1、什么是SSH批量管理
在管理机产生公钥和私钥,然后把自己的公钥推送给需要被管理的服务器,然后就可以通过scp和ssh命令,无需输入密码即可管理

Web集群之SSH批量管理
锁=公钥,钥匙=私钥

企业里实现ssh方案:
1)直接root ssh key。
条件:系统允许root使用ssh
2)sudo提权来实现没有权限用户拷贝


实验环境:

hostname ip 描述
m01 172.16.1.61 管理机
web01 172.16.1.7 被管理
nfs 172.16.1.31 被管理
backup 172.16.1.41 被管理

所有机器系统环境统一

[root@m01 /]# cat /etc/redhat-release 
CentOS Linux release 7.5.1804 (Core) 
[root@m01 /]# uname -r
3.10.0-862.el7.x86_64

1.1 所有的服务器创建普通用户及密码

useradd xiaoli
echo "123456" |passwd --stdin xiaoli
id xiaoli
su - xiaoli  #<==统一切换到xiaoli用户

1.2 m01产生密钥
#使用xiaoli用户来创建私钥,并且分发公钥

[xiaoli@m01 ~]$ ssh-keygen -t dsa   #<==生成私钥(一路回车)
Generating public/private dsa key pair.
Enter file in which to save the key (/home/xiaoli/.ssh/id_dsa): 
Created directory '/home/xiaoli/.ssh'. #<==私钥存放的目录
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/xiaoli/.ssh/id_dsa.
Your public key has been saved in /home/xiaoli/.ssh/id_dsa.pub.
The key fingerprint is:
SHA256:/UtUhhM++KSQH9OgJyP+MCRz+LhdYfRt/r6384aVLzU xiaoli@m01
The key's randomart image is:
+---[DSA 1024]----+
|        . . .    |
|     . . + * o   |
|    + + O * X o  |
|     O o O O =   |
|    . = S + +   .|
|     o =   o . Eo|
|    . . .   o .+o|
|           . oo.+|
|            . o*=|
+----[SHA256]-----+

[xiaoli@m01 ~]$ pwd
/home/xiaoli
[xiaoli@m01 ~]$ ls .ssh/
id_dsa  id_dsa.pub
[xiaoli@m01 ~]$ ll .ssh/
total 8
-rw------- 1 xiaoli xiaoli 672 Nov  5 20:57 id_dsa #<==私钥
-rw-r--r-- 1 xiaoli xiaoli 600 Nov  5 20:57 id_dsa.pub  #<==公钥

1.3 管理机分发公钥给客户端
管理机推送公钥给backup

[xiaoli@m01 ~]$ ssh-copy-id -i .ssh/id_dsa.pub xiaoli@172.16.1.41
/bin/ssh-copy-id: INFO: Source of key(s) to be installed: ".ssh/id_dsa.pub"
The authenticity of host '172.16.1.41 (172.16.1.41)' can't be established.
ECDSA key fingerprint is SHA256:9mwPu7qxdn4iuw1GFz5nXmBdpXKRoj0D8dhDo6sp9XQ.
ECDSA key fingerprint is MD5:d2:35:47:86:60:b5:97:16:3f:26:4c:91:78:3a:02:2a.
Are you sure you want to continue connecting (yes/no)? yes
/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
xiaoli@172.16.1.41's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'xiaoli@172.16.1.41'"
and check to make sure that only the key(s) you wanted were added.
#backup上查看是否收到公钥
[xiaoli@backup ~]$ ls .ssh/authorized_keys 
.ssh/authorized_key

#配置文件默认就是.ssh/authorized_key这个文件名,是由/etc/ssh/sshd_config这个配置文件所定义

[root@backup backup]$ grep authorized_keys /etc/ssh/sshd_config |egrep -v "^#"   
AuthorizedKeysFile      .ssh/authorized_keys

管理机推送公钥给nfs

[xiaoli@m01 ~]$ ssh-copy-id -i .ssh/id_dsa.pub xiaoli@172.16.1.31
/bin/ssh-copy-id: INFO: Source of key(s) to be installed: ".ssh/id_dsa.pub"
The authenticity of host '172.16.1.31 (172.16.1.31)' can't be established.
ECDSA key fingerprint is SHA256:9mwPu7qxdn4iuw1GFz5nXmBdpXKRoj0D8dhDo6sp9XQ.
ECDSA key fingerprint is MD5:d2:35:47:86:60:b5:97:16:3f:26:4c:91:78:3a:02:2a.
Are you sure you want to continue connecting (yes/no)? yes
/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
xiaoli@172.16.1.31's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'xiaoli@172.16.1.31'"
and check to make sure that only the key(s) you wanted were added.

#nfs上查看是否收到公钥
[xiaoli@nfs ~]$ ls -l .ssh/
total 4
-rw------- 1 xiaoli xiaoli 600 Nov  5 21:16 authorized_keys

管理机推送公钥给web01

[xiaoli@m01 ~]$ ssh-copy-id -i .ssh/id_dsa.pub xiaoli@172.16.1.7
/bin/ssh-copy-id: INFO: Source of key(s) to be installed: ".ssh/id_dsa.pub"
The authenticity of host '172.16.1.7 (172.16.1.7)' can't be established.
ECDSA key fingerprint is SHA256:9mwPu7qxdn4iuw1GFz5nXmBdpXKRoj0D8dhDo6sp9XQ.
ECDSA key fingerprint is MD5:d2:35:47:86:60:b5:97:16:3f:26:4c:91:78:3a:02:2a.
Are you sure you want to continue connecting (yes/no)? yes
/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
xiaoli@172.16.1.7's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'xiaoli@172.16.1.7'"
and check to make sure that only the key(s) you wanted were added.

#web01查看是否收到公钥
[xiaoli@web01 ~]$ ls -l .ssh/
total 4
-rw------- 1 xiaoli xiaoli 600 Nov  5 21:20 authorized_keys

1.4 管理机实现批量获取参数
单独查看某一台客户端IP地址,如果端口号为22,就不需要加-p

[xiaoli@m01 ~]$ ssh xiaoli@172.16.1.31 /sbin/ifconfig ens33
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.0.31  netmask 255.255.255.0  broadcast 10.0.0.255
        inet6 fe80::7ef6:6b6b:fba4:c66c  prefixlen 64  scopeid 0x20<link>
        inet6 fe80::f15a:916:1ee7:65e9  prefixlen 64  scopeid 0x20<link>
        ether 00:50:56:20:de:ec  txqueuelen 1000  (Ethernet)
        RX packets 68059  bytes 50182137 (47.8 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 32722  bytes 6712416 (6.4 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
#我们可以发现这时执行ssh就不需要输入密码

创建脚本查看三台客户端的IP地址

[xiaoli@m01 ~]$ mkdir seripts
[xiaoli@m01 ~]$ cd seripts
[xiaoli@m01 seripts]$ cat view_ip.sh   
#!/bin/sh
User=xiaoli
Ip=(
172.16.1.7
172.16.1.31
172.16.1.41
)
for ((i=0;i<${#Ip[*]};i++))
do
        ssh ${User}@${Ip[$i]} /sbin/ifconfig ens33
done

#执行脚本
[xiaoli@m01 seripts]$ sh view_ip.sh 
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.0.7  netmask 255.255.255.0  broadcast 10.0.0.255
        inet6 fe80::7ef6:6b6b:fba4:c66c  prefixlen 64  scopeid 0x20<link>
        inet6 fe80::b85a:6444:fdc7:90ef  prefixlen 64  scopeid 0x20<link>
        inet6 fe80::f15a:916:1ee7:65e9  prefixlen 64  scopeid 0x20<link>
        ether 00:50:56:32:88:be  txqueuelen 1000  (Ethernet)
        RX packets 11633  bytes 2805754 (2.6 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 6003  bytes 1047269 (1022.7 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.0.31  netmask 255.255.255.0  broadcast 10.0.0.255
        inet6 fe80::7ef6:6b6b:fba4:c66c  prefixlen 64  scopeid 0x20<link>
        inet6 fe80::f15a:916:1ee7:65e9  prefixlen 64  scopeid 0x20<link>
        ether 00:50:56:20:de:ec  txqueuelen 1000  (Ethernet)
        RX packets 68065  bytes 50182545 (47.8 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 32726  bytes 6712704 (6.4 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.0.41  netmask 255.255.255.0  broadcast 10.0.0.255
        inet6 fe80::7ef6:6b6b:fba4:c66c  prefixlen 64  scopeid 0x20<link>
        inet6 fe80::b85a:6444:fdc7:90ef  prefixlen 64  scopeid 0x20<link>
        inet6 fe80::f15a:916:1ee7:65e9  prefixlen 64  scopeid 0x20<link>
        ether 00:50:56:21:a4:2a  txqueuelen 1000  (Ethernet)
        RX packets 123357  bytes 15582283 (14.8 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 130534  bytes 11862139 (11.3 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
上面结果为成功标志!连接所有机器,不提示密码直接可以操作

1.5 scp实现批量下发文件

每台服务器root权限下实施sudo
#切换到root用户,给xiaoli用户赋予有rsync的命令执行权限
echo "xiaoli ALL=(ALL) NOPASSWD:/usr/bin/rsync ">>/etc/sudoers
visudo -c

将/etc/hosts文件拷贝到家目录(xiaoli),并修改hosts文件内容

[xiaoli@m01 ~]$ cp /etc/hosts .

[xiaoli@m01 ~]$ tail -5  hosts
172.16.1.7 web01
172.16.1.41 backup
172.16.1.31 nfs
172.16.1.51 m01
################2018-11-5################

使用脚本批量分发hosts文件

[xiaoli@m01 ~]$  cat seripts/fenfa_file.sh 
#!/bin/sh
User=xiaoli
Ip=(
172.16.1.7
172.16.1.31
172.16.1.41
)
for ((i=0;i<${#Ip[*]};i++)) 
do
 scp ~/hosts ${User}@${Ip[$i]}:~
 ssh -t ${User}@${Ip[$i]} sudo rsync ~/hosts /etc/hosts 
done
#运行批量分发脚本
[xiaoli@m01 seripts]$ sh  fenfa_file.sh
hosts                                                                     100%  268   245.5KB/s   00:00    
Connection to 172.16.1.7 closed.
hosts                                                                     100%  268    47.6KB/s   00:00    
Connection to 172.16.1.31 closed.
hosts                                                                     100%  268   295.1KB/s   00:00    
Connection to 172.16.1.41 closed.

客户端查看结果

#以backup客户端为例展示结果:
[xiaoli@backup ~]$ tail -5 /etc/hosts
172.16.1.7 web01
172.16.1.41 backup
172.16.1.31 nfs
172.16.1.51 m01
################2018-11-5################

扩展:使用rsync通道模式,实现增量、加密

[xiaoli@m01 ~]$ rsync -avz hosts -e 'ssh -p 22' xiaoli@172.16.1.41
sending incremental file list
hosts

sent 214 bytes  received 35 bytes  498.00 bytes/sec
total size is 268  speedup is 1.08