Linux: passwordless SSH login with key authentication, plus shell scripts for key-based management, distribution and deployment

Source: Internet
Author: User
Tags stdin ssh rsync ssh port ssh server

Environment:

SSH server:192.168.100.29 server.example.com
SSH client:192.168.100.30 client.example.com

Set up key-based authentication as the root user, then use shell scripts for management, distribution and deployment.

First, the client creates the key pair and distributes the public key to every SSH server it needs to log in to.

Note: the public key is like a lock and the private key is like the key that opens it. We create the pair (lock and key) on the client; to get passwordless SSH login we hand the lock to the server and install it there, after which the client can open it with its own key.

I. Establishing key authentication

1. Create a key pair on the client: (SSH client)

Copy Code code as follows:
# su - root
# ssh-keygen -t dsa

Press Enter at every prompt to accept the defaults:
Copy Code code as follows:

Generating public/private dsa key pair.
Enter file in which to save the key (/root/.ssh/id_dsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_dsa.
Your public key has been saved in /root/.ssh/id_dsa.pub.
The key fingerprint is:
e9:5e:4a:7f:79:64:c5:ae:f2:06:a7:26:e4:41:5c:0e root@zabbix.example.com
The key's randomart image is:
+--[DSA 1024]----+
| |
|    E. |
| . +   . |
|   . O. o|
| S. O |
|  . O. + .|
| Oo.. B. |
| o +o * + |
|  O. + =. |
+-----------------+

2. View the generated key pair: (SSH client)
Copy Code code as follows:

# ls -lda .ssh
-----------------
drwx------ 2 root 4096 Jun 6 23:03 .ssh
-----------------
# cd .ssh
# ls -la
------------------
total 16
drwx------ 2 root 4096 Jun 6 23:03 .
dr-xr-x---. root root 4096 Jun 6 23:03 ..
-rw------- 1 root 668 Jun 6 23:03 id_dsa
-rw-r--r-- 1 root 613 Jun 6 23:03 id_dsa.pub
------------------

Key generation complete

3. Distribute the public key (the lock) to the SSH server: (SSH client)

Copy Code code as follows:

# ssh-copy-id -i .ssh/id_dsa.pub 192.168.100.29

Note: if the target account is not root and sshd listens on a custom port, the format is:
Copy Code code as follows:
# ssh-copy-id -i .ssh/id_rsa.pub "-p <port> user@server"

Enter yes, then enter the password:
Copy Code code as follows:

The authenticity of host '192.168.100.30 (192.168.100.30)' can't be established.
RSA key fingerprint is fc:9b:2e:38:3b:04:18:67:16:8f:dd:94:a8:bd:08:03.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.100.30' (RSA) to the list of known hosts.
Address 192.168.100.30 maps to bogon, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
root@192.168.100.30's password:
Now try logging into the machine, with "ssh '192.168.100.30'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.

Public key distribution complete

4. On the server, view the received file: (SSH server)

Copy Code code as follows:

# ll /root/.ssh
-------------
total 4
-rw------- 1 root 613 Jun 6 23:29 authorized_keys
-------------

Successfully received

5. Authenticated login from the client: (SSH client)
View the server's IP address:

Copy Code code as follows:

# ssh 192.168.100.29 /sbin/ifconfig eth0
-----------------------
Address 192.168.100.29 maps to bogon, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
eth0 Link encap:Ethernet HWaddr 00:0c:29:7a:4f:30
inet addr:192.168.100.29 Bcast:192.168.100.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe7a:4f30/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:184297 errors:0 dropped:0 overruns:0 frame:0
TX packets:162028 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:163599380 (156.0 MiB) TX bytes:51284830 (48.9 MiB)
Interrupt:19 Base address:0x2000

Note: the warning "Address 192.168.100.29 maps to bogon, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!" appears because the server's address reverse-resolves to a hostname ("bogon") that does not resolve forward to the same address.
The fix is to add the server's IP address and hostname to the client's /etc/hosts file so the two lookups agree.
Copy Code code as follows:

(SSH client)
# echo "192.168.100.29 server.example.com" >> /etc/hosts

View again:
Copy Code code as follows:

# ssh 192.168.100.29 /sbin/ifconfig eth0

No warning this time:
Copy Code code as follows:

--------------------------
eth0 Link encap:Ethernet HWaddr 00:0c:29:7a:4f:30
inet addr:192.168.100.29 Bcast:192.168.100.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe7a:4f30/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:184530 errors:0 dropped:0 overruns:0 frame:0
TX packets:162264 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:163618650 (156.0 MiB) TX bytes:51304877 (48.9 MiB)
Interrupt:19 Base address:0x2000
---------------------------

View the server's memory:
Copy Code code as follows:

# ssh 192.168.100.29 free -m
--------------------------
             total       used       free     shared    buffers     cached
Mem:          1006        991         14          0        177        308
-/+ buffers/cache:        506
Swap:         1023          6       1017
---------------------------
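As an added check (example code, not from the article), the following script verifies the two things steps 2 and 5 rely on: that the client's key files carry the modes shown in the ls -la listing, and that the login in step 5 is accepted by key rather than by password. It assumes the DSA key path from step 1 and either GNU or BSD stat; SSH_BIN is an assumed override so the ssh call can be substituted in tests.

```shell
#!/bin/sh
# Added example, not part of the article: sanity-check the client side of the
# key setup. Assumes the key lives at ~/.ssh/id_dsa as created in step 1.

# mode_of FILE prints the octal permission bits (e.g. 600); GNU stat first,
# BSD stat as the fallback.
mode_of() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# check_key_perms DIR returns 0 when DIR is 700, the private key is 600 and
# the public key exists. ssh ignores a private key that other users can read
# ("permissions are too open"), so a wrong mode shows up as an unexpected
# password prompt rather than a clear failure.
check_key_perms() {
    dir=$1; bad=0
    [ "$(mode_of "$dir")" = 700 ] || { echo "$dir must be 700" >&2; bad=1; }
    [ "$(mode_of "$dir/id_dsa")" = 600 ] || { echo "$dir/id_dsa must be 600" >&2; bad=1; }
    [ -r "$dir/id_dsa.pub" ] || { echo "$dir/id_dsa.pub is missing" >&2; bad=1; }
    return $bad
}

# check_key_login HOST succeeds only when the key is accepted: BatchMode=yes
# and PasswordAuthentication=no turn a password prompt into a failure instead
# of a hang, which is what a cron job or a batch script needs.
check_key_login() {
    "${SSH_BIN:-ssh}" -o BatchMode=yes -o PasswordAuthentication=no \
        -o ConnectTimeout=5 "$1" true
}

# usage: check_key_perms "$HOME/.ssh" && check_key_login 192.168.100.29
```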

II. Create a shell script for batch management: (SSH client)
1. Create the script:
Copy Code code as follows:

# cd /etc/rc.d
# vi manager.sh
------------------
# run the command given as $1 on every host listed in iplist
for ip in `cat iplist`
do
    echo "---$ip---"
    ssh "$ip" "$1"
done
------------------

2. Generate the IP list: (if more than one SSH server needs to be managed, add the others the same way)
Copy Code code as follows:

# echo 192.168.100.29 >> iplist
# echo 192.168.100.28 >> iplist
...
# cat iplist
---------------
192.168.100.29
---------------

3. Execute the script:
Copy Code code as follows:

# sh manager.sh "df -h"
----------------
---192.168.100.29---
Filesystem      Size  Used Avail Use% Mounted on
/dev/sda3        19G  6.7G   11G  38% /
tmpfs           504M     0  504M   0% /dev/shm
/dev/sda1       194M   27M  158M  15% /boot
----------------

Management success

III. Create a shell script for batch distribution: (SSH client)

1. Create the script:

Copy Code code as follows:

# cd /etc/rc.d
# vi distribute.sh
------------------
# copy the local path $1 to the path $2 on every host listed in iplist
for ip in `cat iplist`
do
    echo "---$ip---"
    scp -r -p "$1" "$ip:$2"
done
------------------

The script's IP list was already created above.
Execute the script:
Distribute the local /root directory to /tmp on the SSH server host
Copy Code code as follows:

# sh distribute.sh /root /tmp
------------------
---192.168.100.29---
.ICEauthority 100% 620 0.6KB/s 00:00
install.log.syslog 100% 10KB 10.2KB/s 00:00
preferred-web-browser.desktop 100% 2378 2.3KB/s 00:00
preferred-mail-reader.desktop 100% 257 0.3KB/s 00:00
.converted-launchers 100% 0 0.0KB/s 00:00
.bash_history 100% 3200 3.1KB/s 00:00
.bash_logout 100% 0.0KB/s 00:00
applet_dirlist 100% 0 0.0KB/s 00:00
saved_state 100% 65KB 64.5KB/s 00:00
8f329b0c645a51e018b765fa0000001a-0 100% 463 0.5KB/s 00:00
............
------------------

Distribution successful
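The manager.sh and distribute.sh scripts above are combined here into one hardened version, as an added example that is not the article's own code: it skips blank, commented or malformed iplist entries, runs ssh and scp in BatchMode so a host with a missing key fails instead of prompting for a password, and reports per-host failures. Assumed names: the ordinary user user02 from the sudo section, port 22, /etc/rc.d/iplist, and the SSH_BIN/SCP_BIN overrides used for testing.

```shell
#!/bin/sh
# Added example (not the article's script): batch management and distribution
# over key-authenticated SSH. Assumed defaults: user user02, port 22, and the
# iplist file from /etc/rc.d; override with IPLIST, SSH_USER, SSH_PORT.

# is_ipv4 ADDR returns 0 for a dotted quad with octets 0-255, 1 otherwise.
is_ipv4() {
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do [ "$octet" -le 255 ] || return 1; done
}

# valid_hosts prints each usable entry of the ip list, one per line, and
# reports skipped entries on stderr so a typo cannot silently drop a host.
valid_hosts() {
    while IFS= read -r ip || [ -n "$ip" ]; do
        case "$ip" in ''|'#'*) continue ;; esac
        if is_ipv4 "$ip"; then echo "$ip"; else echo "skip: bad entry '$ip'" >&2; fi
    done < "${IPLIST:-/etc/rc.d/iplist}"
}

# run_on_hosts CMD...: the manager.sh function. BatchMode=yes makes ssh fail
# instead of asking for a password, so a host whose key is missing is
# reported rather than hanging the whole batch.
run_on_hosts() {
    for ip in $(valid_hosts); do
        echo "---$ip---"
        "${SSH_BIN:-ssh}" -o BatchMode=yes -o ConnectTimeout=5 \
            -p "${SSH_PORT:-22}" "${SSH_USER:-user02}@$ip" "$@" \
            || echo "FAILED: $ip" >&2
    done
}

# push_to_hosts SRC DEST: the distribute.sh function, copying SRC to DEST
# on every host with the same batch-mode safeguard.
push_to_hosts() {
    for ip in $(valid_hosts); do
        echo "---$ip---"
        "${SCP_BIN:-scp}" -o BatchMode=yes -P "${SSH_PORT:-22}" -r -p \
            "$1" "${SSH_USER:-user02}@$ip:$2" || echo "FAILED: $ip" >&2
    done
}

# usage: run_on_hosts df -h        push_to_hosts /root/tmp /root
```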

IV. Batch deployment:

Deployment combines the two functions above, batch management and batch distribution, in shell scripts.
For example, suppose you want to install Apache in bulk on n SSH servers:

1. Write an Apache installation script.
2. Distribute the installation script to the SSH servers.
3. Use the management script to execute it remotely.
There is no demo here; when I get the chance I will tidy up my LAMP notes, write an Apache script and show it here.
Note: because risky operations are involved, using the root account for batch management is not recommended.
It is recommended to create an ordinary account and use sudo to escalate privileges only where needed.

Manage, distribute and deploy through an ordinary user with key authentication and sudo privileges

Copy Code code as follows:

(SSH server)
# useradd user02
# echo "123456" | passwd --stdin user02
(SSH client)
# useradd user01
# echo "123456" | passwd --stdin user01
# su - user01
# ssh-keygen -t dsa

Note: by default, pressing Enter three times completes key creation
Copy Code code as follows:

# ssh-copy-id -i .ssh/id_dsa.pub user02@192.168.100.29

Enter the password 123456; distribution is complete.
Verify:
Copy Code code as follows:

# ssh user02@192.168.100.29 /sbin/ifconfig eth0

If the IP address 192.168.100.29 is returned, key authentication succeeded.
Distribute:
Note: the client user user01 can now copy files without a password into server-side folders owned by user02, but sudo is required to place them in root-owned folders.
1. Server-side sudo declaration:
Copy Code code as follows:

# su - root
# echo "user02 ALL=(ALL) NOPASSWD:/usr/bin/rsync,/bin/tar,/usr/bin/scp,/bin/cp" >> /etc/sudoers

Note that appending to /etc/sudoers with echo skips the syntax check that visudo performs, and a malformed line disables sudo for everyone; also, passwordless root access to cp, tar and rsync is effectively full root access, since each can overwrite any file on the system, so keep the list to what the deployment actually needs.

Log in to the user02 account
Copy Code code as follows:

# su - user02

View the account's sudo privileges:
Copy Code code as follows:

# sudo -l
----------------
............
User user02 may run the following commands on this host:
    (ALL) NOPASSWD: /usr/bin/rsync, (ALL) /bin/tar, (ALL) /usr/bin/scp, (ALL) /bin/cp
----------------

2. The client first distributes to the user02 home directory on the server:
Copy Code code as follows:

# scp -P22 -r -p /home/user01/ user02@192.168.100.29:/home/user02
-----------------------------
.bash_logout 100% 0.0KB/s 00:00
.bashrc 100% 124 0.1KB/s 00:00
known_hosts 100% 396 0.4KB/s 00:00
id_dsa 100% 672 0.7KB/s 00:00
id_dsa.pub 100% 615 0.6KB/s 00:00
.bash_profile 100% 176 0.2KB/s 00:00
-------------------------------

Note that copying the whole home directory also ships user01's private key (id_dsa) to the server, as the listing shows; in practice, distribute only the files the deployment needs.

3. After connecting to the server, perform a local copy with sudo cp:
Copy Code code as follows:

# ssh -t user02@192.168.100.29 sudo cp -r /home/user02 /etc
-----------------------
Connection to 192.168.100.29 closed.
-----------------------

Copy successful
Note:
Copy Code code as follows:

# cp -r /test1 /test2/

copies the /test1 directory into the /test2/ directory
Copy Code code as follows:

# cp -r /test1/ /test2/

copies all the files in the /test1 directory into the /test2/ directory
---------------
