ssh+key

Chapter 1 SSH supplement

1.1 SSH service related commands and usage

    ssh -p52113 wuhuang@10.0.0.41 [command]

Basic syntax of the command for connecting to a remote host over SSH:

-p (lowercase) is followed by the port; when the default port 22 is used, -p22 can be omitted;

The part before "@" is the username; when connecting as the current user, the user can be omitted.

The part after "@" is the IP of the server to connect to. More options:

 -A carries the private key authentication (agent forwarding) along when logging in to the remote host

Run man ssh for more help.

1.2 scp

scp -P22 -rp /tmp/wuhuang  wuhuang@10.0.0.143:/tmp

Note: the scp command has the concepts of push and pull.

-P  (uppercase; note the difference from the ssh command) is followed by the port; when the default port 22 is used, -P22 can be omitted;

-r   recursive, i.e. copy a directory;

-p   preserve file or directory attributes (modes, times) across the copy;

-l   limit, limits the bandwidth used.

/tmp/wuhuang is the local directory.

Before "@" is the username, after "@" is the IP of the server to connect to.

The :/tmp after the IP is the target directory on the remote end.

1.3 sftp

    sftp -oPort=52113 wuhuang@10.0.0.142     --- establishes the control connection, as in the FTP protocol

-oPort=52113    --- specifies the port of the SSH service to connect to

sftp>           --- the sftp control command prompt

bye             --- Quit sftp; leaves the control interface

ls              --- list files or directories on the sftp server side

lls             --- list files or directories on the sftp client (local) side

pwd             --- show the current working path on the sftp server after login

lpwd            --- show the current working path on the client side

get             --- download data from the server

put             --- upload data from the client

mget            --- download multiple files in one go

mput            --- upload multiple files in one go

Chapter 2 ssh+key

2.1 Deploying an environment based on SSH key authentication

2.1.1 Step 1: create the key pair

ssh-keygen -t rsa

2.1.2 Step 2: distribute the public key

ssh-copy-id -i /root/.ssh/id_rsa.pub 172.16.1.41

2.2 Problems encountered when batch-deploying the ssh+key environment

2.2.1 Creating the key pair requires interaction (pressing Enter)

1) The private key save path must be confirmed

Solution: ssh-keygen -t rsa -f /root/.ssh/id_rsa

  -f filename    #Specifies the filename of the key file.  (parameter giving the path where the private key file is saved)

2) The private key passphrase must be confirmed

Solution: ssh-keygen -t rsa -f /root/.ssh/id_rsa -P ""

-N new_passphrase      #Provides the new passphrase.

-P passphrase          #Provides the (old) passphrase.

2.2.2 Distributing the public key requires typing yes and the password

Solution:

sshpass -p123456 ssh-copy-id -i /root/.ssh/id_rsa.pub "172.16.1.41 -o StrictHostKeyChecking=no"

sshpass -p123456                                 #gives the password 123456, so there is no interactive prompt

If the port is not the default 22, for example 52114:

sshpass -p123456 ssh-copy-id -i /root/.ssh/id_rsa.pub "172.16.1.7 -p52114"

 

[root@m01 ~]# cat /usr/bin/ssh-copy-id

……

ssh $1 "exec sh -c 'cd; umask 077; test -d .ssh || mkdir .ssh ; cat >> .ssh/authorized_keys && (test -x /sbin/restorecon && /sbin/restorecon .ssh .ssh/authorized_keys >/dev/null 2>&1 || true)'" || exit 1

……

Explanation:

1. exec sh -c               --- runs the rest in a fresh sh with a temporary environment inside the script

2. cd                     --- change to the current user's home directory

3. umask 077              --- set a temporary umask so the public key file that is written is created with 600 permissions

4. test -d .ssh || mkdir .ssh    --- check whether .ssh exists in the current user's home directory and create it if not

5. cat >> .ssh/authorized_keys && ...omitted...    ---- copy the public key of the local key pair to the remote host; when the remote host receives it, the key is appended to .ssh/authorized_keys

Overall meaning: log in to the remote host, save the public key into .ssh/authorized_keys in the corresponding user's home directory on that host, and set authorized_keys to 600 permissions
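The ssh-copy-id snippet above appends the key blindly, which is why its final message asks you to check for "extra keys". The function below is an added example (not from the original post and not ssh-copy-id's own code): it performs the same umask/mkdir/append sequence against a local home directory so it runs offline, but skips a key that is already authorized and enforces the 700/600 modes. The sample public key is constructed and is not a real key.

```shell
#!/bin/sh
# Added example, not code from the original post: the ssh-copy-id core
# (umask 077; test -d .ssh || mkdir .ssh; cat >> .ssh/authorized_keys) as a
# function that works on a local home directory, made idempotent so that a
# re-run of a distribution script does not leave duplicate key lines behind.

# constructed sample public key for the demo (not a real key)
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleKeyNotRealAAAAAAAAAAAAA root@m01'

# install_pubkey HOME PUBKEY_FILE: append the key once, with safe permissions
install_pubkey() {
    home="$1"; pubkey="$2"
    key_line=$(head -n 1 "$pubkey") || return 1
    # the base64 blob (2nd field) identifies the key; the comment after it does not
    blob=$(printf '%s\n' "$key_line" | awk '{print $2}')
    [ -n "$blob" ] || return 1
    (
        umask 077                            # anything created below is 700 / 600
        cd "$home" || exit 1
        test -d .ssh || mkdir .ssh
        touch .ssh/authorized_keys
        # skip if this blob is already authorized (ssh-copy-id would append again)
        grep -qF -- "$blob" .ssh/authorized_keys && exit 0
        printf '%s\n' "$key_line" >> .ssh/authorized_keys
        # enforce the modes even if the directory or file existed before
        chmod 700 .ssh && chmod 600 .ssh/authorized_keys
    )
}

# count_keys HOME: number of key lines in the user's authorized_keys (0 if none)
count_keys() {
    [ -f "$1/.ssh/authorized_keys" ] || { echo 0; return 0; }
    grep -c -v '^#' "$1/.ssh/authorized_keys" || true
}

# demo: install the sample key twice into a temporary home; prints 1, not 2
demo() {
    d=$(mktemp -d)
    printf '%s\n' "$SAMPLE_PUBKEY" > "$d/id_demo.pub"
    install_pubkey "$d" "$d/id_demo.pub"
    install_pubkey "$d" "$d/id_demo.pub"
    count_keys "$d"
    rm -rf "$d"
}
```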

 

shift: one shift can be understood as discarding the first argument on the command line (each further shift discards the next argument in turn, and so on)

Script contents

[root@m01 scripts]# cat shift.sh
#!/bin/bash
until [ $# -eq 0 ]
do
   echo $*
   shift
done

Execution result

[root@m01 scripts]# sh shift.sh 1 2 3 4 5 6

1 2 3 4 5 6

2 3 4 5 6

3 4 5 6

4 5 6

5 6

6

2.3 Writing a non-interactive batch public key distribution script

2.3.1 Write the script

Script contents

[root@m01 scripts]# cat fenfa.sh
#!/bin/bash

# create key pair
\rm /root/.ssh/id_rsa* -f                   # remove any existing key in .ssh, otherwise the next creation prompts whether to overwrite
ssh-keygen -t rsa -f /root/.ssh/id_rsa -P "" &>/dev/null                              # create the key pair non-interactively

# fenfa (distribute)                                                          # distribute the public key non-interactively
for ip in 7 8 31 41
do
  echo =====================172.16.1.$ip fenfa info==========================
  sshpass -p123456 ssh-copy-id -i /root/.ssh/id_rsa.pub "172.16.1.$ip -o StrictHostKeyChecking=no"
  echo =====================172.16.1.$ip fenfa end===========================
  echo ""
done

2.3.2 Test

[root@m01 scripts]# sh fenfa.sh

=====================172.16.1.7 fenfa info==========================

Now try logging into the machine, with "ssh '172.16.1.7 -o StrictHostKeyChecking=no'", and check in:

 

  .ssh/authorized_keys

 

to make sure we haven't added extra keys that you weren't expecting.

 

=====================172.16.1.7 fenfa end===========================

 

=====================172.16.1.8 fenfa info==========================

Warning: Permanently added '172.16.1.8' (RSA) to the list of known hosts.

Now try logging into the machine, with "ssh '172.16.1.8 -o StrictHostKeyChecking=no'", and check in:

 

  .ssh/authorized_keys

 

to make sure we haven't added extra keys that you weren't expecting.

 

=====================172.16.1.8 fenfa end===========================

 

=====================172.16.1.31 fenfa info==========================

Now try logging into the machine, with "ssh '172.16.1.31 -o StrictHostKeyChecking=no'", and check in:

 

  .ssh/authorized_keys

 

to make sure we haven't added extra keys that you weren't expecting.

 

=====================172.16.1.31 fenfa end===========================

 

=====================172.16.1.41 fenfa info==========================

Now try logging into the machine, with "ssh '172.16.1.41 -o StrictHostKeyChecking=no'", and check in:

 

  .ssh/authorized_keys

 

to make sure we haven't added extra keys that you weren't expecting.

 

=====================172.16.1.41 fenfa end===========================

 


2.4 Writing a batch management script

2.4.1 Write the script

[root@m01 scripts]# cat batch.sh
#!/bin/bash

#batch

for ip in 7 8 31 41
do
echo =====================172.16.1.$ip host info==========================
ssh 172.16.1.$ip $1                                                    #$1 is the first argument
echo ""
done

Note: if the script is run without an argument, it first connects to 172.16.1.7, then to 31, and then from 31 on to 41

2.4.2 Test

[root@m01 scripts]# sh batch.sh hostname                                #view each host's hostname in batch

=====================172.16.1.7 host info==========================

web01

 

=====================172.16.1.8 host info==========================

web02

 

=====================172.16.1.31 host info==========================

nfs01

 

=====================172.16.1.41 host info==========================

backup

[root@m01 scripts]# sh batch.sh free -m                                #view each host's memory in batch

=====================172.16.1.7 host info==========================

             total       used       free     shared    buffers     cached

Mem:        485984     252840     233144        228      26956     121208

-/+ buffers/cache:     104676     381308

Swap:       204796          0     204796

 

=====================172.16.1.8 host info==========================

             total       used       free     shared    buffers     cached

Mem:        485984     258228     227756        236      27088     124804

-/+ buffers/cache:     106336     379648

Swap:       204796          0     204796

 

=====================172.16.1.31 host info==========================

             total       used       free     shared    buffers     cached

Mem:        485984     248468     237516        228      25568     117744

-/+ buffers/cache:     105156     380828

Swap:       204796          0     204796

 

=====================172.16.1.41 host info==========================

             total       used       free     shared    buffers     cached

Mem:        485984     239944     246040        228      25412     114812

-/+ buffers/cache:      99720     386264

Swap:       204796          0     204796

 

[root@m01 scripts]# sh batch.sh uptime                                #view each host's load in batch

=====================172.16.1.7 host info==========================

 11:18:17 up  1:25,  1 user,  load average: 0.00, 0.00, 0.00

 

=====================172.16.1.8 host info==========================

 11:18:18 up  1:24,  1 user,  load average: 0.00, 0.00, 0.00

 

=====================172.16.1.31 host info==========================

 11:18:18 up  1:31,  1 user,  load average: 0.00, 0.00, 0.00

 

=====================172.16.1.41 host info==========================

 11:18:18 up  1:26,  1 user,  load average: 0.00, 0.00, 0.00

 

[root@m01 scripts]# sh batch.sh yum install libselinux-python -y     #install the ansible managed-node software in batch
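A hardened variant of batch.sh, added here as an example and not the post's own script. It forwards the whole command with "$@" (with $1 alone, `sh batch.sh free -m` sends only `free` to the hosts, which is why the memory figures above are in kilobytes), refuses to open an interactive shell when no command is given, makes ssh fail fast instead of falling back to a password prompt on a host where the key is missing, and reports per-host status. The host list is the one from the post; the SSH variable is an assumption so the function can be exercised with a substitute ssh.

```shell
#!/bin/sh
# Added example, not the batch.sh from the post: run one command on every host
# and report status. Differences from `ssh 172.16.1.$ip $1`:
#   "$@"            forwards the whole command (`free -m`, not just `free`)
#   usage guard     no command means no accidental interactive login
#   BatchMode=yes   never prompts for a password; a host whose authorized_keys
#                   lacks our key fails immediately instead of hanging
#   ConnectTimeout  bounds the wait on an unreachable host
# Assumptions: host list from the post; SSH names the ssh command so a test
# can substitute a fake one.
SSH=${SSH:-ssh}
HOSTS=${HOSTS:-"172.16.1.7 172.16.1.8 172.16.1.31 172.16.1.41"}

# run_on_hosts COMMAND [ARG...]: returns 1 if any host failed, 2 on misuse, else 0
run_on_hosts() {
    [ $# -gt 0 ] || { echo "usage: run_on_hosts COMMAND [ARG...]" >&2; return 2; }
    fail=0
    for host in $HOSTS; do
        echo "===================== $host host info =========================="
        if $SSH -o BatchMode=yes -o ConnectTimeout=5 "$host" "$@"; then
            echo "[$host] ok"
        else
            echo "[$host] FAILED" >&2
            fail=1
        fi
        echo ""
    done
    return $fail
}
```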

Chapter 3 Making access between multiple hosts key-based in every direction

3.1 Method 1 (idea: all hosts use the same key)

3.1.1 Step 1: create a key pair on one host

[root@m01 ~]# ssh-keygen -t rsa

Generating public/private rsa key pair.

Enter file in which to save the key (/root/.ssh/id_rsa):

Enter passphrase (empty for no passphrase):

Enter same passphrase again:

Your identification has been saved in /root/.ssh/id_rsa.

Your public key has been saved in /root/.ssh/id_rsa.pub.

The key fingerprint is:

50:c8:08:88:32:8e:ad:ad:e2:3e:9c:c1:b3:1f:ad:92 root@m01

The key's randomart image is:

+--[ RSA 2048]----+

|.... o ..        |

|=   . o.         |

|+o    .          |

|...    .         |

|.o      S        |

|.+. .            |

|..*. .           |

|oE  o            |

|+o+o             |

+-----------------+

[root@m01 ~]# ll .ssh/

total 8

-rw------- 1 root root 1675 Feb  3 11:34 id_rsa

-rw-r--r-- 1 root root  390 Feb  3 11:34 id_rsa.pub

3.1.2 Step 2: copy the public key to authorized_keys

[root@m01 ~]# cd .ssh/

[root@m01 .ssh]# cp id_rsa.pub authorized_keys

[root@m01 .ssh]# ll

total 12

-rw-r--r-- 1 root root  390 Feb  3 11:36 authorized_keys

-rw------- 1 root root 1675 Feb  3 11:34 id_rsa

-rw-r--r-- 1 root root  390 Feb  3 11:34 id_rsa.pub

3.1.3 Step 3: set authorized_keys permissions to 600

[root@m01 .ssh]# chmod 600 authorized_keys 

3.1.4 Step 4: copy the .ssh directory to the other hosts

[root@m01 ~]# rsync -rp .ssh root@172.16.1.7:/root

[root@m01 ~]# rsync -rp .ssh root@172.16.1.8:/root

[root@m01 ~]# rsync -rp .ssh root@172.16.1.31:/root

[root@m01 ~]# rsync -rp .ssh root@172.16.1.41:/root

3.1.5 Step 5: test

[root@m01 ~]# ssh 172.16.1.7 hostname

web01

[root@m01 ~]# ssh 172.16.1.8 hostname

web02

[root@m01 ~]# ssh 172.16.1.31 hostname

nfs01

[root@m01 ~]# ssh 172.16.1.41 hostname

backup

Access between the hosts now needs no password

 

3.2 Method 2

Idea: each host creates its own key pair, then distributes its public key to the other hosts

This method is more tedious; the workload grows as the number of hosts increases

Chapter 4 Using Xshell for key-based connections to the virtual hosts

4.1 Step 1: set the user authentication method


4.2 Step 2: transfer the host's private key to the host machine (the PC running Xshell)

[root@web02 .ssh]# sz  id_rsa

4.3 Step 3: create the user key


4.4 Step 4: modify the SSH server configuration file and reload the service

[root@web02 .ssh]# vim /etc/ssh/sshd_config

66 PasswordAuthentication no

[root@web02 .ssh]# /etc/init.d/sshd reload

Reloading sshd:                                       [  OK  ]

4.5 Step 5: reconnect and test


Note: because all these hosts share the same key pair, every one of them can be reached from Xshell with key-based login
