1、What is SSH batch management
Generate a key pair on the management host, then push its public key to every server that needs to be managed; from then on scp and ssh reach those servers without a password prompt.


Lock = public key, key = private key: the lock is installed on every managed server, the key stays on the management host only.

Ways to implement this in a company:
1) Use root's own SSH key directly.
Requirement: sshd on the managed servers allows root logins (PermitRootLogin). The management host's private key is then root on every server, so it must be protected accordingly.
2) Log in as an unprivileged user and use sudo to escalate only for the copy step that needs root.


Lab environment:

hostname   ip            role
m01        172.16.1.61   management host
web01      172.16.1.7    managed
nfs        172.16.1.31   managed
backup     172.16.1.41   managed

All machines run the same OS:

[root@m01 /]# cat /etc/redhat-release
CentOS Linux release 7.5.1804 (Core)
[root@m01 /]# uname -r
3.10.0-862.el7.x86_64

1.1 Create the ordinary user and its password on every server

useradd xiaoli
echo "123456" |passwd --stdin xiaoli    #<== lab password only; use a strong one outside the lab
id xiaoli
su - xiaoli    #<== switch to the xiaoli user on every machine from here on

1.2 Generate the key pair on m01
# Generate the private key as the xiaoli user, and distribute the public key as xiaoli as well

[xiaoli@m01 ~]$ ssh-keygen -t dsa    #<== generate the key pair (press Enter at every prompt)
Generating public/private dsa key pair.
Enter file in which to save the key (/home/xiaoli/.ssh/id_dsa):
Created directory '/home/xiaoli/.ssh'.    #<== directory that holds the private key
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/xiaoli/.ssh/id_dsa.
Your public key has been saved in /home/xiaoli/.ssh/id_dsa.pub.
The key fingerprint is:
SHA256:/UtUhhM++KSQH9OgJyP+MCRz+LhdYfRt/r6384aVLzU xiaoli@m01
The key's randomart image is:
+---[DSA 1024]----+
|      . . .      |
|     . . + * o   |
|    + + O * X o  |
|     O o O O =   |
|    . = S + + . .|
|     o = o .   Eo|
|    . . . o   .+o|
|         . oo.+  |
|          . o*=  |
+----[SHA256]-----+
[xiaoli@m01 ~]$ pwd
/home/xiaoli
[xiaoli@m01 ~]$ ls .ssh/
id_dsa  id_dsa.pub
[xiaoli@m01 ~]$ ll .ssh/
total 8
-rw------- 1 xiaoli xiaoli 672 Nov 5 20:57 id_dsa        #<== private key (mode 0600; it never leaves m01)
-rw-r--r-- 1 xiaoli xiaoli 600 Nov 5 20:57 id_dsa.pub    #<== public key (this is what gets distributed)

Note: DSA keys are fixed at 1024 bits and have been deprecated in OpenSSH since 7.0; the command only works here because the CentOS 7 build still accepts ssh-dss. On a new deployment use `ssh-keygen -t ed25519` (or `-t rsa -b 4096`), and for a key that opens every server consider a passphrase plus ssh-agent instead of an empty passphrase.

1.3 Distribute the public key from the management host to the clients
Push the public key to backup

[xiaoli@m01 ~]$ ssh-copy-id -i .ssh/id_dsa.pub xiaoli@172.16.1.41
/bin/ssh-copy-id: INFO: Source of key(s) to be installed: ".ssh/id_dsa.pub"
The authenticity of host '172.16.1.41 (172.16.1.41)' can't be established.
ECDSA key fingerprint is SHA256:9mwPu7qxdn4iuw1GFz5nXmBdpXKRoj0D8dhDo6sp9XQ.
ECDSA key fingerprint is MD5:d2:35:47:86:60:b5:97:16:3f:26:4c:91:78:3a:02:2a.
Are you sure you want to continue connecting (yes/no)? yes    #<== compare this fingerprint with the one shown on the server's own console before answering yes; this first answer is what every later connection trusts
/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
xiaoli@172.16.1.41's password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'xiaoli@172.16.1.41'"
and check to make sure that only the key(s) you wanted were added.

# On backup, check that the public key arrived
[xiaoli@backup ~]$ ls .ssh/authorized_keys
.ssh/authorized_keys
# .ssh/authorized_keys is the default file name; it is set by AuthorizedKeysFile in /etc/ssh/sshd_config
[root@backup backup]$ grep authorized_keys /etc/ssh/sshd_config |egrep -v "^#"
AuthorizedKeysFile .ssh/authorized_keys

Push the public key to nfs

[xiaoli@m01 ~]$ ssh-copy-id -i .ssh/id_dsa.pub xiaoli@172.16.1.31
/bin/ssh-copy-id: INFO: Source of key(s) to be installed: ".ssh/id_dsa.pub"
The authenticity of host '172.16.1.31 (172.16.1.31)' can't be established.
ECDSA key fingerprint is SHA256:9mwPu7qxdn4iuw1GFz5nXmBdpXKRoj0D8dhDo6sp9XQ.
ECDSA key fingerprint is MD5:d2:35:47:86:60:b5:97:16:3f:26:4c:91:78:3a:02:2a.
Are you sure you want to continue connecting (yes/no)? yes
/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
xiaoli@172.16.1.31's password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'xiaoli@172.16.1.31'"
and check to make sure that only the key(s) you wanted were added.

# On nfs, check that the public key arrived
[xiaoli@nfs ~]$ ls -l .ssh/
total 4
-rw------- 1 xiaoli xiaoli 600 Nov 5 21:16 authorized_keys

Push the public key to web01

[xiaoli@m01 ~]$ ssh-copy-id -i .ssh/id_dsa.pub xiaoli@172.16.1.7
/bin/ssh-copy-id: INFO: Source of key(s) to be installed: ".ssh/id_dsa.pub"
The authenticity of host '172.16.1.7 (172.16.1.7)' can't be established.
ECDSA key fingerprint is SHA256:9mwPu7qxdn4iuw1GFz5nXmBdpXKRoj0D8dhDo6sp9XQ.
ECDSA key fingerprint is MD5:d2:35:47:86:60:b5:97:16:3f:26:4c:91:78:3a:02:2a.
Are you sure you want to continue connecting (yes/no)? yes
/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
xiaoli@172.16.1.7's password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'xiaoli@172.16.1.7'"
and check to make sure that only the key(s) you wanted were added.

# On web01, check that the public key arrived
[xiaoli@web01 ~]$ ls -l .ssh/
total 4
-rw------- 1 xiaoli xiaoli 600 Nov 5 21:20 authorized_keys

Caveat: backup, nfs and web01 all report the same ECDSA fingerprint (SHA256:9mwPu7qxdn4iuw1GFz5nXmBdpXKRoj0D8dhDo6sp9XQ), which means the three VMs were cloned from one image and share their host keys. A shared host key makes the fingerprint prompt meaningless, since any of these hosts, or anyone holding that image, can impersonate the others. Regenerate the keys on each client (`rm -f /etc/ssh/ssh_host_*; ssh-keygen -A; systemctl restart sshd`), then drop the stale entries on m01 with `ssh-keygen -R <ip>` and record the new fingerprints.
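The following script is an added example and is not part of the original tutorial. It redoes steps 1.2 and 1.3 with an ed25519 key, pins each client's host key against a fingerprint recorded out of band before the first login (instead of answering "yes" to whatever the network presents), and installs the public key with `from=` and no-forwarding options so sshd rejects the key from anywhere but m01. The lab IPs and the xiaoli user are the tutorial's; the fingerprint table holds placeholders that the operator fills in from each host's console (`ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub`), and the `deploy` argument is this script's own convention.

```shell
#!/bin/bash
# Added example, not from the original tutorial: ed25519 key, host-key pinning,
# restricted authorized_keys line. Fingerprints below are placeholders (assumption)
# to be replaced with the values read from each host's console.
set -eu

MGMT_IP=172.16.1.61                     # m01, the only host allowed to use the key
USER_NAME=xiaoli
KEY="${HOME:-/home/$USER_NAME}/.ssh/id_ed25519"
KNOWN="${HOME:-/home/$USER_NAME}/.ssh/known_hosts"

# Pinned host-key fingerprints, recorded out of band (placeholders).
fingerprint_expected() {                 # $1 = host IP
    case "$1" in
        172.16.1.7)  echo "SHA256:REPLACE_WITH_web01_HOST_KEY_FINGERPRINT" ;;
        172.16.1.31) echo "SHA256:REPLACE_WITH_nfs_HOST_KEY_FINGERPRINT" ;;
        172.16.1.41) echo "SHA256:REPLACE_WITH_backup_HOST_KEY_FINGERPRINT" ;;
        *) return 1 ;;
    esac
}

# An observed fingerprint is accepted only when it is non-empty and equals the pin.
pin_ok() {                               # $1 = observed, $2 = expected
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# authorized_keys line with options: usable only from m01, no port/agent/X11
# forwarding. A copy of the private key taken elsewhere is then rejected by sshd.
restricted_key_line() {                  # $1 = from-IP, $2 = public key line
    printf 'from="%s",no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' "$1" "$2"
}

generate_key() {
    mkdir -p "$(dirname "$KEY")" && chmod 700 "$(dirname "$KEY")"
    [ -f "$KEY" ] || ssh-keygen -t ed25519 -f "$KEY" -N "" -C "$USER_NAME@m01-batch"
}

# Fetch the host key, compare it with the pin, and only then append it to
# known_hosts, so every later ssh/scp can run with StrictHostKeyChecking=yes.
pin_host() {                             # $1 = host IP
    tmp=$(mktemp)
    ssh-keyscan -t ed25519 "$1" > "$tmp" 2>/dev/null || true
    observed=$(ssh-keygen -lf "$tmp" 2>/dev/null | awk '{print $2}')
    expected=$(fingerprint_expected "$1") || { rm -f "$tmp"; echo "no pin for $1" >&2; return 1; }
    if ! pin_ok "$observed" "$expected"; then
        rm -f "$tmp"
        echo "$1: host key mismatch (got '$observed', want '$expected'), refusing" >&2
        return 1
    fi
    cat "$tmp" >> "$KNOWN"; rm -f "$tmp"
}

# Install the restricted line (one password prompt), then prove key auth works
# non-interactively: BatchMode=yes fails instead of falling back to a password.
install_key() {                          # $1 = host IP
    line=$(restricted_key_line "$MGMT_IP" "$(cat "$KEY.pub")")
    ssh -o StrictHostKeyChecking=yes "$USER_NAME@$1" \
        "umask 077; mkdir -p ~/.ssh; printf '%s\n' '$line' >> ~/.ssh/authorized_keys"
    ssh -o BatchMode=yes -o StrictHostKeyChecking=yes "$USER_NAME@$1" true
}

deploy_all() {
    generate_key
    for h in 172.16.1.7 172.16.1.31 172.16.1.41; do
        pin_host "$h" && install_key "$h"
    done
}

# Only touch the network when asked:  bash deploy_keys.sh deploy
if [ "${1:-}" = "deploy" ]; then deploy_all; fi
```

A host whose key does not match its pin is skipped with an error rather than trusted, which is exactly the case the cloned-image fingerprints above would trip over. The `from=` option is a real restriction enforced by sshd, but it is only as strong as the address it names, so it complements rather than replaces keeping the private key on m01 alone.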

1.4 Collect information from the clients in batch from the management host
Look at one client's IP address on its own first; if sshd listens on port 22 there is no need to add -p:

[xiaoli@m01 ~]$ ssh xiaoli@172.16.1.31 /sbin/ifconfig ens33
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.0.31  netmask 255.255.255.0  broadcast 10.0.0.255
        inet6 fe80::7ef6:6b6b:fba4:c66c  prefixlen 64  scopeid 0x20<link>
        inet6 fe80::f15a:916:1ee7:65e9  prefixlen 64  scopeid 0x20<link>
        ether 00:50:56:20:de:ec  txqueuelen 1000  (Ethernet)
        RX packets 68059  bytes 50182137 (47.8 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 32722  bytes 6712416 (6.4 MiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
# Note that ssh no longer asks for a password

Create a script that shows the IP address of all three clients

[xiaoli@m01 ~]$ mkdir seripts
[xiaoli@m01 ~]$ cd seripts
[xiaoli@m01 seripts]$ cat view_ip.sh
#!/bin/sh
User=xiaoli
Ip=(
172.16.1.7
172.16.1.31
172.16.1.41
)
# Bash array syntax; this works with "sh view_ip.sh" because /bin/sh is bash on CentOS 7
for ((i=0;i<${#Ip[*]};i++))
do
    ssh ${User}@${Ip[$i]} /sbin/ifconfig ens33
done
# Run the script
[xiaoli@m01 seripts]$ sh view_ip.sh
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.0.7  netmask 255.255.255.0  broadcast 10.0.0.255
        inet6 fe80::7ef6:6b6b:fba4:c66c  prefixlen 64  scopeid 0x20<link>
        inet6 fe80::b85a:6444:fdc7:90ef  prefixlen 64  scopeid 0x20<link>
        inet6 fe80::f15a:916:1ee7:65e9  prefixlen 64  scopeid 0x20<link>
        ether 00:50:56:32:88:be  txqueuelen 1000  (Ethernet)
        RX packets 11633  bytes 2805754 (2.6 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 6003  bytes 1047269 (1022.7 KiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.0.31  netmask 255.255.255.0  broadcast 10.0.0.255
        inet6 fe80::7ef6:6b6b:fba4:c66c  prefixlen 64  scopeid 0x20<link>
        inet6 fe80::f15a:916:1ee7:65e9  prefixlen 64  scopeid 0x20<link>
        ether 00:50:56:20:de:ec  txqueuelen 1000  (Ethernet)
        RX packets 68065  bytes 50182545 (47.8 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 32726  bytes 6712704 (6.4 MiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.0.41  netmask 255.255.255.0  broadcast 10.0.0.255
        inet6 fe80::7ef6:6b6b:fba4:c66c  prefixlen 64  scopeid 0x20<link>
        inet6 fe80::b85a:6444:fdc7:90ef  prefixlen 64  scopeid 0x20<link>
        inet6 fe80::f15a:916:1ee7:65e9  prefixlen 64  scopeid 0x20<link>
        ether 00:50:56:21:a4:2a  txqueuelen 1000  (Ethernet)
        RX packets 123357  bytes 15582283 (14.8 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 130534  bytes 11862139 (11.3 MiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
The output above is the sign of success: every machine is reached and operated on without a password prompt.

In an unattended script add `-o BatchMode=yes` to the ssh command: if key authentication ever fails (key removed, permissions wrong), ssh then fails immediately instead of hanging on a password prompt.

1.5 Distribute files in batch with scp

On every managed server, as root, grant sudo:
# Switch to root and allow the xiaoli user to run rsync through sudo without a password
echo "xiaoli ALL=(ALL) NOPASSWD:/usr/bin/rsync" >>/etc/sudoers
visudo -c    #<== check the syntax; a broken /etc/sudoers locks everyone out of sudo

Caveat: this rule is effectively root for xiaoli, because rsync running as root can overwrite any file (including /etc/sudoers or /etc/shadow) from any source path. That is acceptable for the lab; in production put the rule in a file under /etc/sudoers.d/ (validated with `visudo -cf <file>` before installing it) and restrict it to the exact command line you need, for example `/usr/bin/rsync /home/xiaoli/hosts /etc/hosts`, since sudo matches arguments literally.

Copy /etc/hosts into xiaoli's home directory and edit its content

[xiaoli@m01 ~]$ cp /etc/hosts .
[xiaoli@m01 ~]$ tail -5 hosts
172.16.1.7 web01
172.16.1.41 backup
172.16.1.31 nfs
172.16.1.51 m01
################2018-11-5################

Distribute the hosts file in batch with a script

[xiaoli@m01 ~]$ cat seripts/fenfa_file.sh
#!/bin/sh
User=xiaoli
Ip=(
172.16.1.7
172.16.1.31
172.16.1.41
)
for ((i=0;i<${#Ip[*]};i++))
do
    # stage the file in xiaoli's home on the client (no root needed for this step)
    scp ~/hosts ${User}@${Ip[$i]}:~
    # install it as root; -t allocates a tty, which sudo needs when "Defaults requiretty" is set.
    # ~/hosts is expanded on m01 to /home/xiaoli/hosts, which is the same path on the client
    ssh -t ${User}@${Ip[$i]} sudo rsync ~/hosts /etc/hosts
done
# Run the batch distribution script
[xiaoli@m01 seripts]$ sh fenfa_file.sh
hosts                                  100%  268   245.5KB/s   00:00
Connection to 172.16.1.7 closed.
hosts                                  100%  268    47.6KB/s   00:00
Connection to 172.16.1.31 closed.
hosts                                  100%  268   295.1KB/s   00:00
Connection to 172.16.1.41 closed.

Check the result on a client

# backup is used as the example:
[xiaoli@backup ~]$ tail -5 /etc/hosts
172.16.1.7 web01
172.16.1.41 backup
172.16.1.31 nfs
172.16.1.51 m01
################2018-11-5################

Extension: use rsync over the ssh channel for incremental, encrypted transfers

[xiaoli@m01 ~]$ rsync -avz hosts -e 'ssh -p 22' xiaoli@172.16.1.41:~    #<== the colon is required; without it rsync treats "xiaoli@172.16.1.41" as a local file name and nothing leaves m01
sending incremental file list
hosts

sent 214 bytes  received 35 bytes  498.00 bytes/sec
total size is 268  speedup is 1.08
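The following script is an added example and is not part of the original tutorial. It redoes the 1.5 push (scp to stage, sudo rsync to install) with a sudoers rule that permits only that one exact rsync command line rather than rsync of any path as root, and it compares a SHA-256 digest of the installed file with the staged copy afterwards, so a host where the copy silently failed is reported instead of assumed updated. The lab IPs and the xiaoli user are the tutorial's; key authentication and pinned host keys are assumed to be in place already, and the `push` argument is this script's own convention.

```shell
#!/bin/bash
# Added example, not from the original tutorial: least-privilege sudo rule for
# the hosts-file push plus post-copy verification. Key auth and known_hosts
# entries for the lab hosts are assumed to exist.
set -eu

USER_NAME=xiaoli
SRC="${HOME:-/home/$USER_NAME}/hosts"   # staged copy edited on m01
STAGE="/home/$USER_NAME/hosts"          # where scp drops it on each client
DST=/etc/hosts
HOSTS="172.16.1.7 172.16.1.31 172.16.1.41"
SSH_OPTS="-o BatchMode=yes -o StrictHostKeyChecking=yes -o ConnectTimeout=5"

# Line for /etc/sudoers.d/xiaoli-hosts on every client. sudo matches the command
# arguments literally, so this allows exactly one copy, not rsync of any path as root.
# Install it with:  visudo -cf <file> && install -m 440 <file> /etc/sudoers.d/xiaoli-hosts
sudoers_rule() {                        # $1 = user, $2 = staged path, $3 = destination
    printf '%s ALL=(root) NOPASSWD: /usr/bin/rsync %s %s\n' "$1" "$2" "$3"
}

# "<digest>  <path>" as printed by sha256sum  ->  "<digest>"
digest_of() {                           # $1 = one sha256sum output line
    printf '%s\n' "$1" | awk '{print $1}'
}

# Two digests agree only when both are present and identical; an empty remote
# result (failed ssh, missing file) must never count as a match.
same_digest() {                         # $1 = local digest, $2 = remote digest
    [ -n "$1" ] && [ "$1" = "$2" ]
}

push_one() {                            # $1 = host IP
    scp $SSH_OPTS "$SRC" "$USER_NAME@$1:$STAGE"
    # -t gives sudo a tty in case "Defaults requiretty" is set; the command line
    # must match the sudoers rule exactly, path and arguments included.
    ssh -t $SSH_OPTS "$USER_NAME@$1" "sudo /usr/bin/rsync $STAGE $DST"
}

verify_one() {                          # $1 = host IP; returns 0 when /etc/hosts matches
    want=$(digest_of "$(sha256sum "$SRC")")
    got=$(digest_of "$(ssh $SSH_OPTS "$USER_NAME@$1" "sha256sum $DST" 2>/dev/null || true)")
    same_digest "$want" "$got"
}

push_all() {
    failed=""
    for h in $HOSTS; do
        if push_one "$h" && verify_one "$h"; then
            echo "$h: $DST updated and verified"
        else
            echo "$h: FAILED" >&2
            failed="$failed $h"
        fi
    done
    [ -z "$failed" ]                    # non-zero exit if any host failed
}

# Only touch the network when asked:  bash push_hosts.sh push
if [ "${1:-}" = "push" ]; then push_all; fi
```

Because the rule names the staged path and the destination, xiaoli can still only change /etc/hosts on the client, and only with whatever m01 put in /home/xiaoli/hosts; adding `-avz` or a different source on the sudo line is rejected by sudo, which is the intended behaviour, not a bug to work around by loosening the rule.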