SSH

1、ssh是安全的加密協議，用於遠程連接linux伺服器。

2、ssh預設埠是22，安全協議版本ssh2。

3、ssh服務端主要包含兩個服務功能ssh遠程連接，sftp服務。

4、linux ssh客戶端包含ssh遠程連接命令，以及遠程拷貝scp命令等。

SSH服務認證類型

基於口令的安全驗證

1. [root@server ~]# ssh -p22 [email protected]
2. The authenticity of host '192.168.31.132 (192.168.31.132)' can't be established.
3. RSA key fingerprint is a0:60:7f:c8:e1:2c:d4:3b:2c:63:b7:3d:66:ad:f2:18.
4. Are you sure you want to continue connecting (yes/no)? yes
5. Warning: Permanently added '192.168.31.132' (RSA) to the list of known hosts.
6. [email protected]'s password:
7. Last login: Mon Feb 6 13:33:19 2017 from 192.168.31.1
8. [root@backup ~]#

ssh連接遠程主機命令的基本語法：

-p接埠，預設22埠

@前面為用戶名

@後面為要連接的伺服器ip

1. [root@server ~]# cat ~/.ssh/known_hosts
2. 192.168.31.132 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAzH2jCItapPoUp5IKjVNtNOfXM5FmPQ3i27SjDQzzblL2vVaqAzfA10IsHw/QLfUbBpVERmbxZMW1SRrdcxXOWPFatuYmZMJDja4gi2FstEVxvV+ozelhuxEF9khZEYJHndfh5jqBXOYAe6NXOhY6rheEUmao3Wi5FLqdQ9cE0PBfI7SEn6dWCZ5dTJ76qtyLbctTmHC/tgCi3bqmrMR+hCH+PoiHYitEztwXAEWYxAka0d0ET96Z19DMDF9ai8YsrfAH/BgRiAoeUgNhtc/LrmVKWSeeHk15UvvY8Ba2nzI1jYkVH2UOROYn4jnYhSlY7cI7umdkU5LflGvrHmfJcQ==

ssh總結：

1、切換到別的機器上ssh -p52113 user@ip。

2、到其他機器執行命令（不會切換到別的機器上）ssh -p 52113 user@ip 命令（全路徑）。

3、當第一次ssh連接的時候，本地會產生一個密鑰文件~/.ssh/known_hosts（多個密鑰）。

基於密鑰的安全驗證

事先建立一對密鑰對，然後把公用密鑰（public key）放在需要訪問的目標伺服器上，另外，還需要把私有密鑰（private key）放到ssh的客戶端對應的客戶端伺服器上。

根據埠號（111）查出對應的服務：

lsof -i:111

netstat -lntup|grep 111

根據進程名（sshd）查出對應的埠號：

netstat -lntup|grep sshd

更改預設ssh登錄配置

1. #更改前備份
2. cp /etc/ssh/sshd_config /etc/ssh/sshd_config.ori
3. vi /etc/ssh/sshd_config
4. Port 52113 #預設22埠，為了提高安全級別建議修改
5. PermitRootLogin no #root超級用戶禁止遠程登錄
6. PermiEmptyPasswords no #禁止空密碼登錄
7. UseDNS no #不使用DNS
8. GSSAPIAuthenication no

ssh客戶端附帶的遠程拷貝scp命令

1. [root@server ~]# scp -P22 -r -p /etc [email protected]:/tmp
2. [email protected]'s password:
3. system-release-cpe 100% 25 0.0KB/s 00:00
4. K89rdisc 100% 1513 1.5KB/s 00:00

-P（大寫）接埠。

-r遞歸，表示拷貝目錄。

-p表示在拷貝前後保持文件或目錄屬性

-l limit限制速度

scp總結：

1、scp是加密的遠程拷貝，cp僅為本地拷貝。

2、可以把數據從一臺機器推送到另一臺機器，也可以從其它伺服器把數據拉回到本地執行命令的伺服器。

3、每次都是全量完整拷貝，因此，效率不高，適合第一次拷貝用，如果需要增量拷貝用rsync。

sftp

1、linux下連接命令sftp -oPort=22 [email protected]

2、上傳put加客戶端本地路徑put /etc/hosts，也可以指定路徑上傳put /etc/hosts /tmp。

3、下載get服務端的內容get hosts，linux下載到本地連接前的目錄，也可以指定下載路徑get /etc/hosts /tmp。

4、連接的遠端家目錄為預設目錄，也可以切換到其他有許可權的目錄下。

批量分發文件、執行命令

配置ip主機名

1. [root@server ~]# cat /etc/hosts
2. 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
3. ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
4.  
5. 192.168.31.128 server
6. 192.168.31.134 lnmp
7. 192.168.31.133 lamp
8. 192.168.31.132 backup

IT公司企業級批量分發、管理方案

1、中小企業基本sshkey密鑰的方案。

2、門戶網站sina puppet（複製、太重）。

3、趕集、小米saltstack批量管理（輕量）。

創建用戶oldgirl，密碼system

1. [root@backup data]# useradd oldgirl
2. [root@backup data]# echo system|passwd --stdin oldgirl
3. Changing password for user oldgirl.
4. passwd: all authentication tokens updated successfully.

創建公私鑰

1. [root@server data]# su - oldgirl
2. [oldgirl@server ~]$ ssh
3. ssh ssh-agent sshd ssh-keyscan
4. ssh-add ssh-copy-id ssh-keygen
5. [oldgirl@server ~]$ ssh-keygen -t dsa #dsa
6. Generating public/private dsa key pair.
7. Enter file in which to save the key (/home/oldgirl/.ssh/id_dsa): #存放密鑰的路徑
8. Created directory '/home/oldgirl/.ssh'.
9. Enter passphrase (empty for no passphrase):
10. Enter same passphrase again:
11. Your identification has been saved in /home/oldgirl/.ssh/id_dsa.
12. Your public key has been saved in /home/oldgirl/.ssh/id_dsa.pub.
13. The key fingerprint is:
14. 5a:64:22:18:c1:4c:70:ea:dd:64:9d:82:81:0b:99:07 oldgirl@server
15. The key's randomart image is:
16. +--[ DSA 1024]----+
17. |EO*o |
18. |+++oo . . |
19. |o.o..+.oo |
20. |... +..+ |
21. | . . . S |
22. | o |
23. | . |
24. | |
25. | |
26. +-----------------+

1. [oldgirl@server ~]$ ls -l .ssh/
2. total 8
3. -rw-------. 1 oldgirl oldgirl 668 Feb 7 09:41 id_dsa #私鑰
4. -rw-r--r--. 1 oldgirl oldgirl 604 Feb 7 09:41 id_dsa.pub #公鑰

分發公鑰

1. [oldgirl@server ~]$ ssh-copy-id -i .ssh/id_dsa.pub [email protected] #預設22埠
2. ssh: connect to host 182.168.31.134 port 22: Connection refused
3. [oldgirl@server ~]$ ssh-copy-id -i .ssh/id_dsa.pub [email protected]
4. The authenticity of host '192.168.31.134 (192.168.31.134)' can't be established.
5. RSA key fingerprint is c1:0f:e0:45:05:79:c9:f0:48:d3:2f:6b:dc:66:6a:fe.
6. Are you sure you want to continue connecting (yes/no)? yes
7. Warning: Permanently added '192.168.31.134' (RSA) to the list of known hosts.
8. [email protected]'s password:
9. Now try logging into the machine, with "ssh '[email protected]'", and check in:
10.  
11.   .ssh/authorized_keys
12.  
13. to make sure we haven't added extra keys that you weren't expecting.

1. [root@lnmp ~]# su - oldgirl
2. [oldgirl@lnmp ~]$ ls -l .ssh/
3. total 4
4. -rw-------. 1 oldgirl oldgirl 604 Feb 7 09:49 authorized_keys #許可權600，名字改變

如果不是22埠（52113埠）：ssh-copy-id -i .ssh/id_dsa.pub "-P 52113 [email protected]"

1. [oldgirl@server ~]$ ssh-copy-id -i .ssh/id_dsa.pub [email protected]
2. [oldgirl@server ~]$ ssh-copy-id -i .ssh/id_dsa.pub [email protected]

測試免密查詢ip

1. [oldgirl@server ~]$ ssh -P22 [email protected] /sbin/ifconfig eth0
2. eth0 Link encap:Ethernet HWaddr 00:0C:29:03:06:08
3.           inet addr:192.168.31.134 Bcast:192.168.31.255 Mask:255.255.255.0
4.           inet6 addr: fe80::20c:29ff:fe03:608/64 Scope:Link
5.           UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
6.           RX packets:4867 errors:0 dropped:0 overruns:0 frame:0
7.           TX packets:585 errors:0 dropped:0 overruns:0 carrier:0
8.           collisions:0 txqueuelen:1000
9.           RX bytes:473730 (462.6 KiB) TX bytes:91553 (89.4 KiB)

分發文件

1. [oldgirl@server ~]$ cp /etc/hosts .
2. [oldgirl@server ~]$ ls
3. hosts
4. [oldgirl@server ~]$ scp -P22 hosts [email protected]:~
5. hosts 100% 243 0.2KB/s 00:00

1. [root@lamp ~]# ls /home/oldgirl/
2. hosts

編寫批量分發腳本

1. [oldgirl@server ~]$ cat fenfa.sh
2. scp -P22 hosts [email protected]:~
3. scp -P22 hosts [email protected]:~
4. scp -P22 hosts [email protected]:~

1. [oldgirl@server ~]$ sh fenfa.sh
2. hosts 100% 243 0.2KB/s 00:00
3. hosts 100% 243 0.2KB/s 00:00
4. hosts 100% 243 0.2KB/s 00:00

1. [oldgirl@server ~]$ cat fenfa.sh
2. #!/bin/sh
3. for n in 132 133 134
4. do
5.   scp -P22 hosts [email protected].$n:~
6. done

1. [oldgirl@server ~]$ cat fenfa.sh
2. #!/bin/sh
3. . /etc/init.d/functions
4. for n in 132 133 134
5. do
6.   scp -P22 $1 [email protected].$n:~ &>/dev/null
7.   if [ $? -eq 0 ]
8.     then
9.       action "fenfa $1 ok" /bin/true
10.   else
11.       action "fenfa $1 error" /bin/false
12.   fi
13. done

1. [oldgirl@server ~]$ sh fenfa.sh hosts
2. fenfa hosts ok [ OK ]
3. fenfa hosts ok [ OK ]
4. fenfa hosts ok [ OK ]

1. [oldgirl@server ~]$ cp /server/scripts/inotify.sh .
2. [oldgirl@server ~]$ sh fenfa.sh inotify.sh
3. fenfa inotify.sh ok [ OK ]
4. fenfa inotify.sh ok [ OK ]
5. fenfa inotify.sh ok [ OK ]

1. [oldgirl@server ~]$ cat fenfa.sh
2. #!/bin/sh
3. . /etc/init.d/functions
4. if [ $# -ne 1 ]
5.   then
6.     echo "USAGE:$0 {FILENAME|DIRNAME}"
7.     exit 1
8. fi
9. for n in 132 133 134
10. do
11.   scp -P22 -r $1 [email protected].$n:~ &>/dev/null
12.   if [ $? -eq 0 ]
13.     then
14.       action "fenfa $1 ok" /bin/true
15.   else
16.       action "fenfa $1 error" /bin/false
17.   fi
18. done

1. [oldgirl@server ~]$ sh fenfa.sh
2. USAGE:fenfa.sh {FILENAME|DIRNAME}
3. [oldgirl@server ~]$ cp -r /data/ .
4. [oldgirl@server ~]$ sh fenfa.sh data/
5. fenfa data/ ok [ OK ]
6. fenfa data/ ok [ OK ]
7. fenfa data/ ok [ OK ]

1. [oldgirl@server ~]$ cat view.sh
2. #!/bin/sh
3.  
4. if [ $# -ne 1 ]
5.   then
6.     echo "USAGE:$0 COMMAND"
7.     exit 1
8. fi
9. for n in 132 133 134
10. do
11.   ssh -p22 [email protected].$n $1
12. done

1. [oldgirl@server ~]$ sh view.sh
2. USAGE:view.sh COMMAND
3. [oldgirl@server ~]$ sh view.sh "cat /etc/redhat-release"
4. CentOS release 6.6 (Final)
5. CentOS release 6.6 (Final)
6. CentOS release 6.6 (Final)

ssh批量分發與管理

1、利用root做ssh key驗證。

優點：簡單、易用。

缺點：安全差，同時無法禁止root遠程連接這個功能。

2、利用普通用戶（推薦）

先把分發的文件拷貝到伺服器用戶家目錄，然後sudo提權拷貝分發的文件。

優點：安全。無需停止root遠程連接這個功能。

缺點：配置比較複雜。

3、設置suid對固定命令

優點：相對安全

缺點：複雜，安全性較差。任何人都可以處理帶有suid許可權的命令。

1. [root@lnmp ~]# echo 'oldgirl ALL=(ALL) NOPASSWD:/usr/bin/rsync' >>/etc/sudoers
2. [root@lnmp ~]# visudo -c
3. /etc/sudoers: parsed OK
4. [root@lnmp ~]# grep oldgirl /etc/sudoers
5. oldgirl ALL=(ALL) NOPASSWD:/usr/bin/rsync

1. [oldgirl@server ~]$ scp -P22 -r hosts [email protected]:~
2. hosts 100% 255 0.3KB/s 00:00
3. [oldgirl@server ~]$ ssh -t [email protected] sudo rsync hosts /etc/
4. Connection to 192.168.31.133 closed.

1. [oldgirl@server ~]$ cat fenfa_good.sh
2. #!/bin/sh
3. . /etc/init.d/functions
4. if [ $# -ne 2 ]
5.   then
6.     echo "USAGE:$0 {FILENAME|DIRNAME} REMOTEDIR"
7.     exit 1
8. fi
9. for n in 132 133 134
10. do
11.   scp -P22 -r $1 [email protected].$n:~ &>/dev/null &&\
12.   ssh -t [email protected].$n sudo rsync $1 $2
13.   if [ $? -eq 0 ]
14.     then
15.       action "fenfa $1 ok" /bin/true
16.   else
17.       action "fenfa $1 error" /bin/false
18.   fi
19. done
20. [oldgirl@server ~]$ sh fenfa_good.sh
21. USAGE:fenfa_good.sh {FILENAME|DIRNAME} REMOTEDIR
22. [oldgirl@server ~]$ sh fenfa_good.sh hosts /etc/
23. Connection to 192.168.31.132 closed.
24. fenfa hosts ok [ OK ]
25. Connection to 192.168.31.133 closed.
26. fenfa hosts ok [ OK ]
27. Connection to 192.168.31.134 closed.
28. fenfa hosts ok [ OK ]

1. [root@lnmp ~]# ll `which rsync`
2. -rwxr-xr-x. 1 root root 414968 Apr 30 2014 /usr/bin/rsync
3. [root@lnmp ~]# chmod 4755 /usr/bin/rsync
4. [root@lnmp ~]# ll `which rsync`
5. -rwsr-xr-x. 1 root root 414968 Apr 30 2014 /usr/bin/rsync

企業級生產場景批量管理，自動化管理方案：

1、最簡單最常見shh key，功能最強大的。一般中小型企業會用，50—100台以下。

2、門戶級別puppet批量管理工具。

3、saltstack批量管理工具。

4、http+cron

批量管理路線：sshkeyàpuppetàsaltstack/ansible。