1. What is SSH batch management
Generate a key pair on the management host and push its public key to every server that needs to be managed; after that, scp and ssh can operate on those servers without entering a password.
Lock = public key, key = private key
Ways the SSH key scheme is set up in practice:
1) Use the root account's SSH key directly.
Prerequisite: the system allows root to log in over SSH.
2) Use sudo privilege escalation so that an unprivileged user can copy files into place.
Lab environment:
hostname   ip            description
m01        172.16.1.61   management host
web01      172.16.1.7    managed
nfs        172.16.1.31   managed
backup     172.16.1.41   managed
All machines run the same system environment:
[root@m01 /]# cat /etc/redhat-release
CentOS Linux release 7.5.1804 (Core)
[root@m01 /]# uname -r
3.10.0-862.el7.x86_64
1.1 Create the ordinary user and its password on all servers
useradd xiaoli
echo "123456" | passwd --stdin xiaoli
id xiaoli
su - xiaoli    #<== switch to the xiaoli user on every host
1.2 Generate the key pair on m01
# Use the xiaoli user to create the private key and distribute the public key
[xiaoli@m01 ~]$ ssh-keygen -t dsa    #<== generate the key pair (press Enter at every prompt)
Generating public/private dsa key pair.
Enter file in which to save the key (/home/xiaoli/.ssh/id_dsa):
Created directory '/home/xiaoli/.ssh'.    #<== directory where the private key is stored
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/xiaoli/.ssh/id_dsa.
Your public key has been saved in /home/xiaoli/.ssh/id_dsa.pub.
The key fingerprint is:
SHA256:/UtUhhM++KSQH9OgJyP+MCRz+LhdYfRt/r6384aVLzU xiaoli@m01
The key's randomart image is:
+---[DSA 1024]----+
| . . . |
| . . + * o |
| + + O * X o |
| O o O O= |
| . = S + + .|
| o = o . Eo|
| . . . o .+o|
| . oo.+|
| . o*=|
+----[SHA256]-----+
[xiaoli@m01 ~]$ pwd
/home/xiaoli
[xiaoli@m01 ~]$ ls .ssh/
id_dsa  id_dsa.pub
[xiaoli@m01 ~]$ ll .ssh/
total 8
-rw------- 1 xiaoli xiaoli 672 Nov  5 20:57 id_dsa        #<== private key
-rw-r--r-- 1 xiaoli xiaoli 600 Nov  5 20:57 id_dsa.pub    #<== public key
1.3 The management host distributes the public key to the clients
Push the public key from the management host to backup
[xiaoli@m01 ~]$ ssh-copy-id -i .ssh/id_dsa.pub xiaoli@172.16.1.41
/bin/ssh-copy-id: INFO: Source of key(s) to be installed: ".ssh/id_dsa.pub"
The authenticity of host '172.16.1.41 (172.16.1.41)' can't be established.
ECDSA key fingerprint is SHA256:9mwPu7qxdn4iuw1GFz5nXmBdpXKRoj0D8dhDo6sp9XQ.
ECDSA key fingerprint is MD5:d2:35:47:86:60:b5:97:16:3f:26:4c:91:78:3a:02:2a.
Are you sure you want to continue connecting (yes/no)? yes
/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
xiaoli@172.16.1.41's password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'xiaoli@172.16.1.41'"
and check to make sure that only the key(s) you wanted were added.

# On backup, check whether the public key arrived
[xiaoli@backup ~]$ ls .ssh/
authorized_keys
# The file name .ssh/authorized_keys is the default; it is set by AuthorizedKeysFile in /etc/ssh/sshd_config
[root@backup backup]$ grep authorized_keys /etc/ssh/sshd_config | egrep -v "^#"
AuthorizedKeysFile      .ssh/authorized_keys
Push the public key from the management host to nfs
[xiaoli@m01 ~]$ ssh-copy-id -i .ssh/id_dsa.pub xiaoli@172.16.1.31
/bin/ssh-copy-id: INFO: Source of key(s) to be installed: ".ssh/id_dsa.pub"
The authenticity of host '172.16.1.31 (172.16.1.31)' can't be established.
ECDSA key fingerprint is SHA256:9mwPu7qxdn4iuw1GFz5nXmBdpXKRoj0D8dhDo6sp9XQ.
ECDSA key fingerprint is MD5:d2:35:47:86:60:b5:97:16:3f:26:4c:91:78:3a:02:2a.
Are you sure you want to continue connecting (yes/no)? yes
/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
xiaoli@172.16.1.31's password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'xiaoli@172.16.1.31'"
and check to make sure that only the key(s) you wanted were added.

# On nfs, check whether the public key arrived
[xiaoli@nfs ~]$ ls -l .ssh/
total 4
-rw------- 1 xiaoli xiaoli 600 Nov  5 21:16 authorized_keys
Push the public key from the management host to web01
[xiaoli@m01 ~]$ ssh-copy-id -i .ssh/id_dsa.pub xiaoli@172.16.1.7
/bin/ssh-copy-id: INFO: Source of key(s) to be installed: ".ssh/id_dsa.pub"
The authenticity of host '172.16.1.7 (172.16.1.7)' can't be established.
ECDSA key fingerprint is SHA256:9mwPu7qxdn4iuw1GFz5nXmBdpXKRoj0D8dhDo6sp9XQ.
ECDSA key fingerprint is MD5:d2:35:47:86:60:b5:97:16:3f:26:4c:91:78:3a:02:2a.
Are you sure you want to continue connecting (yes/no)? yes
/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
xiaoli@172.16.1.7's password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'xiaoli@172.16.1.7'"
and check to make sure that only the key(s) you wanted were added.

# On web01, check whether the public key arrived
[xiaoli@web01 ~]$ ls -l .ssh/
total 4
-rw------- 1 xiaoli xiaoli 600 Nov  5 21:20 authorized_keys
1.4 Batch retrieval of parameters from the management host
Look at one client's IP address on its own; if the SSH port is 22, no -p option is needed
[xiaoli@m01 ~]$ ssh xiaoli@172.16.1.31 /sbin/ifconfig ens33
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.0.31  netmask 255.255.255.0  broadcast 10.0.0.255
        inet6 fe80::7ef6:6b6b:fba4:c66c  prefixlen 64  scopeid 0x20<link>
        inet6 fe80::f15a:916:1ee7:65e9  prefixlen 64  scopeid 0x20<link>
        ether 00:50:56:20:de:ec  txqueuelen 1000  (Ethernet)
        RX packets 68059  bytes 50182137 (47.8 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 32722  bytes 6712416 (6.4 MiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
# Notice that running ssh no longer asks for a password
Create a script to view the IP addresses of the three clients
[xiaoli@m01 ~]$ mkdir seripts
[xiaoli@m01 ~]$ cd seripts
[xiaoli@m01 seripts]$ cat view_ip.sh
#!/bin/bash
# arrays and the (( )) loop are bash features, so the interpreter is bash rather than POSIX sh
User=xiaoli
Ip=(172.16.1.7
172.16.1.31
172.16.1.41
)
for ((i=0;i<${#Ip[*]};i++))
do
    ssh ${User}@${Ip[$i]} /sbin/ifconfig ens33
done
# Run the script
[xiaoli@m01 seripts]$ sh view_ip.sh
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.0.7  netmask 255.255.255.0  broadcast 10.0.0.255
        inet6 fe80::7ef6:6b6b:fba4:c66c  prefixlen 64  scopeid 0x20<link>
        inet6 fe80::b85a:6444:fdc7:90ef  prefixlen 64  scopeid 0x20<link>
        inet6 fe80::f15a:916:1ee7:65e9  prefixlen 64  scopeid 0x20<link>
        ether 00:50:56:32:88:be  txqueuelen 1000  (Ethernet)
        RX packets 11633  bytes 2805754 (2.6 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 6003  bytes 1047269 (1022.7 KiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.0.31  netmask 255.255.255.0  broadcast 10.0.0.255
        inet6 fe80::7ef6:6b6b:fba4:c66c  prefixlen 64  scopeid 0x20<link>
        inet6 fe80::f15a:916:1ee7:65e9  prefixlen 64  scopeid 0x20<link>
        ether 00:50:56:20:de:ec  txqueuelen 1000  (Ethernet)
        RX packets 68065  bytes 50182545 (47.8 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 32726  bytes 6712704 (6.4 MiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.0.41  netmask 255.255.255.0  broadcast 10.0.0.255
        inet6 fe80::7ef6:6b6b:fba4:c66c  prefixlen 64  scopeid 0x20<link>
        inet6 fe80::b85a:6444:fdc7:90ef  prefixlen 64  scopeid 0x20<link>
        inet6 fe80::f15a:916:1ee7:65e9  prefixlen 64  scopeid 0x20<link>
        ether 00:50:56:21:a4:2a  txqueuelen 1000  (Ethernet)
        RX packets 123357  bytes 15582283 (14.8 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 130534  bytes 11862139 (11.3 MiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
The output above is the sign of success: every machine is reached and operated on without a password prompt.
1.5 Batch file distribution with scp
Set up sudo as root on every server
# Switch to root and grant xiaoli permission to run the rsync command via sudo
echo "xiaoli ALL=(ALL) NOPASSWD:/usr/bin/rsync" >> /etc/sudoers
visudo -c
Copy /etc/hosts into xiaoli's home directory and edit the hosts file
[xiaoli@m01 ~]$ cp /etc/hosts .
[xiaoli@m01 ~]$ tail -5 hosts
172.16.1.7 web01
172.16.1.41 backup
172.16.1.31 nfs
172.16.1.51 m01
################2018-11-5################
Distribute the hosts file with a script
[xiaoli@m01 ~]$ cat seripts/fenfa_file.sh
#!/bin/bash
# arrays and the (( )) loop are bash features, so the interpreter is bash rather than POSIX sh
User=xiaoli
Ip=(172.16.1.7 172.16.1.31 172.16.1.41)
for ((i=0;i<${#Ip[*]};i++))
do
    scp ~/hosts ${User}@${Ip[$i]}:~
    ssh -t ${User}@${Ip[$i]} sudo rsync ~/hosts /etc/hosts
done
# Run the batch distribution script
[xiaoli@m01 seripts]$ sh fenfa_file.sh
hosts                                    100%  268   245.5KB/s   00:00
Connection to 172.16.1.7 closed.
hosts                                    100%  268    47.6KB/s   00:00
Connection to 172.16.1.31 closed.
hosts                                    100%  268   295.1KB/s   00:00
Connection to 172.16.1.41 closed.
Check the result on a client
# Using the backup client as an example:
[xiaoli@backup ~]$ tail -5 /etc/hosts
172.16.1.7 web01
172.16.1.41 backup
172.16.1.31 nfs
172.16.1.51 m01
################2018-11-5################
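The two loops above (view_ip.sh and fenfa_file.sh) treat every host as successful, and fenfa_file.sh never checks that /etc/hosts actually changed. As an added example that is not part of the original post, the script below redoes the distribution step with BatchMode (a missing or rejected key fails fast instead of hanging at a password prompt), strict host-key checking, per-host status and a SHA-256 comparison of the installed file. It assumes the sudoers entry is narrowed to `xiaoli ALL=(ALL) NOPASSWD:/usr/bin/rsync /home/xiaoli/hosts /etc/hosts` rather than bare `/usr/bin/rsync`, because an unrestricted rsync under NOPASSWD can write any file as root.

```shell
#!/bin/sh
# Added example (not from the original post): push one file to every managed host and
# verify it landed. Differences from fenfa_file.sh: BatchMode, strict host-key checking,
# per-host status, a non-zero exit when any host failed, and a checksum check after the copy.
# Assumes the sudoers rule is narrowed to the exact command line sudo will see:
#   xiaoli ALL=(ALL) NOPASSWD:/usr/bin/rsync /home/xiaoli/hosts /etc/hosts
SSH=${SSH:-ssh}   # overridable so the functions can be exercised without a network
SCP=${SCP:-scp}
SSH_OPTS="-o BatchMode=yes -o StrictHostKeyChecking=yes -o ConnectTimeout=5"

# push_file USER HOST SRC DEST: copy SRC to HOST, install it at DEST via sudo rsync,
# then compare SHA-256 digests. Returns 0 only when the remote copy matches.
push_file() {
    local user="$1" host="$2" src="$3" dest="$4" name local_sum remote_sum
    name=$(basename "$src")
    local_sum=$(sha256sum "$src" | cut -d' ' -f1)
    $SCP $SSH_OPTS "$src" "$user@$host:~/" || return 1
    # ~ expands on the remote side, so sudo sees /home/$user/$name, matching the rule
    $SSH $SSH_OPTS "$user@$host" "sudo /usr/bin/rsync ~/$name $dest" || return 1
    remote_sum=$($SSH $SSH_OPTS "$user@$host" "sha256sum $dest" | cut -d' ' -f1)
    [ -n "$remote_sum" ] && [ "$remote_sum" = "$local_sum" ]
}

# push_all USER HOST_FILE SRC DEST: HOST_FILE lists one host per line ('#' comments allowed).
# Prints OK/FAIL per host; the return value is the number of failed hosts (0 = all good).
push_all() {
    local user="$1" host_file="$2" src="$3" dest="$4" host failed=0
    while read -r host _ || [ -n "$host" ]; do
        case $host in ''|\#*) continue ;; esac
        if push_file "$user" "$host" "$src" "$dest"; then
            echo "OK   $host"
        else
            echo "FAIL $host"
            failed=$((failed + 1))
        fi
    done < "$host_file"
    return $failed
}

# usage: sh push_hosts.sh xiaoli hosts.txt ~/hosts /etc/hosts
if [ $# -eq 4 ]; then
    push_all "$@"
fi
```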
Extension: use rsync over the SSH channel for incremental, encrypted transfer
# the trailing ":" makes the destination a remote path; without it rsync writes a local file named after the host
[xiaoli@m01 ~]$ rsync -avz hosts -e 'ssh -p 22' xiaoli@172.16.1.41:
sending incremental file list
hosts

sent 214 bytes  received 35 bytes  498.00 bytes/sec
total size is 268  speedup is 1.08
Source: http://blog.51cto.com/12643266/2314340