##### STEP 1 :主機之間互相信任,密鑰對認證
### mussh 主機生成密鑰對(本文示範用 DSA;DSA 固定為 1024 位,較新的 OpenSSH 已預設停用此類型,實際部署建議改用 `-t ed25519` 或 `-t rsa -b 4096`):
[root@localhost ~]# ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/root/.ssh/id_dsa):
Enter passphrase (empty for no passphrase): ## 輸入私鑰密碼
Enter same passphrase again: ## 重複私鑰密碼
Your identification has been saved in /root/.ssh/pri_dsa.
Your public key has been saved in /root/.ssh/pri_dsa.pub.
The key fingerprint is:
c0:06:54:98:49:5b:9f:f3:de:79:1c:0f:3f:46:ef:51 [email protected]
The key's randomart image is:
+--[ DSA 1024]----+
| o+=o |
| += . . |
| . + + |
| . . o |
| S . o.E|
| . . o.=o|
| . o o++|
| ...o|
| .|
+-----------------+
[root@localhost ~]# cat /root/.ssh/id_dsa.pub
ssh-dss AAAAB3NzaC1kc3MAAACBAOJ20Be45e/E/6AqlBFG89qcNPmsKqlXsWTmerf+MvY4G2qcxluGtjzCLwrGAf0JKFwEC+5OfJBU5JlUhM6HJ3+57zOyK0ZNnhv0h1ICKqF1ndRqoP3eonHD0krKySc/CYMJM2nGF5NRqMhUc+0wOLT4RmX+NB0kXH1EfTAyfSAVAAAAFQDU151234sGUKK4GAPagd87jBqXkwAAAIEA4FmcUNIZ2em2doZqg9jKeTa9GlK1vr2n2jiBTPmyxjY5BHcRb8zje4fm92e/CPTOWWC0ljKjLwzSavcLRfHg0+KU3lb5vxqHImp94HprkUW4e4T3+79h+HKlJ/TKd5UyxnEJDxUG2FNMT9mwq+T+HlMTmaEHGWxSS6ModmCruKEAAA369870bGvp7XP2WWGgclNnHO3IXPXrEuBui6CjjC1S6CdTEE6Z/BX7FarsPr5yI4wnSAHHoojbg78XcxWPlopoyXjxumvIU0WeVyVqVs4V8mgbIuGeamGjXdbeY3XxzcSURnYzZ1+hZJv70+RsS8G083gPi6if7j8vitV/4tfHHx [email protected]
[root@localhost ~]#
### 目標主機修改 sshd 配置文件
[root@vm1 ~]# vi /etc/ssh/sshd_config
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
#### 標準教程做法,但我試過把這兩行註釋掉後依然可以正常登錄:這兩個值本來就是 sshd 的預設值,所以除非你想關閉密鑰認證,否則修改配置文件沒什麼意義。
[root@vm1 ~]# service sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
[root@vm1 ~]#
### 上傳公鑰到目標主機 vm1 - vm5 :多種方式執行,我是用scp的。注意 scp 會直接覆蓋目標主機上已有的 authorized_keys;若該文件已有內容,應改為追加(或使用 ssh-copy-id)。
[root@vm1 ~]# mkdir -p /root/.ssh/
# Tip: 若自行創建.ssh/目錄,需要確保.ssh/目錄(及其下文件)的安全上下文爲 ssh_home_t ,否則公鑰認證失敗。
[root@vm1 ~]# ll -dZ /root/.ssh/
drwxr-xr-x. root root system_u:object_r:ssh_home_t:s0 /root/.ssh/
[root@vm1 ~]#
# 使用restorecon 命令可以修正文件夾安全上下文:
Shell> restorecon -r -vv /root/.ssh
# 當然也可以禁用selinux,但不推薦
[root@localhost ~]# scp /root/.ssh/id_dsa.pub [email protected]:/root/.ssh/authorized_keys
[root@vm1 ~]# cat /root/.ssh/authorized_keys
ssh-dss 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 [email protected]
[root@vm1 ~]#
若ssh到普通用戶必須修改權限,否則認證失敗(sshd 預設 StrictModes yes,會拒絕權限過寬的 ~/.ssh 或 authorized_keys);當然,無論是用什麼用戶,都推薦修改。
[root@vm1 ~]# chmod 700 ~/.ssh
[root@vm1 ~]# chmod 600 ~/.ssh/authorized_keys
[root@vm1 ~]#
# Tip:普通用戶默認是不允許給ssh的, 需要將普通用戶加到sshd用戶組中。
# 這個是在網上看到的,我不知道其他系統是怎樣的;我用CentOS6.4時沒有什麼問題,普通用戶不用加到sshd用戶組也行,無論是ssh登錄到普通用戶,還是用普通用戶ssh登錄。不過當ssh出現問題時不妨試試。
### ssh測試:
[root@localhost ~]# ssh [email protected]
The authenticity of host '172.16.67.201 (172.16.67.201)' can't be established.
RSA key fingerprint is 5d:27:0f:5c:33:f3:44:f5:b5:f2:c2:a2:5f:a3:ee:35.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.67.201' (RSA) to the list of known hosts.
Enter passphrase for key '/root/.ssh/id_dsa':
Last login: Mon Sep 2 17:11:40 2013 from 172.16.67.38
[root@vm1 ~]# exit
logout
Connection to 172.16.67.201 closed.
### 啓用ssh-agent,減少私鑰密碼認證次數
[root@localhost ~]# eval `ssh-agent`
Agent pid 3939
[root@localhost ~]# ssh-add
Enter passphrase for /root/.ssh/id_dsa:
Identity added: /root/.ssh/id_dsa (/root/.ssh/id_dsa)
[root@localhost ~]# ssh [email protected]
Last login: Mon Sep 2 17:12:48 2013 from 172.16.64.11
[root@vm1 ~]# exit
logout
Connection to 172.16.67.201 closed.
[root@localhost ~]#
##### STEP 2 : mussh 安裝:
wget http://softlayer-dal.dl.sourceforge.net/project/mussh/mussh/1.0/mussh-1.0.tgz
解壓即可使用(此連結為明文 http,下載後建議先核對發佈方提供的校驗值,再以 root 身份在多台主機上執行)
tar zxvf mussh-1.0.tgz
##=========== mussh 執行命令 ==================
[root@localhost mussh]# cat ./hosts
[root@localhost mussh]#
#### -H <file> [file ..] : 指定包含目標主機的文件,可以有多個.
[root@localhost mussh]# ./mussh -H ./hosts -c 'hostname'
[email protected]: vm1.untx.com
[email protected]: vm2.untx.com
[email protected]: vm3.untx.com
[email protected]: vm4.untx.com
[email protected]: vm5.untx.com
[root@localhost mussh]#
##=========== mussh 執行本地腳本文件 ===============
# iptables.sh 配置iptables腳本
[root@localhost mussh]# ./mussh -H ./hosts -C /root/scripts/iptables.sh
[email protected]: iptables: Saving firewall rules to /etc/sysconfig/iptables: [ OK ]
[email protected]: iptables: Saving firewall rules to /etc/sysconfig/iptables: [ OK ]
[email protected]: iptables: Saving firewall rules to /etc/sysconfig/iptables: [ OK ]
[email protected]: iptables: Saving firewall rules to /etc/sysconfig/iptables: [ OK ]
[email protected]: iptables: Saving firewall rules to /etc/sysconfig/iptables: [ OK ]
[root@localhost mussh]#
[root@vm1 ~]#
##============= 若目標主機ssh使用其它端口,需要使用 -o 傳遞ssh配置參數 =========
[root@localhost mussh]# ./mussh -o "Port=58022" -h [email protected] -C '/root/scripts/iptables.sh'
[email protected]: iptables: Saving firewall rules to /etc/sysconfig/iptables: [ OK ]
[root@localhost mussh]#
##============= mussh 執行python, 可用 -s 指定shell路徑
[root@localhost mussh]# ./mussh -H ./hosts -s /usr/bin/python -C '/root/scripts/nod32/3.py'
[email protected]: Traceback (most recent call last): # 因爲目標機沒有安裝BeautifulSoup,報錯是正常的,證明python文件正確執行了
[email protected]: File "<stdin>", line 4, in <module>
[email protected]: ImportError: No module named BeautifulSoup
[email protected]: Traceback (most recent call last):
[email protected]: File "<stdin>", line 4, in <module>
[email protected]: ImportError: No module named BeautifulSoup
[email protected]: Traceback (most recent call last):
[email protected]: File "<stdin>", line 4, in <module>
[email protected]: ImportError: No module named BeautifulSoup
[email protected]: Traceback (most recent call last):
[email protected]: File "<stdin>", line 4, in <module>
[email protected]: ImportError: No module named BeautifulSoup
[email protected]: Traceback (most recent call last):
[email protected]: File "<stdin>", line 4, in <module>
[email protected]: ImportError: No module named BeautifulSoup
[root@localhost mussh]#