Introduction to the ssh service
1) An encrypted protocol for remote connections and data transfer; it provides remote login and listens on port 22 by default
2) How an ssh remote connection works
It relies on a lock (the public key) and a key (the private key) to set up an encrypted remote connection
3) How key-based ssh remote login works
a The management server creates a key pair and sends the public key to the managed server
b The management end requests a connection to the managed end
c The managed end sends a public-key challenge to the management end
d The management end answers the challenge, so the two ends can interact without a password
4) Commands based on the ssh protocol
ssh scp sftp
netstat -lntup |egrep sshd --- check which port ssh is listening on
1.1 Deploying an ssh+key (password-less interaction) architecture environment
Confirm the deployment architecture environment
Management server: m01
Managed servers: web01 nfs01 backup
Architecture deployment (ssh+key)
Milestone 1: create the key pair on the management server
Two ways to create the key pair:
a Create the key pair interactively
[root@m01 ~]# ssh-keygen -t dsa
Generating public/private dsa key pair. --- prompt: key pair creation starts
Enter file in which to save the key (/root/.ssh/id_dsa): --- prompt: confirm where the private key file is saved
Enter passphrase (empty for no passphrase): --- prompt: whether to protect the private key file with a passphrase
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_dsa. --- final path of the private key file
Your public key has been saved in /root/.ssh/id_dsa.pub. --- final path of the public key file
The key fingerprint is: --- the following lines show the key fingerprint
0b:d2:c0:14:3c:9b:9d:de:1b:d8:3a:c6:92:f9:39:d5 root@m01
The key's randomart image is:
+--[ DSA 1024]----+
| .o. |
| oo |
| o= . |
| ooo |
| ..o+S. |
| .o.=.E |
| + o.o |
| + *.. |
| +oo |
+-----------------+
b Create the key pair non-interactively
a Interactive prompt 1: the private key file save path must be confirmed
-f filename Specifies the filename of the key file.
-f "/root/.ssh/id_dsa"
b Interactive prompt 2: the private key passphrase must be confirmed
-N new_passphrase Provides the new passphrase.
-P passphrase Provides the (old) passphrase.
-N ""
ssh-keygen -t dsa -f "/root/.ssh/id_dsa" -N ""
ssh-keygen -t dsa -f "/root/.ssh/id_dsa" -N "" -q
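Added example (not from the original notes) of Milestone 1 done non-interactively, with a check that the written .pub file really belongs to the private key. It uses -t ed25519 rather than the notes' -t dsa: OpenSSH 7.0 disabled ssh-dss keys by default, so a newly made DSA key is refused by current servers. The temporary key directory, the comment root@m01 and the function names are assumptions made here.

```shell
#!/bin/bash
# Added example (not part of the original notes): non-interactive key-pair
# creation as in Milestone 1, using ed25519 instead of dsa.

# Generate a passphrase-less key pair under $1 without any prompts.
# -f fixes the file name, -N "" sets an empty passphrase, -q suppresses the
# fingerprint and randomart output, -C sets the comment (assumed: root@m01).
gen_key_pair() {
    dir=$1
    mkdir -p "$dir" && chmod 700 "$dir"
    ssh-keygen -t ed25519 -f "$dir/id_ed25519" -N "" -q -C "root@m01"
}

# Confirm that the .pub file belongs to the private key: derive the public
# key from the private key (-y) and compare type and key material.
pubkey_matches() {
    dir=$1
    derived=$(ssh-keygen -y -f "$dir/id_ed25519" | awk '{print $1, $2}')
    stored=$(awk '{print $1, $2}' "$dir/id_ed25519.pub")
    if [ "$derived" = "$stored" ]; then echo yes; else echo no; fi
}

# The fingerprint the interactive run prints after "The key fingerprint is:".
key_fingerprint() {
    ssh-keygen -lf "$1/id_ed25519.pub" | awk '{print $2}'
}

# Demonstration in a temporary directory (skipped if openssh-client is absent).
if command -v ssh-keygen >/dev/null 2>&1; then
    workdir=$(mktemp -d)
    gen_key_pair "$workdir"
    echo "fingerprint: $(key_fingerprint "$workdir")"
    echo "public key matches private key: $(pubkey_matches "$workdir")"   # yes
    rm -rf "$workdir"
else
    echo "ssh-keygen not found; install openssh-client to run this demo" >&2
fi
```

To use the key for the rest of this page, point -f at /root/.ssh/id_ed25519 and distribute id_ed25519.pub with ssh-copy-id exactly as the notes do for id_dsa.pub.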
Milestone 2: distribute the public key from the management server to the managed servers
a Distribute the public key interactively
ssh-copy-id [-i [identity_file]] [user@]machine
ssh-copy-id -i /root/.ssh/id_dsa.pub 172.16.1.41
ssh-copy-id -i /root/.ssh/id_dsa.pub 172.16.1.31
ssh-copy-id -i /root/.ssh/id_dsa.pub 172.16.1.8
[root@m01 ~]# ssh-copy-id -i /root/.ssh/id_dsa.pub 172.16.1.41
The authenticity of host '172.16.1.41 (172.16.1.41)' can't be established.
RSA key fingerprint is 59:41:4e:36:ae:75:83:01:23:93:7b:c8:68:ff:37:9f.
Are you sure you want to continue connecting (yes/no)? yes --- confirm whether to accept the remote host's public key
Warning: Permanently added '172.16.1.41' (RSA) to the list of known hosts.
root@172.16.1.41's password: --- the first connection must authenticate with a password
Now try logging into the machine, with "ssh '172.16.1.41'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
[root@m01 ~]# ssh 172.16.1.41 --- connection test: the remote host can now be logged into without a password
Last login: Tue Dec 5 12:02:48 2017 from 10.0.0.253
[root@backup ~]# exit --- leave the current client session
[root@m01 ~]# ssh 172.16.1.41 uptime --- run a command on the remote host without logging in
09:52:05 up 9:02, 1 user, load average: 0.00, 0.00, 0.00
Problem: if the client's default ssh port has been changed, how is the public key distributed?
Look at the ssh-copy-id script:
ssh $1 "exec sh -c 'cd; umask 077; test -d .ssh || mkdir .ssh ; cat >> .ssh/authorized_keys && (test -x /sbin/restorecon && /sbin/restorecon .ssh .ssh/authorized_keys >/dev/null 2>&1 || true)'" || exit 1
a Temporarily set umask to 077
b Check whether the .ssh directory exists; create it if it does not
c Append the contents of the management end's public key file to ~/.ssh/authorized_keys on the managed end; the file is created with mode 600
666-077 = 6 -1 -1 = 600 (a negative digit becomes 0)
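What the one-liner above does on the managed end, as an added example that is not from the notes: it reproduces the umask 077 / mkdir .ssh / append sequence in a temporary directory so the resulting modes (700 for .ssh, 600 for authorized_keys, i.e. 666 masked by 077) can be checked, and adds the duplicate check that ssh-copy-id's closing message asks you to do by hand. The key line is a constructed sample, not a real key; mode_of uses GNU stat.

```shell
#!/bin/bash
# Added example (not part of the original notes): the managed-end side of
# ssh-copy-id, with a duplicate-key check added. The key below is constructed.

SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYMATERIALonlyforillustration root@m01'

# Append a public key under $1/.ssh the way ssh-copy-id does:
# umask 077 makes the new directory 700 and the new file 600 (666 & ~077).
# Unlike the original one-liner, a key that is already present is skipped.
install_pubkey() {
    home=$1; pubkey=$2
    (
        cd "$home" || exit 1
        umask 077
        test -d .ssh || mkdir .ssh
        if test -f .ssh/authorized_keys && grep -qxF "$pubkey" .ssh/authorized_keys; then
            exit 0          # already installed; nothing to do
        fi
        printf '%s\n' "$pubkey" >> .ssh/authorized_keys
    )
}

# Octal mode of a path (GNU stat; on BSD/macOS use: stat -f %Lp).
mode_of() {
    stat -c %a "$1"
}

# Number of key lines stored under $1/.ssh/authorized_keys.
key_count() {
    wc -l < "$1/.ssh/authorized_keys" | tr -d ' '
}

# Demonstration: install twice and confirm the key is stored only once.
demo=$(mktemp -d)
install_pubkey "$demo" "$SAMPLE_PUBKEY"
install_pubkey "$demo" "$SAMPLE_PUBKEY"
echo ".ssh mode: $(mode_of "$demo/.ssh")"                              # 700
echo "authorized_keys mode: $(mode_of "$demo/.ssh/authorized_keys")"  # 600
echo "keys stored: $(key_count "$demo")"                               # 1
rm -rf "$demo"
```

The modes matter because sshd ignores authorized_keys (with StrictModes, the default) when the file or the home directory is writable by others, which is the usual cause of a key that was "distributed" but still prompts for a password.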
Solution 1: edit the script directly
ssh -p52113 $1 "exec sh -c 'cd; umask 077; test -d .ssh || mkdir .ssh ; cat >> .ssh/authorized_keys && (test -x /sbin/restorecon && /sbin/restorecon .ssh .ssh/authorized_keys >/dev/null 2>&1 || true)'" || exit 1
Solution 2: pass it through the command argument
ssh-copy-id -i /root/.ssh/id_dsa.pub "172.16.1.8 -p52113"
Explanation: the proper reading is
-i is $1
/root/.ssh/id_dsa.pub is $2
172.16.1.8 is $3
but the ssh-copy-id script runs shift twice, so what was $3 (172.16.1.8) ends up as $1. Because the script uses $1 unquoted in "ssh $1 ...", the quoted string "172.16.1.8 -p52113" is split into two words, so ssh receives the host and -p52113 as separate arguments.
Understanding the shift command
[root@m01 scripts]# vim test_shift.sh
#!/bin/bash
until [ $# -eq 0 ]
do
echo $*
shift
done
[root@m01 scripts]# sh test_shift.sh 1 2 3 4 5 6
1 2 3 4 5 6
2 3 4 5 6
3 4 5 6
4 5 6
5 6
6
b The first remote connection needs password authentication
sshpass -p 123456 ssh-copy-id -i /root/.ssh/id_dsa.pub "172.16.1.8 -p22 -o StrictHostKeyChecking=no"
Now try logging into the machine, with "ssh '172.16.1.8 -p52113 -o StrictHostKeyChecking=no'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
Milestone 3: batch public-key distribution and automatic key-pair generation
Write a script to distribute the public key in batch
[root@m01 scripts]# cat fenfa_check.sh
#!/bin/bash
# var info
Password_info=123456
Server_Port=22
Cmd_info=$1
# run the check command on each client server
for ip in 8 31 41
do
echo "================= host 172.16.1.$ip check_info ================="
ssh -p$Server_Port 172.16.1.$ip "$Cmd_info"
echo ""
done
[root@m01 scripts]# cat fenfa_keygen.sh
#!/bin/bash
# var info
Password_info=123456
Server_Port=22
# create key pair
rm /root/.ssh/id_dsa* -f
ssh-keygen -t dsa -f "/root/.ssh/id_dsa" -N "" -q
# push public key to client server
for ip in 8 31 41
do
echo "================= host 172.16.1.$ip info ================="
sshpass -p $Password_info ssh-copy-id -i /root/.ssh/id_dsa.pub "172.16.1.$ip -p$Server_Port -o StrictHostKeyChecking=no"
echo "================= host info end ================="
echo ""
done
[root@m01 scripts]# cat test_shift.sh
#!/bin/bash
until [ $# -eq 0 ]
do
echo $*
shift
done
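A batch distribution script written for this page (it is not one of the scripts from the notes), covering both the changed-port problem above and the loops in fenfa_keygen.sh and fenfa_check.sh. Differences from the notes' scripts: the port is passed as a real -p option, which current ssh-copy-id accepts, instead of being smuggled inside the host string; the password is read by sshpass -e from the SSHPASS environment variable rather than stored in the script; StrictHostKeyChecking=accept-new (OpenSSH 7.6 and later) records unknown host keys but still refuses changed ones, unlike =no; and DRY_RUN=1 (the default here) prints the commands instead of running them. The inventory, key path and port 52113 are constructed.

```shell
#!/bin/bash
# Added example (not one of the scripts in the notes): batch key distribution
# and batch checks with a reviewable dry-run mode.

# Constructed inventory, one "ip port" pair per line; # starts a comment.
HOST_LIST='
# host          port
172.16.1.8      52113
172.16.1.31     22
172.16.1.41     22
'

# Print the inventory as clean "host port" pairs.
inventory_pairs() {
    printf '%s\n' "$HOST_LIST" | sed 's/#.*//' | awk 'NF == 2 { print $1, $2 }'
}

# Run (or, with DRY_RUN=1, only print) one command given as separate words.
# Passing host and port as separate arguments avoids the "host -p port"
# trick, which only worked because $1 was expanded unquoted.
run_or_print() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Push the public key to every host. sshpass -e takes the password from the
# SSHPASS environment variable, so it is never written into the script.
distribute_key() {
    local pubkey=$1 user=$2 host port
    inventory_pairs | while read -r host port; do
        run_or_print sshpass -e ssh-copy-id -i "$pubkey" -p "$port" \
            -o StrictHostKeyChecking=accept-new "$user@$host"
    done
}

# Run a check command on every host over the key-based login (like
# fenfa_check.sh); BatchMode=yes fails instead of prompting if the key is missing.
run_check() {
    local user=$1 cmd=$2 host port
    inventory_pairs | while read -r host port; do
        run_or_print ssh -p "$port" -o BatchMode=yes "$user@$host" "$cmd"
    done
}

# Demonstration: DRY_RUN defaults to 1, so no host is contacted.
distribute_key /root/.ssh/id_ed25519.pub root
run_check root uptime
```

To actually push keys, run it as SSHPASS='...' DRY_RUN=0 sh script.sh after reviewing the dry-run output; a host whose recorded key has changed will make ssh-copy-id fail rather than silently install the key on whatever is now answering at that address.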
Install sshpass (non-interactive password entry)
Introduction to the ansible batch management service
The software is written in Python
Its functionality is built on the SSH remote connection service
It can do batch system configuration, batch software deployment, batch file copying, batch command execution and more
ansible reference material
Notes:
ansible reference links
http://docs.ansible.com/ansible/intro_installation.html
http://www.ansible.com.cn/
http://docs.ansible.com/modules_by_category.html
http://www.ansible.cn/docs/
2.1 Features of ansible
a No separate client needs to be installed (no agents); it relies on the system's own sshd service, which effectively acts as ansible's client.
b No server component is needed (no servers)
c It relies on a large number of modules to implement batch management.
d Configuration file /etc/ansible/ansible.cfg; no configuration is required
2.2 Installing and deploying ansible
Management end:
yum install -y ansible --- the ansible package also comes from the epel repository
Managed end:
yum install libselinux-python -y --- package the managed end needs (try without it and see whether a problem occurs)
2.3 Configuring ansible
vim /etc/ansible/hosts
[oldboy]
172.16.1.8
172.16.1.41
172.16.1.31
Note: this file defines the hosts ansible can manage (IP addresses or domain names)
Unusual requirement: you do not want to distribute the ssh public key but still want to batch-manage with ansible
[root@m01 ~]# cat /etc/ansible/hosts
[test]
172.16.1.7 ansible_ssh_user=root ansible_ssh_pass=123456
172.16.1.31 ansible_ssh_user=root ansible_ssh_pass=123456
172.16.1.41 ansible_ssh_user=root ansible_ssh_pass=123456
Note: the trailing user and password fields are optional; with key authentication configured, operations work without a password.
Without a key, ansible can also prompt for the password before the operation via the -k option.
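An added inventory example (not from the notes) that combines the two setups above with the non-default-port case from section 1.1; the addresses reuse the lab IPs, while port 52113 and the key path are assumptions. ansible_port, ansible_user, ansible_ssh_private_key_file and ansible_ssh_pass are standard inventory variables.

```ini
# Added example (not from the notes): /etc/ansible/hosts

[oldboy]
# key-based login on the default port: nothing extra is needed
172.16.1.31
172.16.1.41
# managed host whose sshd listens on a non-default port (port assumed)
172.16.1.8   ansible_port=52113

[oldboy:vars]
ansible_user=root
# key path assumed; matches the pair created in Milestone 1
ansible_ssh_private_key_file=/root/.ssh/id_dsa

[test]
# password login without distributing a key; the -k option or
# ansible-vault keeps the password out of this plain-text file
172.16.1.7   ansible_ssh_user=root ansible_ssh_pass=123456
```

After editing the file, ansible oldboy -m ping should answer "pong" for all three hosts, including the one on port 52113, without any -p flag on the command line.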
2.4 Remote management with the ansible command
ansible command syntax
ansible oldboy -m command -a "hostname" --- first batch-management operation with ansible
Command to test connectivity between the management end and the managed ends
[root@m01 scripts]# ansible oldboy -m ping
172.16.1.31 | SUCCESS => {
"changed": false,
"failed": false,
"ping": "pong"
}
172.16.1.8 | SUCCESS => {
"changed": false,
"failed": false,
"ping": "pong"
}
172.16.1.41 | SUCCESS => {
"changed": false,
"failed": false,
"ping": "pong"
}
Common errors
172.16.1.31 | UNREACHABLE! => {
"changed": false,
"msg": "Failed to connect to the host via ssh: Permission denied (publickey,password).\r\n",
"unreachable": true
}
172.16.1.41 | UNREACHABLE! => {
"changed": false,
"msg": "Failed to connect to the host via ssh: Permission denied (publickey,password).\r\n",
"unreachable": true
}
Solution
sshpass -p 123456 ssh-copy-id -i /root/.ssh/id_dsa.pub "172.16.1.8 -p52113 -o StrictHostKeyChecking=no"
ansible oldboy -m command -a "hostname"