Passwordless (SSH key based) file distribution on Linux

1. Create the same account and password on every machine (transfer as an unprivileged user, so the key carries no more privilege than the job needs). `passwd --stdin` is the RHEL/CentOS form; `123456` is a placeholder, and since the password is only needed once, for ssh-copy-id, use a strong one and consider turning password login off for this account afterwards (`PasswordAuthentication no` in sshd_config).

#useradd tornado

#echo 123456|passwd --stdin tornado

2. Switch to the newly created user tornado and generate the key pair on the distribution server. The session below used `ssh-keygen -t dsa`; OpenSSH 7.0 (2015) and later refuse ssh-dss keys by default and DSA is limited to 1024 bits, so on a current system run `ssh-keygen -t ed25519` instead (the rest of the procedure is identical apart from the file names id_ed25519 / id_ed25519.pub). Giving the key a passphrase is not possible here because the scripts below must run unattended, which is exactly why the key must not belong to root.

[root@backup ~]# su - tornado
[tornado@backup ~]$ ssh-keygen -t dsa

Generating public/private dsa key pair.
Enter file in which to save the key (/home/tornado/.ssh/id_dsa):
Created directory '/home/tornado/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/tornado/.ssh/id_dsa.
Your public key has been saved in /home/tornado/.ssh/id_dsa.pub.
The key fingerprint is:
a9:b0:f5:06:72:9b:b5:92:cd:62:30:43:ca:da:7f:5b tornado@backup
The key's randomart image is:
+--[ DSA 1024]----+
| |
| |
| . |
| . o . |
| o * + S |
| o X @ . |
|. . . O E |
| . ..= |
| .... |
+-----------------+
[tornado@backup ~]$ ls -l .ssh/
total 8
-rw------- 1 tornado tornado 668 Sep 4 15:39 id_dsa            # private key (must stay 0600)
-rw-r--r-- 1 tornado tornado 604 Sep 4 15:39 id_dsa.pub     # public key (this is what gets distributed)

3. Distribute the public key to the other servers (ssh-copy-id appends it to ~/.ssh/authorized_keys on the target). The first connection asks you to confirm the target's host key: compare the fingerprint with one read on the target itself (`ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub`) before answering yes, because the account password is sent to whichever host answers.

[tornado@backup ~]$ ssh-copy-id -i .ssh/id_dsa.pub tornado@10.89.7.10
The authenticity of host '10.89.7.10 (10.89.7.10)' can't be established.
RSA key fingerprint is 01:e7:d2:70:fc:a8:1a:ee:88:07:ef:9b:37:40:29:2d.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.89.7.10' (RSA) to the list of known hosts.
tornado@10.89.7.10's password:
Permission denied, please try again.
tornado@10.89.7.10's password:
Now try logging into the machine, with "ssh 'tornado@10.89.7.10'", and check in:

.ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

[tornado@backup ~]$
# If sshd listens on a port other than 22 (52113 below), use this form. Current ssh-copy-id accepts `-p 52113` as a normal option; packing the port into the target argument is the workaround for older versions.

[tornado@backup ~]$ ssh-copy-id -i .ssh/id_dsa.pub "-p 52113 tornado@10.89.7.12"

4. Test: after distribution, commands run on the targets without a password, e.g. /sbin/ifconfig

[tornado@backup ~]$ ssh -p52113 tornado@10.89.7.12 /sbin/ifconfig eth0
eth0 Link encap:Ethernet HWaddr 00:0C:29:CE:2E:36
inet addr:10.89.7.12 Bcast:10.89.7.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fece:2e36/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:297265 errors:0 dropped:0 overruns:0 frame:0
TX packets:36286 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:24006443 (22.8 MiB) TX bytes:3519806 (3.3 MiB)
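Steps 1 to 4 above install an unrestricted key and take the target's host key on trust. As an added example, not code from the original post, the script below does the target-side half of that procedure with restrictions: it prefixes the public key with a `from=` option (only the distribution host's address can use it), turns off agent, port and X11 forwarding, and enforces the permissions that sshd's StrictModes checks. The home directory, the distribution host address 10.89.7.1 and the key line are assumptions; in real use the key line is whatever `ssh-keygen -t ed25519` produced on the backup host.

```shell
#!/bin/sh
# Added example (not from the original post): install a public key into
# ~/.ssh/authorized_keys with source-address and forwarding restrictions,
# then fix the permissions sshd insists on. Assumed layout: HOME/.ssh/.

# restrict_key SOURCE PUBKEY_LINE
# Prefix an OpenSSH public key line with options so it only works from the
# distribution host and cannot be used to open tunnels or forward an agent.
restrict_key() {
    src=$1
    key=$2
    # Accept only a bare "type base64 [comment]" line, so a stray option or
    # a second key cannot sneak into authorized_keys.
    case $key in
        ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-*) ;;
        *) echo "restrict_key: unsupported key line" >&2; return 1 ;;
    esac
    printf 'from="%s",no-agent-forwarding,no-port-forwarding,no-X11-forwarding %s\n' "$src" "$key"
}

# install_authorized_key HOME_DIR SOURCE PUBKEY_LINE
# Idempotently append the restricted line and enforce 0700 .ssh and
# 0600 authorized_keys (sshd rejects looser modes when StrictModes is on).
install_authorized_key() {
    home=$1
    line=$(restrict_key "$2" "$3") || return 1
    sshdir=$home/.ssh
    authkeys=$sshdir/authorized_keys
    umask 077
    mkdir -p "$sshdir" && chmod 700 "$sshdir" || return 1
    touch "$authkeys" && chmod 600 "$authkeys" || return 1
    # -F -x: literal, whole-line match, so re-running never duplicates a key
    if ! grep -Fxq -- "$line" "$authkeys"; then
        printf '%s\n' "$line" >> "$authkeys"
    fi
}

# Usage on a target, as the receiving user (10.89.7.1 assumed to be the
# distribution host):
#   sh install_key.sh "$HOME" 10.89.7.1 "$(cat /tmp/id_ed25519.pub)"
[ "$#" -eq 0 ] || install_authorized_key "$@"
```

Copy the .pub file to the target by any means (scp with the password, once) and run the script there; afterwards the key is useless from any other address, and a stolen private key cannot be used to pivot through the target's port forwarding.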

5. Distribution script

#cat fenfa.sh

#!/bin/sh
# Copy one file to every host in the list over the key-based login set up
# above; /etc/init.d/functions is the RHEL/CentOS helper library that prints
# the [ OK ] / [FAILED] markers.
. /etc/init.d/functions
for n in 8 9 10
do
  # "$1" is quoted so a file name with spaces stays one argument;
  # "&>/dev/null" is a bashism, ">/dev/null 2>&1" is the portable form
  scp -P22 "$1" tornado@10.89.7.$n:~ >/dev/null 2>&1
  if [ $? -eq 0 ]
    then
      action "fenfa $1 ok?" /bin/true
  else
      action "fenfa $1 ok?" /bin/false
  fi
done

# Result
[tornado@backup scripts]$ sh fenfa.sh hosts
fenfa hosts ok? [ OK ]
fenfa hosts ok? [FAILED]
fenfa hosts ok? [FAILED]

The script above does the job but is crude (it can only drop files into the home directory); a better solution follows.

# Privilege escalation for the install step: use sudo on the target to move the staged file from the home directory into the destination. Do not generate the key as root: if the distribution host is compromised, a root key hands the attacker every target. Be aware, though, that the rule below (`NOPASSWD:/usr/bin/rsync` with unrestricted arguments) is root-equivalent on the target anyway: rsync running as root can overwrite any file, including /etc/sudoers and /root/.ssh/authorized_keys, and its `-e` option lets it launch an arbitrary program as root. To get the isolation the unprivileged account is meant to provide, pin the arguments in sudoers or grant sudo only on a fixed wrapper that validates its inputs.

Edit /etc/sudoers on each client, as root. Appending with echo works but bypasses the syntax check; prefer `visudo` (or a file under /etc/sudoers.d), and always run `visudo -c` afterwards, because a syntax error in sudoers locks every sudo user out:
[root@linux-node1 ~]# echo 'tornado ALL=(ALL) NOPASSWD:/usr/bin/rsync' >>/etc/sudoers
[root@linux-node1 ~]# visudo -c
/etc/sudoers: parsed OK
[root@linux-node1 ~]# grep tornado /etc/sudoers
tornado ALL=(ALL) NOPASSWD:/usr/bin/rsync
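The rule just added lets tornado run rsync as root with any arguments, which is root. As an added example, not part of the original post, here is a wrapper that does only the one thing the distribution needs (copy a staged file from the home directory into an allow-listed directory) so that the sudoers line can be `tornado ALL=(root) NOPASSWD:/usr/local/sbin/install-file` instead. The wrapper path, STAGE_DIR and the ALLOWED_DIRS list are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): a fixed-purpose wrapper that
# the tornado account may run as root, replacing an unrestricted
# "NOPASSWD:/usr/bin/rsync" rule. Assumed installation on each target:
#   /usr/local/sbin/install-file   (root-owned, mode 0755)
#   sudoers: tornado ALL=(root) NOPASSWD:/usr/local/sbin/install-file
# Files are staged in STAGE_DIR by scp and may only be installed into one of
# the directories listed in ALLOWED_DIRS (both overridable for testing).

STAGE_DIR=${STAGE_DIR:-/home/tornado}
ALLOWED_DIRS=${ALLOWED_DIRS:-"/etc /etc/nginx /usr/local/bin"}

# install_file NAME DESTDIR
# NAME must be a plain file name (no directory part, not a dotfile) and
# DESTDIR must equal one allowed directory exactly. Returns 0 on success,
# 2 on a rejected argument, install(1)'s status otherwise.
install_file() {
    name=$1
    dest=$2
    case $name in
        ''|*/*|.*) echo "install-file: bad file name '$name'" >&2; return 2 ;;
    esac
    ok=0
    for d in $ALLOWED_DIRS; do
        [ "$dest" = "$d" ] && ok=1
    done
    if [ "$ok" -ne 1 ]; then
        echo "install-file: '$dest' is not an allowed destination" >&2
        return 2
    fi
    src=$STAGE_DIR/$name
    # Refuse symlinks: the unprivileged user could otherwise point the
    # staged name at any file and have root copy it into /etc.
    if [ ! -f "$src" ] || [ -L "$src" ]; then
        echo "install-file: '$src' is not a regular file" >&2
        return 2
    fi
    # Mode is fixed rather than inherited from the staging copy; ownership
    # is set to root only when actually running as root (not in tests).
    if [ "$(id -u)" -eq 0 ]; then
        install -m 0644 -o root -g root "$src" "$dest/$name"
    else
        install -m 0644 "$src" "$dest/$name"
    fi
}

[ "$#" -eq 0 ] || install_file "$@"
```

With the wrapper in place the install step from the distribution host becomes `ssh -t tornado@10.89.7.12 sudo /usr/local/sbin/install-file hosts /etc`; a compromised distribution host can then only replace allow-listed files with root-owned 0644 copies, not run arbitrary commands as root.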

Run the following on the distribution host:
[tornado@backup ~]$ ssh -t tornado@10.89.7.12 sudo rsync hosts /etc/ # -t allocates a tty, required for remote sudo when sudoers sets requiretty (the RHEL/CentOS 6/7 default)
Connection to 10.89.7.12 closed.
Before distribution:
[tornado@linux-node1 ~]$ cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
10.89.1.12 linux-node1.example.com
10.89.1.10 linux-node2.example.com

After distribution:
[tornado@linux-node1 ~]$ cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6


#tornado
[tornado@linux-node1 ~]$
------------------------------------------
#cat fenfa_good.sh

#!/bin/sh
. /etc/init.d/functions

if [ $# -ne 2 ]
then
  echo "USAGE:$0 localfile remotedir"
  exit 1
fi

# The remote rsync runs in the user's home directory, so it must be given
# the file's base name, not the local path ("/srv/conf/hosts" would fail).
name=$(basename "$1")

for n in 10 11 12
do
  # The original line ended in "&&\ " (backslash-space): that escapes the
  # space, not the newline, and breaks the script. A trailing "&&" already
  # continues the command onto the next line.
  scp -P22 -rp "$1" tornado@10.89.7.$n:~ >/dev/null 2>&1 &&
  ssh -t tornado@10.89.7.$n sudo rsync "$name" "$2" >/dev/null 2>&1
  if [ $? -eq 0 ]
  then
    action "10.89.7.$n :fenfa $1 ok?" /bin/true
  else
    action "10.89.7.$n :fenfa $1 ok?" /bin/false
  fi
done

[tornado@backup ~]$ sh /server/scripts/fenfa_good.sh hosts /etc
10.89.7.10 :fenfa hosts ok? [ OK ]
10.89.7.11 :fenfa hosts ok? [FAILED]
10.89.7.12 :fenfa hosts ok? [ OK ]
[tornado@backup ~]$
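Both scripts above pass unquoted arguments, will sit waiting at a password prompt if a key is missing on some host, and will either hang or silently accept an unknown host key. As an added example, not the post's own code, the script below is a reworked fenfa_good.sh that fixes those points: every path is quoted, `BatchMode=yes` makes ssh and scp fail instead of prompting, `StrictHostKeyChecking=yes` refuses hosts whose key is not already in known_hosts, `ConnectTimeout` bounds a dead host, and the exit status is the number of failed hosts so cron or CI can notice. It still installs through the `sudo rsync` rule from the post. The host list, user, port and timeout are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): a hardened fenfa_good.sh.
# HOSTS, SSH_USER and SSH_PORT are assumptions and can be overridden from the
# environment. ssh/scp are called by name so they can be stubbed in tests.

HOSTS=${HOSTS:-"10.89.7.10 10.89.7.11 10.89.7.12"}
SSH_USER=${SSH_USER:-tornado}
SSH_PORT=${SSH_PORT:-22}
# BatchMode: never prompt for a password or passphrase (fail instead).
# StrictHostKeyChecking=yes: refuse unknown or changed host keys.
SSH_OPTS="-o BatchMode=yes -o StrictHostKeyChecking=yes -o ConnectTimeout=5"

# push_one HOST LOCALFILE REMOTEDIR
# Stage the file in the user's home with scp, then move it into place as root
# via the post's "sudo rsync" rule (-t because sudoers may set requiretty).
# basename is used so that "/srv/conf/hosts /etc" works; the original script
# passed the full local path to the remote rsync, which fails.
push_one() {
    host=$1 src=$2 dest=$3
    name=$(basename "$src")
    scp -P "$SSH_PORT" $SSH_OPTS -p "$src" "$SSH_USER@$host:~/$name" >/dev/null 2>&1 &&
    ssh -p "$SSH_PORT" $SSH_OPTS -t "$SSH_USER@$host" sudo rsync "$name" "$dest/" >/dev/null 2>&1
}

# distribute LOCALFILE REMOTEDIR
# Push to every host, print one line per host in the post's format, and
# return the number of hosts that failed (0 means all succeeded).
distribute() {
    file=$1 dir=$2
    [ -f "$file" ] || { echo "distribute: '$file' is not a regular file" >&2; return 1; }
    failed=0
    for h in $HOSTS; do
        if push_one "$h" "$file" "$dir"; then
            echo "$h: fenfa $file ok? [ OK ]"
        else
            echo "$h: fenfa $file ok? [FAILED]"
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Usage: sh fenfa_safe.sh /etc/hosts /etc
if [ "$#" -ne 0 ]; then
    [ "$#" -eq 2 ] || { echo "USAGE: $0 localfile remotedir" >&2; exit 1; }
    distribute "$1" "$2"
fi
```

Because the script refuses unknown host keys, seed known_hosts on the distribution host once (with the fingerprints verified as in step 3) before running it unattended; a host whose key changes will then show up as [FAILED] rather than being trusted silently.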

 

Postscript: checking configuration on many servers at once

#cat view.sh

#!/bin/sh

if [ $# -ne 1 ]
then
  echo "USAGE:$0 Command"
  exit 1
fi

for n in 10 11 12
do
  echo =====10.89.7.$n=====
  # "$1" keeps the command and its arguments together as one argument to ssh
  ssh -p22 tornado@10.89.7.$n "$1"
done

[tornado@backup ~]$ sh /server/scripts/view.sh "/sbin/ifconfig eth0"     # a command that takes arguments must be quoted
10.89.7.10
eth0 Link encap:Ethernet HWaddr 00:0C:29:44:C1:06
inet addr:10.89.7.10 Bcast:10.89.7.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe44:c106/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:95568 errors:0 dropped:0 overruns:0 frame:0
TX packets:8895 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:11057298 (10.5 MiB) TX bytes:907262 (885.9 KiB)

10.89.7.11
ssh: connect to host 10.89.7.11 port 22: No route to host
10.89.7.12
eth0 Link encap:Ethernet HWaddr 00:0C:29:CE:2E:36
inet addr:10.89.7.12 Bcast:10.89.7.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fece:2e36/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:37319 errors:0 dropped:0 overruns:0 frame:0
TX packets:2436 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2469416 (2.3 MiB) TX bytes:216969 (211.8 KiB)

[tornado@backup ~]$

 

posted on 2018-09-10 17:12 by 飚车之神 (291 reads, 0 comments)
