1. What is SSH batch management
Generate a public/private key pair on the management host and push the public key to every server that needs to be managed; from then on scp and ssh commands against those servers work without entering a password.
Lock = public key, key = private key.
How the SSH scheme is implemented in enterprises:
1) Direct root SSH key.
Condition: the system allows root to log in over SSH.
2) sudo privilege escalation, so that an unprivileged user can copy files into place.
Lab environment:

hostname | ip | description
---|---|---
m01 | 172.16.1.61 | management host
web01 | 172.16.1.7 | managed
nfs | 172.16.1.31 | managed
backup | 172.16.1.41 | managed
All machines run the same OS environment:

```
[root@m01 /]# cat /etc/redhat-release
CentOS Linux release 7.5.1804 (Core)
[root@m01 /]# uname -r
3.10.0-862.el7.x86_64
```
1.1 Create the ordinary user and its password on all servers

```
useradd xiaoli
echo "123456" | passwd --stdin xiaoli
id xiaoli
su - xiaoli   #<== switch to the xiaoli user on every machine
```
1.2 Generate the key pair on m01

```
# create the private key as the xiaoli user, and distribute the public key as that user too
[xiaoli@m01 ~]$ ssh-keygen -t dsa   #<== generate the private key (press Enter at every prompt)
Generating public/private dsa key pair.
Enter file in which to save the key (/home/xiaoli/.ssh/id_dsa):
Created directory '/home/xiaoli/.ssh'.   #<== directory where the private key is stored
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/xiaoli/.ssh/id_dsa.
Your public key has been saved in /home/xiaoli/.ssh/id_dsa.pub.
The key fingerprint is:
SHA256:/UtUhhM++KSQH9OgJyP+MCRz+LhdYfRt/r6384aVLzU xiaoli@m01
The key's randomart image is:
+---[DSA 1024]----+
| . . . |
| . . + * o |
| + + O * X o |
| O o O O = |
| . = S + + .|
| o = o . Eo|
| . . . o .+o|
| . oo.+|
| . o*=|
+----[SHA256]-----+
[xiaoli@m01 ~]$ pwd
/home/xiaoli
[xiaoli@m01 ~]$ ls .ssh/
id_dsa  id_dsa.pub
[xiaoli@m01 ~]$ ll .ssh/
total 8
-rw------- 1 xiaoli xiaoli 672 Nov  5 20:57 id_dsa       #<== private key
-rw-r--r-- 1 xiaoli xiaoli 600 Nov  5 20:57 id_dsa.pub   #<== public key
```
1.3 Distribute the public key from the management host to the clients

Push the public key from the management host to backup:

```
[xiaoli@m01 ~]$ ssh-copy-id -i .ssh/id_dsa.pub xiaoli@172.16.1.41
/bin/ssh-copy-id: INFO: Source of key(s) to be installed: ".ssh/id_dsa.pub"
The authenticity of host '172.16.1.41 (172.16.1.41)' can't be established.
ECDSA key fingerprint is SHA256:9mwPu7qxdn4iuw1GFz5nXmBdpXKRoj0D8dhDo6sp9XQ.
ECDSA key fingerprint is MD5:d2:35:47:86:60:b5:97:16:3f:26:4c:91:78:3a:02:2a.
Are you sure you want to continue connecting (yes/no)? yes
/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
xiaoli@172.16.1.41's password:
Number of key(s) added: 1
Now try logging into the machine, with:   "ssh 'xiaoli@172.16.1.41'"
and check to make sure that only the key(s) you wanted were added.

# on backup, check that the public key arrived
[xiaoli@backup ~]$ ls .ssh/authorized_keys
.ssh/authorized_keys
# .ssh/authorized_keys is the default file name; it is set by the AuthorizedKeysFile option in /etc/ssh/sshd_config
[root@backup backup]$ grep authorized_keys /etc/ssh/sshd_config | egrep -v "^#"
AuthorizedKeysFile .ssh/authorized_keys
```

Push the public key from the management host to nfs:

```
[xiaoli@m01 ~]$ ssh-copy-id -i .ssh/id_dsa.pub xiaoli@172.16.1.31
/bin/ssh-copy-id: INFO: Source of key(s) to be installed: ".ssh/id_dsa.pub"
The authenticity of host '172.16.1.31 (172.16.1.31)' can't be established.
ECDSA key fingerprint is SHA256:9mwPu7qxdn4iuw1GFz5nXmBdpXKRoj0D8dhDo6sp9XQ.
ECDSA key fingerprint is MD5:d2:35:47:86:60:b5:97:16:3f:26:4c:91:78:3a:02:2a.
Are you sure you want to continue connecting (yes/no)? yes
/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
xiaoli@172.16.1.31's password:
Number of key(s) added: 1
Now try logging into the machine, with:   "ssh 'xiaoli@172.16.1.31'"
and check to make sure that only the key(s) you wanted were added.

# on nfs, check that the public key arrived
[xiaoli@nfs ~]$ ls -l .ssh/
total 4
-rw------- 1 xiaoli xiaoli 600 Nov  5 21:16 authorized_keys
```

Push the public key from the management host to web01:

```
[xiaoli@m01 ~]$ ssh-copy-id -i .ssh/id_dsa.pub xiaoli@172.16.1.7
/bin/ssh-copy-id: INFO: Source of key(s) to be installed: ".ssh/id_dsa.pub"
The authenticity of host '172.16.1.7 (172.16.1.7)' can't be established.
ECDSA key fingerprint is SHA256:9mwPu7qxdn4iuw1GFz5nXmBdpXKRoj0D8dhDo6sp9XQ.
ECDSA key fingerprint is MD5:d2:35:47:86:60:b5:97:16:3f:26:4c:91:78:3a:02:2a.
Are you sure you want to continue connecting (yes/no)? yes
/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
xiaoli@172.16.1.7's password:
Number of key(s) added: 1
Now try logging into the machine, with:   "ssh 'xiaoli@172.16.1.7'"
and check to make sure that only the key(s) you wanted were added.

# on web01, check that the public key arrived
[xiaoli@web01 ~]$ ls -l .ssh/
total 4
-rw------- 1 xiaoli xiaoli 600 Nov  5 21:20 authorized_keys
```
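ssh-copy-id ends every push with the advice to check that only the key(s) you wanted were added. The following added example, which is not part of the original post, turns that check into a small audit function to run on each managed host: it verifies the 700/600 permissions that ssh-copy-id leaves on ~/.ssh and authorized_keys, and reports every entry in authorized_keys that is not the key pushed from the management host. It assumes GNU coreutils stat (`-c '%a'`); the sample key material in the usage below is constructed and uses ed25519 rather than the page's DSA, because OpenSSH has disabled DSA keys by default since version 7.0.

```shell
#!/bin/sh
# Added example (not from the original post): audit one user's authorized_keys.
# Usage: audit_authorized_keys ~/.ssh /path/to/pushed_key.pub
# Returns 0 when permissions are right and only the pushed key is present,
# 1 when something needs attention, 2 when the files cannot be read.
# Assumes GNU coreutils stat (-c '%a' prints the octal mode).
audit_authorized_keys() {
    dir=$1
    expected=$2
    ak="$dir/authorized_keys"
    rc=0

    # sshd (StrictModes yes, the default) ignores keys in a group- or world-writable
    # directory or file; 700/600 is what ssh-copy-id creates, so anything looser is reported.
    dmode=$(stat -c '%a' "$dir") || return 2
    [ "$dmode" = "700" ] || { echo "WARN: $dir mode is $dmode, expected 700"; rc=1; }
    fmode=$(stat -c '%a' "$ak") || return 2
    [ "$fmode" = "600" ] || { echo "WARN: $ak mode is $fmode, expected 600"; rc=1; }

    # Compare key type and base64 blob only; the trailing comment is free text.
    # A line that starts with options ("from=...", "command=...") or carries a key
    # that was never pushed is reported for manual review.
    while read -r ktype kdata _; do
        case "$ktype" in ''|'#'*) continue ;; esac
        if ! awk -v t="$ktype" -v d="$kdata" \
                '$1 == t && $2 == d { found = 1 } END { exit !found }' "$expected"; then
            printf 'WARN: unexpected entry in %s: %s %.16s...\n' "$ak" "$ktype" "$kdata"
            rc=1
        fi
    done < "$ak"
    return "$rc"
}

# Constructed usage (the key below is not a real key):
#   printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5EXAMPLE xiaoli@m01\n' > /tmp/pushed.pub
#   audit_authorized_keys ~/.ssh /tmp/pushed.pub && echo clean
```

Run it on each managed host after the push (for instance through the same ssh loop the page builds in the next section); a non-zero exit is the signal to open the file and look.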
1.4 Collect parameters in bulk from the management host

Query the IP address of a single client first; when sshd listens on port 22 there is no need to add -p:

```
[xiaoli@m01 ~]$ ssh xiaoli@172.16.1.31 /sbin/ifconfig ens33
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.0.31  netmask 255.255.255.0  broadcast 10.0.0.255
        inet6 fe80::7ef6:6b6b:fba4:c66c  prefixlen 64  scopeid 0x20<link>
        inet6 fe80::f15a:916:1ee7:65e9  prefixlen 64  scopeid 0x20<link>
        ether 00:50:56:20:de:ec  txqueuelen 1000  (Ethernet)
        RX packets 68059  bytes 50182137 (47.8 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 32722  bytes 6712416 (6.4 MiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
# notice that ssh now runs without asking for a password
```
Write a script that shows the IP addresses of all three clients:

```
[xiaoli@m01 ~]$ mkdir seripts
[xiaoli@m01 ~]$ cd seripts
[xiaoli@m01 seripts]$ cat view_ip.sh
```

```sh
#!/bin/bash
# arrays and the C-style for loop are bash features (on CentOS, sh is bash)
User=xiaoli
Ip=(
172.16.1.7
172.16.1.31
172.16.1.41
)
# loop over every address in the array and run ifconfig on that host
for ((i=0;i<${#Ip[*]};i++))
do
    ssh ${User}@${Ip[$i]} /sbin/ifconfig ens33
done
```

```
# run the script
[xiaoli@m01 seripts]$ sh view_ip.sh
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.0.7  netmask 255.255.255.0  broadcast 10.0.0.255
        inet6 fe80::7ef6:6b6b:fba4:c66c  prefixlen 64  scopeid 0x20<link>
        inet6 fe80::b85a:6444:fdc7:90ef  prefixlen 64  scopeid 0x20<link>
        inet6 fe80::f15a:916:1ee7:65e9  prefixlen 64  scopeid 0x20<link>
        ether 00:50:56:32:88:be  txqueuelen 1000  (Ethernet)
        RX packets 11633  bytes 2805754 (2.6 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 6003  bytes 1047269 (1022.7 KiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.0.31  netmask 255.255.255.0  broadcast 10.0.0.255
        inet6 fe80::7ef6:6b6b:fba4:c66c  prefixlen 64  scopeid 0x20<link>
        inet6 fe80::f15a:916:1ee7:65e9  prefixlen 64  scopeid 0x20<link>
        ether 00:50:56:20:de:ec  txqueuelen 1000  (Ethernet)
        RX packets 68065  bytes 50182545 (47.8 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 32726  bytes 6712704 (6.4 MiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.0.41  netmask 255.255.255.0  broadcast 10.0.0.255
        inet6 fe80::7ef6:6b6b:fba4:c66c  prefixlen 64  scopeid 0x20<link>
        inet6 fe80::b85a:6444:fdc7:90ef  prefixlen 64  scopeid 0x20<link>
        inet6 fe80::f15a:916:1ee7:65e9  prefixlen 64  scopeid 0x20<link>
        ether 00:50:56:21:a4:2a  txqueuelen 1000  (Ethernet)
        RX packets 123357  bytes 15582283 (14.8 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 130534  bytes 11862139 (11.3 MiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
```

The output above is the success marker: every machine is reached and can be operated without a password prompt.
1.5 Distribute files in bulk with scp

Configure sudo as root on each server:

```
# switch to root and grant the xiaoli user the right to run the rsync command
echo "xiaoli ALL=(ALL) NOPASSWD:/usr/bin/rsync" >> /etc/sudoers
visudo -c   # check the sudoers syntax
```

Copy /etc/hosts into the home directory of xiaoli and edit its contents:

```
[xiaoli@m01 ~]$ cp /etc/hosts .
[xiaoli@m01 ~]$ tail -5 hosts
172.16.1.7   web01
172.16.1.41  backup
172.16.1.31  nfs
172.16.1.51  m01
################2018-11-5################
```
Use a script to distribute the hosts file in bulk:

```
[xiaoli@m01 ~]$ cat seripts/fenfa_file.sh
```

```sh
#!/bin/bash
User=xiaoli
Ip=(
172.16.1.7
172.16.1.31
172.16.1.41
)
for ((i=0;i<${#Ip[*]};i++))
do
    # copy the file into the user's home, then install it with the sudo rsync rule
    scp ~/hosts ${User}@${Ip[$i]}:~
    ssh -t ${User}@${Ip[$i]} sudo rsync ~/hosts /etc/hosts
done
```

```
# run the batch distribution script
[xiaoli@m01 seripts]$ sh fenfa_file.sh
hosts                                         100%  268   245.5KB/s   00:00
Connection to 172.16.1.7 closed.
hosts                                         100%  268    47.6KB/s   00:00
Connection to 172.16.1.31 closed.
hosts                                         100%  268   295.1KB/s   00:00
Connection to 172.16.1.41 closed.
```

Check the result on the clients:

```
# the backup client is shown as the example:
[xiaoli@backup ~]$ tail -5 /etc/hosts
172.16.1.7   web01
172.16.1.41  backup
172.16.1.31  nfs
172.16.1.51  m01
################2018-11-5################
```
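The loop above works, but it hangs on a password or host-key prompt if a key was not pushed correctly, carries on after a failed copy, and never confirms that the file installed on the target matches the one on m01. The following added example, which is not the author's script, reworks fenfa_file.sh around those three points: ssh runs in BatchMode with strict host-key checking so a problem fails fast instead of prompting, the host list comes from a file instead of being hard-coded, and every host is verified by comparing the SHA-256 of the installed file with the local copy. It assumes the page's NOPASSWD sudo rule for /usr/bin/rsync is in place and that sudoers does not set `Defaults requiretty` (the page's `ssh -t` is dropped so the script can run unattended, from cron included). SSH_BIN and SCP_BIN are hypothetical variables that let the function be exercised offline with stubs. Keep in mind that the page's sudo rule allows rsync to overwrite any file as root, so the management host's private key and the files it distributes deserve the same protection as root credentials.

```shell
#!/bin/sh
# Added example (not the author's script): hardened batch file distribution.
# Assumes the xiaoli user has the page's NOPASSWD sudo rule for /usr/bin/rsync
# and that its public key is already installed on every target.
# SSH_BIN / SCP_BIN are hypothetical knobs so the function can be tested offline.
SSH_BIN=${SSH_BIN:-ssh}
SCP_BIN=${SCP_BIN:-scp}
# BatchMode=yes: fail instead of prompting for a password or an unknown host key.
# StrictHostKeyChecking=yes: refuse hosts not already in known_hosts rather than trusting blindly.
# ConnectTimeout: do not hang on an unreachable host.
SSH_OPTS="-o BatchMode=yes -o ConnectTimeout=5 -o StrictHostKeyChecking=yes"

# distribute_file USER HOSTFILE SRC DEST
# HOSTFILE holds one target per line as "ip [comment]"; blank lines and '#' lines are skipped.
# For each host: scp SRC into the user's home, install it to DEST with sudo rsync,
# then compare the SHA-256 of DEST on the host with the local copy.
# Prints one status line per host and returns the number of failed hosts.
distribute_file() {
    user=$1; hostfile=$2; src=$3; dest=$4
    name=$(basename "$src")
    want=$(sha256sum "$src" | cut -d' ' -f1)
    failed=0
    while read -r host _; do
        case "$host" in ''|'#'*) continue ;; esac
        # $SSH_OPTS is unquoted on purpose so it splits into separate options.
        # </dev/null keeps ssh/scp from swallowing the rest of HOSTFILE on stdin.
        if ! "$SCP_BIN" $SSH_OPTS -q "$src" "$user@$host:~/$name" </dev/null; then
            echo "FAIL $host: scp"
            failed=$((failed + 1))
            continue
        fi
        # && means a failed rsync yields an empty checksum, which is reported as a mismatch
        got=$("$SSH_BIN" $SSH_OPTS "$user@$host" \
              "sudo rsync ~/$name $dest && sha256sum $dest | cut -d' ' -f1" </dev/null)
        if [ "$got" = "$want" ]; then
            echo "OK   $host"
        else
            echo "FAIL $host: checksum mismatch (got '$got')"
            failed=$((failed + 1))
        fi
    done < "$hostfile"
    return "$failed"
}

# Usage, with a hosts list of the same "ip name" shape as the page's hosts file:
#   distribute_file xiaoli ~/targets.txt ~/hosts /etc/hosts || echo "$? host(s) failed"
```

The exit status is the failure count, so the call can be chained into alerting; a host that returns an unexpected checksum is worth a look even when rsync itself reported success.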
Extension: use rsync over the ssh channel for incremental, encrypted transfers:

```
# the ':' after the host is what makes this a remote copy; without it rsync writes a local file named xiaoli@172.16.1.41
[xiaoli@m01 ~]$ rsync -avz hosts -e 'ssh -p 22' xiaoli@172.16.1.41:~
sending incremental file list
hosts

sent 214 bytes  received 35 bytes  498.00 bytes/sec
total size is 268  speedup is 1.08
```

Source: http://blog.51cto.com/12643266/2314340