ssh服务批量管理示例

前提条件

1、准备172.16.1.10-backup, 172.16.1.7-lnmp01, 172.16.1.9-nfs-server三台22端口机器，172.16.1.8-lamp01一台8080端口机器（只是个人测试用）
2、查看系统相关信息

[root@backup ~]# cat /etc/redhat-release
CentOS release 6.7 (Final)
[root@backup ~]# uname -r
2.6.32-573.el6.x86_64
[root@backup ~]# uname -m
x86_64

1、检查SSH服务是否安装

[root@backup ~]#rpm -qa openssl openssh[root@backup ~]#yum install -y openssl

[root@backup ~]#yum install -y openssh[root@backup ~]#rpm -qa openssl opensshopenssh-5.3p1-111.el6.x86_64openssl-1.0.1e-42.el6.x86_64

2、检查SSH服务是否开启

[root@backup ~]# /etc/init.d/sshd statusopenssh-daemon (pid 4096) is running...#如果未开启，那么需要执行下述命令

[root@backup ~]# /etc/init.d/sshd start

3、为所有机器创建用户及密码

[root@backup ~]# useradd oldgirl[root@backup ~]# tail -1 /etc/passwd
oldgirl:x:503:503::/home/oldgirl:/bin/bash
[root@backup ~]# echo 123456|passwd --stdin oldgirl[root@backup ~]# id oldgirl[root@backup ~]# su – oldgirl #其他3台机器也要建同样的用户[oldgirl@backup ~]$ ll...............

4、SSH优化

#在root用户下执行[root@backup ~]# sed -ir '13 iPort 52113\nPermitRootLoginno\nPermitEmptyPasswords no\nUseDNS no\nGSSAPIAuthentication no' /etc/ssh/sshd_config#一般来讲，如果用户严格的话，那么不让root用户登录，那么需要把PermitRootLogin改为no，现在测试机直接是yes，ssh这个文件默认端口是22，如果要修改端口加上Port 52113，那么在访问这台机器的时候要特殊处理。

5、在backup10机器创建秘钥对

[oldgirl@backup ~]$ ssh-keygen -t dsa#下面的都敲回车即可Generating public/private dsa key pair.Enter file in which to save the key(/home/oldgirl/.ssh/id_dsa): Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in/home/oldgirl/.ssh/id_dsa.Your public key has been saved in/home/oldgirl/.ssh/id_dsa.pub.The key fingerprint is:e8:3b:06:99:fe:bc:ca:dd:72:2a:c0:24:df:fe:e1:eeoldgirl@backupThe key's randomart image is:+--[ DSA 1024]----+| || || ||. . . || = . o. S || + =. || + .o || .++++. || oOE*. |+-----------------+ [oldgirl@backup ~]$ cat .ssh/#查看秘钥生成的相关文件authorized_keys id_dsa id_dsa.pub known_hosts

6、backup10机器分发秘钥

#注意：公钥相当于锁，要发给所有机器，私钥相当于钥匙，要留给自己。#给22端口的7机器和9机器发公钥密钥[oldgirl@backup ~]$ ssh-copy-id -i ~/.ssh/id_dsa.pub oldgirl@172.16.1.7oldgirl@172.16.1.7's password: Now try logging into the machine, with "ssh'oldgirl@172.16.1.7'", and check in: .ssh/authorized_keys to make sure we haven't added extra keys that you weren'texpecting. [oldgirl@backup ~]$ ssh-copy-id -i ~/.ssh/id_dsa.pub oldgirl@172.16.1.9oldgirl@172.16.1.9's password: Now try logging into the machine, with "ssh'oldgirl@172.16.1.9'", and check in: .ssh/authorized_keys to make sure we haven't added extra keys that you weren'texpecting. #查看7、9两台机器生成的密钥[oldgirl@lnmp01 ~]$ ls -l ~/.ssh/authorized_keys#相当于[b]id_dsa.pub，只是换了个名[/b]-rw------- 1 oldgirl oldgirl 604 Jun 5 20:33 /home/oldgirl/.ssh/authorized_keys[oldgirl@nfs-server ~]$ ls -l ~/.ssh/authorized_keys -rw------- 1 oldgirl oldgirl 604 Jun 5 20:34 /home/oldgirl/.ssh/authorized_keys
#给8080端口8机器发密钥,仅仅是个人测试端口使用[oldgirl@backup ~]$ ssh-copy-id -i ~/.ssh/id_dsa.pub"-p 8080 oldgirl@172.16.1.8"The authenticity of host '[172.16.1.8]:8080([172.16.1.8]:8080)' can't be established.RSA key fingerprint is85:f0:47:99:b8:f7:f4:23:c4:a8:db:e6:ac:d3:dd:f3.Are you sure you want to continue connecting (yes/no)? yesWarning: Permanently added '[172.16.1.8]:8080' (RSA) tothe list of known hosts.oldgirl@172.16.1.8's password: Now try logging into the machine, with "ssh '-p 8080oldgirl@172.16.1.8'", and check in: .ssh/authorized_keys to make sure we haven't added extra keys that you weren'texpecting.
#查看8机器生成的密钥 [oldgirl@lamp01 ~]$ ls -l ~/.ssh/authorized_keys-rw------- 1 oldgirl oldgirl 604 Jun 7 02:02 /home/oldgirl/.ssh/authorized_keys
7、批量管理7、1批量管理：在10backup机器分发文件方式一
脚本内容：
[oldgirl@backup ~]$ cat fenfa1.sh

#!/bin/sh
. /etc/init.d/functions
if [ $# -ne 1 ];then
echo"USAGE:$0 filename"
exit 1
fi

for n in  9 7
do
scp -P22 -rp $1oldgirl@172.16.1.$n:~ &>/dev/null &&\
ssh -p22 -toldgirl@172.16.1.$n sudo rsync ~/$1 /etc/ &>/dev/null
if [ $? -eq 0];then
action"172.16.1.$n" /bin/true
else
action"172.16.1.$n" /bin/false
fi
done

#在10机器的oldgirl下执行，执行这步之前一定要先把密钥/公钥发给其他机器，不然执行这里会让输入密码。[oldgirl@backup ~]$ /bin/sh fenfa1.sh test1.txt #格式为/bin/sh，脚本名称，要发送的文件名172.16.1.9 [ OK ]172.16.1.7 [ OK ] #查看7和9机器生成的文件[oldgirl@nfs-server ~]$ ls -l test1.txt -rw-rw-r-- 1 oldgirl oldgirl 0 Jun 7 2016test1.txt [oldgirl@lnmp01 ~]$ ls -l test1.txt -rw-rw-r-- 1 oldgirl oldgirl 0 Jun 7 2016test1.txt

7、2批量管理：在10backup机器分发文件方式二#在root用户下，在10、7、9机器中加入[root@backup ~]# cat /etc/sudoersoldgirl ALL= NOPASSWD: /usr/bin/rsync脚本内容：[oldgirl@backup ~]$ cat fenfa.sh

#!/bin/sh
. /etc/init.d/functions
if [ $# -ne 2 ];then
echo"USAGE:$0 filename DST"
exit 1
fi

for n in  9 7
do
scp -P22 -rp $1oldgirl@172.16.1.$n:~ &>/dev/null &&\
ssh -p22 -toldgirl@172.16.1.$n sudo rsync ~/$1 /$2/ &>/dev/null
if [ $? -eq 0];then
action"172.16.1.$n" /bin/true
else
action"172.16.1.$n" /bin/false
fi
done

#上述脚本涉及rsync的内容请参考我的另一篇博文“rsync的配置和以rsync的daemon工作模式传输数据”#在10机器的oldgirl用户下执行[oldgirl@backup ~]$ /bin/sh fenfa.sh text2.txt data #注意data这里不要加”/”，脚本里已加，认真认真再认真！ #格式为/bin/sh，脚本名，发送文件名，接收文件目录172.16.1.9 [ OK ]172.16.1.7 [ OK ]#在7和9机器查看结果[oldgirl@lnmp01 ~]$ ls -l /data/total 0-rw-r--r-- 1 root root 0 Jun 8 22:07 text2.txt[oldgirl@nfs-server ~]$ ls -l /data/
total 0-rw-r--r-- 1 root root 0 Jun 8 22:07 text2.txt