ssh+key

Published: 2025/6/16

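Chapter 1 Additional ssh notes

1.1 ssh commands and how to use them

    ssh -p52113 wuhuang@10.0.0.41 [command]

- This is the basic syntax of the ssh command for connecting to a remote host.
- -p (lowercase) takes the port; when the default port 22 is used, -p22 can be omitted.
- The part before "@" is the user name; when connecting as the current user it can be left out.
- The part after "@" is the IP address of the server to connect to.

More options:

- -A enables agent forwarding, so the local private key can be used for authentication from the remote host after logging in.

See man ssh for more help.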

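1.2 scp

    scp -P22 -rp /tmp/wuhuang wuhuang@10.0.0.143:/tmp

Note: scp can either push (local to remote) or pull (remote to local).

- -P (uppercase, note the difference from the ssh command) takes the port; when the default port 22 is used, -P22 can be omitted.
- -r copies recursively, i.e. copies directories.
- -p preserves file and directory attributes across the copy.
- -l (limit) limits the transfer speed.
- /tmp/wuhuang is the local directory.
- The part before "@" is the user name; the part after "@" is the IP address of the server to connect to.
- :/tmp after the IP is the destination directory on the remote side.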

1.3 sftp

    sftp -oPort=52113 wuhuang@10.0.0.142    --- establishes the control connection, as in the ftp protocol

- -oPort=52113    --- port of the ssh service to connect to
- sftp>           --- prompt of the sftp command line
- bye             --- quit sftp and leave the command line
- ls              --- list files and directories on the sftp server
- lls             --- list files and directories on the sftp client (local)
- pwd             --- show the current path on the sftp server after logging in
- lpwd            --- show the current path on the client after logging in
- get             --- download data from the server
- put             --- upload data from the client
- mget            --- download in batches
- mput            --- upload in batches

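Chapter 2 ssh+key

2.1 Deploying an environment based on ssh key authentication

2.1.1 Step 1: create the key pair

    ssh-keygen -t rsa

2.1.2 Step 2: distribute the public key

    ssh-copy-id -i /root/.ssh/id_rsa.pub 172.16.1.41

2.2 Problems encountered when deploying the ssh+key environment in bulk

2.2.1 Creating the key pair is interactive and needs Enter to be pressed

1) The path for saving the private key has to be confirmed

Solution: ssh-keygen -t rsa -f /root/.ssh/id_rsa

    -f filename         # Specifies the filename of the key file; this sets where the private key is saved.

2) The private key passphrase has to be confirmed

Solution: ssh-keygen -t rsa -f /root/.ssh/id_rsa -P ""

    -N new_passphrase   # Provides the new passphrase.
    -P passphrase       # Provides the (old) passphrase.

With -P "" the private key is stored without a passphrase, which is what lets the script run unattended.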

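2.2.2 Distributing the public key requires typing yes and the password

Solution:

    sshpass -p123456 ssh-copy-id -i /root/.ssh/id_rsa.pub "172.16.1.41 -o StrictHostKeyChecking=no"

    sshpass -p123456    # supplies the password 123456 so that no prompt appears

-o StrictHostKeyChecking=no accepts an unknown host key without verification, which removes the yes prompt.

If the port is not the default 22, for example 52114:

    sshpass -p123456 ssh-copy-id -i /root/.ssh/id_rsa.pub "172.16.1.7 -p52114"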

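    [root@m01 ~]# cat /usr/bin/ssh-copy-id
    ……
    ssh $1 "exec sh -c 'cd; umask 077; test -d .ssh || mkdir .ssh ; cat >> .ssh/authorized_keys && (test -x /sbin/restorecon && /sbin/restorecon .ssh .ssh/authorized_keys >/dev/null 2>&1 || true)'" || exit 1
    ……

Explanation:

1. exec sh -c                    --- runs the quoted commands in a fresh sh on the remote host, a temporary environment for the script
2. cd                            --- changes to the current user's home directory
3. umask 077                     --- sets a temporary umask so that the public key file created on the remote side has mode 600
4. test -d .ssh || mkdir .ssh    --- checks whether .ssh exists in the current user's home directory and creates it if it does not
5. cat >> .ssh/authorized_keys && ...omitted...    --- the public key of the local key pair is sent to the remote host, which saves what it receives to .ssh/authorized_keys

Overall: log in to the remote host, save the public key to .ssh/authorized_keys in the corresponding user's home directory, and give authorized_keys mode 600.

Because $1 is not quoted in this script, a string such as "172.16.1.7 -p52114" is split into the host and an ssh option, which is why options can be passed inside the quotes.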
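The remote-side steps explained above can be reproduced against a scratch directory to see the resulting modes. This is an added example, not part of the original post or of ssh-copy-id; the function names and the sample key line are constructed, and it additionally skips a key that is already installed.

```shell
#!/bin/sh
# Added example: the remote-side steps of the ssh-copy-id one-liner, run
# against a scratch "home" directory so the result can be inspected offline.
# install_pubkey, perm_of and check_ssh_perms are illustrative names.

install_pubkey() (              # usage: install_pubkey HOME_DIR "KEY LINE"
    home=$1
    key=$2
    cd "$home" || exit 1
    umask 077                   # new directories get 700, new files 600
    test -d .ssh || mkdir .ssh
    # Unlike the one-liner, skip a key that is already present so repeated
    # runs do not pile up duplicate lines.
    if [ -f .ssh/authorized_keys ] &&
       grep -qxF -- "$key" .ssh/authorized_keys; then
        exit 0
    fi
    printf '%s\n' "$key" >> .ssh/authorized_keys
)

perm_of() {                     # octal mode: GNU stat first, then BSD stat
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# sshd (StrictModes, on by default) refuses authorized_keys when the file or
# ~/.ssh is writable by group or others. Report such paths, return 1 if any.
check_ssh_perms() (             # usage: check_ssh_perms HOME_DIR
    rc=0
    for p in "$1/.ssh" "$1/.ssh/authorized_keys"; do
        [ -e "$p" ] || continue
        mode=$(perm_of "$p")
        case $mode in
            *[2367]?|*[2367]) echo "unsafe mode $mode on $p"; rc=1 ;;
        esac
    done
    exit "$rc"
)

# Demo with a constructed (not real) public key line.
demo_home=$(mktemp -d)
install_pubkey "$demo_home" 'ssh-rsa AAAAB3NzaC1yc2E-constructed root@m01'
check_ssh_perms "$demo_home" &&
    echo "ok: .ssh=$(perm_of "$demo_home/.ssh") authorized_keys=$(perm_of "$demo_home/.ssh/authorized_keys")"
rm -rf "$demo_home"
```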

shift: each shift drops the first argument on the command line (on the second pass the first argument is gone, on the third pass the first two are gone, and so on).

Script content

    [root@m01 scripts]# cat shift.sh
    #!/bin/bash
    until [ $# -eq 0 ]
    do
       echo $*
       shift
    done

Result

    [root@m01 scripts]# sh shift.sh 1 2 3 4 5 6
    1 2 3 4 5 6
    2 3 4 5 6
    3 4 5 6
    4 5 6
    5 6
    6

2.3 Writing a non-interactive script for bulk public key distribution

2.3.1 Writing the script

Script content

    [root@m01 scripts]# cat fenfa.sh
    #!/bin/bash

    # create key pair
    \rm /root/.ssh/id_rsa* -f    # remove any existing key pair in .ssh so that key creation does not ask whether to overwrite
    ssh-keygen -t rsa -f /root/.ssh/id_rsa -P "" &>/dev/null    # create the key pair without interaction

    # fenfa: distribute the public key without interaction
    for ip in 7 8 31 41
    do
      echo =====================172.16.1.$ip fenfa info==========================
      sshpass -p123456 ssh-copy-id -i /root/.ssh/id_rsa.pub "172.16.1.$ip -o StrictHostKeyChecking=no"
      echo =====================172.16.1.$ip fenfa end===========================
      echo ""
    done

2.3.2 Test

    [root@m01 scripts]# sh fenfa.sh
    =====================172.16.1.7 fenfa info==========================
    Now try logging into the machine, with "ssh '172.16.1.7 -o StrictHostKeyChecking=no'", and check in:

      .ssh/authorized_keys

    to make sure we haven't added extra keys that you weren't expecting.

    =====================172.16.1.7 fenfa end===========================

    =====================172.16.1.8 fenfa info==========================
    Warning: Permanently added '172.16.1.8' (RSA) to the list of known hosts.
    Now try logging into the machine, with "ssh '172.16.1.8 -o StrictHostKeyChecking=no'", and check in:

      .ssh/authorized_keys

    to make sure we haven't added extra keys that you weren't expecting.

    =====================172.16.1.8 fenfa end===========================

    =====================172.16.1.31 fenfa info==========================
    Now try logging into the machine, with "ssh '172.16.1.31 -o StrictHostKeyChecking=no'", and check in:

      .ssh/authorized_keys

    to make sure we haven't added extra keys that you weren't expecting.

    =====================172.16.1.31 fenfa end===========================

    =====================172.16.1.41 fenfa info==========================
    Now try logging into the machine, with "ssh '172.16.1.41 -o StrictHostKeyChecking=no'", and check in:

      .ssh/authorized_keys

    to make sure we haven't added extra keys that you weren't expecting.

    =====================172.16.1.41 fenfa end===========================
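The script above accepts whatever host key each address presents. The added example below (not from the original post) shows one way to keep distribution unattended while still verifying host keys, by filling known_hosts only from keys that match an inventory recorded out of band; pin_host_keys, the inventory format and all key strings are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: pin host keys from an out-of-band inventory, so that key
# distribution can run with StrictHostKeyChecking=yes and still not prompt.
# pin_host_keys and all key strings below are constructed for illustration.
#
# usage: ssh-keyscan -t rsa HOST... | pin_host_keys INVENTORY KNOWN_HOSTS
#   INVENTORY  lines "host keytype base64key" recorded when the hosts were
#              built (console, provisioning system), not over the network
#   stdin      lines in the same format, as printed by ssh-keyscan
# Lines matching the inventory are appended to KNOWN_HOSTS; anything else is
# reported on stderr and makes the function return 1.
pin_host_keys() (
    inventory=$1
    known_hosts=$2
    rc=0
    while read -r host type key rest; do
        case $host in ''|'#'*) continue ;; esac
        entry="$host $type $key"
        if grep -qxF -- "$entry" "$inventory"; then
            grep -qxF -- "$entry" "$known_hosts" 2>/dev/null ||
                printf '%s\n' "$entry" >> "$known_hosts"
        else
            echo "REJECT $host: $type key is not in the inventory" >&2
            rc=1
        fi
    done
    exit "$rc"
)

# Demo on constructed data: 172.16.1.8 answers with an unexpected key.
work=$(mktemp -d)
cat > "$work/inventory" <<'EOF'
172.16.1.7 ssh-rsa AAAAconstructedWeb01
172.16.1.8 ssh-rsa AAAAconstructedWeb02
EOF
pin_host_keys "$work/inventory" "$work/known_hosts" <<'EOF' || echo "scan had unverified keys"
172.16.1.7 ssh-rsa AAAAconstructedWeb01
172.16.1.8 ssh-rsa AAAAunexpectedKey
EOF
cat "$work/known_hosts"
rm -rf "$work"
```

With known_hosts filled this way, the distribution loop no longer needs -o StrictHostKeyChecking=no, and sshpass -e (password read from the SSHPASS environment variable) keeps the password out of the process list.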


2.4 Writing a bulk management script

2.4.1 Writing the script

    [root@m01 scripts]# cat batch.sh
    #!/bin/bash

    #batch

    for ip in 7 8 31 41
    do
      echo =====================172.16.1.$ip host info==========================
      ssh 172.16.1.$ip $1    # $1 is the first argument only; quote a multi-word command so it arrives as one argument
      echo ""
    done

Note: if the script is run without an argument, it first connects to 172.16.1.7, then to 31, and then from 31 on to 41.

2.4.2 Test

    [root@m01 scripts]# sh batch.sh hostname    # show the hostname of every host
    =====================172.16.1.7 host info==========================
    web01

    =====================172.16.1.8 host info==========================
    web02

    =====================172.16.1.31 host info==========================
    nfs01

    =====================172.16.1.41 host info==========================
    backup

    [root@m01 scripts]# sh batch.sh free -m    # show the memory information of every host
    =====================172.16.1.7 host info==========================
                 total       used       free     shared    buffers     cached
    Mem:        485984     252840     233144        228      26956     121208
    -/+ buffers/cache:     104676     381308
    Swap:       204796          0     204796

    =====================172.16.1.8 host info==========================
                 total       used       free     shared    buffers     cached
    Mem:        485984     258228     227756        236      27088     124804
    -/+ buffers/cache:     106336     379648
    Swap:       204796          0     204796

    =====================172.16.1.31 host info==========================
                 total       used       free     shared    buffers     cached
    Mem:        485984     248468     237516        228      25568     117744
    -/+ buffers/cache:     105156     380828
    Swap:       204796          0     204796

    =====================172.16.1.41 host info==========================
                 total       used       free     shared    buffers     cached
    Mem:        485984     239944     246040        228      25412     114812
    -/+ buffers/cache:      99720     386264
    Swap:       204796          0     204796

    [root@m01 scripts]# sh batch.sh uptime    # show the load of every host
    =====================172.16.1.7 host info==========================
     11:18:17 up  1:25,  1 user,  load average: 0.00, 0.00, 0.00

    =====================172.16.1.8 host info==========================
     11:18:18 up  1:24,  1 user,  load average: 0.00, 0.00, 0.00

    =====================172.16.1.31 host info==========================
     11:18:18 up  1:31,  1 user,  load average: 0.00, 0.00, 0.00

    =====================172.16.1.41 host info==========================
     11:18:18 up  1:26,  1 user,  load average: 0.00, 0.00, 0.00

    [root@m01 scripts]# sh batch.sh yum install libselinux-python -y    # install, in bulk, the package needed on hosts managed by ansible

Chapter 3 Making all access between multiple hosts key-based

3.1 Method 1 (idea: all hosts use the same key pair)

3.1.1 Step 1: create a key pair on one host

    [root@m01 ~]# ssh-keygen -t rsa
    Generating public/private rsa key pair.
    Enter file in which to save the key (/root/.ssh/id_rsa):
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /root/.ssh/id_rsa.
    Your public key has been saved in /root/.ssh/id_rsa.pub.
    The key fingerprint is:
    50:c8:08:88:32:8e:ad:ad:e2:3e:9c:c1:b3:1f:ad:92 root@m01
    The key's randomart image is:
    +--[ RSA 2048]----+
    |.... o ..        |
    |=   . o.         |
    |+o    .          |
    |...    .         |
    |.o      S        |
    |.+. .            |
    |..*. .           |
    |oE  o            |
    |+o+o             |
    +-----------------+
    [root@m01 ~]# ll .ssh/
    total 8
    -rw------- 1 root root 1675 Feb  3 11:34 id_rsa
    -rw-r--r-- 1 root root  390 Feb  3 11:34 id_rsa.pub

3.1.2 Step 2: copy the public key to authorized_keys

    [root@m01 ~]# cd .ssh/
    [root@m01 .ssh]# cp id_rsa.pub authorized_keys
    [root@m01 .ssh]# ll
    total 12
    -rw-r--r-- 1 root root  390 Feb  3 11:36 authorized_keys
    -rw------- 1 root root 1675 Feb  3 11:34 id_rsa
    -rw-r--r-- 1 root root  390 Feb  3 11:34 id_rsa.pub

3.1.3 Step 3: set the permissions of authorized_keys to 600

    [root@m01 .ssh]# chmod 600 authorized_keys

3.1.4 Step 4: copy the .ssh directory to the other hosts

    [root@m01 ~]# rsync -rp .ssh root@172.16.1.7:/root
    [root@m01 ~]# rsync -rp .ssh root@172.16.1.8:/root
    [root@m01 ~]# rsync -rp .ssh root@172.16.1.31:/root
    [root@m01 ~]# rsync -rp .ssh root@172.16.1.41:/root

3.1.5 Step 5: test

    [root@m01 ~]# ssh 172.16.1.7 hostname
    web01
    [root@m01 ~]# ssh 172.16.1.8 hostname
    web02
    [root@m01 ~]# ssh 172.16.1.31 hostname
    nfs01
    [root@m01 ~]# ssh 172.16.1.41 hostname
    backup

The hosts can now reach each other without a password.

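3.2 Method 2

Idea: each host creates its own key pair and then distributes its public key to the other hosts.

This method is more tedious; with many hosts the amount of work grows.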
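Method 2 becomes less tedious when each host's authorized_keys file is assembled in one staging directory from the public keys the hosts generated for themselves, so that no private key is ever copied. The added example below (not from the original post) does this and refuses to continue when two hosts present the same key, the situation Method 1 creates; build_mesh, the directory layout and the key strings are assumptions.

```shell
#!/bin/sh
# Added example: stage per-host authorized_keys files for Method 2.
# build_mesh PUBDIR OUTDIR
#   PUBDIR/<host>.pub               public key that host generated itself
#   OUTDIR/<host>/authorized_keys   every other host's public key, mode 600
# build_mesh and the layout are illustrative; key strings are constructed.
build_mesh() (
    pubdir=$1
    outdir=$2
    umask 077
    # The second field of a .pub line is the key material. The same value on
    # two hosts means a private key was copied between them (Method 1).
    dup=$(cat "$pubdir"/*.pub | awk '{print $2}' | sort | uniq -d)
    if [ -n "$dup" ]; then
        echo "shared key material found; generate one key pair per host" >&2
        exit 1
    fi
    for target in "$pubdir"/*.pub; do
        t=$(basename "$target" .pub)
        mkdir -p "$outdir/$t"
        : > "$outdir/$t/authorized_keys"
        for src in "$pubdir"/*.pub; do
            [ "$src" = "$target" ] || cat "$src" >> "$outdir/$t/authorized_keys"
        done
    done
)

# Demo with three constructed public keys.
stage=$(mktemp -d)
mkdir "$stage/pub"
for h in web01 web02 nfs01; do
    echo "ssh-rsa AAAAconstructed-$h root@$h" > "$stage/pub/$h.pub"
done
build_mesh "$stage/pub" "$stage/out" && cat "$stage/out/web01/authorized_keys"
rm -rf "$stage"
```

Only the staged authorized_keys file is then copied to each host's /root/.ssh, for example with the rsync -p command used in Method 1.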

Chapter 4 Using Xshell to connect to the virtual hosts with a key

4.1 Step 1: set the user authentication method

4.2 Step 2: transfer the host's private key to the machine that hosts the VMs

    [root@web02 .ssh]# sz id_rsa

4.3 Step 3: create the user key

4.4 Step 4: edit the ssh server configuration file and restart the service

    [root@web02 .ssh]# vim /etc/ssh/sshd_config
    PasswordAuthentication no
    [root@web02 .ssh]# /etc/init.d/sshd reload
    Reloading sshd:                                       [  OK  ]
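Editing one line only helps if that line is the one sshd uses. The added example below (not from the original post) reads a configuration file the way sshd resolves a global keyword: case-insensitive, first occurrence wins, lines after the first Match block are conditional. It assumes whitespace-separated "Keyword value" lines and does not follow Include; on a live host, sshd -T prints the authoritative values.

```shell
#!/bin/sh
# Added example: find the global value sshd would use for one keyword.
# effective_option and password_login_enabled are illustrative names; the
# sample configuration below is constructed.
effective_option() {            # usage: effective_option FILE KEYWORD
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*(#|$)/ { next }              # comments and blank lines
        { kw = tolower($1) }
        kw == "match" { exit }               # the rest is conditional
        kw == want { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# PasswordAuthentication defaults to yes, so anything but an effective "no"
# means password logins are still accepted.
password_login_enabled() {      # exit 0 when passwords are still allowed
    [ "$(effective_option "$1" PasswordAuthentication)" != no ]
}

# Demo: an earlier "yes" overrides the "no" added further down the file.
cfg=$(mktemp)
cat > "$cfg" <<'EOF'
Port 22
#PasswordAuthentication no
PasswordAuthentication yes
PermitRootLogin yes
PasswordAuthentication no
EOF
if password_login_enabled "$cfg"; then
    echo "password logins still enabled: effective value is $(effective_option "$cfg" PasswordAuthentication)"
fi
rm -f "$cfg"
```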

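4.5 Step 5: reconnect and test

Note: because these hosts all have the same key pair, every one of them can be reached from Xshell with key-based authentication.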


Reposted from: https://blog.51cto.com/12805107/2068680
