ssh-key passwordless authentication: distribution, management and backup guide 02
1. Backup requirements analysis
All servers share the same system user, xiaoping. Machines A and B must back up their local data to machine C, and during the backup C must not prompt for the system password.
In other words: a passwordless-login solution for backing up data from the A and B servers to the C backup storage server.
The backup data flow is:
A--->C
B-->C
As an analogy: several keys (A, B) opening one lock (C).
2. Generate the key pair
[xiaoping@clientC ~]$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/xiaoping/.ssh/id_dsa):
Created directory '/home/xiaoping/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/xiaoping/.ssh/id_dsa.
Your public key has been saved in /home/xiaoping/.ssh/id_dsa.pub.
The key fingerprint is:
db:c7:c4:95:66:00:06:b9:12:ca:72:e3:56:f6:08:e5 xiaoping@clientC
The key's randomart image is:
+--[ DSA 1024]----+
(randomart image omitted)
+-----------------+
[xiaoping@clientC ~]$ ls /home/xiaoping/.ssh/
id_dsa  id_dsa.pub
Note: the key pair is generated on C, the backup server, and the passphrase is left empty so that unattended cron jobs can use the key. 1024-bit DSA is what the OpenSSH of the time offered; OpenSSH 7.0 and later disable ssh-dss keys by default, so on current systems generate the pair with ssh-keygen -t ed25519 (or -t rsa -b 4096) instead. The rest of the procedure is unchanged apart from the file names.
3. Distribute the private key (the key)
Note in particular: this is where the backup scheme differs from the distribution scheme. In the distribution scheme the public key (the lock) is copied from A into the user's home directory on B and on C, one copy each. In the backup scheme we send the private key to the source servers A and B and keep the public key (the lock) on the backup server C, because the backup server itself is the "lock".
Two things follow from doing it this way. First, the same private key then lives on every source host, so a compromise of any one of them exposes the key for all of them, and the key cannot be revoked for one host alone; the cleaner variant is one key pair per source host, with every public key appended to authorized_keys on C, which is still "many keys, one lock". Second, the private key must stay mode 600 on the source host (scp -p preserves that), because ssh ignores a private key file with looser permissions.
[root@clientC .ssh]# grep \key /etc/ssh/sshd_config
#HostKey /etc/ssh/ssh_host_key
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
# Lifetime and size of ephemeral version 1 server key
#PubkeyAuthentication yes
#AuthorizedKeysFile     .ssh/authorized_keys
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
# Change to no to disable s/key passwords
(The two commented-out lines are the defaults: public-key authentication is on and the key file is ~/.ssh/authorized_keys, so sshd_config needs no change.)
[root@clientC .ssh]# su xiaoping
[xiaoping@clientC .ssh]$ ls -a
.  ..  id_dsa  id_dsa.pub  known_hosts
[xiaoping@clientC .ssh]$ mv id_dsa.pub authorized_keys     # fine only because no authorized_keys exists yet; otherwise append with cat id_dsa.pub >> authorized_keys
[xiaoping@clientC .ssh]$ ls -a
.  ..  authorized_keys  id_dsa  known_hosts
[xiaoping@clientC .ssh]$ scp -p id_dsa xiaoping@192.168.20.5:~/.ssh/     # push the private key to A (192.168.20.5)
xiaoping@192.168.20.5's password:
id_dsa                                        100%  668     0.7KB/s   00:00
Test from the A side:
[xiaoping@clientA .ssh]$ ssh xiaoping@192.168.20.25 free -m
The authenticity of host '192.168.20.25 (192.168.20.25)' can't be established.
RSA key fingerprint is 6c:3a:ef:2b:3f:18:b7:db:83:b4:72:22:5b:07:23:50.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.20.25' (RSA) to the list of known hosts.
             total       used       free     shared    buffers     cached
Mem:           143        130         12          0         33         17
-/+ buffers/cache:         79         64
Swap:         1983         13       1970
[xiaoping@clientA .ssh]$ scp -p -r /xiaoping/ xiaoping@192.168.20.25:/tmp/
22.sh                                         100%    0     0.0KB/s   00:00
111.sh                                        100%    0     0.0KB/s   00:00
(For an unattended cron backup, put C's host key into known_hosts on A beforehand instead of answering the fingerprint prompt on the first run.)
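The steps above put the key in place by renaming id_dsa.pub to authorized_keys and rely on the default permissions. The shell example below is added by the editor and is not code from the original notes: it installs a public key on the backup server C as a restricted authorized_keys entry (usable only from the source host's address, no pty, no forwarding), appends rather than overwrites so earlier keys survive, and checks the 700/600 modes. The source address 192.168.20.5, the home directory and the sample key data are assumptions; stat -c is GNU coreutils.

```shell
#!/bin/bash
# Added example: restricted authorized_keys entry for a backup key on the
# backup server (C), plus a permission check. Not from the original notes.
# Assumes GNU coreutils (stat -c) and one key pair per source host; the
# source host address is passed in by the caller.

# make_restricted_entry PUBKEY_FILE SOURCE_IP
# Print an authorized_keys line that accepts this key only from SOURCE_IP,
# with no pty and no port/agent/X11 forwarding. Non-zero on bad input.
make_restricted_entry() {
    pubkey_file=$1
    src_ip=$2
    [ -r "$pubkey_file" ] || { echo "cannot read $pubkey_file" >&2; return 1; }
    # A public key file is "type base64 [comment]" on one line.
    read -r ktype kdata kcomment < "$pubkey_file" || [ -n "$ktype" ]
    # ssh-dss (DSA) is disabled by default since OpenSSH 7.0, so refuse it.
    case "$ktype" in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "refusing key type '$ktype'" >&2; return 1 ;;
    esac
    [ -n "$kdata" ] || { echo "malformed key file $pubkey_file" >&2; return 1; }
    printf 'from="%s",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s %s%s\n' \
        "$src_ip" "$ktype" "$kdata" "${kcomment:+ $kcomment}"
}

# install_key HOME_DIR ENTRY
# Append ENTRY to HOME_DIR/.ssh/authorized_keys (append, so keys already
# installed for other source hosts survive) and tighten the modes.
install_key() {
    home_dir=$1
    entry=$2
    mkdir -p "$home_dir/.ssh"
    chmod 700 "$home_dir/.ssh"
    printf '%s\n' "$entry" >> "$home_dir/.ssh/authorized_keys"
    chmod 600 "$home_dir/.ssh/authorized_keys"
}

# check_ssh_perms HOME_DIR
# 0 if .ssh is 700 and authorized_keys is 600. sshd's StrictModes (on by
# default) refuses the file when it or the directory is group/world
# writable, and the client then silently falls back to password login.
check_ssh_perms() {
    home_dir=$1
    dmode=$(stat -c %a "$home_dir/.ssh") || return 1
    fmode=$(stat -c %a "$home_dir/.ssh/authorized_keys") || return 1
    [ "$dmode" = 700 ] && [ "$fmode" = 600 ]
}

# Typical use on C after a source host's public key has been copied over:
#   entry=$(make_restricted_entry /tmp/clientA.pub 192.168.20.5) \
#       && install_key /home/xiaoping "$entry" && check_ssh_perms /home/xiaoping
```

The from= restriction means a stolen private key is useless from any other address, and no-pty plus the no-*-forwarding options keep a backup-only key from being turned into an interactive login; with a command="..." option added the key can be pinned to the single rsync or scp invocation the backup needs.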
【How to back up files into root's directory on the remote C side】
First adjust the sudo rights of the xiaoping user. The rule has to be in the sudoers of the host where sudo rsync will actually run, i.e. the target of the ssh -t below (192.168.20.25), and visudo is run there as root; the prompts in this log name clientA, but the rule is needed on the host being logged into. The -t is required because the target's sudoers has requiretty set (see the sudo -l output further down).
[xiaoping@clientA ~]$ visudo
xiaoping ALL=(ALL) NOPASSWD: /usr/bin/rsync,/usr/bin/scp,/bin/cp
[root@clientA xiaoping]# su xiaoping
[xiaoping@clientA ~]$ scp -p -r ./xiaoping xiaoping@192.168.20.25:~
./xiaoping: No such file or directory
[xiaoping@clientA ~]$ scp -p -r /home/xiaoping xiaoping@192.168.20.25:~     # first copy the files into the remote home directory
manager.sh                                    100%  435     0.4KB/s   00:00
iplist                                        100%   28     0.0KB/s   00:00
.bash_history                                 100%   44     0.0KB/s   00:00
hoststatus.txt                                100%    0     0.0KB/s   00:00
.bash_profile                                 100%  176     0.2KB/s   00:00
id_dsa                                        100%  668     0.7KB/s   00:00
known_hosts                                   100%  789     0.8KB/s   00:00
net.sh                                        100%  521     0.5KB/s   00:00
.bash_logout                                  100%   18     0.0KB/s   00:00
network.sh                                    100%  238     0.2KB/s   00:00
.bashrc                                       100%  124     0.1KB/s   00:00
[xiaoping@clientA ~]$ ssh -t -p 22 xiaoping@192.168.20.25 sudo rsync -avz -p /home/xiaoping/xiaoping /root/     # then log in to the remote host and use sudo to copy them into /root (-a already implies -p)
sending incremental file list
xiaoping/
xiaoping/.bash_history
xiaoping/.bash_logout
xiaoping/.bash_profile
xiaoping/.bashrc
xiaoping/hoststatus.txt
xiaoping/net.sh
xiaoping/network.sh
xiaoping/xiaogui
xiaoping/xiaolai
xiaoping/xiaoqi
xiaoping/xiaozhou
xiaoping/.ssh/
xiaoping/.ssh/id_dsa
xiaoping/.ssh/known_hosts
xiaoping/manager/
xiaoping/manager/iplist
xiaoping/manager/manager.sh
sent 3108 bytes  received 309 bytes  6834.00 bytes/sec
total size is 3041  speedup is 0.89
Connection to 192.168.20.25 closed.
[xiaoping@clientA ~]$
#scp -p -r /home/xiaoping xiaoping@192.168.20.25:~
#ssh -t -p 22 xiaoping@192.168.20.25 sudo rsync -avz -p /home/xiaoping/xiaoping /root/
Note what the file lists above show: copying the whole home directory recursively also shipped .ssh/id_dsa, so the private key now sits in /root/xiaoping/.ssh on the target as well. When backing up a home directory, exclude .ssh (rsync --exclude .ssh) or back up only the data directories.
Alternative when root login on the target is permitted (no sudo step, but a root password or root key on every node):
scp -P22 -p -r /xiaoping root@192.168.20.5:~
Method one: an rsync service. Deploy an rsync daemon on the backup server and make every backup node an rsync client. This is the backup scheme most commonly used in production; very fragmented data (many small files) should be packed into an archive before it is transferred.
Method two: FTP. Deploy an FTP daemon on the backup server and make every backup node an FTP client; when the local backup has finished, push the data to the backup server over FTP. Also usable, with the caveat that plain FTP carries both credentials and data unencrypted, so it belongs on an isolated backup network at most.
Method three: NFS. Deploy an NFS service on the backup server and make every backup node an NFS client; when the local backup has finished (or by backing up straight to the remote NFS server), push the data to the NFS backup server through the mount. This works too and is acceptable for a small fleet of about 15 machines or fewer, but it is not recommended.
Method four: scp with ssh keys, or an expect-driven interactive session. Listed here as one more backup idea; not recommended.
Summary: no matter which scheme is used, a backup cannot be assumed to have worked. In my own work the content on the backup server is additionally checked by a script that mails its results on a schedule, and periodic restore tests are done by hand or automatically (for example, once a week the data is restored automatically onto the test WEB SERVER and DB SERVER). The backup and restore results are then sent, usually daily, by hand or automatically to the mailboxes of the operations group, to make sure the backed-up data is really usable.
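The summary above relies on a script that checks what actually landed on the backup server. The shell example below is added by the editor and is not the notes' own checking script: the source writes a SHA-256 manifest of what it sends, the backup server re-hashes its copy against that manifest, and the age of the newest backed-up file is reported so that a backup that silently stopped running is noticed as well. The directory layout, the age limit and the mail hand-off are assumptions; sha256sum, find -printf and date +%s are GNU tools.

```shell
#!/bin/bash
# Added example, not the original notes' script. Verify that what reached
# the backup server is what left the source, and that it is recent.
# Assumes GNU coreutils/findutils (sha256sum, find -printf, date +%s).

# make_manifest DIR
# Print "sha256  ./relative/path" for every regular file under DIR, sorted,
# so the manifest is stable across runs. Run on the source and ship the
# output next to (not inside) the backup tree.
make_manifest() {
    dir=$1
    (cd "$dir" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2)
}

# verify_manifest DIR MANIFEST
# Re-hash DIR against MANIFEST (written on the source by make_manifest).
# Prints a line per changed or missing file; non-zero if anything differs.
verify_manifest() {
    dir=$1
    manifest=$(cd "$(dirname "$2")" && pwd)/$(basename "$2")
    (cd "$dir" && sha256sum --quiet -c "$manifest")
}

# newest_age DIR
# Seconds since the newest regular file under DIR was modified; non-zero
# (and no output) if DIR holds no files at all.
newest_age() {
    dir=$1
    newest=$(find "$dir" -type f -printf '%T@\n' | sort -n | tail -n 1)
    [ -n "$newest" ] || return 1
    echo $(( $(date +%s) - ${newest%.*} ))
}

# backup_report DIR MANIFEST MAX_AGE_SECONDS
# Combine both checks into one exit status and a short text report; the
# report is what a cron job on the backup server pipes into mail(1).
backup_report() {
    dir=$1 manifest=$2 max_age=$3
    rc=0
    if verify_manifest "$dir" "$manifest" >/dev/null 2>&1; then
        echo "content: OK (matches manifest)"
    else
        echo "content: FAILED (see sha256sum -c output)"; rc=1
    fi
    age=$(newest_age "$dir") || { echo "freshness: FAILED (no files)"; return 1; }
    if [ "$age" -le "$max_age" ]; then
        echo "freshness: OK (newest file ${age}s old)"
    else
        echo "freshness: FAILED (newest file ${age}s old, limit ${max_age}s)"; rc=1
    fi
    return $rc
}

# Cron on C, once a day, for the copy pushed by A (paths are assumptions):
#   backup_report /backup/clientA /backup/clientA.sha256 90000 | mail -s "backup clientA" ops@example.invalid
```

The manifest is produced on the source, so a transfer that truncated or skipped a file shows up as a mismatch on the backup server rather than as a silently short copy; the freshness check catches the other common failure, a cron job that stopped running while last week's backup still verifies perfectly. A restore test, as the summary recommends, remains the only check that the data is usable and not just intact.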
Scheme one: key authentication set up directly as the root user
Scheme two: key set up by an ordinary user (escalating with sudo)
Here the direction is the distribution one: the key pair is created on C for the new user 001 and ssh-copy-id installs the public key on A (192.168.20.5), so C can push to A without a password. (Quoting "-p 22 user@host" as one argument is the trick for old ssh-copy-id versions without a -p option.)
[root@clientC ~]# useradd 001
[root@clientC ~]# tail -l /etc/passwd
rpc:x:32:32:Rpcbind Daemon:/var/cache/rpcbind:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
SambaServer:x:501:501::/home/SambaServer:/bin/false
lily:x:502:502::/home/lily:/bin/bash
lisan:x:503:502::/home/lisan:/bin/bash
proadmin:x:504:504::/home/proadmin:/sbin/nologin
prouser:x:505:504::/home/prouser:/sbin/nologin
xiaoping:x:506:506::/home/xiaoping:/bin/bash
001:x:507:507::/home/001:/bin/bash
[root@clientC ~]# echo "123456" | passwd --stdin 001
Changing password for user 001.
passwd: all authentication tokens updated successfully.
[root@clientC ~]# su -001     # typo: "su - 001" needs the space
su: invalid option -- '0'
Try `su --help' for more information.
[root@clientC ~]# su 001
[001@clientC root]$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/001/.ssh/id_dsa):
Created directory '/home/001/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/001/.ssh/id_dsa.
Your public key has been saved in /home/001/.ssh/id_dsa.pub.
The key fingerprint is:
d4:44:da:62:a9:f1:af:c9:66:47:c2:09:ba:06:0e:b8 001@clientC
The key's randomart image is:
+--[ DSA 1024]----+
(randomart image omitted)
+-----------------+
[001@clientC .ssh]$ ssh-copy-id -i id_dsa.pub "-p 22 001@192.168.20.5"
The authenticity of host '192.168.20.5 (192.168.20.5)' can't be established.
RSA key fingerprint is c1:28:b4:c3:f6:3d:85:bf:b2:df:59:17:d5:9f:65:2e.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.20.5' (RSA) to the list of known hosts.
001@192.168.20.5's password:
Now try logging into the machine, with "ssh '-p 22 001@192.168.20.5'", and check in:
  .ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
[001@clientC .ssh]$ ssh 001@192.168.20.5 free -m
             total       used       free     shared    buffers     cached
Mem:           199        182         17          0         52         19
-/+ buffers/cache:        109         89
Swap:         1055          0       1055
[001@clientC .ssh]$ ssh 001@192.168.20.5 /sbin/ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:0C:29:D8:5D:8C
          inet addr:192.168.20.5  Bcast:192.168.20.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fed8:5d8c/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:32979 errors:0 dropped:0 overruns:0 frame:0
          TX packets:24899 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2999695 (2.8 MiB)  TX bytes:6948512 (6.6 MiB)
[001@clientC .ssh]$ mkdir /001/
mkdir: cannot create directory `/001/': Permission denied
[001@clientC .ssh]$ mkdir 001
[001@clientC .ssh]$ cd 001
[001@clientC 001]$ touch 001
[001@clientC 001]$ touch 002
[001@clientC 001]$ echo 111 > 001
[001@clientC .ssh]$ scp -p -r 001 001@192.168.20.5:~
001                                           100%    4     0.0KB/s   00:00
002                                           100%    0     0.0KB/s   00:00
[001@clientC .ssh]$ scp -p -r 001 001@192.168.20.5:/etc     # 001 has no root on the A side, so escalation is needed
scp: /etc/001: Permission denied
[root@clientA xiaoping]# grep \001 /etc/sudoers     # add the sudo rule on A in preparation for the copy below
001 ALL=(ALL) NOPASSWD: /usr/bin/rsync,/usr/bin/scp,/bin/cp
[001@clientC .ssh]$ ssh -t 001@192.168.20.5 sudo rsync -avz -p 001 /etc/
sending incremental file list
001/
001/001
001/002
sent 155 bytes  received 54 bytes  418.00 bytes/sec
total size is 4  speedup is 0.02
Connection to 192.168.20.5 closed.
[root@clientC scirts]# mkdir /xp001/ -p
[root@clientC scirts]# chown 001 /xp001/ -R
[root@clientC scirts]# cp /etc/hosts /xp001/
[root@clientC scirts]# cd /xp001/
[root@clientC xp001]# ll
total 4
-rw-r--r-- 1 root root 225 Feb 23 23:49 hosts
[root@clientC xp001]# su 001
[001@clientC xp001]$ scp -p -r /xp001/hosts 001@192.168.20.5:~
hosts                                         100%  225     0.2KB/s   00:00
[001@clientC xp001]$ ssh -t 001@192.168.20.5 sudo rsync -avz -P hosts /etc
sending incremental file list
hosts
         225 100%    0.00kB/s    0:00:00 (xfer#1, to-check=0/1)
sent 199 bytes  received 31 bytes  460.00 bytes/sec
total size is 225  speedup is 0.98
Connection to 192.168.20.5 closed.
[001@clientC xp001]$ vi 001-fenfa.sh     # a script to do the distribution automatically
[001@clientC xp001]$ sh 001-fenfa.sh hosts
hosts                                         100%  225     0.2KB/s   00:00
sending incremental file list
sent 41 bytes  received 12 bytes  106.00 bytes/sec
total size is 225  speedup is 4.25
Connection to 192.168.20.5 closed.
[001@clientC xp001]$ cat 001-fenfa.sh
# Usage: sh 001-fenfa.sh FILE   (FILE is looked up in /xp001 on C)
# For each target: copy the file into the remote home with the 001 key,
# then log in and let sudo rsync move it into /etc there.
for ip in 192.168.20.5
do
    scp -p -r "/xp001/$1" 001@$ip:~
    ssh -t 001@$ip sudo rsync -avz -P "$1" /etc
done
[001@clientC xp001]$
## What if a file has to be copied from an arbitrary directory on C into an arbitrary directory on the remote end?
1. The C side then also needs sudo, which asks for a password, so it amounts to local root on C authenticating to the 001 user on the remote end.
2. Any file or directory the user has read permission on can be copied.
[root@clientC ~]# cp -ap /home/001/.ssh/ /root/     # give root on C the same key 001 uses
[root@clientC ~]# mkdir /lily
[root@clientC ~]# chmod 700 /lily/
[root@clientC ~]# touch /lily/001
[root@clientC ~]# su 001
[001@clientC root]$ sudo -l
Matching Defaults entries for 001 on this host:
    requiretty, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User 001 may run the following commands on this host:
    (ALL) NOPASSWD: /usr/bin/rsync, (ALL) /usr/bin/scp, (ALL) /bin/cp
[001@clientC root]$ sudo scp -p -r /lily/001 001@192.168.20.5:~
scp: /home/001/001: Is a directory     # the remote home already holds the directory 001 created earlier
[001@clientC root]$ sudo scp -P22 -p -r /lily/ 001@192.168.20.5:~
001                                           100%    0     0.0KB/s   00:00
[root@clientC ~]# ll .ssh
total 16
drwxrwxr-x 2 001 001 4096 Feb 23 23:36 001
-rw------- 1 001 001  668 Feb 23 23:30 id_dsa
-rw-r--r-- 1 001 001  601 Feb 23 23:30 id_dsa.pub
-rw-r--r-- 1 001 001  394 Feb 23 23:34 known_hosts
[root@clientC .ssh]# diff id_dsa /home/001/.ssh/id_dsa     # confirm the two copies of the key are identical
[root@clientC .ssh]#
[root@clientC .ssh]# ssh -t 001@192.168.20.5 sudo rsync -avz -p /lily/ /etc/
sending incremental file list
rsync: change_dir "/lily" failed: No such file or directory (2)
sent 18 bytes  received 12 bytes  60.00 bytes/sec
total size is 0  speedup is 0.00
rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1039) [sender=3.0.6]
Connection to 192.168.20.5 closed.
The last command fails because the rsync source path is resolved on the remote host: the scp before it put the directory into /home/001/lily there, not /lily, so the remote command should read sudo rsync -avz /home/001/lily/ /etc/.
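The sudoers rule used in scheme two, NOPASSWD: /usr/bin/rsync,/usr/bin/scp,/bin/cp, is in effect a root grant: sudo cp can overwrite /etc/shadow or /etc/sudoers, and sudo rsync can write any path and, through -e/--rsh, run an arbitrary command as root. The shell example below is added by the editor and is not code from the notes: a wrapper that performs only the one privileged step the flow actually needs, moving a file that user 001 staged into a root-owned directory, so that sudoers grants the wrapper and nothing else. The stage directory /home/001/stage, the destination /etc and the wrapper name /usr/local/sbin/install-from-stage are assumptions; stat -c is GNU coreutils.

```shell
#!/bin/bash
# Added example, not from the original notes: a single-purpose sudo target.
# Assumed deployment (hypothetical paths):
#   install -o root -g root -m 0755 this-file /usr/local/sbin/install-from-stage
#   sudoers:  001 ALL=(root) NOPASSWD: /usr/local/sbin/install-from-stage
# User 001 then runs:  sudo /usr/local/sbin/install-from-stage hosts
# and has no other command available under sudo.

STAGE_DIR=/home/001/stage   # where 001 scp's files to; owned by 001
DEST_DIR=/etc               # the only directory the wrapper will write into

# stage_install STAGE_DIR DEST_DIR NAME
# Copy STAGE_DIR/NAME to DEST_DIR/NAME as root-owned 0644. Refuse anything
# that is not a bare file name for a regular, non-linked file in STAGE_DIR.
stage_install() {
    stage=$1 dest=$2 name=$3
    case "$name" in
        ''|*/*|.|..) echo "refused: '$name' is not a plain file name" >&2; return 1 ;;
    esac
    src="$stage/$name"
    # A symlink in the stage directory could point at any root-readable file
    # and install(1) would copy its target out as world-readable, so reject it.
    if [ -h "$src" ] || [ ! -f "$src" ]; then
        echo "refused: $src is not a regular file" >&2; return 1
    fi
    # Hard links are not symlinks: require the file to belong to the stage
    # directory's owner so a link to a root-owned file is refused as well.
    if [ "$(stat -c %u "$src")" != "$(stat -c %u "$stage")" ]; then
        echo "refused: $src is not owned by the stage owner" >&2; return 1
    fi
    [ -d "$dest" ] || { echo "refused: $dest is not a directory" >&2; return 1; }
    if [ "$(id -u)" -eq 0 ]; then
        install -o root -g root -m 0644 "$src" "$dest/$name"
    else
        install -m 0644 "$src" "$dest/$name"   # unprivileged run, e.g. a dry test
    fi
}

# Run only when invoked as the installed command, and only with the
# hard-coded directories: neither the command line nor the environment
# chooses the paths, so an env_keep entry in sudoers cannot redirect it.
case "$0" in
    install-from-stage|*/install-from-stage) stage_install "$STAGE_DIR" "$DEST_DIR" "$1" ;;
esac
```

The same shape works for the /root copy in the earlier section: one wrapper per privileged operation, each with its destination fixed in the script, instead of a general-purpose copy tool under NOPASSWD. The check-then-install sequence is still a small window for races, so the stage directory must be writable by 001 only and the wrapper must not be given a directory 001 shares with other accounts.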
Scheme three: key set up by an ordinary user (setuid on the command for escalation)
[root@clientC .ssh]# which rsync
/usr/bin/rsync
[root@clientC .ssh]# chmod 4755 /usr/bin/rsync     # setuid: rsync now runs with root's privileges for whoever invokes it
[root@clientC .ssh]# ls /usr/bin/rsync -l
-rwsr-xr-x. 1 root root 415544 Nov 11  2010 /usr/bin/rsync
[root@clientC .ssh]# rsync -avz -P /xp001/001-fenfa.sh -e 'ssh' 001@192.168.20.5:/etc
sending incremental file list
001-fenfa.sh
         107 100%    0.00kB/s    0:00:00 (xfer#1, to-check=0/1)
rsync: mkstemp "/etc/.001-fenfa.sh.ld7zDj" failed: Permission denied (13)
sent 183 bytes  received 31 bytes  142.67 bytes/sec
total size is 107  speedup is 0.50
rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1039) [sender=3.0.6]
[root@clientC .ssh]#
[001@clientC .ssh]$ rsync -avz -p /etc/hosts -e 'ssh ' 001@192.168.20.5:/etc
sending incremental file list
hosts
rsync: mkstemp "/etc/.hosts.V7AS9m" failed: Permission denied (13)
sent 188 bytes  received 31 bytes  146.00 bytes/sec
total size is 225  speedup is 1.03
rsync error: some files/attrs were not transferred (see previous errors) (code 2
[001@clientC .ssh]$ rsync -avz -p /etc/hosts -e 'ssh -p 22 ' 001@192.168.20.5:/tmp/
sending incremental file list
hosts
sent 188 bytes  received 31 bytes  146.00 bytes/sec
total size is 225  speedup is 1.03
Why both pushes into /etc fail while the push into /tmp succeeds: the file is written by the receiving rsync on 192.168.20.5, which sshd starts as user 001, and the setuid bit on C's own /usr/bin/rsync has no effect there. Setting the bit on the receiving host's rsync instead would make the copy work, but a setuid rsync lets every account on that host read and write any file as root, so this scheme should not be used at all.
Summary of solutions for batch distribution, deployment and management:
【1】SecureCRT
Use SecureCRT's interactive chat window (other remote-access clients have a similar feature):
a. batch-inspect client CPU, memory, load, IP and so on through the chat window;
b. batch-deploy clients such as nagios or puppet through the chat window;
c. distribute files.
【2】Put the files to be distributed on an http server, then use the chat window to run the same wget against that URL on every host.
Suitable for environments of up to about 200 servers; the more servers there are, the more cumbersome batch deployment this way becomes.
【3】ssh key schemes
Simple, easy to use and powerful for distribution. For fleets under about 1000 machines we can run rsync in daemon mode and have the clients pull from the distribution server with a scheduled rsync (puppet and cfengine follow the same idea).
Several ways to do batch distribution, deployment and management with ssh key authentication:
a. Key authentication set up directly as the root user.
Advantages: simple and convenient. Disadvantage: extremely insecure.
b. Key set up by an ordinary user (escalating with sudo).
Advantages: simple, convenient and safer. Disadvantages: needs some skill, and it is only safer than (a) if the sudo rule is narrower than a blanket rsync/scp/cp grant, because each of those commands can write any file as root.
c. Key set up by an ordinary user, with setuid on the command for escalation:
[root@clientA tmp]# chmod 4755 /usr/bin/rsync     # an ordinary user running rsync now has root's privileges
[root@clientA etc]# ll /usr/bin/rsync
-rwsr-xr-x. 1 root root 410536 Apr 30  2014 /usr/bin/rsync
This is root for every local account that can run rsync, since rsync reads and writes arbitrary files, and it does nothing for a push into a remote directory, where the receiving rsync is started by sshd as the login user; it is not a usable option.
【4】expect
Here expect can drive batch distribution and management directly and dispense with key authentication: it scripts the interactive commands (combined with rsync, scp and sudo) and can do file distribution between ordinary users and root, batch deployment, configuration management and information gathering.
Advantages: simple and powerful. Disadvantages: somewhat harder and relatively complex; scripts have to be written.
【5】puppet
Distribution tool, both push and pull.
Disadvantage: complex, especially for control and batch deployment; most people end up using it only for data distribution.
【6】cfengine
Distribution tool, both push and pull.
Disadvantage: complex, especially for control and batch deployment; most people end up using it only for data distribution.
【7】rsync
Run an rsync daemon on the distribution server, then have the clients fetch with a scheduled task to distribute files.
【8】lsyncd (sersync)
Event-triggered, real-time fetch or push.
【9】http
http server plus a cron job on the clients to distribute files.
【10】NFS network file system
Put the files to be distributed on NFS, then copy them into place on the clients with a scheduled task.