The difference between RSA and DSA:
RSA: a public-key algorithm that can both encrypt and sign, named after the initials of its inventors Ron Rivest, Adi Shamir and Leonard Adleman.
DSA: short for Digital Signature Algorithm; it can only sign, not encrypt. SSH user authentication only needs a signature, so either key type works for the procedure below. Note that the 1024-bit ssh-dss keys generated here are disabled by default since OpenSSH 7.0 and dropped entirely in OpenSSH 10.0; on a current system run ssh-keygen -t ed25519 (or use a 3072-bit or larger RSA key) and the rest of the steps are unchanged.
Test environment:
Machine   Hostname   IP
cl1       a          192.168.2.30
cl2       b          192.168.2.31
cl3       c          192.168.2.32
Key distribution:
Steps:
1. Prepare the three VMs, open an interactive window to all of them in SecureCRT, create the same user zdw on each machine and set its password.
2. On cl1, switch to user zdw and generate a key pair:
   ssh-keygen -t dsa, pressing Enter at every prompt.
3. On cl1 run
   ssh-copy-id -i .ssh/id_dsa.pub "-p 52113 zdw@192.168.2.31"
   and
   ssh-copy-id -i .ssh/id_dsa.pub "-p 52113 zdw@192.168.2.32"
   to copy the public key to cl2 and cl3. (sshd listens on port 52113 here instead of 22. Newer versions of ssh-copy-id take the port as their own option: ssh-copy-id -i .ssh/id_dsa.pub -p 52113 zdw@192.168.2.31.)
How ssh-copy-id works (ssh-copy-id -i .ssh/id_dsa.pub "-p 52113 zdw@192.168.2.31"):
it logs in to 192.168.2.31 with your password, creates ~/.ssh there with mode 700 if it does not exist yet, and appends the contents of .ssh/id_dsa.pub to ~/.ssh/authorized_keys, creating that file with mode 600. It does not rename the file: authorized_keys holds one public key per line, so the keys of several machines can be added to the same file.
The actual commands:
Generate the key pair:
[zdw@a ~]$ ss<Tab><Tab>                   # tab completion lists the ssh tools
ss         ssh-add    ssh-copy-id  ssh-keygen   ssltap
ssh        ssh-agent  sshd         ssh-keyscan
[zdw@a ~]$ ssh-keygen -t dsa              # press Enter at every prompt, no passphrase
Generating public/private dsa key pair.
Enter file in which to save the key (/home/zdw/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/zdw/.ssh/id_dsa.
Your public key has been saved in /home/zdw/.ssh/id_dsa.pub.
The key fingerprint is:
62:eb:f9:7d:1d:16:5a:f0:88:fa:6b:3f:35:3c:3a:df zdw@a
The key's randomart image is:
+--[ DSA 1024]----+
(randomart rows; the spacing was lost in extraction)
+-----------------+
[zdw@a ~]$ ll ~/ -al                      # the .ssh directory has appeared
total 28
drwx------. 3 zdw  zdw  4096 Jul 11 22:34 .
drwxr-xr-x. 3 root root 4096 Jul 11 22:04 ..
-rw-------. 1 zdw  zdw   108 Jul 11 23:14 .bash_history
-rw-r--r--. 1 zdw  zdw    18 Jul 18  2013 .bash_logout
-rw-r--r--. 1 zdw  zdw   176 Jul 18  2013 .bash_profile
-rw-r--r--. 1 zdw  zdw   124 Jul 18  2013 .bashrc
drwx------. 2 zdw  zdw  4096 Jul 11 23:14 .ssh
[zdw@a ~]$ ls -l .ssh/                    # it holds the two id_dsa files
total 12
-rw-------. 1 zdw zdw 668 Jul 11 23:14 id_dsa          # private key
-rw-r--r--. 1 zdw zdw 595 Jul 11 23:14 id_dsa.pub      # public key
-rw-r--r--. 1 zdw zdw 402 Jul 11 22:34 known_hosts
[zdw@a ~]$ ls -ld .ssh/
drwx------. 2 zdw zdw 4096 Jul 11 23:14 .ssh/
Distribute the public key:
[zdw@a ~]$ ssh-copy-id -i .ssh/id_dsa.pub "-p 52113 zdw@192.168.2.31"      # send to .31
zdw@192.168.2.31's password:
Now try logging into the machine, with "ssh '-p 52113 zdw@192.168.2.31'", and check in:
  .ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
[zdw@a ~]$
Note: "-p 52113 zdw@192.168.2.31" must be enclosed in double quotes. This older ssh-copy-id treats everything after the key file as the ssh target and passes it to ssh as one word, so the port option has to travel inside that single argument.

[zdw@a ~]$ ssh-copy-id -i .ssh/id_dsa.pub "-p 52113 zdw@192.168.2.32"      # send to .32
The authenticity of host '[192.168.2.32]:52113 ([192.168.2.32]:52113)' can't be established.
RSA key fingerprint is e1:7f:b5:7d:2c:48:e6:f8:e1:20:06:cf:e4:3a:ee:ab.
Are you sure you want to continue connecting (yes/no)? yes                 # type yes and press Enter
Warning: Permanently added '[192.168.2.32]:52113' (RSA) to the list of known hosts.
zdw@192.168.2.32's password:
Now try logging into the machine, with "ssh '-p 52113 zdw@192.168.2.32'", and check in:
  .ssh/authorized_keys                                                     # this line means the copy succeeded
to make sure we haven't added extra keys that you weren't expecting.
The extra prompt for .32 is the host-key check: cl1 has never talked to cl3, so ssh shows the server's fingerprint and asks you to accept it; once accepted it is pinned in ~/.ssh/known_hosts and any later change raises a warning. Compare the fingerprint with the one the server prints (ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub, run on cl3) before answering yes; otherwise you are typing your password into whichever machine answered on that address.

On cl2:
[zdw@b ~]$ ll .ssh/
total 8
-rw-------. 1 zdw zdw 595 Jul 11 23:26 authorized_keys
-rw-r--r--. 1 zdw zdw 402 Jul 11 23:37 known_hosts
On cl3:
[zdw@c ~]$ ll .ssh/
total 8
-rw-------. 1 zdw zdw 595 Jul 11 23:32 authorized_keys
-rw-r--r--. 1 zdw zdw 804 Jul 12 23:18 known_hosts
Note: we sent id_dsa.pub, so why does a file called authorized_keys appear?
Because that is the file sshd reads by default:
[root@a ~]# grep authorized_keys /etc/ssh/sshd_config
#AuthorizedKeysFile     .ssh/authorized_keys
The line is commented out because it only shows the built-in default. The path is relative to the user's home directory, so a key takes effect only once it sits in ~/.ssh/authorized_keys (or whatever AuthorizedKeysFile is changed to); anywhere else it is ignored. With the default StrictModes yes, sshd also ignores the file entirely if the home directory, ~/.ssh or authorized_keys is writable by group or others, which is why ssh-copy-id sets 700 on the directory and 600 on the file.
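To make the ssh-copy-id mechanism above and the AuthorizedKeysFile/permission rules concrete, here is the server-side half of ssh-copy-id written out by hand, together with the check that sshd's StrictModes makes. This is an added example, not code from the page, the course or OpenSSH; it assumes POSIX sh with coreutils, and the key file and home directory are whatever the caller passes, so it can be tried in a scratch directory. Unlike a plain `cat >> authorized_keys`, it refuses to append the same key twice.

```sh
#!/bin/sh
# Added example (not the page's code, not OpenSSH's ssh-copy-id): what ssh-copy-id
# does on the remote side, plus the permission check sshd performs with StrictModes yes.
# Assumes POSIX sh and coreutils.

# install_pubkey PUBKEY_FILE HOME_DIR
#   Appends the first line of PUBKEY_FILE to HOME_DIR/.ssh/authorized_keys, creating
#   .ssh (mode 700) and authorized_keys (mode 600) as needed. Matching is done on
#   "type blob", so the same key with a different comment is not appended twice.
#   Returns 0 when appended, 1 when the file is not a usable key, 2 when already present.
install_pubkey() {
    pub=$1
    home=$2
    key=$(head -n 1 "$pub" 2>/dev/null)    # authorized_keys holds one key per line
    set -- $key                            # $1 = key type, $2 = base64 blob, rest = comment
    case "$1" in
        ssh-ed25519|ssh-rsa|ssh-dss|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "install_pubkey: '$1' is not a supported key type" >&2; return 1 ;;
    esac
    if [ -z "$2" ]; then
        echo "install_pubkey: key material missing" >&2
        return 1
    fi
    old_umask=$(umask)
    umask 077                              # everything created below is private to the owner
    mkdir -p "$home/.ssh"
    chmod 700 "$home/.ssh"
    touch "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"
    if grep -qF -- "$1 $2" "$home/.ssh/authorized_keys"; then
        umask "$old_umask"
        return 2                           # already trusted; a second copy would only clutter the file
    fi
    printf '%s\n' "$key" >> "$home/.ssh/authorized_keys"
    umask "$old_umask"
    return 0
}

# check_strictmodes HOME_DIR
#   sshd (StrictModes yes, the default) ignores authorized_keys when the home directory,
#   .ssh or the file itself is writable by group or others. Same test from ls -ld output:
#   character 6 is the group write bit, character 9 the other write bit.
check_strictmodes() {
    home=$1
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$p" ] || { echo "check_strictmodes: $p missing" >&2; return 1; }
        bits=$(ls -ld "$p" | cut -c6,9)
        if [ "$bits" != "--" ]; then
            echo "check_strictmodes: $p is group/other writable; sshd will ignore the key" >&2
            return 1
        fi
    done
    return 0
}

# Usage, as ssh-copy-id would do it right after logging in:
#   install_pubkey /tmp/id_dsa.pub "$HOME" && check_strictmodes "$HOME"
```

Run install_pubkey twice with the same key and the second call returns 2 without touching the file, which is the behaviour you want in a batch loop that may be re-run; check_strictmodes is the test to run when a key is "installed but still asks for a password".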
Key distribution is done; now test it:
Run a command directly over the SSH connection to view the IP of cl3 (.32). No password is asked for:
[zdw@a ~]$ ssh -p52113 zdw@192.168.2.32 /sbin/ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:0C:29:07:EE:74
          inet addr:192.168.2.32  Bcast:192.168.2.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe07:ee74/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:19910 errors:0 dropped:0 overruns:0 frame:0
          TX packets:845 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1701472 (1.6 MiB)  TX bytes:106026 (103.5 KiB)
[zdw@a ~]$
Distribute a file (note that scp takes the port as -P, capital, while ssh uses -p):
[zdw@a ~]$ scp -P52113 a.txt zdw@192.168.2.31:~        # to the home directory on .31
a.txt                                        100%    4     0.0KB/s   00:00
[zdw@a ~]$ scp -P52113 a.txt zdw@192.168.2.32:~        # to the home directory on .32
a.txt                                        100%    4     0.0KB/s   00:00
On cl2:
[zdw@b ~]$ ls
a.txt
On cl3:
[zdw@c ~]$ ls
a.txt
Tip:
With many servers this gets tedious. Instead, on cl2 or cl3 pack ~/.ssh/authorized_keys into ssh_key.tar.gz and keep the archive on one server; when a new server is added, download it and unpack it into ~/.ssh of the right user (it already carries the 600 mode; the directory still needs 700). The archive holds only the public key, so it can sit anywhere; never do the same with id_dsa. The steps:
[zdw@cl3 ~]$ tar zcvf ssh_key.tar.gz .ssh/authorized_keys      # pack
.ssh/authorized_keys
[zdw@cl3 ~]$ ll ssh_key.tar.gz                                 # check
-rw-rw-r--. 1 zdw zdw 622 Jul 14 17:24 ssh_key.tar.gz
[zdw@cl3 ~]$
Passwordless login summary:
1) Key-based login is one-way: cl1 can reach cl2 and cl3 without a password, not the other way round, unless their public keys are also installed on cl1.
2) It is per user: the private key lives in one user's ~/.ssh on the client and the public key in one user's authorized_keys on the server. Avoid crossing users, e.g. putting zdw's key into root's authorized_keys.
3) Slow SSH connections: the usual causes are the server's reverse DNS lookup of the client and GSSAPI authentication attempts; set UseDNS no and GSSAPIAuthentication no in /etc/ssh/sshd_config on the servers.
4) Batch distribution to 1000 machines still needs the password typed once per host, and the first connection to each host asks for confirmation of the host key; automate both with expect.
How the scripts are used:
A script that checks IP, memory and so on on all machines in one go:
[zdw@cl1 ~]$ cat view.sh          # the viewing script
#!/bin/sh
if [ $# -ne 1 ]
then
    echo "USAGE:/bin/sh $0 arg1"
    exit 1
fi
for n in 31 32
do
    ssh -p52113 zdw@192.168.2.$n "$1"     # $1 is the whole remote command line, so quote it
done
[zdw@cl1 ~]$ /sbin/ifconfig eth0|sed -rn 's#^.*dr:(.*) Bc.*$#\1#gp'      # the command, tried locally first
192.168.2.30
View IPs:
[zdw@cl1 ~]$ sh view.sh "/sbin/ifconfig eth0"|sed -rne 's#^.*dr:(.*) Bc.*$#\1#gp'
192.168.2.31
192.168.2.32
[zdw@cl1 ~]$ sh view.sh "/sbin/ifconfig eth0|grep 192.168.2"
          inet addr:192.168.2.31  Bcast:192.168.2.255  Mask:255.255.255.0
          inet addr:192.168.2.32  Bcast:192.168.2.255  Mask:255.255.255.0
[zdw@cl1 ~]$ sh view.sh "/sbin/ifconfig eth0|sed -n '2p'"
          inet addr:192.168.2.31  Bcast:192.168.2.255  Mask:255.255.255.0
          inet addr:192.168.2.32  Bcast:192.168.2.255  Mask:255.255.255.0
View memory:
[zdw@cl1 ~]$ sh view.sh "/usr/bin/free"
             total       used       free     shared    buffers     cached
Mem:       1004412     187328     817084          0      49972      37656
-/+ buffers/cache:      99700     904712
Swap:      2031608          0    2031608
             total       used       free     shared    buffers     cached
Mem:       1004412     186080     818332          0      47808      38660
-/+ buffers/cache:      99612     904800
Swap:      2031608          0    2031608
Batch-distribute a file into the home directory:
[zdw@cl1 ~]$ cat hosts            # first copy hosts into the home directory and edit it there
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
#########
############
[zdw@cl1 ~]$ vi fenfa1.sh         # the script
#!/bin/sh
file="$1"
remotedir="$2"
. /etc/init.d/functions           # provides action, which prints the [ OK ] / [FAILED] column
if [ $# -ne 2 ]
then
    echo "USAGE:/bin/sh $0 arg1 arg2"
    exit 1
fi
for n in 31 32
do
    scp -P52113 -rp "$file" zdw@192.168.2.$n:"$remotedir" >/dev/null 2>&1
    if [ $? -eq 0 ]
    then
        action "scp $file to $remotedir is ok" /bin/true
    else
        action "scp $file to $remotedir is fail" /bin/false
    fi
done
[zdw@cl1 ~]$ sh fenfa1.sh hosts /home/zdw/     # run it: hosts from cl1's home directory goes to the home directories on cl2 and cl3
scp hosts to /home/zdw/ is ok                                 [  OK  ]
scp hosts to /home/zdw/ is ok                                 [  OK  ]
[zdw@cl2 ~]$ cat hosts            # check on cl2: distributed
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
#########
############
Batch-distribute a file into /etc:
Single-host distribution:
Approach: grant the ordinary user root's power for one command through visudo. The user stays an ordinary user but can run that one command as root.
[root@cl1 ~]# visudo              # edit sudoers; give zdw the right to run cp as root
                                  # 98gg jumps to line 98; copy that line to the end of the file and change it to:
zdw     ALL=(ALL)       NOPASSWD: /bin/cp
[zdw@cl1 ~]$ sudo -l              # test it
Matching Defaults entries for zdw on this host:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User zdw may run the following commands on this host:
    (ALL) NOPASSWD: /bin/cp
[zdw@cl1 ~]$ cp hosts /etc/       # plain cp into /etc: permission denied
cp: cannot create regular file `/etc/hosts': Permission denied
[zdw@cl1 ~]$ sudo cp hosts /etc/  # with sudo the copy into /etc goes through
[zdw@cl1 ~]$ cat /etc/hosts       # check /etc/hosts: fine
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.2.30 cl1
192.168.2.31 cl2
192.168.2.32 cl3
[zdw@cl1 ~]$
Be clear about how much this rule grants: cp run as root can overwrite /etc/sudoers, /etc/shadow or root's authorized_keys, so "zdw may run cp as root" is in practice "zdw is root", just without a shared root password or key and with every sudo call written to the log. If the only job is shipping the hosts file, restrict the rule to its arguments, e.g. zdw ALL=(ALL) NOPASSWD: /bin/cp /home/zdw/hosts /etc/hosts, or point it at a fixed wrapper script instead of cp itself.
Open the interactive window and run this on the other two machines:
echo "zdw ALL=(ALL) NOPASSWD: /bin/cp" >>/etc/sudoers
This gives zdw on those two machines root's power whenever it runs cp.
Appending with echo skips the locking and syntax check that visudo does, and a broken sudoers locks everybody out of sudo, so check the syntax on cl2 and cl3 afterwards (or put the line in a file under /etc/sudoers.d and check it with visudo -cf before it goes live):
[root@cl3 ~]# visudo -c           # syntax check after adding the line
/etc/sudoers: parsed OK
Single-file distribution:
Use sudo over ssh to put the hosts file into /etc on .31.
In visudo you will find this:
# Disable "ssh hostname sudo <cmd>", because it will show the password in clear.
# You have to run "ssh -t hostname sudo <cmd>".
#
Defaults    requiretty
This setting makes sudo refuse to run without a terminal, so a plain remote sudo fails. Either add -t to ssh so that a pseudo-terminal is allocated, or comment out Defaults requiretty (which carries the risk the comment describes: a sudo password prompt without a tty would echo the password). Keep requiretty and use -t.
Wrong:
[zdw@cl1 ~]$ ssh -p52113 zdw@192.168.2.31 sudo /bin/cp ~/hosts /etc/hosts
sudo: sorry, you must have a tty to run sudo
Right, with -t:
[zdw@cl1 ~]$ ssh -p52113 -t zdw@192.168.2.31 sudo /bin/cp ~/hosts /etc/hosts
Connection to 192.168.2.31 closed.
Check:
[zdw@cl2 ~]$ cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.2.30 cl1
192.168.2.31 cl2
192.168.2.32 cl3
Doing it in a script:
Only these two commands are needed, and no root login is involved in getting a file into /etc:
scp -P52113 -rp hosts zdw@192.168.2.31:~
ssh -p52113 -t zdw@192.168.2.31 sudo /bin/cp ~/hosts /etc/hosts
[zdw@cl1 ~]$ vi fenfa2.sh
#!/bin/sh
file="$1"                         # a bare file name in the current directory; scp lands it in ~ under that name
remotedir="$2"
. /etc/init.d/functions
if [ $# -ne 2 ]
then
    echo "USAGE:/bin/sh $0 arg1 arg2"
    exit 1
fi
for n in 31 32
do
    scp -P52113 -rp "$file" zdw@192.168.2.$n:~ >/dev/null 2>&1 &&\
    ssh -p52113 -t zdw@192.168.2.$n sudo /bin/cp ~/$file $remotedir
    if [ $? -eq 0 ]
    then
        action "scp $file to $remotedir is ok" /bin/true
    else
        action "scp $file to $remotedir is fail" /bin/false
    fi
done
[zdw@cl1 ~]$ sh fenfa2.sh hosts /etc
Connection to 192.168.2.31 closed.
scp hosts to /etc is ok                                       [  OK  ]
Connection to 192.168.2.32 closed.
scp hosts to /etc is ok                                       [  OK  ]
Check:
[zdw@cl3 ~]$ cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.2.30 cl1
192.168.2.31 cl2
192.168.2.32 cl3
Tip: to get rid of the "Connection to 192.168.2.31 closed." line, change the ssh line in the script to:
ssh -p52113 -t zdw@192.168.2.$n sudo /bin/cp ~/$file $remotedir >/dev/null 2>&1
(&>/dev/null does the same in bash; >/dev/null 2>&1 also works under a plain /bin/sh.)
Running the script again, the line is gone:
[zdw@cl1 ~]$ sh fenfa2.sh hosts /etc
scp hosts to /etc is ok                                       [  OK  ]
scp hosts to /etc is ok                                       [  OK  ]
To repeat the idea:
the file is first copied as the ordinary user into its own home directory, which always works, and only the final copy into place is done with sudo. The user never holds more than that one privileged command, and the copy still gets done.
rsync batch-distribution experiment:
Give rsync the SUID bit on all three machines:
chmod 4755 `which rsync`          # the SUID idea: the binary then runs as its owner, root, for whoever executes it
[root@cl1 ~]# chmod 4755 `which rsync`
[root@cl2 ~]# chmod 4755 `which rsync`
[root@cl3 ~]# chmod 4755 `which rsync`
[root@cl3 ~]# ll `which rsync`
-rwsr-xr-x. 1 root root 410536 Apr 30  2014 /usr/bin/rsync
[zdw@cl3 ~]$ find /usr/bin -type f -perm 4755 -exec ls -l {} \;      # -rwsr-xr-x. now carries the s bit
-rwsr-xr-x. 1 root root  71480 Dec  8  2011 /usr/bin/gpasswd
-rwsr-xr-x. 1 root root  51784 Nov 23  2013 /usr/bin/crontab
-rwsr-xr-x. 1 root root  36144 Dec  8  2011 /usr/bin/newgrp
-rwsr-xr-x. 1 root root  30768 Feb 22  2012 /usr/bin/passwd
-rwsr-xr-x. 1 root root 410536 Apr 30  2014 /usr/bin/rsync
-rwsr-xr-x. 1 root root  66352 Dec  8  2011 /usr/bin/chage
Unlike the sudo rule, this is not limited to zdw: every local account can now run rsync as root, so anyone on the box can copy /etc/shadow out or write a new /etc/sudoers with a single rsync command, and nothing is logged. Treat it as a classroom experiment, not a production setting, and undo it with chmod 755 /usr/bin/rsync afterwards.
On cl1, write fenfa3.sh:
Add a line ###zdw to hosts beforehand so the result can be compared after distribution.
[zdw@cl1 ~]$ cp fenfa2.sh fenfa3.sh
[zdw@cl1 ~]$ vi fenfa3.sh         # replace the "ssh -t ... sudo /bin/cp" line with an rsync call; -t is no longer needed since sudo is not used
#!/bin/sh
file="$1"
remotedir="$2"
. /etc/init.d/functions
if [ $# -ne 2 ]
then
    echo "USAGE:/bin/sh $0 arg1 arg2"
    exit 1
fi
for n in 31 32
do
    scp -P52113 -rp "$file" zdw@192.168.2.$n:~ >/dev/null 2>&1 &&\
    ssh -p52113 zdw@192.168.2.$n /usr/bin/rsync ~/$file $remotedir >/dev/null 2>&1
    if [ $? -eq 0 ]
    then
        action "scp $file to $remotedir is ok" /bin/true
    else
        action "scp $file to $remotedir is fail" /bin/false
    fi
done
Run it:
[zdw@cl1 ~]$ sh fenfa3.sh hosts /etc
scp hosts to /etc is ok                                       [  OK  ]
scp hosts to /etc is ok                                       [  OK  ]
Check on cl2:
[zdw@cl2 ~]$ cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.2.30 cl1
192.168.2.31 cl2
192.168.2.32 cl3
###zdw
Summary of SSH batch distribution and management options:
1. Do the SSH key authentication as root.
   Pros: simple and easy to use.
   Cons: poor security, and root login over SSH cannot be disabled (PermitRootLogin has to stay on); one leaked private key is root on every server.
   Enterprise use: 80% of companies.
2. Use an ordinary user such as zdw: copy the file into the user's home directory on the server first, then use sudo to copy it into the privileged target directory.
   Pros: safer: no root login, a key per user, and a sudo log entry for every privileged copy.
   Cons: more configuration, and the sudo rule has to be kept narrow; an unrestricted NOPASSWD: /bin/cp is still root-equivalent.
3. Extension: the same as option 2, but instead of sudo set the SUID bit on a fixed command.
   Pros: relatively safe compared with option 1.
   Cons: complicated, and weaker than option 2: anyone on the machine, not only zdw, can use a command with the SUID bit, and an SUID file-copying tool is root for all of them.
Letting cl1 and cl2 both reach cl3 without a password
The steps so far let cl1 reach cl2 and cl3 without a password. The course's shortcut for letting cl2 reach cl3 as well is to copy cl1's private key .ssh/id_dsa to cl2:
[zdw@cl1 ~]$ scp -P52113 .ssh/id_dsa zdw@192.168.2.31:~/.ssh/
id_dsa                                       100%  668     0.7KB/s   00:00
[zdw@cl2 ~]$ ll .ssh
total 12
-rw-------. 1 zdw zdw 595 Jul 11 23:26 authorized_keys
-rw-------. 1 zdw zdw 668 Jul 14 22:40 id_dsa
-rw-r--r--. 1 zdw zdw 804 Jul 14 19:08 known_hosts
This works because cl3's authorized_keys already trusts that key, but the same private key now lives on two machines, and a compromise of either one is a compromise of the key on both. The cleaner way is to run ssh-keygen on cl2 and ssh-copy-id its own public key to cl3, so that each machine has its own key and each can be revoked on its own.
Now cl2 can view cl3's IP without a password:
[zdw@cl2 ~]$ ssh -p52113 zdw@192.168.2.32 /sbin/ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:0C:29:07:EE:74
          inet addr:192.168.2.32  Bcast:192.168.2.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe07:ee74/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:77736 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3703 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:8452736 (8.0 MiB)  TX bytes:440448 (430.1 KiB)
Small tip: in vi, pressing o opens a new line below the cursor and enters insert mode; Shift+Insert pastes.
Batch distribution without root, in short (no user given, so the current user zdw is used on the remote side):
scp -P52113 -p hosts 192.168.2.31:~
ssh -p52113 -t 192.168.2.31 sudo cp /etc/hosts /etc/hosts.$(date +%F)      # keep a dated backup of the current file first
ssh -p52113 -t 192.168.2.31 sudo cp ~/hosts /etc/
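The three commands above are the right shape, but the sudo rule behind them (NOPASSWD: /bin/cp) lets zdw copy any file anywhere as root. The following is an added example, not the page's fenfa scripts and not from the course, of the narrower form the summary recommends: zdw is allowed a single wrapper script, and the script, not the caller, decides where files may come from and go to, keeps the dated backup, and refuses symlinked sources and path tricks. The install path /usr/local/sbin/deploy-file, the staging directory /home/zdw/stage and the destination list are assumptions for illustration; they are overridable only so the functions can be exercised in a scratch directory without root. Because the sudoers rule names the script, the remote call is ssh -p52113 -t host sudo /usr/local/sbin/deploy-file hosts /etc/hosts (destination is the full path), and the -t for requiretty still applies.

```sh
#!/bin/sh
# deploy-file: added example (not the page's code, not part of any project).
# Install as /usr/local/sbin/deploy-file, root:root, mode 755 (path is an assumption), and
# replace the page's open rule
#     zdw ALL=(ALL) NOPASSWD: /bin/cp
# with a rule that names only this script:
#     zdw ALL=(root) NOPASSWD: /usr/local/sbin/deploy-file
# The caller picks a file name and a destination; the staging directory and the set of
# allowed destinations are fixed here. Both are overridable (assumption) so the function
# can be tested in a scratch directory without root.
STAGE_DIR=${STAGE_DIR:-/home/zdw/stage}
ALLOWED_DESTS=${ALLOWED_DESTS:-"/etc/hosts /etc/resolv.conf"}

# deploy_file NAME DEST
#   Copies STAGE_DIR/NAME to DEST, first saving DEST as DEST.YYYY-MM-DD (the dated backup
#   the page's recap makes). Returns 1 when NAME carries a path component or starts with a
#   dot, when the source is a symlink or not a regular file, or when DEST is not allowed.
deploy_file() {
    name=$1
    dest=$2
    case "$name" in
        ''|*/*|.*) echo "deploy-file: bad name '$name'" >&2; return 1 ;;
    esac
    src=$STAGE_DIR/$name
    # cp follows symlinks, so a symlinked source would let the caller read any root file
    if [ -L "$src" ] || [ ! -f "$src" ]; then
        echo "deploy-file: $src is not a regular file" >&2
        return 1
    fi
    ok=0
    for d in $ALLOWED_DESTS; do
        if [ "$d" = "$dest" ]; then ok=1; fi
    done
    if [ "$ok" -ne 1 ]; then
        echo "deploy-file: $dest is not an allowed destination" >&2
        return 1
    fi
    if [ -e "$dest" ]; then
        cp -p "$dest" "$dest.$(date +%F)" || return 1
    fi
    # write next to the destination and rename, so readers never see a half-written file
    tmp=$dest.tmp.$$
    cp "$src" "$tmp" && chmod 644 "$tmp" && mv "$tmp" "$dest"
}

# When run as the installed command: deploy-file NAME DEST
case "${0##*/}" in
    deploy-file) deploy_file "$1" "$2" ;;
esac
```

The remaining gap is the window between the symlink test and the copy, during which zdw could swap the staged file; a production version would make the staging directory root-owned and writable only through scp of a fixed path, or copy with a tool that refuses to follow links.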
Learned from:
老男孩Linux