SSH 免密码登录—批量分发服务器

SSH 免密码登录——批量分发服务器

需求:nfs服务器兼做批量分发服务器。backup备份服务器、mb01服务为批量分发的客户端。通过NFS服务器讲编辑好的hosts文件批量分发到备份服务器和mb01服务器的、/etc/下。使内网环境可以使用/etc/hosts 文件做正向、反向的域名解析。

由于root具有最大的权限,所以不建议使用root用户进行SSH免密码登录,而是在所有的机器上建立相同的普通用户,通过普通用户的SSH免密码登录,使用scp 命令将hosts文件分发到客户端的该普通用户的家目录下。在各客户端为该普通用户通过sudo对cp赋予提权,才能将该用户家目录下收到的分发文件拷贝到/etc/目录下。

环境:

mb01批量分发客户端服务器:

[root@mb01 ~]# uname -nr

mb01 2.6.32-573.el6.x86_64

[root@mb01 ~]# ifconfig eth1|awk -F "[ :]+" 'NR==2{print $4}'

172.16.1.61

[root@mb01 ~]#

backup 备份服务器

[root@backup ~]# uname -nr

backup 2.6.32-573.el6.x86_64

[root@backup ~]# ifconfig eth1|awk -F "[ :]+" 'NR==2{print $4}'

172.16.1.99

[root@backup ~]#

nfs 服务器

[root@nfs ~]# uname -nr

nfs 2.6.32-573.el6.x86_64

[root@nfs ~]# ifconfig eth1|awk -F "[ :]+" 'NR==2 {print $4}'

172.16.1.66

[root@nfs ~]#

一、在所有的机器中创建分发用户的普通账户 friendship 并通过 sudo 对 friendship 用户使用cp 命令时进行提权。以下操作均为分发服务器上操作,使用 root 用户 ssh 密码验证执行命令。若服务器禁止了 root 远程登录,则需要使用普通用户登录在切换到root。 或单独连接各机器进行配置。

############以下可以整合一条命令行这行(全路径)###########

ssh -p 22 root@172.16.1.66 "/usr/sbin/useradd friendship&&echo '123456'|/usr/bin/passwd --stdin friendship&&echo 'friendship ALL=(ALL) NOPASSWD: /bin/cp'>>/etc/sudoers"

1、在所有机器上创建用户 friendship

useradd friendship

2、给friendship 设置密码:

echo '123456'|/usr/bin/passwd --stdin friendship

3、对friendship用户 sudo 授权

echo 'friendship ALL=(ALL) NOPASSWD: /bin/cp'>>/etc/sudoers

backup 服务器

[root@mb01 ~]# ssh -p 22 root@172.16.1.99 "/usr/sbin/useradd friendship&&echo '123456'|/usr/bin/passwd --stdin friendship&&echo 'friendship ALL=(ALL) NOPASSWD: /bin/cp'>>/etc/sudoers"

The authenticity of host '172.16.1.99 (172.16.1.99)' can't be established.

RSA key fingerprint is 59:90:3c:db:11:3e:99:7a:4f:f6:02:b8:96:ad:4d:f9.

Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added '172.16.1.99' (RSA) to the list of known hosts.

Address 172.16.1.99 maps to bogon, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!

root@172.16.1.99's password:

Changing password for user friendship.

nfs 服务器

[root@mb01 ~]# ssh -p 22 root@172.16.1.66 "/usr/sbin/useradd friendship&&echo '123456'|/usr/bin/passwd --stdin friendship&&echo 'friendship ALL=(ALL) NOPASSWD: /bin/cp'>>/etc/sudoers"

The authenticity of host '172.16.1.66 (172.16.1.66)' can't be established.

RSA key fingerprint is 59:90:3c:db:11:3e:99:7a:4f:f6:02:b8:96:ad:4d:f9.

Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added '172.16.1.66' (RSA) to the list of known hosts.

Address 172.16.1.66 maps to bogon, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!

root@172.16.1.66's password:

Changing password for user friendship.

passwd: all authentication tokens updated successfully.

测试

echo $? 返回值都为0 验证成功

[root@mb01 ~]# ssh -t -p 22 friendship@172.16.1.66 "/bin/echo 'test sudo for friendship'>~/good.txt&&sudo /bin/cp ~/good.txt /etc/;/bin/echo $?"

Address 172.16.1.66 maps to bogon, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!

friendship@172.16.1.66's password:

0

Connection to 172.16.1.66 closed.

[root@mb01 ~]#

[root@mb01 ~]# ssh -t -p 22 friendship@172.16.1.99 "/bin/echo 'test sudo for friendship'>~/good.txt&&sudo /bin/cp ~/good.txt /etc/;/bin/echo $?"

Address 172.16.1.99 maps to bogon, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!

friendship@172.16.1.99's password:

0

Connection to 172.16.1.99 closed.

[root@mb01 ~]#

二、在批量分发服务器上使用 friendship 用户生成密匙对 并将公匙发送到各服务器

1、生成密匙对

[friendship@mb01 ~]$ whoami

friendship

[friendship@mb01 ~]$ ssh-keygen -t dsa

Generating public/private dsa key pair.

Enter file in which to save the key (/home/friendship/.ssh/id_dsa):

Created directory '/home/friendship/.ssh'.

Enter passphrase (empty for no passphrase):

Enter same passphrase again:

Your identification has been saved in /home/friendship/.ssh/id_dsa.

Your public key has been saved in /home/friendship/.ssh/id_dsa.pub.

The key fingerprint is:

64:e4:49:75:74:09:9e:62:77:e2:d0:9b:bc:ff:2a:0b friendship@mb01

The key's randomart image is:

+--[ DSA 1024]----+

| o...+... |

| + . + o. |

| = + * . |

| o . * = |

| S = |

| . |

| E . |

| ... |

| .ooo.|

+-----------------+

[friendship@mb01 ~]$

发送密匙到分发服务器

nfs 服务器

[friendship@mb01 ~]$ ssh-copy-id -i ./.ssh/id_dsa.pub friendship@172.16.1.66

The authenticity of host '172.16.1.66 (172.16.1.66)' can't be established.

RSA key fingerprint is 59:90:3c:db:11:3e:99:7a:4f:f6:02:b8:96:ad:4d:f9.

Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added '172.16.1.66' (RSA) to the list of known hosts.

Address 172.16.1.66 maps to bogon, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!

friendship@172.16.1.66's password:

Now try logging into the machine, with "ssh 'friendship@172.16.1.66'", and check in:

.ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

[friendship@mb01 ~]$

backup 服务器

[friendship@mb01 ~]$ ssh-copy-id -i ./.ssh/id_dsa.pub friendship@172.16.1.99

The authenticity of host '172.16.1.99 (172.16.1.99)' can't be established.

RSA key fingerprint is 59:90:3c:db:11:3e:99:7a:4f:f6:02:b8:96:ad:4d:f9.

Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added '172.16.1.99' (RSA) to the list of known hosts.

Address 172.16.1.99 maps to bogon, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!

friendship@172.16.1.99's password:

Now try logging into the machine, with "ssh 'friendship@172.16.1.99'", and check in:

.ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

[friendship@mb01 ~]$

验证是否能(friendship)用户免密码登陆到各服务器

mb01面密码连接到nfs

[friendship@mb01 ~]$ ssh friendship@172.16.1.66

Address 172.16.1.66 maps to bogon, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!

Last login: Sat May 7 05:44:25 2016 from 172.16.1.61

[friendship@nfs ~]$ ls

good.txt

[friendship@nfs ~]$ cat /etc/ssh/sshd_config

cat: /etc/ssh/sshd_config: Permission denied

[friendship@nfs ~]$ tail -2 /etc/passwd

tcpdump:x:72:72::/:/sbin/nologin

friendship:x:500:500::/home/friendship:/bin/bash

mb01免密码连接到backup

[friendship@mb01 ~]$ ssh friendship@172.16.1.99

Address 172.16.1.99 maps to bogon, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!

Last login: Sat May 7 05:52:00 2016 from 172.16.1.61

[friendship@backup ~]$ ls

good.txt

[friendship@backup ~]$ tail /etc/passwd

dbus:x:81:81:System message bus:/:/sbin/nologin

vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin

abrt:x:173:173::/etc/abrt:/sbin/nologin

haldaemon:x:68:68:HAL daemon:/:/sbin/nologin

ntp:x:38:38::/etc/ntp:/sbin/nologin

saslauth:x:499:76:Saslauthd user:/var/empty/saslauth:/sbin/nologin

postfix:x:89:89::/var/spool/postfix:/sbin/nologin

sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin

tcpdump:x:72:72::/:/sbin/nologin

friendship:x:500:500::/home/friendship:/bin/bash

[friendship@backup ~]$

三、在批量分发服务器mb01 写脚本实现批量分发。使用 friendship 用户

批量分发hosts 文件

1、拷贝一个文件hosts到家目录下 查看hosts内容

cp /etc/hosts .

[friendship@mb01 ~]$ cat hosts

127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4

::1 localhost localhost.localdomain localhost6 localhost6.localdomain6

172.16.1.5 lb01

172.16.1.6 lb02

172.16.1.7 web02

172.16.1.8 web01

172.16.1.51 db01 db01.etiantian.org

172.16.1.31 nfs01

172.16.1.41 backup

172.16.1.61 m01

=========20140708==============

[friendship@mb01 ~]$

2、写脚本 vim fenfa.sh

#!/bin/sh

for n in 66 99

do

echo "==172.16.1.$n=="

scp -P22 hosts 172.16.1.$n:~

done

~

3、执行脚本

[friendship@mb01 ~]$ /bin/sh fenfa.sh

==172.16.1.66==

Address 172.16.1.66 maps to bogon, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!

hosts 100% 384 0.4KB/s 00:00

==172.16.1.99==

Address 172.16.1.99 maps to bogon, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!

hosts 100% 384 0.4KB/s 00:00

fenfa.sh: line 10: /home/friendship: is a directory

fenfa.sh: line 14: command not found

[friendship@mb01 ~]$

4、看分发结果

nfs服务端

[friendship@nfs ~]$ ls

hosts

[friendship@nfs ~]$ cat hosts

127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4

::1 localhost localhost.localdomain localhost6 localhost6.localdomain6

172.16.1.5 lb01

172.16.1.6 lb02

172.16.1.7 web02

172.16.1.8 web01

172.16.1.51 db01 db01.etiantian.org

172.16.1.31 nfs01

172.16.1.41 backup

172.16.1.61 m01

=========20140708==============

[friendship@nfs ~]$

backup服务端

[friendship@backup ~]$ ls

hosts

[friendship@backup ~]$ cat hosts

127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4

::1 localhost localhost.localdomain localhost6 localhost6.localdomain6

172.16.1.5 lb01

172.16.1.6 lb02

172.16.1.7 web02

172.16.1.8 web01

172.16.1.51 db01 db01.etiantian.org

172.16.1.31 nfs01

172.16.1.41 backup

172.16.1.61 m01

=========20140708==============

[friendship@backup ~]$

测试成功 已将hosts文件批量分发到指定服务器的家目录下

wen, zhongjie

发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: