Linux-11: SSH key password-less distribution, management and backup
SSH is a protocol that provides security for remote login sessions and other network services. Using it for remote administration removes the information leakage of clear-text protocols such as telnet, because everything on the wire, credentials included, is encrypted.
By default the SSH daemon offers two services: a telnet-like remote shell, and sftp-server, which provides a secure FTP-like file transfer service.
SSH provides two levels of authentication:
1. Password-based authentication
The user authenticates with an account name and password and is logged in to the remote host; all traffic is encrypted. The transport is safe, but the credential is not: a password can be guessed by an online brute-force attack against sshd, which is why the usual practice is to move to keys and then switch PasswordAuthentication off.
2. Key-based authentication
The user generates a key pair and places the public key on every server to be reached (in ~/.ssh/authorized_keys). When the SSH client connects it offers the public key; the server looks for a matching entry in the user's authorized_keys and, if one exists, issues a challenge bound to this session. The client signs the challenge with the private key and the server verifies the signature with the stored public key. The private key never leaves the client, so a compromised or impersonated server learns nothing it can reuse, and access can be revoked on the server by deleting one line. (SSH-2, the only version in use today, works with signatures as described; the older description in which the server encrypts a challenge with the public key for the client to decrypt is SSH-1.)
Part one: distributing data
1. Check the environment
[[email protected] ~]# cat /etc/redhat-release
CentOS release 6.10 (Final)
[[email protected] ~]# uname -mi
x86_64 x86_64
[[email protected] ~]# uname -r
2.6.32-754.2.1.el6.x86_64
2. Add a user (three identical servers are used: the server S (2.2.2.5), B-Client (2.2.2.6) and C-Client (2.2.2.7); the same account is created on each, one block per host below. The password is set equal to the username here because it only has to survive until the key is installed; that is acceptable in a lab and nowhere else.)
[[email protected] ~]# useradd syner
[[email protected] ~]# echo "syner"|passwd --stdin syner
Changing password for user syner.
passwd: all authentication tokens updated successfully.
[[email protected] ~]# tail -1 /etc/passwd
syner:x:514:514::/home/syner:/bin/bash
[[email protected] ~]# useradd syner
[[email protected] ~]# echo "syner"|passwd --stdin syner
Changing password for user syner.
passwd: all authentication tokens updated successfully.
[[email protected] ~]# tail -1 /etc/passwd
syner:x:514:514::/home/syner:/bin/bash
[[email protected] ~]# useradd syner
[[email protected] ~]# echo "syner"|passwd --stdin syner
Changing password for user syner.
passwd: all authentication tokens updated successfully.
[[email protected] ~]# tail -1 /etc/passwd
syner:x:514:514::/home/syner:/bin/bash
3. Generate the key pair
[[email protected] ~]# su - syner
[[email protected] ~]$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/syner/.ssh/id_dsa):
Created directory '/home/syner/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/syner/.ssh/id_dsa.
Your public key has been saved in /home/syner/.ssh/id_dsa.pub.
The key fingerprint is:
ba:19:34:a6:2a:8c:fa:48:28:03:3f:b2:73:f1:44:e7 [email protected]
The key's randomart image is:
+--[ DSA 1024]----+
| |
| |
| |
| . . |
|. . o+ S |
|o.. .+Eo |
|B.o+. o |
|**.o. + |
|==o o |
+-----------------+
[[email protected] ~]$ tree .ssh
.ssh
├── id_dsa
└── id_dsa.pub
0 directories, 2 files
[[email protected] ~]$ ls -al
total 28
drwx------ 4 syner syner 4096 Sep 22 22:04 .
drwxr-xr-x. 17 root root 4096 Sep 22 19:58 ..
drwx------ 2 syner syner 4096 Sep 22 22:04 .ssh
[[email protected] ~]$ ls -al .ssh
total 16
drwx------ 2 syner syner 4096 Sep 22 22:04 .
drwx------ 4 syner syner 4096 Sep 22 22:04 ..
-rw------- 1 syner syner 668 Sep 22 22:04 id_dsa
-rw-r--r-- 1 syner syner 603 Sep 22 22:04 id_dsa.pub
Creating the key produces a hidden .ssh directory in the user's home directory holding the public and private key.
The .ssh directory is mode 700, the public key 644 and the private key 600. These modes are not cosmetic: sshd runs with StrictModes yes by default and ignores an authorized_keys file whose directory or file is writable by group or others, and ssh refuses to use a private key that other users can read. Two other points about this step: the page generates a 1024-bit DSA key because that is what the CentOS 6 toolchain offers, but OpenSSH 7.0 (2015) disabled ssh-dss on both client and server, so on anything current generate an Ed25519 key (ssh-keygen -t ed25519) or RSA with at least 3072 bits; and the empty passphrase is only appropriate for a key used by an unattended job, since anyone who copies the file can use it.
4. Distribute the public key
Copy the public key into the syner home directory on B and C:
[[email protected] .ssh]$ ssh-copy-id -i id_dsa.pub "-p 52113 syner@2.2.2.6"
The authenticity of host '[2.2.2.6]:52113 ([2.2.2.6]:52113)' can't be established.
RSA key fingerprint is 3b:0e:09:84:dc:78:05:90:5a:4e:a1:ba:fd:71:7f:89.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[2.2.2.6]:52113' (RSA) to the list of known hosts.
syner@2.2.2.6's password:
Now try logging into the machine, with "ssh '-p 52113 syner@2.2.2.6'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
Because the sshd port was changed earlier, the port has to be passed along. The ssh-copy-id shipped with CentOS 6 has no -p option of its own, which is why the whole "-p 52113 syner@2.2.2.6" string is quoted as the host argument so that it reaches ssh unchanged; newer versions accept -p 52113 directly. Two things in the exchange above deserve attention. The "authenticity of host ... can't be established" prompt is the one moment at which a man-in-the-middle can insert itself, so the fingerprint should be compared with the one on the target (ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub on its console) before answering yes. And the RSA host fingerprint shown for B is the same one S and C show later on this page, which means the three machines were cloned from one image and share a host key; a shared host key lets any of them impersonate the others, so after cloning the host keys should be deleted and regenerated (on CentOS 6, removing /etc/ssh/ssh_host_* and restarting sshd generates fresh ones).
Check that the public key was installed:
[[email protected] ~]$ su - syner
Password:
[[email protected] ~]$
[[email protected] ~]$
[[email protected] ~]$ ls -al
total 28
drwx------ 4 syner syner 4096 Sep 22 22:42 .
drwxr-xr-x. 17 root root 4096 Sep 22 19:58 ..
-rw-r--r-- 1 syner syner 18 Mar 23 2017 .bash_logout
-rw-r--r-- 1 syner syner 176 Mar 23 2017 .bash_profile
-rw-r--r-- 1 syner syner 124 Mar 23 2017 .bashrc
drwxr-xr-x 2 syner syner 4096 Nov 12 2010 .gnome2
drwx------ 2 syner syner 4096 Sep 22 22:42 .ssh
[[email protected] ~]$ cd .ssh/
[[email protected] .ssh]$ ls -al
total 12
drwx------ 2 syner syner 4096 Sep 22 22:42 .
drwx------ 4 syner syner 4096 Sep 22 22:42 ..
-rw------- 1 syner syner 603 Sep 22 22:42 authorized_keys
Install the public key on the other machine:
[[email protected] .ssh]$ ssh-copy-id -i id_dsa.pub "-p 52113 syner@2.2.2.7"
The authenticity of host '[2.2.2.7]:52113 ([2.2.2.7]:52113)' can't be established.
RSA key fingerprint is 3b:0e:09:84:dc:78:05:90:5a:4e:a1:ba:fd:71:7f:89.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[2.2.2.7]:52113' (RSA) to the list of known hosts.
syner@2.2.2.7's password:
Now try logging into the machine, with "ssh '-p 52113 syner@2.2.2.7'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
Check that it was installed:
[[email protected] ~]# su - syner
[[email protected] ~]$ ls -al
total 28
drwx------ 4 syner syner 4096 Sep 22 22:46 .
drwxr-xr-x. 17 root root 4096 Sep 22 19:58 ..
-rw-r--r-- 1 syner syner 18 Mar 23 2017 .bash_logout
-rw-r--r-- 1 syner syner 176 Mar 23 2017 .bash_profile
-rw-r--r-- 1 syner syner 124 Mar 23 2017 .bashrc
drwxr-xr-x 2 syner syner 4096 Nov 12 2010 .gnome2
drwx------ 2 syner syner 4096 Sep 22 22:46 .ssh
[[email protected] ~]$ ls -al .ssh/
total 12
drwx------ 2 syner syner 4096 Sep 22 22:46 .
drwx------ 4 syner syner 4096 Sep 22 22:46 ..
-rw------- 1 syner syner 603 Sep 22 22:46 authorized_keys
Look at the sshd configuration:
[[email protected] ~]# cat /etc/ssh/sshd_config | grep AuthorizedKeysFile
#AuthorizedKeysFile .ssh/authorized_keys
The line is commented out, which means sshd is using its compiled-in default, and the default is exactly .ssh/authorized_keys relative to the user's home; that is why the file ssh-copy-id wrote is honoured without any change on the server.
5. Test: log in remotely and run a command
[[email protected] ~]$ ssh -p 52113 syner@2.2.2.6 /sbin/ifconfig eth0
eth0 Link encap:Ethernet HWaddr 00:0C:29:79:36:89
inet addr:2.2.2.6 Bcast:2.2.2.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe79:3689/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:23456 errors:0 dropped:0 overruns:0 frame:0
TX packets:890 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1457992 (1.3 MiB) TX bytes:88259 (86.1 KiB)
[[email protected] ~]$ ssh -p 52113 syner@2.2.2.7 /sbin/ifconfig eth0
eth0 Link encap:Ethernet HWaddr 00:0C:29:BA:45:99
inet addr:2.2.2.7 Bcast:2.2.2.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:feba:4599/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:23234 errors:0 dropped:0 overruns:0 frame:0
TX packets:761 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1439707 (1.3 MiB) TX bytes:73715 (71.9 KiB)
Part two: backup
B and C are backed up to the server S.
1. Generate the key
[[email protected] ~]$ ls -al .ssh
total 20
drwx------ 2 syner syner 4096 Sep 22 22:42 .
drwx------ 4 syner syner 4096 Sep 22 22:50 ..
-rw------- 1 syner syner 668 Sep 22 22:04 id_dsa
-rw-r--r-- 1 syner syner 603 Sep 22 22:04 id_dsa.pub
-rw-r--r-- 1 syner syner 794 Sep 22 22:46 known_hosts
A key pair was generated earlier, so the page does not generate a new one.
This time the direction is reversed: B and C must be able to ssh to S without a password. The page achieves that by copying S's private key to B and C. That works, but it is the one thing a private key should never be subjected to. Once the same secret sits on three machines, a compromise of B or C is a compromise of the key everywhere, the key cannot be revoked for one host without rekeying all of them, and S's logs can no longer tell which machine used it. The correct way round is to run ssh-keygen on B and on C and ssh-copy-id each host's own public key to S, so that every private key stays on the machine that generated it and S's authorized_keys holds one revocable line per client.
2. Distribute the key
[[email protected] ~]$ scp -P52113 -p .ssh/id_dsa syner@2.2.2.6:~/.ssh/
id_dsa 100% 668 0.7KB/s 00:00
Check that it arrived:
[[email protected] ~]$ ls -al .ssh
total 16
drwx------ 2 syner syner 4096 Sep 23 09:57 .
drwx------ 4 syner syner 4096 Sep 22 23:46 ..
-rw------- 1 syner syner 603 Sep 22 22:42 authorized_keys
-rw------- 1 syner syner 668 Sep 22 22:04 id_dsa
Distribute to the other server:
[[email protected] ~]$ scp -P52113 -p .ssh/id_dsa syner@2.2.2.7:~/.ssh/
id_dsa 100% 668 0.7KB/s 00:00
Check that it arrived:
[[email protected] ~]$ ls -al .ssh
total 16
drwx------ 2 syner syner 4096 Sep 23 09:59 .
drwx------ 4 syner syner 4096 Sep 22 23:46 ..
-rw------- 1 syner syner 603 Sep 22 22:46 authorized_keys
-rw------- 1 syner syner 668 Sep 22 22:04 id_dsa
On S, the public key now has to be given the file name sshd looks for by default. The page does this with mv; appending the key with cat id_dsa.pub >> authorized_keys is the safer habit, because a rename silently overwrites any authorized_keys that already exists, and it keeps id_dsa.pub around for the next ssh-copy-id. The resulting 644 mode is acceptable to StrictModes (the file must not be group- or world-writable), though 600 is customary.
[[email protected] ~]$ cd .ssh/
[[email protected] .ssh]$ ll
total 12
-rw------- 1 syner syner 668 Sep 22 22:04 id_dsa
-rw-r--r-- 1 syner syner 603 Sep 22 22:04 id_dsa.pub
-rw-r--r-- 1 syner syner 794 Sep 22 22:46 known_hosts
[[email protected] .ssh]$ mv id_dsa.pub authorized_keys
[[email protected] .ssh]$ ll
total 12
-rw-r--r-- 1 syner syner 603 Sep 22 22:04 authorized_keys
-rw------- 1 syner syner 668 Sep 22 22:04 id_dsa
-rw-r--r-- 1 syner syner 794 Sep 22 22:46 known_hosts
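The permission rules given after the key was generated (700 on ~/.ssh, 600 on the private key) and the mv of id_dsa.pub over authorized_keys just above are the two places where a hand-rolled setup usually goes wrong: sshd silently ignores a key file whose directory is group- or world-writable, and renaming the public key over authorized_keys destroys any keys already there. The following added example (not code from the page) does the receiving-side work of ssh-copy-id by hand: it creates the directory and file with the right modes, appends a key only once, checks what StrictModes would check, and can prefix the key with authorized_keys options so that a key used only for pushing backups is pinned to the host it comes from and gets no shell or forwarding. The key strings and paths in it are constructed for illustration, and it assumes GNU stat; it only touches the directory you pass in.

```shell
#!/bin/sh
# Added example: receiving-side work of ssh-copy-id, done by hand.
# Assumes GNU stat (Linux). All key material used with it is fabricated.

# ensure_ssh_dir HOME: create HOME/.ssh and authorized_keys with the modes
# sshd's StrictModes expects (700 directory, 600 file).
ensure_ssh_dir() {
    mkdir -p "$1/.ssh" && chmod 700 "$1/.ssh" \
        && touch "$1/.ssh/authorized_keys" && chmod 600 "$1/.ssh/authorized_keys"
}

# add_pubkey HOME PUBKEY_LINE [OPTIONS]
# Append PUBKEY_LINE ("type base64 comment") to HOME/.ssh/authorized_keys
# unless the same key blob is already present. Returns 0 if added, 1 if it
# was already there, 2 if the directory could not be prepared. OPTIONS is an
# optional authorized_keys option list such as  from="2.2.2.6",no-pty  that
# is written in front of the key.
add_pubkey() {
    home="$1" line="$2" opts="${3:-}"
    f="$home/.ssh/authorized_keys"
    ensure_ssh_dir "$home" || return 2
    blob=$(printf '%s\n' "$line" | awk '{ print $2 }')   # the base64 part
    if grep -qF -- "$blob" "$f"; then
        return 1
    fi
    if [ -n "$opts" ]; then
        printf '%s %s\n' "$opts" "$line" >> "$f"
    else
        printf '%s\n' "$line" >> "$f"
    fi
}

# backup_client_opts SRC_IP: options for a key that may only be used from
# SRC_IP and gets no tty, no forwarding: enough to push files, not to log in.
backup_client_opts() {
    printf 'from="%s",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding' "$1"
}

# check_strictmodes HOME: succeed only if HOME, HOME/.ssh and authorized_keys
# have no group or other write bit, which is what sshd (StrictModes yes)
# requires before it trusts the file at all.
check_strictmodes() {
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        mode=$(stat -c %a "$p" 2>/dev/null) || return 1
        tail2=$(printf '%s' "$mode" | tail -c 2)      # group and other digits
        case "$tail2" in *[2367]*) return 1 ;; esac   # 2,3,6,7 carry the w bit
    done
    return 0
}
```

With a real key, the S side of the page's backup step becomes add_pubkey /home/syner "$(cat id_dsa.pub)" "$(backup_client_opts 2.2.2.6)", run once per client key, instead of the mv; running check_strictmodes afterwards tells you in advance whether sshd will accept the result.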
3. Test connectivity
[[email protected] ~]$ ssh -p 52113 syner@2.2.2.5 /sbin/ifconfig eth0
The authenticity of host '[2.2.2.5]:52113 ([2.2.2.5]:52113)' can't be established.
RSA key fingerprint is 3b:0e:09:84:dc:78:05:90:5a:4e:a1:ba:fd:71:7f:89.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[2.2.2.5]:52113' (RSA) to the list of known hosts.
eth0 Link encap:Ethernet HWaddr 00:0C:29:CA:07:AA
inet addr:2.2.2.5 Bcast:2.2.2.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:feca:7aa/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:30133 errors:0 dropped:0 overruns:0 frame:0
TX packets:2995 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1937162 (1.8 MiB) TX bytes:478213 (467.0 KiB)
[[email protected] ~]$ ssh -p 52113 syner@2.2.2.5 /sbin/ifconfig eth0
The authenticity of host '[2.2.2.5]:52113 ([2.2.2.5]:52113)' can't be established.
RSA key fingerprint is 3b:0e:09:84:dc:78:05:90:5a:4e:a1:ba:fd:71:7f:89.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[2.2.2.5]:52113' (RSA) to the list of known hosts.
eth0 Link encap:Ethernet HWaddr 00:0C:29:CA:07:AA
inet addr:2.2.2.5 Bcast:2.2.2.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:feca:7aa/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:30166 errors:0 dropped:0 overruns:0 frame:0
TX packets:3021 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1941659 (1.8 MiB) TX bytes:483082 (471.7 KiB)
4. Run the backup
[[email protected] ~]$ scp -P52113 -rp /etc syner@2.2.2.5:/tmp
rsync 100% 332 0.3KB/s 00:00
rc.local 100% 345 0.3KB/s 00:00
utmp.conf 100% 564 0.6KB/s 00:00
pthread.conf 100% 7686 7.5KB/s 00:00
latrace.conf 100% 74 0.1KB/s 00:00
syscall.conf 100% 6342 6.2KB/s 00:00
Two caveats about the copy above as a backup: it lands in /tmp on S, which every local user can read and which the periodic /tmp cleanup will eventually remove, and it runs as syner, so anything syner cannot read on B (such as /etc/shadow) is not in it.
Several approaches to backup:
1. rsync: run an rsync daemon on the backup server and make every node an rsync client. The method commonly used in production.
2. FTP: run an FTP daemon on the backup server, make every node an FTP client, and push the data to the backup server over FTP. Plain FTP sends both the password and the data in clear text, so this belongs only on an isolated backup network.
3. NFS: run an NFS server on the backup server, mount the export on every node, and push the data into the mount. Not recommended (unwieldy once there are many machines).
4. scp over SSH keys, or an expect script driving an interactive login. Not recommended; an expect script in particular has to embed the password in clear text.
Example one: key authentication set up directly as root (not recommended)
Server S distributes to the B and C clients.
Create the key pair on the server:
[[email protected] ~]# ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/root/.ssh/id_dsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_dsa.
Your public key has been saved in /root/.ssh/id_dsa.pub.
The key fingerprint is:
1a:07:e9:8b:ee:f8:72:da:22:51:33:f4:28:37:ab:c6 [email protected]
The key's randomart image is:
+--[ DSA 1024]----+
| |
| . . |
| . o o |
|. B .. . |
| + = o S |
|. . . = |
|.o . o |
|oEo+. |
|..oB= |
+-----------------+
[[email protected] ~]#
[[email protected] ~]# ls -al .ssh
total 16
drwx------ 2 root root 4096 Sep 23 11:58 .
dr-xr-x---. 5 root root 4096 Sep 23 11:58 ..
-rw------- 1 root root 668 Sep 23 11:58 id_dsa
-rw-r--r-- 1 root root 602 Sep 23 11:58 id_dsa.pub
Because root remote login was disabled earlier, the restriction is lifted first, on all three hosts. Note that PermitRootLogin yes re-enables root password login as well, which is the setting brute-force campaigns target; if root has to accept keys at all, the setting to use is PermitRootLogin without-password (spelled prohibit-password from OpenSSH 7.0 on), which admits root with a key and nothing else.
[[email protected] ~]# vi /etc/ssh/sshd_config
PermitRootLogin yes
[[email protected] ~]# /etc/init.d/sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
[[email protected] ~]# vi /etc/ssh/sshd_config
PermitRootLogin yes
[[email protected] ~]# /etc/init.d/sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
[[email protected] ~]# vi /etc/ssh/sshd_config
PermitRootLogin yes
[[email protected] ~]# /etc/init.d/sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
Then distribute the public key:
[[email protected] ~]# ssh-copy-id -i .ssh/id_dsa.pub "-p 52113 2.2.2.6"
root@2.2.2.6's password:
Now try logging into the machine, with "ssh '-p 52113 2.2.2.6'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
[[email protected] ~]# ssh-copy-id -i .ssh/id_dsa.pub "-p 52113 2.2.2.7"
The authenticity of host '[2.2.2.7]:52113 ([2.2.2.7]:52113)' can't be established.
RSA key fingerprint is 3b:0e:09:84:dc:78:05:90:5a:4e:a1:ba:fd:71:7f:89.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[2.2.2.7]:52113' (RSA) to the list of known hosts.
root@2.2.2.7's password:
Now try logging into the machine, with "ssh '-p 52113 2.2.2.7'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
Test connectivity:
[[email protected] ~]# ssh -p 52113 2.2.2.6 /sbin/ifconfig eth0
eth0 Link encap:Ethernet HWaddr 00:0C:29:79:36:89
inet addr:2.2.2.6 Bcast:2.2.2.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe79:3689/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:37907 errors:0 dropped:0 overruns:0 frame:0
TX packets:24863 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2687536 (2.5 MiB) TX bytes:25927411 (24.7 MiB)
[[email protected] ~]# ssh -p 52113 2.2.2.7 /sbin/ifconfig eth0
eth0 Link encap:Ethernet HWaddr 00:0C:29:BA:45:99
inet addr:2.2.2.7 Bcast:2.2.2.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:feba:4599/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:29755 errors:0 dropped:0 overruns:0 frame:0
TX packets:1449 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1880516 (1.7 MiB) TX bytes:151824 (148.2 KiB)
Now a small management script is written and run to inspect the B and C clients:
[[email protected] ~]# vi manage.sh
#!/bin/sh
# Run the command given as $1 on every host listed in ./iplist, in turn.
for ip in `cat iplist`
do
    echo "======$ip======"
    # -n keeps ssh away from stdin; quoting "$1" keeps the command in one argument
    ssh -n -p 52113 $ip "$1"
done
Create the list of IP addresses:
[[email protected] ~]# echo "2.2.2.6">>iplist
[[email protected] ~]# echo "2.2.2.7">>iplist
[[email protected] ~]# more iplist
2.2.2.6
2.2.2.7
Run a management command:
[[email protected] ~]# sh manage.sh "df -h"
======2.2.2.6======
Filesystem Size Used Avail Use% Mounted on
/dev/sda3 7.1G 2.2G 4.6G 32% /
tmpfs 937M 0 937M 0% /dev/shm
/dev/sda1 190M 65M 115M 37% /boot
======2.2.2.7======
Filesystem Size Used Avail Use% Mounted on
/dev/sda3 7.1G 2.2G 4.6G 32% /
tmpfs 937M 0 937M 0% /dev/shm
/dev/sda1 190M 65M 115M 37% /boot
[[email protected] ~]# sh manage.sh "free -m"
======2.2.2.6======
total used free shared buffers cached
Mem: 2001 336 1665 0 44 166
-/+ buffers/cache: 125 1876
Swap: 511 0 511
======2.2.2.7======
total used free shared buffers cached
Mem: 2001 320 1681 0 43 151
-/+ buffers/cache: 124 1876
Swap: 511 0 511
[[email protected] ~]# sh manage.sh "uptime"
======2.2.2.6======
12:27:26 up 10:06, 1 user, load average: 0.00, 0.00, 0.00
======2.2.2.7======
12:27:26 up 10:05, 1 user, load average: 0.00, 0.00, 0.00
Write a distribution script:
[[email protected] ~]# cp manage.sh fenfa.sh
[[email protected] ~]# vi fenfa.sh
#!/bin/sh
# Copy the local file or directory $1 to path $2 on every host in ./iplist.
for ip in `cat iplist`
do
    echo "======$ip======"
    scp -rp -P52113 "$1" $ip:"$2"
done
Run the distribution command:
[[email protected] ~]# sh fenfa.sh /etc /tmp
======2.2.2.6======
sudo.conf 100% 1786 1.7KB/s 00:00
rsync 100% 332 0.3KB/s 00:00
rc.local 100% 314 0.3KB/s 00:00
======2.2.2.7======
sudo.conf 100% 1786 1.7KB/s 00:00
rsync 100% 332 0.3KB/s 00:00
rc.local 100% 314 0.3KB/s 00:00
Finally, the earlier configuration is removed again on all three hosts. The page restarts sshd when it turns PermitRootLogin on but not when it turns it off; the running daemon keeps the setting it was started with, so root login remains permitted after these edits until sshd is reloaded or restarted on each host.
[[email protected] ~]# rm -rf .ssh/
[[email protected] ~]# vi /etc/ssh/sshd_config
PermitRootLogin no
[[email protected] ~]# rm -rf .ssh/
[[email protected] ~]# vi /etc/ssh/sshd_config
PermitRootLogin no
[[email protected] ~]# rm -rf .ssh/
[[email protected] ~]# vi /etc/ssh/sshd_config
PermitRootLogin no
Example two: keys belonging to an ordinary user, with sudo for the privileged steps (the recommended method)
Again S distributes to the clients B and C. The ssher account is created on all three hosts first:
[[email protected] ~]# useradd ssher
[[email protected] ~]# echo "ssher"|passwd --stdin ssher
Changing password for user ssher.
passwd: all authentication tokens updated successfully.
[[email protected] ~]# useradd ssher
[[email protected] ~]# echo "ssher"|passwd --stdin ssher
Changing password for user ssher.
passwd: all authentication tokens updated successfully.
[[email protected] ~]# useradd ssher
[[email protected] ~]# echo "ssher"|passwd --stdin ssher
Changing password for user ssher.
passwd: all authentication tokens updated successfully.
[[email protected] ~]$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/ssher/.ssh/id_dsa):
Created directory '/home/ssher/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/ssher/.ssh/id_dsa.
Your public key has been saved in /home/ssher/.ssh/id_dsa.pub.
The key fingerprint is:
6a:7d:b9:64:48:ea:68:39:a9:ee:57:33:e4:a8:f0:4e [email protected]
The key's randomart image is:
+--[ DSA 1024]----+
| |
| |
| |
| . |
| + S |
|. . == . . |
| oE. ++oo = |
| .o *+ + . |
| +=+... . |
+-----------------+
[[email protected] ~]$
[[email protected] ~]$ ls -al .ssh
total 16
drwx------ 2 ssher ssher 4096 Sep 23 12:55 .
drwx------ 4 ssher ssher 4096 Sep 23 12:55 ..
-rw------- 1 ssher ssher 668 Sep 23 12:55 id_dsa
-rw-r--r-- 1 ssher ssher 603 Sep 23 12:55 id_dsa.pub
[[email protected] ~]$ ssh-copy-id -i .ssh/id_dsa.pub "-p 52113 ssher@2.2.2.6"
The authenticity of host '[2.2.2.6]:52113 ([2.2.2.6]:52113)' can't be established.
RSA key fingerprint is 3b:0e:09:84:dc:78:05:90:5a:4e:a1:ba:fd:71:7f:89.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[2.2.2.6]:52113' (RSA) to the list of known hosts.
ssher@2.2.2.6's password:
Now try logging into the machine, with "ssh '-p 52113 ssher@2.2.2.6'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
[[email protected] ~]$ ssh-copy-id -i .ssh/id_dsa.pub "-p 52113 ssher@2.2.2.7"
The authenticity of host '[2.2.2.7]:52113 ([2.2.2.7]:52113)' can't be established.
RSA key fingerprint is 3b:0e:09:84:dc:78:05:90:5a:4e:a1:ba:fd:71:7f:89.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[2.2.2.7]:52113' (RSA) to the list of known hosts.
ssher@2.2.2.7's password:
Now try logging into the machine, with "ssh '-p 52113 ssher@2.2.2.7'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
[[email protected] ~]$ ll .ssh
total 4
-rw------- 1 ssher ssher 603 Sep 23 12:58 authorized_keys
[[email protected] ~]$ ll .ssh
total 4
-rw------- 1 ssher ssher 603 Sep 23 12:59 authorized_keys
[[email protected] ~]$ ssh ssher@2.2.2.6 /sbin/ifconfig eth0
ssh: connect to host 2.2.2.6 port 22: Connection refused
[[email protected] ~]$ ssh -p 52113 ssher@2.2.2.6 /sbin/ifconfig eth0
eth0 Link encap:Ethernet HWaddr 00:0C:29:79:36:89
inet addr:2.2.2.6 Bcast:2.2.2.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe79:3689/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:51775 errors:0 dropped:0 overruns:0 frame:0
TX packets:29482 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:14179418 (13.5 MiB) TX bytes:26427845 (25.2 MiB)
[[email protected] ~]$ ssh -p 52113 ssher@2.2.2.7 /sbin/ifconfig eth0
eth0 Link encap:Ethernet HWaddr 00:0C:29:BA:45:99
inet addr:2.2.2.7 Bcast:2.2.2.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:feba:4599/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:44991 errors:0 dropped:0 overruns:0 frame:0
TX packets:6580 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:15031942 (14.3 MiB) TX bytes:707150 (690.5 KiB)
Distribution:
[[email protected] ~]$ mkdir ssher
[[email protected] ~]$ touch ssher/tt.txt
[[email protected] ~]$ tree
.
└── ssher
└── tt.txt
1 directory, 1 file
[[email protected] ~]$ scp -P52113 -rp ssher ssher@2.2.2.6:~
tt.txt 100% 0 0.0KB/s 00:00
That completes distribution as an ordinary user. When the work on the client needs more than that user's rights, the user is given a sudo rule on the client (again on all three hosts). Two cautions about the rule that follows. It is appended to /etc/sudoers with echo; the visudo -c afterwards catches a syntax error, but an unparsable sudoers locks every sudo user out until it is repaired, so edit with visudo (or put the rule in its own file under /etc/sudoers.d with visudo -f). And the grant is wider than it looks: NOPASSWD carries over to every later command in the same list, and rsync, tar and scp each write arbitrary files when run as root, which is exactly what the next step relies on. In effect ssher has password-less root on B and C. The least-privilege form spells out the arguments in the rule (sudo matches listed arguments literally), so that only the one rsync invocation the push needs is allowed.
[[email protected] ~]# echo "ssher ALL=(ALL) NOPASSWD:/usr/bin/rsync,/bin/tar,/usr/bin/scp" >>/etc/sudoers
[[email protected] ~]# visudo -c
/etc/sudoers: parsed OK
[[email protected] ~]# su - ssher
[[email protected] ~]$ sudo -l
Matching Defaults entries for ssher on this host:
!visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE
INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS
LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME
LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin, logfile=/var/log/sudo.log
User ssher may run the following commands on this host:
(ALL) NOPASSWD: /usr/bin/rsync, (ALL) /bin/tar, (ALL) /usr/bin/scp
[[email protected] ~]# echo "ssher ALL=(ALL) NOPASSWD:/usr/bin/rsync,/bin/tar,/usr/bin/scp" >>/etc/sudoers
[[email protected] ~]# visudo -c
/etc/sudoers: parsed OK
[[email protected] ~]# su - ssher
[[email protected] ~]$ sudo -l
Matching Defaults entries for ssher on this host:
!visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE
INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS
LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME
LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin, logfile=/var/log/sudo.log
User ssher may run the following commands on this host:
(ALL) NOPASSWD: /usr/bin/rsync, (ALL) /bin/tar, (ALL) /usr/bin/scp
[[email protected] ~]# echo "ssher ALL=(ALL) NOPASSWD:/usr/bin/rsync,/bin/tar,/usr/bin/scp" >>/etc/sudoers
[[email protected] ~]# visudo -c
/etc/sudoers: parsed OK
[[email protected] ~]# su - ssher
[[email protected] ~]$ sudo -l
Matching Defaults entries for ssher on this host:
!visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE
INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS
LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME
LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin, logfile=/var/log/sudo.log
User ssher may run the following commands on this host:
(ALL) NOPASSWD: /usr/bin/rsync, (ALL) /bin/tar, (ALL) /usr/bin/scp
Distribution now takes two steps: first push the file or directory into the user's home directory on the target, then use the sudo rule to move it from there into its final location. The -t makes ssh allocate a pseudo-terminal for the remote command, which sudo insists on whenever Defaults requiretty is in effect (the stock RHEL 6 sudoers sets it; the sudo -l listings above do not show it on these hosts, so here -t is simply a safe habit).
[[email protected] ~]$ scp -P52113 -rp ssher/ ssher@2.2.2.6:~
tt.txt 100% 0 0.0KB/s 00:00
[[email protected] ~]$ ssh -t -p 52113 ssher@2.2.2.6 sudo rsync -avzP ssher /etc
sending incremental file list
ssher/
ssher/tt.txt
0 100% 0.00kB/s 0:00:00 (xfer#1, to-check=0/2)
sent 109 bytes received 35 bytes 288.00 bytes/sec
total size is 0 speedup is 0.00
Connection to 2.2.2.6 closed.
[[email protected] etc]$ ll ssher
total 0
-rw-rw-r-- 1 ssher ssher 0 Sep 23 13:04 tt.txt
Run the distribution through a script:
[[email protected] ~]$ vi putongfenfa.sh
#!/bin/sh
# Two-step push: copy $1 into ssher's home on each host, then let the sudo
# rule move it into /etc. The same string $1 is handed to the remote rsync,
# so it must resolve to the same place on both sides (the page passes
# /home/ssher/hosts, which exists on the target once scp has run).
for ip in `cat iplist`
do
    scp -P52113 -rp "$1" ssher@$ip:~
    ssh -t -p 52113 ssher@$ip sudo rsync -avzP "$1" /etc
done
[[email protected] ~]$ echo "2.2.2.6" >> iplist
[[email protected] ~]$ echo "2.2.2.7" >> iplist
[[email protected] ~]$ cat iplist
2.2.2.6
2.2.2.7
[[email protected] ~]$ cp /etc/hosts ./
[[email protected] ~]$ ll
total 16
-rw-r--r-- 1 ssher ssher 166 Sep 23 13:37 hosts
-rw-rw-r-- 1 ssher ssher 16 Sep 23 13:35 iplist
-rw-rw-r-- 1 ssher ssher 119 Sep 23 13:35 putongfenfa.sh
drwxrwxr-x 2 ssher ssher 4096 Sep 23 13:04 ssher
[[email protected] ~]$ vi hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 C64-5-S
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
######################################
[[email protected] ~]$ sh putongfenfa.sh /home/ssher/hosts
hosts 100% 205 0.2KB/s 00:00
sending incremental file list
hosts
205 100% 0.00kB/s 0:00:00 (xfer#1, to-check=0/1)
sent 151 bytes received 31 bytes 364.00 bytes/sec
total size is 205 speedup is 1.13
Connection to 2.2.2.6 closed.
hosts 100% 205 0.2KB/s 00:00
sending incremental file list
hosts
205 100% 0.00kB/s 0:00:00 (xfer#1, to-check=0/1)
sent 151 bytes received 31 bytes 364.00 bytes/sec
total size is 205 speedup is 1.13
Connection to 2.2.2.7 closed.
Check that the push succeeded:
[[email protected] ~]$ more /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 C64-5-S
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
######################################
[[email protected] ~]$ more /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 C64-5-S
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
######################################
Example three: keys belonging to an ordinary user, with setuid on the command for privilege (not recommended)
Set the setuid bit on rsync (on all three hosts). Unlike the sudo rule in example two, a setuid-root rsync is root for every local account on the host, with no log entry and no way to confine the arguments; treat it as a backdoor rather than a configuration. Note also what -a does once rsync runs as root: it preserves the sender's ownership, which is why /etc/hosts on B is owned by ssher rather than root at the end of this section, a system file that a non-root account can now edit directly.
[[email protected] ~]# ll /usr/bin/rsync
-rwxr-xr-x. 1 root root 414968 Apr 30 2014 /usr/bin/rsync
[[email protected] ~]# chmod 4755 /usr/bin/rsync
[[email protected] ~]# ll /usr/bin/rsync
-rwsr-xr-x. 1 root root 414968 Apr 30 2014 /usr/bin/rsync
[[email protected] ~]# ll /usr/bin/rsync
-rwxr-xr-x. 1 root root 414968 Apr 30 2014 /usr/bin/rsync
[[email protected] ~]# chmod 4755 /usr/bin/rsync
[[email protected] ~]# ll /usr/bin/rsync
-rwsr-xr-x. 1 root root 414968 Apr 30 2014 /usr/bin/rsync
[[email protected] ~]# ll /usr/bin/rsync
-rwxr-xr-x. 1 root root 414968 Apr 30 2014 /usr/bin/rsync
[[email protected] ~]# chmod 4755 /usr/bin/rsync
[[email protected] ~]# ll /usr/bin/rsync
-rwsr-xr-x. 1 root root 414968 Apr 30 2014 /usr/bin/rsync
[[email protected] ~]$ rsync -avzP ./hosts -e 'ssh -p 52113' ssher@2.2.2.6:/etc
sending incremental file list
sent 45 bytes received 12 bytes 114.00 bytes/sec
total size is 205 speedup is 3.60
[[email protected] ~]# ll /etc/hosts
-rw-r--r-- 1 ssher ssher 205 Sep 23 13:37 /etc/hosts
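A host that has been "fixed" with chmod 4755 on rsync is detectable, and the check below is the one to run across the fleet with manage.sh. It is an added example, not code from the page: it lists every setuid or setgid file under a tree and reports those that are not on a baseline list, returning the count so a non-zero exit can raise an alert. The baseline format (one absolute path per line, '#' comments allowed) and the temporary tree used to exercise it are assumptions; it expects GNU find and grep, and needs root to see all of a real filesystem.

```shell
#!/bin/sh
# Added example: detect setuid/setgid binaries that are not on a baseline.
# Assumes GNU find and grep. Run as root for a full view of the filesystem.

# list_setuid ROOT: print every regular file under ROOT (same filesystem
# only) with the setuid or setgid bit set, one path per line, sorted.
list_setuid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# audit_setuid ROOT BASELINE: print the setuid/setgid files under ROOT that
# do not appear in BASELINE and return how many there are (0 = host matches
# its baseline). BASELINE holds one absolute path per line; blank lines and
# '#' comments are ignored.
audit_setuid() {
    root="$1" baseline="$2"
    tmp=$(mktemp)
    grep -v '^[[:space:]]*#' "$baseline" | grep -v '^[[:space:]]*$' > "$tmp" || true
    # -x whole line, -F literal, -v invert: keep only paths not listed verbatim
    found=$(list_setuid "$root" | grep -vxF -f "$tmp" || true)
    rm -f "$tmp"
    [ -n "$found" ] && printf '%s\n' "$found"
    n=$(printf '%s' "$found" | grep -c '' || true)
    return "$n"
}

# Usage: audit_setuid / /etc/setuid.baseline
# Build the baseline once on a clean host with: list_setuid / > /etc/setuid.baseline
```

The baseline is per image rather than per host: generate it on a freshly installed machine, distribute it with fenfa.sh, and any host whose audit returns non-zero has acquired a privilege path that was not in the build.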