
Setting up an SSH batch distribution service

2015-07-20 23:25  239 views

SSH batch distribution service

1. System environment

[root@A ~]# uname -a
Linux A 2.6.32-431.el6.x86_64 #1 SMP Fri Nov 22 03:15:09 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
[root@A ~]# ifconfig eth0 | grep 'inet addr' | awk '{print $2}' | awk -F':' '{print $2}'
10.0.0.3
[root@A ~]#

[root@B ~]# uname -a
Linux B 2.6.32-431.el6.x86_64 #1 SMP Fri Nov 22 03:15:09 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
[root@B ~]# ifconfig eth0 | grep 'inet addr' | awk '{print $2}' | awk -F':' '{print $2}'
10.0.0.4
[root@B ~]#

[deng@C ~]$ uname -a
Linux C 2.6.32-431.el6.x86_64 #1 SMP Fri Nov 22 03:15:09 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
[deng@C ~]$ ifconfig eth0 | grep 'inet addr' | awk '{print $2}' | awk -F':' '{print $2}'
10.0.0.5
[deng@C ~]$

2. Deployment diagram

3. Create the user for batch distribution

Here the same user is created on all three servers A, B and C.

[root@A ~]# useradd gao
[root@A ~]# echo asdasd|passwd --stdin gao
Changing password for user gao.
passwd: all authentication tokens updated successfully.
[root@A ~]# tail -1 /etc/passwd
gao:x:500:500::/home/gao:/bin/bash

[root@B ~]# useradd gao
[root@B ~]# echo asdasd|passwd --stdin gao
Changing password for user gao.
passwd: all authentication tokens updated successfully.
[root@B ~]# tail -1 /etc/passwd
gao:x:500:500::/home/gao:/bin/bash

[root@C ~]# useradd gao
[root@C ~]# echo asdasd|passwd --stdin gao
Changing password for user gao.
passwd: all authentication tokens updated successfully.
[root@C ~]# tail -1 /etc/passwd
gao:x:500:500::/home/gao:/bin/bash

4. Generate the keys

Switch to the gao user on all three servers. Generate the key pair on A, then send A's public key to the home directory of the gao user on B and on C.

Generate the key pair on A:
[root@A ~]# su - gao
[gao@A ~]$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/gao/.ssh/id_dsa):
Created directory '/home/gao/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/gao/.ssh/id_dsa.
Your public key has been saved in /home/gao/.ssh/id_dsa.pub.
The key fingerprint is:
08:3b:9f:fd:f2:49:61:26:3a:fd:27:ed:dd:ca:2a:65 gao@A
The key's randomart image is:
+--[ DSA 1024]----+
(randomart rows garbled in extraction; omitted)
+-----------------+
[gao@A ~]$

Check the key pair:
[gao@A ~]$ ls -al .ssh/
total 16
drwx------. 2 gao gao 4096 Jul 20 14:03 .
drwx------. 3 gao gao 4096 Jul 20 14:03 ..
-rw-------. 1 gao gao  668 Jul 20 14:03 id_dsa
-rw-r--r--. 1 gao gao  595 Jul 20 14:03 id_dsa.pub    (public key)
[gao@A ~]$ ls -al .ssh/ -d
drwx------. 2 gao gao 4096 Jul 20 14:03 .ssh/
[gao@A ~]$

Send the public key to gao's home directory on B and C:
[gao@A ~]$ ssh-copy-id -i .ssh/id_dsa.pub "-p22 gao@10.0.0.4"
The authenticity of host '10.0.0.4 (10.0.0.4)' can't be established.
RSA key fingerprint is cc:1b:7f:cc:a7:61:4f:ab:c3:60:df:f8:3a:17:b8:44.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.0.4' (RSA) to the list of known hosts.
gao@10.0.0.4's password:
Now try logging into the machine, with "ssh '-p22 gao@10.0.0.4'", and check in:

  .ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

[gao@A ~]$ ssh-copy-id -i .ssh/id_dsa.pub gao@10.0.0.5
The authenticity of host '10.0.0.5 (10.0.0.5)' can't be established.
RSA key fingerprint is cc:1b:7f:cc:a7:61:4f:ab:c3:60:df:f8:3a:17:b8:44.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.0.5' (RSA) to the list of known hosts.
gao@10.0.0.5's password:
Now try logging into the machine, with "ssh 'gao@10.0.0.5'", and check in:

  .ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

[gao@A ~]$

Check whether A's public key is now in gao's home directory on B and C:
[gao@B ~]$ ls .ssh/ -l
total 4
-rw-------. 1 gao gao 595 Jul 20 14:07 authorized_keys
[gao@B ~]$

[gao@C ~]$ ls .ssh/
authorized_keys
[gao@C ~]$ ls .ssh/ -l
total 4
-rw-------. 1 gao gao 595 Jul 20 17:02 authorized_keys
[gao@C ~]$

Comparing the two listings shows that when A's public key arrives, both its name and its file permissions change. So if you later copy a public key without ssh-copy-id, you must rename it to authorized_keys and set its permissions to 600, or it will not work.

Once the public key has been sent correctly to B and C, A can batch-distribute to and manage B and C over a single passwordless link. Test it below: from A, read the IP addresses of B and C without a password.

[gao@A ~]$ ssh -p22 gao@10.0.0.4 /sbin/ifconfig eth0|grep 'inet addr'
          inet addr:10.0.0.4  Bcast:10.0.0.255  Mask:255.255.255.0
[gao@A ~]$ ssh -p22 gao@10.0.0.5 /sbin/ifconfig eth0|grep 'inet addr'
          inet addr:10.0.0.5  Bcast:10.0.0.255  Mask:255.255.255.0
[gao@A ~]$ ssh -p22 gao@10.0.0.5 /sbin/ifconfig eth0 | grep 'inet addr'|awk '{print $2}'|awk -F ':' '{print $2}'
10.0.0.5
[gao@A ~]$ ssh -p22 gao@10.0.0.4 /sbin/ifconfig eth0 | grep 'inet addr'|awk '{print $2}'|awk -F ':' '{print $2}'
10.0.0.4

This proves that passwordless distribution works.

Distributing files with a script:
[gao@A ~]$ sh fengfa.sh fengfa.sh
fengfa.sh                                     100%  120     0.1KB/s   00:00
fengfa.sh                                     100%  120     0.1KB/s   00:00
[gao@A ~]$ cat fengfa.sh
if [ $# -ne 1 ]
then
    echo "USAGE:/bin/sh $0 arg1"
    exit 1
fi
for n in 4 5
do
    scp -P22 -rp $1 gao@10.0.0.$n:~/
done
[gao@A ~]$

Batch-managing the servers with a script:
[gao@A ~]$ sh guangli.sh /sbin/ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0C:29:61:34:C0
          inet addr:10.0.0.4  Bcast:10.0.0.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe61:34c0/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:146015 errors:0 dropped:0 overruns:0 frame:0
          TX packets:273645 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:21283373 (20.2 MiB)  TX bytes:16164642 (15.4 MiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:131107 errors:0 dropped:0 overruns:0 frame:0
          TX packets:131107 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:5507564 (5.2 MiB)  TX bytes:5507564 (5.2 MiB)

eth0      Link encap:Ethernet  HWaddr 00:0C:29:04:9C:CB
          inet addr:10.0.0.5  Bcast:10.0.0.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe04:9ccb/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3379 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1738 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:478398 (467.1 KiB)  TX bytes:276437 (269.9 KiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:28 errors:0 dropped:0 overruns:0 frame:0
          TX packets:28 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:4610 (4.5 KiB)  TX bytes:4610 (4.5 KiB)

[gao@A ~]$ cat guangli.sh
if [ $# -ne 1 ]
then
    echo "USAGE:/bin/sh $0 arg1"
    exit 1
fi
for n in 4 5
do
    ssh -p22 gao@10.0.0.$n $1
done
[gao@A ~]$
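The comparison in section 4 shows what ssh-copy-id does on the receiving side: the key lands in ~/.ssh/authorized_keys with mode 600, and ~/.ssh itself (700 in the ls -al -d output) must not be writable by group or others, because sshd with its default StrictModes ignores an authorized_keys file whose directory or file is writable by anyone but the owner. The function below is an added example, not code from the original post, that performs the same installation by hand for the case the text mentions (copying a key without ssh-copy-id): it rejects files that do not look like OpenSSH public keys, creates the directory and file with the required modes, and appends only lines that are not already present so repeated runs stay idempotent. The names install_pubkey and pubkey_perms are chosen here, the key line in the demo is a constructed sample, and stat -c is the GNU coreutils form found on the post's CentOS 6 hosts. One note on the key type: the post generates a 1024-bit DSA key (ssh-dss); OpenSSH has refused DSA keys by default since version 7.0, so on current systems generate an ed25519 or RSA key instead.

```shell
#!/bin/sh
# Added example, not from the original post: install a public key into a
# user's authorized_keys by hand, doing what ssh-copy-id does on the
# receiving side. The names install_pubkey and pubkey_perms are chosen here.
#
# Usage: install_pubkey <pubkey-file> <home-dir>
# Returns 0 on success, 1 if the file is unreadable or is not an OpenSSH public key.
install_pubkey() {
    pubkey="$1"
    home="$2"
    sshdir="$home/.ssh"
    authkeys="$sshdir/authorized_keys"

    if [ ! -r "$pubkey" ]; then
        echo "install_pubkey: cannot read $pubkey" >&2
        return 1
    fi

    # Every non-blank line must look like "<type> <base64> [comment]" for the
    # common key types; otherwise refuse, so a stray file is never appended to
    # the trusted key list.
    if grep -v '^[[:space:]]*$' "$pubkey" \
       | grep -Evq '^(ssh-dss|ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp[0-9]+) [A-Za-z0-9+/=]+( |$)'; then
        echo "install_pubkey: $pubkey does not look like an OpenSSH public key" >&2
        return 1
    fi

    # With StrictModes (the default) sshd ignores authorized_keys when it or
    # ~/.ssh is writable by group or others; 700 and 600 are the usual modes.
    mkdir -p "$sshdir"
    chmod 700 "$sshdir"
    touch "$authkeys"
    chmod 600 "$authkeys"

    # Append only key lines that are not already present, so running this
    # twice (or after ssh-copy-id) does not accumulate duplicates.
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        if ! grep -qxF -- "$line" "$authkeys"; then
            printf '%s\n' "$line" >> "$authkeys"
        fi
    done < "$pubkey"
}

# Print the octal modes of ~/.ssh and ~/.ssh/authorized_keys ("700 600" when
# correct), a quick post-install check for a hand-copied key. stat -c is GNU.
pubkey_perms() {
    d=$(stat -c '%a' "$1/.ssh")
    f=$(stat -c '%a' "$1/.ssh/authorized_keys")
    echo "$d $f"
}

# Demo run on a constructed key file under a temporary home directory.
if [ "$1" = "demo" ]; then
    tmp=$(mktemp -d)
    printf 'ssh-dss AAAAB3NzaC1kc3MAAACBAPexampleConstructedKeyData gao@A\n' > "$tmp/id_dsa.pub"
    install_pubkey "$tmp/id_dsa.pub" "$tmp/home" && pubkey_perms "$tmp/home"
    rm -rf "$tmp"
fi
```

Run it as sh install_pubkey.sh demo to see the "700 600" check on a throwaway directory; for a real user, pass the received id_dsa.pub and that user's home directory while logged in as that user.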

5. Using sudo to distribute files or directories into locations the normal user cannot write

The steps are as follows:
1. Modify /etc/sudoers on every server so that the normal user is allowed to copy into any directory.
2. First send the file to the remote user's home directory.
3. Then use a special form of the ssh command: ssh -t user@IP "sudo command" (remember the -t flag).

Below, the most common production case is used as the example: distributing the hosts file to /etc/hosts on every server. Switch to root on all servers and run the following commands:
echo 'gao ALL=(ALL) NOPASSWD: /bin/cp' >>/etc/sudoers
tail -5 /etc/sudoers
visudo -c

On A, switch to gao (the normal user), send the hosts file to the home directories on B and C, and then use the ssh command to push it into /etc/:
[gao@A ~]$ scp -P22 hosts gao@10.0.0.4:~/
hosts                                         100%  219     0.2KB/s   00:00
[gao@A ~]$ ssh -t -P22 gao@10.0.0.4 "sudo /bin/cp hosts /etc/"
Connection to 10.0.0.4 closed.
[gao@A ~]$
[gao@A ~]$ scp -P22 hosts gao@10.0.0.5:~/
hosts                                         100%  219     0.2KB/s   00:00
[gao@A ~]$ ssh -t -P22 gao@10.0.0.5 "sudo /bin/cp hosts /etc/"
Connection to 10.0.0.5 closed.
[gao@A ~]$

The two commands above can be implemented with the following script:
[gao@A ~]$ vi tfengfa.sh
#!/bin/sh
file="$1"
remotedir="$2"
. /etc/init.d/functions
if [ $# -ne 2 ]
then
    echo "USAGE:/bin/sh $0 file path"
    exit 1
fi
for n in 4 5
do
    scp -P22 -rp $file gao@10.0.0.$n:~/
    ssh -t -p22 gao@10.0.0.$n "sudo /bin/cp ~/$file $remotedir"
    if [ $? -eq 0 ]
    then
        action "scp $file to $remotedir is ok" /bin/true
    else
        action "scp $file to $remotedir is fail" /bin/false
    fi
done

[gao@A ~]$ sh tfengfa.sh hosts /root/
hosts                                         100%  219     0.2KB/s   00:00
Connection to 10.0.0.4 closed.
scp hosts to /root/ is ok                                  [  OK  ]
hosts                                         100%  219     0.2KB/s   00:00
Connection to 10.0.0.5 closed.
scp hosts to /root/ is ok                                  [  OK  ]
[gao@A ~]$

6. Using SUID to distribute files into special directories

On all servers, give the rsync command mode 4755 (u+s):
[root@A ~]# which rsync
/usr/bin/rsync
[root@A ~]# chmod u+s `which rsync`
[root@A ~]# ll `which rsync`
-rwsr-xr-x. 1 root root 415000 Oct 31  2013 /usr/bin/rsync
[root@A ~]#

[root@B ~]# chmod 4755 /usr/bin/rsync
[root@B ~]# ll /usr/bin/rsync
-rwsr-xr-x. 1 root root 415000 Oct 31  2013 /usr/bin/rsync
[root@B ~]#

[root@C ~]# chmod 4755 /usr/bin/rsync
[root@C ~]# ll /usr/bin/rsync
-rwsr-xr-x. 1 root root 415000 Oct 31  2013 /usr/bin/rsync
[root@C ~]#

Send the files to be distributed to the servers' home directories:
[gao@A ~]$ echo asdasdaf >gao.txt
[gao@A ~]$ scp -P22 -rp gao.txt gao@10.0.0.5:~/
gao.txt                                       100%    9     0.0KB/s   00:00
[gao@A ~]$ scp -P22 -rp gao.txt gao@10.0.0.4:~/
gao.txt                                       100%    9     0.0KB/s   00:00

[gao@B ~]$ ll
total 12
-rw-r--r--. 1 gao gao 120 Jul 20 14:22 fengfa.sh
-rw-rw-r--. 1 gao gao   9 Jul 20 18:59 gao.txt
-rw-r--r--. 1 gao gao 219 Jul 20 18:31 hosts
[gao@B ~]$ cat gao.txt
asdasdaf
[gao@B ~]$

[gao@C ~]$ ll
total 88
-rw-r--r--. 1 gao gao   120 Jul 20 14:22 fengfa.sh
-rw-rw-r--. 1 gao gao     9 Jul 20 22:02 gao.txt
-rw-r--r--. 1 gao gao   219 Jul 20 18:31 hosts
-rwxr-xr-x. 1 gao gao 73936 May 10  2012 ifconfig
[gao@C ~]$ cat gao.txt
asdasdaf
[gao@C ~]$

Now ssh and /usr/bin/rsync can be used directly to distribute the file from the home directory into the special directory:
[gao@A ~]$ ssh -p22 gao@10.0.0.5 "/usr/bin/rsync ~/gao.txt /root/"
[gao@A ~]$

[root@B ~]# cat gao.txt
asdasdaf
[root@B ~]#

[gao@A ~]$ ssh -p22 gao@10.0.0.4 "/usr/bin/rsync ~/gao.txt /root/"
[gao@A ~]$

[root@C ~]# ls
anaconda-ks.cfg  gao.txt  hosts  install.log  install.log.syslog
[root@C ~]# cat gao.txt
asdasdaf
[root@C ~]#

Script implementation:
[gao@A ~]$ echo aaaaaaaaa>guo.txt
[gao@A ~]$ sh tfengfa1.sh guo.txt /etc/
guo.txt                                       100%   10     0.0KB/s   00:00
Connection to 10.0.0.4 closed.
scp guo.txt to /etc/ is ok                                 [  OK  ]
guo.txt                                       100%   10     0.0KB/s   00:00
Connection to 10.0.0.5 closed.
scp guo.txt to /etc/ is ok                                 [  OK  ]
[gao@A ~]$
[gao@A ~]$ cat tfengfa1.sh
#!/bin/sh
file="$1"
remotedir="$2"
. /etc/init.d/functions
if [ $# -ne 2 ]
then
    echo "USAGE:/bin/sh $0 file path"
    exit 1
fi
for n in 4 5
do
    scp -P22 -rp $file gao@10.0.0.$n:~/
    ssh -t -p22 gao@10.0.0.$n "/usr/bin/rsync ~/$file $remotedir"
    if [ $? -eq 0 ]
    then
        action "scp $file to $remotedir is ok" /bin/true
    else
        action "scp $file to $remotedir is fail" /bin/false
    fi
done
[gao@A ~]$
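The four scripts on this page (fengfa.sh and guangli.sh in section 4, tfengfa.sh in section 5 and tfengfa1.sh above) share the same shape: a hard-coded host list, unquoted arguments, and an ssh call that will stop and prompt if key login is broken or a host key is unknown, so one bad host stalls the whole run; they also report per host through action but never return a failure code to whoever called them. The script below is an added example, not the author's code, that keeps the scp-then-ssh pattern with those gaps closed: BatchMode=yes makes ssh fail instead of prompting, ConnectTimeout=5 bounds a dead host, StrictHostKeyChecking=yes refuses any host whose key is not already in known_hosts (the ssh-copy-id step in section 4 recorded the lab hosts), every argument is quoted, and each function returns the number of hosts that failed. HOSTS, SSH_USER and SSH_PORT are assumed values matching this lab, and batch_run and batch_copy are names chosen here; the remote step uses the sudo /bin/cp form from section 5, and the comment shows the one-line swap to the set-uid rsync form from section 6.

```shell
#!/bin/sh
# Added example, not the author's scripts: batch run / batch copy over the
# hosts of this lab with failure handling. HOSTS, SSH_USER and SSH_PORT are
# assumed values matching the post (10.0.0.4 and 10.0.0.5, user gao, port 22).
HOSTS="${HOSTS:-10.0.0.4 10.0.0.5}"
SSH_USER="${SSH_USER:-gao}"
SSH_PORT="${SSH_PORT:-22}"
# BatchMode=yes: fail instead of prompting for a password or passphrase, so a
# host where key login is broken cannot hang the run.
# ConnectTimeout=5: give up on a dead host after five seconds.
# StrictHostKeyChecking=yes: refuse a host whose key is not already in
# known_hosts (the ssh-copy-id step in section 4 recorded the lab hosts).
SSH_OPTS="-o BatchMode=yes -o ConnectTimeout=5 -o StrictHostKeyChecking=yes"

# Run one command on every host (the guangli.sh idea). Prints a status line
# per host and returns the number of hosts that failed, 0 when all succeeded.
batch_run() {
    cmd="$1"
    failed=0
    for h in $HOSTS; do
        if ssh $SSH_OPTS -p "$SSH_PORT" "$SSH_USER@$h" "$cmd"; then
            echo "[ OK ] $h: $cmd"
        else
            echo "[FAIL] $h: $cmd"
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Copy a local file to every host's home directory, then move it into the
# target directory with the section-5 sudo /bin/cp step (the tfengfa.sh idea).
# To use the section-6 set-uid rsync instead, replace the remote command with
# "/usr/bin/rsync '$base' '$dest'". Returns the number of hosts that failed,
# or 255 if the local source file cannot be read.
batch_copy() {
    src="$1"
    dest="$2"
    failed=0
    if [ ! -r "$src" ]; then
        echo "batch_copy: cannot read $src" >&2
        return 255
    fi
    base=$(basename "$src")
    for h in $HOSTS; do
        # A non-interactive ssh command starts in the login home directory,
        # so "$base" is exactly the file scp just placed there.
        if scp $SSH_OPTS -P "$SSH_PORT" -p "$src" "$SSH_USER@$h:" \
           && ssh $SSH_OPTS -p "$SSH_PORT" "$SSH_USER@$h" "sudo /bin/cp '$base' '$dest'"; then
            echo "[ OK ] $h: $src -> $dest"
        else
            echo "[FAIL] $h: $src -> $dest"
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Command-line use: sh batch.sh run '<command>' | copy <file> <remote-dir>
case "$1" in
    run)  batch_run "$2" ;;
    copy) batch_copy "$2" "$3" ;;
    "")   ;;
    *)    echo "USAGE: sh $0 run '<command>' | copy <file> <remote-dir>" >&2; exit 1 ;;
esac
```

Because the functions return the failure count, a caller such as cron or a deployment job can tell a partial run from a clean one and retry only the hosts marked FAIL. Two things the page sets up but does not spell out: the sudoers line gao ALL=(ALL) NOPASSWD: /bin/cp lets gao overwrite any file on the target as root, and a set-uid root rsync runs as root for every local user on that host, not only gao; either grant makes the distribution account equivalent to root on every managed server, so its private key, its authorized_keys entries and its logins deserve the same protection and logging as root's.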