1. Set up the same account and password on every machine (transfer files as an ordinary user, so the distribution account carries no more privilege than it needs)
#useradd tornado
#echo 123456|passwd --stdin tornado
# The password is only needed once, for ssh-copy-id in step 3. Use a strong one rather than 123456, and once key authentication works lock it with "passwd -l tornado": key logins still work, but the shared account can no longer be brute-forced over the network.
2. Switch to the new user tornado and generate a key pair on the distribution server. (This page uses a 1024-bit DSA key; OpenSSH 7.0 and later disable ssh-dss keys by default, so on current systems run ssh-keygen -t ed25519 instead and read id_ed25519 wherever id_dsa appears below.)
[root@backup ~]# su - tornado
[tornado@backup ~]$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/tornado/.ssh/id_dsa):
Created directory '/home/tornado/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/tornado/.ssh/id_dsa.
Your public key has been saved in /home/tornado/.ssh/id_dsa.pub.
The key fingerprint is:
a9:b0:f5:06:72:9b:b5:92:cd:62:30:43:ca:da:7f:5b tornado@backup
The key's randomart image is:
+--[ DSA 1024]----+
| |
| |
| . |
| . o . |
| o * + S |
| o X @ . |
|. . . O E |
| . ..= |
| .... |
+-----------------+
[tornado@backup ~]$ ls -l .ssh/
total 8
-rw------- 1 tornado tornado 668 Sep 4 15:39 id_dsa # private key (must stay mode 600)
-rw-r--r-- 1 tornado tornado 604 Sep 4 15:39 id_dsa.pub # public key
3. Distribute the public key to the other servers (compare the host key fingerprint that ssh prints with the one on the target's console before answering yes; this is the only point at which the host key is verified)
[tornado@backup ~]$ ssh-copy-id -i .ssh/id_dsa.pub tornado@10.89.7.10
The authenticity of host '10.89.7.10 (10.89.7.10)' can't be established.
RSA key fingerprint is 01:e7:d2:70:fc:a8:1a:ee:88:07:ef:9b:37:40:29:2d.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.89.7.10' (RSA) to the list of known hosts.
tornado@10.89.7.10's password:
Permission denied, please try again.
tornado@10.89.7.10's password:
Now try logging into the machine, with "ssh 'tornado@10.89.7.10'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
[tornado@backup ~]$
# If sshd is not on port 22, pass the port as part of the quoted target (older ssh-copy-id only forwards options this way; newer versions also accept -p 52113 directly)
[tornado@backup ~]$ ssh-copy-id -i .ssh/id_dsa.pub "-p 52113 tornado@10.89.7.12"
4. Test: once the key has been distributed, commands run on the remote hosts without a password, e.g. /sbin/ifconfig
[tornado@backup ~]$ ssh -p52113 tornado@10.89.7.12 /sbin/ifconfig eth0
eth0 Link encap:Ethernet HWaddr 00:0C:29:CE:2E:36
inet addr:10.89.7.12 Bcast:10.89.7.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fece:2e36/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:297265 errors:0 dropped:0 overruns:0 frame:0
TX packets:36286 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:24006443 (22.8 MiB) TX bytes:3519806 (3.3 MiB)
5. File distribution script
#cat fenfa.sh
#!/bin/sh
. /etc/init.d/functions   # provides action() for the [ OK ]/[FAILED] lines
for n in 8 9 10
do
    # >/dev/null 2>&1, not the bash-only &>/dev/null, which a POSIX /bin/sh reads as a background job
    scp -P22 "$1" tornado@10.89.7.$n:~ >/dev/null 2>&1
    if [ $? -eq 0 ]
    then
        action "fenfa $1 ok?" /bin/true
    else
        action "fenfa $1 ok?" /bin/false
    fi
done
# Output when run
[tornado@backup scripts]$ sh fenfa.sh hosts
fenfa hosts ok? [ OK ]
fenfa hosts ok? [FAILED]
fenfa hosts ok? [FAILED]
The script above works, but it is not ideal: the tornado key can only write into its own home directory, so the file never reaches the place where it is actually needed. A better solution follows.
# Privilege escalation for the distribution step: use sudo so the file can be moved from the home directory to its final location. Do not generate the key pair as root. If the distribution server is ever compromised, a root key hands the attacker root on every client, whereas the tornado key only grants what sudoers allows.
Edit /etc/sudoers on each client. Run the following on the client:
[root@linux-node1 ~]# echo 'tornado ALL=(ALL) NOPASSWD:/usr/bin/rsync' >>/etc/sudoers
Then check the syntax and confirm the rule was added (always run visudo -c after appending with echo: a syntax error in /etc/sudoers disables sudo for everyone):
[root@linux-node1 ~]# visudo -c
/etc/sudoers: parsed OK
[root@linux-node1 ~]# grep tornado /etc/sudoers
tornado ALL=(ALL) NOPASSWD:/usr/bin/rsync
# Note that this rule is only marginally weaker than root: rsync with unrestricted arguments can overwrite any file on the system (sudo rsync evil /etc/sudoers, sudo rsync key /root/.ssh/authorized_keys), and its -e option runs an arbitrary program. Where the file names are fixed, list them in the rule so that only that one copy is permitted, e.g. tornado ALL=(root) NOPASSWD:/usr/bin/rsync hosts /etc/
On the distribution server run:
[tornado@backup ~]$ ssh -t tornado@10.89.7.12 sudo rsync hosts /etc/ # -t allocates a tty, which sudo needs when sudoers sets requiretty (the default on RHEL/CentOS 6)
Connection to 10.89.7.12 closed.
Before distribution:
[tornado@linux-node1 ~]$ cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
10.89.1.12 linux-node1.example.com
10.89.1.10 linux-node2.example.com
After distribution:
[tornado@linux-node1 ~]$ cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
#tornado
[tornado@linux-node1 ~]$
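The sudoers rule above leaves the tornado key able to run rsync as root with any arguments, so a compromised distribution server still gets root on every client. A second control is to pin the key in each client's ~tornado/.ssh/authorized_keys to a forced command that only accepts the two operations the distribution actually needs. The wrapper below is an added example, not part of the original page: the install path /usr/local/bin/fenfa-shell, the ~/incoming staging directory, the allow-listed destinations in FENFA_ALLOWED_DIRS and the Ed25519 key are all assumptions. With it in place the distribution server uploads with `ssh -p 52113 tornado@10.89.7.12 recv hosts < hosts` and installs with `ssh -p 52113 tornado@10.89.7.12 install hosts /etc`; every other request, including a plain `sudo rsync` or `/sbin/ifconfig`, is rejected and logged.

```shell
#!/bin/sh
# fenfa-shell: forced-command wrapper for the distribution key (added example,
# not from the original page). Install it on every client and pin the key to
# it in ~tornado/.ssh/authorized_keys (key type and path are assumptions):
#
#   command="/usr/local/bin/fenfa-shell",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-ed25519 AAAA... tornado@backup
#
# sshd then ignores whatever the client asked for, runs this script instead,
# and passes the original request in $SSH_ORIGINAL_COMMAND. Two requests exist:
#
#   recv NAME           store stdin as ~/incoming/NAME        (replaces scp)
#   install NAME DIR    sudo rsync ~/incoming/NAME DIR/        (DIR allow-listed)
#
# With no-pty set, sudo only works if sudoers has no "requiretty" for this user
# (RHEL 6 sets it by default: add "Defaults:tornado !requiretty").
set -f   # requests are matched as data, never glob-expanded

INCOMING="${FENFA_INCOMING:-$HOME/incoming}"
ALLOWED_DIRS="${FENFA_ALLOWED_DIRS:-/etc /etc/nginx/conf.d}"   # assumed for the example

# safe_name NAME -> 0 if NAME is a plain file name: no slash, no "." or "..",
# no leading dash, nothing outside [A-Za-z0-9._-]; else 1.
safe_name() {
    case "$1" in
        ''|*/*|.|..|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# allowed_dir DIR -> 0 if DIR is exactly one of the allow-listed directories.
allowed_dir() {
    for d in $ALLOWED_DIRS; do
        [ "$1" = "$d" ] && return 0
    done
    return 1
}

# validate_request "REQUEST" -> 0 if the request is well formed and permitted.
# The request is word-split here and compared piece by piece; it is never
# handed to a shell, so ; | $(..) or redirections cannot smuggle a command in.
validate_request() {
    set -- $1
    case "${1:-}" in
        recv)    [ $# -eq 2 ] && safe_name "$2" ;;
        install) [ $# -eq 3 ] && safe_name "$2" && allowed_dir "$3" ;;
        *)       return 1 ;;
    esac
}

# run_request "REQUEST" -> performs a request that passed validate_request.
run_request() {
    set -- $1
    case "$1" in
        recv)    mkdir -p "$INCOMING" && umask 077 && cat > "$INCOMING/$2" ;;
        install) sudo /usr/bin/rsync "$INCOMING/$2" "$3/" ;;
    esac
}

# Entry point when sshd runs this as the forced command. Invoked any other way
# (no SSH_ORIGINAL_COMMAND) it only defines the functions above.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if validate_request "$SSH_ORIGINAL_COMMAND"; then
        run_request "$SSH_ORIGINAL_COMMAND"
        exit $?
    fi
    logger -t fenfa-shell "rejected from ${SSH_CLIENT%% *}: $SSH_ORIGINAL_COMMAND"
    echo "fenfa-shell: request rejected" >&2
    exit 1
fi
```

The allow-list is matched exactly (`/etc` is permitted, `/etc/` is not), so the destination set is fixed by the client and cannot be widened from the distribution server. The sudoers rule still has to exist for `install`, but the wrapper means the only rsync invocation an attacker holding the key can trigger is a copy from ~/incoming into one of those directories.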
------------------------------------------
#cat fenfa_good.sh
#!/bin/sh
. /etc/init.d/functions
if [ $# -ne 2 ]
then
    echo "USAGE:$0 localfile remotedir"
    exit 1
fi
for n in 10 11 12
do
    # upload into ~ (the only place the key may write), then move it into place through the sudo rsync rule;
    # the remote side uses the basename, since scp dropped any local directory prefix
    scp -P22 -rp "$1" tornado@10.89.7.$n:~ >/dev/null 2>&1 &&
    ssh -t tornado@10.89.7.$n sudo rsync "$(basename "$1")" "$2" >/dev/null 2>&1
    if [ $? -eq 0 ]
    then
        action "10.89.7.$n :fenfa $1 ok?" /bin/true
    else
        action "10.89.7.$n :fenfa $1 ok?" /bin/false
    fi
done
[tornado@backup ~]$ sh /server/scripts/fenfa_good.sh hosts /etc
10.89.7.10 :fenfa hosts ok? [ OK ]
10.89.7.11 :fenfa hosts ok? [FAILED]
10.89.7.12 :fenfa hosts ok? [ OK ]
[tornado@backup ~]$
Postscript: inspect server configuration in batch
#cat view.sh
#!/bin/sh
if [ $# -ne 1 ]
then
    echo "USAGE:$0 Command"
    exit 1
fi
for n in 10 11 12
do
    echo =====10.89.7.$n=====
    ssh -p22 tornado@10.89.7.$n "$1"
done
[tornado@backup ~]$ sh /server/scripts/view.sh "/sbin/ifconfig eth0" # quote the command when it has arguments
=====10.89.7.10=====
eth0 Link encap:Ethernet HWaddr 00:0C:29:44:C1:06
inet addr:10.89.7.10 Bcast:10.89.7.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe44:c106/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:95568 errors:0 dropped:0 overruns:0 frame:0
TX packets:8895 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:11057298 (10.5 MiB) TX bytes:907262 (885.9 KiB)
=====10.89.7.11=====
ssh: connect to host 10.89.7.11 port 22: No route to host
=====10.89.7.12=====
eth0 Link encap:Ethernet HWaddr 00:0C:29:CE:2E:36
inet addr:10.89.7.12 Bcast:10.89.7.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fece:2e36/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:37319 errors:0 dropped:0 overruns:0 frame:0
TX packets:2436 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2469416 (2.3 MiB) TX bytes:216969 (211.8 KiB)
[tornado@backup ~]$
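Both fenfa_good.sh and view.sh hard-code the host octets, and both can hang on a password prompt or silently trust an unknown host key when run unattended. The script below is an added example, not the page's code. It keeps the page's mechanism (scp into ~, then sudo rsync through the sudoers rule) but reads targets with optional ports from a list, passes the ssh options that make unattended runs safe, uses the basename on the remote side so a local file given with a directory prefix still installs, and returns the number of failed hosts so cron or a parent script can act on it. The sample host list, the FENFA_SSH/FENFA_SCP override variables and the known_hosts advice are assumptions made for this example.

```shell
#!/bin/sh
# fenfa_batch.sh (added example, not the page's script): push one local file to
# every host in a list with the tornado key and install it through the sudo
# rsync rule, or run one command everywhere as view.sh does. The host list
# format, the sample addresses and the FENFA_* override variables are assumed.

# Targets, one "address[:port]" per line; "#" starts a comment. Constructed
# sample for the example; in real use pass "$(cat /server/scripts/hosts.txt)".
HOSTS_SAMPLE='# distribution targets
10.89.7.10
10.89.7.11          # unreachable in the runs above
10.89.7.12:52113    # sshd on a non-standard port
'

# ssh/scp are overridable so the logic can be exercised without a network
# (point them at a stub function, or at true/false).
SSH="${FENFA_SSH:-ssh}"
SCP="${FENFA_SCP:-scp}"

# What unattended use needs and the page's scripts lack: never fall back to a
# password prompt (BatchMode), never accept an unknown host key silently
# (StrictHostKeyChecking=yes; populate known_hosts first), and give up on a
# dead host instead of hanging (ConnectTimeout).
SSH_OPTS="-o BatchMode=yes -o StrictHostKeyChecking=yes -o ConnectTimeout=5"

# parse_hosts TEXT -> prints "host port" per target, skipping blanks/comments.
parse_hosts() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        line=$(printf '%s' "${line%%#*}" | tr -d '[:space:]')
        [ -z "$line" ] && continue
        case "$line" in
            *:*) printf '%s %s\n' "${line%%:*}" "${line#*:}" ;;
            *)   printf '%s 22\n' "$line" ;;
        esac
    done
}

# push_one HOST PORT LOCALFILE REMOTEDIR -> 0 if upload and install succeeded.
push_one() {
    host=$1; port=$2; file=$3; dest=$4
    name=$(basename "$file")
    # Upload into ~ (the only place the key may write), then move it into place
    # via sudo. The remote path is the basename: ssh starts in the home
    # directory, so this also works when LOCALFILE carries a directory prefix,
    # which fenfa_good.sh passes through unchanged and fails on.
    $SCP $SSH_OPTS -P "$port" -p "$file" "tornado@$host:" >/dev/null 2>&1 &&
    $SSH $SSH_OPTS -p "$port" -t "tornado@$host" sudo /usr/bin/rsync "$name" "$dest/" >/dev/null 2>&1
}

# distribute HOSTS_TEXT LOCALFILE REMOTEDIR -> one status line per host;
# returns the number of failed hosts (0 = all delivered), 255 = unreadable file.
distribute() {
    [ -r "$2" ] || { echo "distribute: cannot read $2" >&2; return 255; }
    failed=0
    for target in $(parse_hosts "$1" | tr ' ' ':'); do
        host=${target%%:*}; port=${target#*:}
        if push_one "$host" "$port" "$2" "$3"; then
            echo "$host:$port fenfa $(basename "$2") -> $3 [ OK ]"
        else
            echo "$host:$port fenfa $(basename "$2") -> $3 [FAILED]"
            failed=$((failed + 1))
        fi
    done
    return $failed
}

# run_on_all HOSTS_TEXT COMMAND -> runs COMMAND on every host (what view.sh
# does) and returns the number of hosts where it failed or was unreachable.
run_on_all() {
    failed=0
    for target in $(parse_hosts "$1" | tr ' ' ':'); do
        host=${target%%:*}; port=${target#*:}
        echo "=====$host====="
        $SSH $SSH_OPTS -p "$port" "tornado@$host" "$2" || failed=$((failed + 1))
    done
    return $failed
}

# Usage, with the functions sourced (. ./fenfa_batch.sh):
#   distribute "$(cat hosts.txt)" /server/scripts/hosts /etc
#   run_on_all "$(cat hosts.txt)" "/sbin/ifconfig eth0"
```

StrictHostKeyChecking=yes means every target's host key must already be in ~/.ssh/known_hosts or /etc/ssh/ssh_known_hosts on the distribution server; collect them once with ssh-keyscan and check the fingerprints against the targets' consoles, rather than answering yes interactively as in step 3. BatchMode=yes turns a missing or rejected key into an immediate [FAILED] instead of a hung password prompt.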