SSH 免密码登录——批量分发服务器

 

需求：nfs服务器兼做批量分发服务器。backup备份服务器、mb01服务为批量分发的客户端。通过NFS服务器讲编辑好的hosts文件批量分发到备份服务器和mb01服务器的、/etc/下。使内网环境可以使用/etc/hosts 文件做正向、反向的域名解析。

由于root具有最大的权限，所以不建议使用root用户进行SSH免密码登录，而是在所有的机器上建立相同的普通用户，通过普通用户的SSH免密码登录，使用scp 命令将hosts文件分发到客户端的该普通用户的家目录下。在各客户端为该普通用户通过sudo对cp赋予提权，才能将该用户家目录下收到的分发文件拷贝到/etc/目录下。

 

 

 环境：

mb01批量分发客户端服务器：

[root@mb01 ~]# uname -nr

mb01 2.6.32-573.el6.x86_64

[root@mb01 ~]# ifconfig eth1|awk -F"[ :]+" 'NR==2{print $4}'

172.16.1.61

[root@mb01 ~]#

 

 backup 备份服务器

[root@backup ~]# uname -nr

backup 2.6.32-573.el6.x86_64

[root@backup ~]# ifconfig eth1|awk-F "[ :]+" 'NR==2{print $4}'

172.16.1.99

[root@backup ~]#

 

nfs 服务器

[root@nfs ~]# uname -nr

nfs 2.6.32-573.el6.x86_64

[root@nfs ~]# ifconfig eth1|awk -F"[ :]+" 'NR==2 {print $4}'

172.16.1.66

[root@nfs ~]#

 

一、在所有的机器中创建分发用户的普通账户 friendship 并通过 sudo 对 friendship 用户使用cp 命令时进行提权。以下操作均为分发服务器上操作，使用 root 用户 ssh 密码验证执行命令。若服务器禁止了 root 远程登录，则需要使用普通用户登录在切换到root。或单独连接各机器进行配置。

############以下可以整合一条命令行这行（全路径）###########

 ssh -p 22 root@172.16.1.66"/usr/sbin/useradd friendship&&echo '123456'|/usr/bin/passwd--stdin friendship&&echo 'friendship ALL=(ALL)  NOPASSWD: /bin/cp'>>/etc/sudoers"

 

1、在所有机器上创建用户  friendship

useradd friendship

2、给friendship 设置密码：

echo '123456'|/usr/bin/passwd --stdin friendship

3、对friendship用户 sudo 授权

echo 'friendship ALL=(ALL) NOPASSWD: /bin/cp'>>/etc/sudoers

 

 backup 服务器

[root@mb01 ~]# ssh -p 22 root@172.16.1.99"/usr/sbin/useradd friendship&&echo '123456'|/usr/bin/passwd--stdin friendship&&echo 'friendship ALL=(ALL)  NOPASSWD: /bin/cp'>>/etc/sudoers"

The authenticity of host'172.16.1.99 (172.16.1.99)' can't be established.

RSA key fingerprint is59:90:3c:db:11:3e:99:7a:4f:f6:02:b8:96:ad:4d:f9.

Are you sure you want to continueconnecting (yes/no)? yes

Warning: Permanently added'172.16.1.99' (RSA) to the list of known hosts.

Address 172.16.1.99 maps to bogon,but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!

root@172.16.1.99's password:

Changing password for userfriendship.

 

nfs 服务器

[root@mb01 ~]# ssh -p 22 root@172.16.1.66"/usr/sbin/useradd friendship&&echo '123456'|/usr/bin/passwd--stdin friendship&&echo 'friendship ALL=(ALL)  NOPASSWD: /bin/cp'>>/etc/sudoers"

The authenticity of host'172.16.1.66 (172.16.1.66)' can't be established.

RSA key fingerprint is59:90:3c:db:11:3e:99:7a:4f:f6:02:b8:96:ad:4d:f9.

Are you sure you want to continueconnecting (yes/no)? yes

Warning: Permanently added'172.16.1.66' (RSA) to the list of known hosts.

Address 172.16.1.66 maps to bogon,but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!

root@172.16.1.66's password:

Changing password for userfriendship.

passwd: all authentication tokensupdated successfully.

 

测试

echo $? 返回值都为0 验证成功

 

[root@mb01 ~]# ssh -t -p 22friendship@172.16.1.66 "/bin/echo 'test sudo forfriendship'>~/good.txt&&sudo /bin/cp ~/good.txt /etc/;/bin/echo$?"

Address 172.16.1.66 maps to bogon,but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!

friendship@172.16.1.66's password:

0

Connection to 172.16.1.66 closed.

[root@mb01 ~]#

 

[root@mb01 ~]# ssh -t -p 22friendship@172.16.1.99 "/bin/echo 'test sudo forfriendship'>~/good.txt&&sudo /bin/cp ~/good.txt /etc/;/bin/echo$?"

Address 172.16.1.99 maps to bogon,but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!

friendship@172.16.1.99's password:

0

Connection to 172.16.1.99 closed.

[root@mb01 ~]#

 

 

二、在批量分发服务器上使用 friendship 用户生成密匙对并将公匙发送到各服务器

1、生成密匙对

[friendship@mb01 ~]$ whoami

friendship

[friendship@mb01 ~]$ ssh-keygen -t dsa

Generating public/private dsa keypair.

Enter file in which to save the key(/home/friendship/.ssh/id_dsa):

Created directory'/home/friendship/.ssh'.

Enter passphrase (empty for nopassphrase):

Enter same passphrase again:

Your identification has been savedin /home/friendship/.ssh/id_dsa.

Your public key has been saved in/home/friendship/.ssh/id_dsa.pub.

The key fingerprint is:

64:e4:49:75:74:09:9e:62:77:e2:d0:9b:bc:ff:2a:0bfriendship@mb01

The key's randomart p_w_picpath is:

+--[ DSA 1024]----+

|        o...+... |

|       + . + o. |

|        = + * . |

|       o . * =  |

|        S  =    |

|             .  |

|          E .   |

|           ...  |

|            .ooo.|

+-----------------+

[friendship@mb01 ~]$

 

发送密匙到分发服务器

nfs 服务器

[friendship@mb01 ~]$ ssh-copy-id -i./.ssh/id_dsa.pub  friendship@172.16.1.66

The authenticity of host'172.16.1.66 (172.16.1.66)' can't be established.

RSA key fingerprint is59:90:3c:db:11:3e:99:7a:4f:f6:02:b8:96:ad:4d:f9.

Are you sure you want to continueconnecting (yes/no)? yes

Warning: Permanently added'172.16.1.66' (RSA) to the list of known hosts.

Address 172.16.1.66 maps to bogon,but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!

friendship@172.16.1.66's password:

Now try logging into the machine,with "ssh 'friendship@172.16.1.66'", and check in:

 

 .ssh/authorized_keys

 

to make sure we haven't added extrakeys that you weren't expecting.

 

[friendship@mb01 ~]$

 

backup 服务器

 

[friendship@mb01 ~]$ ssh-copy-id -i./.ssh/id_dsa.pub  friendship@172.16.1.99

The authenticity of host'172.16.1.99 (172.16.1.99)' can't be established.

RSA key fingerprint is59:90:3c:db:11:3e:99:7a:4f:f6:02:b8:96:ad:4d:f9.

Are you sure you want to continueconnecting (yes/no)? yes

Warning: Permanently added'172.16.1.99' (RSA) to the list of known hosts.

Address 172.16.1.99 maps to bogon,but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!

friendship@172.16.1.99's password:

Now try logging into the machine,with "ssh 'friendship@172.16.1.99'", and check in:

 

 .ssh/authorized_keys

 

to make sure we haven't added extrakeys that you weren't expecting.

 

[friendship@mb01 ~]$

 

验证是否能（friendship）用户免密码登陆到各服务器

 

mb01面密码连接到nfs

 

[friendship@mb01 ~]$ ssh friendship@172.16.1.66

Address 172.16.1.66 maps to bogon,but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!

Last login: Sat May  7 05:44:25 2016 from 172.16.1.61

[friendship@nfs ~]$ ls

good.txt

[friendship@nfs ~]$ cat/etc/ssh/sshd_config

cat: /etc/ssh/sshd_config:Permission denied

[friendship@nfs ~]$ tail -2/etc/passwd

tcpdump:x:72:72::/:/sbin/nologin

friendship:x:500:500::/home/friendship:/bin/bash

 

mb01免密码连接到backup

 

[friendship@mb01 ~]$ ssh friendship@172.16.1.99

Address 172.16.1.99 maps to bogon,but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!

Last login: Sat May  7 05:52:00 2016 from 172.16.1.61

[friendship@backup ~]$ ls

good.txt

[friendship@backup ~]$ tail/etc/passwd

dbus:x:81:81:System messagebus:/:/sbin/nologin

vcsa:x:69:69:virtual console memoryowner:/dev:/sbin/nologin

abrt:x:173:173::/etc/abrt:/sbin/nologin

haldaemon:x:68:68:HALdaemon:/:/sbin/nologin

ntp:x:38:38::/etc/ntp:/sbin/nologin

saslauth:x:499:76:Saslauthduser:/var/empty/saslauth:/sbin/nologin

postfix:x:89:89::/var/spool/postfix:/sbin/nologin

sshd:x:74:74:Privilege-separatedSSH:/var/empty/sshd:/sbin/nologin

tcpdump:x:72:72::/:/sbin/nologin

friendship:x:500:500::/home/friendship:/bin/bash

[friendship@backup ~]$

 

三、在批量分发服务器mb01 写脚本实现批量分发。使用 friendship 用户

     批量分发hosts 文件

 

1、拷贝一个文件hosts到家目录下  查看hosts内容

 

cp /etc/hosts .

[friendship@mb01 ~]$ cat hosts

127.0.0.1   localhost localhost.localdomain localhost4localhost4.localdomain4

::1         localhost localhost.localdomainlocalhost6 localhost6.localdomain6

172.16.1.5      lb01

172.16.1.6      lb02

172.16.1.7      web02

172.16.1.8      web01

172.16.1.51     db01 db01.etiantian.org

172.16.1.31     nfs01

172.16.1.41     backup

172.16.1.61     m01

 

=========20140708==============

[friendship@mb01 ~]$

 

 

 

2、写脚本  vim fenfa.sh

 

#!/bin/sh

 

 

 

for n in 66 99

do

 echo "==172.16.1.$n=="

 scp -P22 hosts 172.16.1.$n:~

done

~

 

 

3、执行脚本

[friendship@mb01 ~]$ /bin/sh fenfa.sh

==172.16.1.66==

Address 172.16.1.66 maps to bogon,but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!

hosts                                                                           100%  384     0.4KB/s  00:00   

==172.16.1.99==

Address 172.16.1.99 maps to bogon,but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!

hosts                                                                           100%  384     0.4KB/s  00:00   

fenfa.sh: line 10: /home/friendship:is a directory

fenfa.sh: line 14: command not found

[friendship@mb01 ~]$

 

4、看分发结果

 

nfs服务端

[friendship@nfs ~]$ ls

hosts 

[friendship@nfs ~]$ cat hosts

127.0.0.1   localhost localhost.localdomain localhost4localhost4.localdomain4

::1         localhost localhost.localdomainlocalhost6 localhost6.localdomain6

172.16.1.5      lb01

172.16.1.6      lb02

172.16.1.7      web02

172.16.1.8      web01

172.16.1.51     db01 db01.etiantian.org

172.16.1.31     nfs01

172.16.1.41     backup

172.16.1.61     m01

 

 

 

=========20140708==============

[friendship@nfs ~]$

 

 

backup服务端

 

[friendship@backup ~]$ ls

hosts 

[friendship@backup ~]$ cat hosts

127.0.0.1   localhost localhost.localdomain localhost4localhost4.localdomain4

::1         localhost localhost.localdomainlocalhost6 localhost6.localdomain6

172.16.1.5      lb01

172.16.1.6      lb02

172.16.1.7      web02

172.16.1.8      web01

172.16.1.51     db01 db01.etiantian.org

172.16.1.31     nfs01

172.16.1.41     backup

172.16.1.61     m01

 

 

 

=========20140708==============

[friendship@backup ~]$

 

 

测试成功已将hosts文件批量分发到指定服务器的家目录下