.16.1.100 nfs-server.z-dig.com
172.16.1.101 backup-server.z-dig.com
[distribute@nfs-server ~]$ 
[distribute@nfs-server ~]$ sh ./scripts/distribute.sh 
Please enter client number sum :2
Please enter client sshd port (default 22):
Please enter client username (default distribute):
Please enter local file:./hosts
Please enter remote path:/etc/hosts
Please enter client no.1 's ip address :172.16.1.101
Please enter client no.2 's ip address :172.16.1.10
172.16.1.101 Distributed success!                          [  OK  ]
172.16.1.10 Distributed success!                           [  OK  ]
[distribute@nfs-server ~]$ 
[distribute@nfs-server ~]$ ssh distribute@172.16.1.101 /bin/cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
172.16.1.10 lnmp-1.z-dig.com
172.16.1.100 nfs-server.z-dig.com
172.16.1.101 backup-server.z-dig.com
[distribute@nfs-server ~]$ ssh distribute@172.16.1.10 /bin/cat /etc/hosts 
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
172.16.1.10 lnmp-1.z-dig.com
172.16.1.100 nfs-server.z-dig.com
172.16.1.101 backup-server.z-dig.com
[distribute@nfs-server ~]$

  Batch distribution of the hosts file succeeded!
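A hosts file pushed in bulk is only as good as its contents: one bad octet or a name bound to two addresses breaks resolution on every server at once. Added here as an example, not from the original post, is a check to run on the file before distributing it, plus a non-interactive push that refuses to run when the check fails. It assumes the layout used above (IPv4 and IPv6 entries), the distribute account, and a sudo rule that permits /bin/cp /home/distribute/hosts /etc/hosts. The sample hosts files are constructed for the example, not captured from a real host.

```shell
#!/bin/bash
# Added example (not from the original post): validate a hosts file, then push it.

# check_hosts FILE
# Prints one "FILE:LINE: problem" per finding and returns 1 if there were any.
check_hosts() {
  awk '
    function bad(msg) { printf("%s:%d: %s\n", FILENAME, FNR, msg); errors++ }
    function ipv4_ok(a,   p, i) {
      if (split(a, p, ".") != 4) return 0
      for (i = 1; i <= 4; i++)
        if (p[i] !~ /^[0-9]+$/ || p[i] + 0 > 255) return 0
      return 1
    }
    {
      sub(/#.*/, "")                          # drop trailing comments
      if (NF == 0) next                       # blank or comment-only line
      if (NF < 2) { bad("address without hostname: " $1); next }
      if ($1 ~ /:/) {                         # IPv6: hex digits, colons, dots
        if ($1 !~ /^[0-9a-fA-F:.]+$/) bad("malformed IPv6 address: " $1)
      } else if (!ipv4_ok($1)) {
        bad("malformed IPv4 address: " $1)
      }
      for (i = 2; i <= NF; i++) {
        if ($i !~ /^[A-Za-z0-9.-]+$/) bad("illegal hostname: " $i)
        # localhost names legitimately map to both 127.0.0.1 and ::1; any other
        # name bound to two different addresses is almost certainly a mistake.
        if (($i in seen) && seen[$i] != $1 && $i !~ /^localhost/)
          bad("hostname " $i " maps to both " seen[$i] " and " $1)
        if (!($i in seen)) seen[$i] = $1
      }
    }
    END { exit (errors ? 1 : 0) }
  ' "$1"
}

# distribute_hosts FILE HOST...
# Same flow as the post (scp into the home directory, sudo cp into place), without
# the interactive prompts and only after check_hosts passes. The staged name is
# fixed so that an argument-pinned sudo rule can match it.
distribute_hosts() {
  file=$1; shift
  check_hosts "$file" || { echo "refusing to distribute a broken hosts file" >&2; return 1; }
  for h in "$@"; do
    if scp -q -P 22 "$file" "distribute@$h:~/hosts" &&
       ssh -t -p 22 "distribute@$h" sudo /bin/cp /home/distribute/hosts /etc/hosts >/dev/null 2>&1
    then echo "$h: ok"
    else echo "$h: FAILED" >&2
    fi
  done
}

# write_samples GOOD_FILE BAD_FILE
# Constructed sample input: the post's final hosts file, and a broken variant
# with an out-of-range octet, a name bound to two addresses, and a bare address.
write_samples() {
  cat > "$1" <<'EOF'
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
172.16.1.10 lnmp-1.z-dig.com
172.16.1.100 nfs-server.z-dig.com
172.16.1.101 backup-server.z-dig.com
EOF
  cat > "$2" <<'EOF'
172.16.1.10 lnmp-1.z-dig.com
172.16.1.300 nfs-server.z-dig.com   # octet out of range
172.16.1.101 lnmp-1.z-dig.com       # same name, second address
172.16.1.102
EOF
}
```

Run check_hosts against the file in the distribute user's home directory before calling distribute_hosts; the broken sample produces three findings and the push is refused, while the post's own file passes cleanly.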


Please credit the original link when reposting: http://www.z-dig.com/ssh-password-free-log-bulk-distributor.html


