Batch SSH mutual trust configuration script
During large-scale automated deployment we often need to configure SSH mutual trust between servers so that automation scripts can log in to remote servers without a password. The general steps for configuring SSH mutual trust by hand are as follows:
- Use ssh-keygen to generate a local SSH key pair on mha01.
- cp .ssh/id_rsa.pub .ssh/authorized_keys
- Copy the whole .ssh directory to the remote server mha02. Before the actual copy, the remote server's host key is added to .ssh/known_hosts (the yes/no prompt), and then the copy proceeds.
Each copy to a new server updates .ssh/known_hosts. After all copies are complete, mha01 can log in to all servers without a password.
The batch configuration script written along these lines is:
```expect
#!/usr/bin/expect
# This script must be used together with the ip.list file, which lists the IP
# addresses of all servers, including the local one.
# Place this script and ip.list together in the user's home directory (~/).

# Server password. All accounts on all servers in the trust group must use the
# same password for this script to work.
set passwd xxx

spawn ssh-keygen
expect {
    "id_rsa"    {send "\r"; exp_continue}
    "Overwrite" {send "y\r"; exp_continue}
    "phrase"    {send "\r"; exp_continue}
    "again"     {send "\r"; exp_continue}
}

# Note: spawn does not go through a shell, so ~ is not expanded here. Use an
# absolute or a relative path for the local home directory, never ~/.
# The remote side ($ip:~/) is expanded by the remote shell, so ~ works there.
# This can also be written as: spawn cp /root/.ssh/id_rsa.pub /root/.ssh/authorized_keys
spawn cp .ssh/id_rsa.pub .ssh/authorized_keys
expect eof

set hosts [open ip.list r]
while {[gets $hosts ip] >= 0} {
    # This can also be written as: spawn scp -r /root/.ssh/ $ip:/root/
    spawn scp -r .ssh/ $ip:~/
    expect {
        "yes/no"    {send "yes\r"; exp_continue}
        "password:" {send "$passwd\r"; exp_continue}
    }
}
close $hosts
```
Assume there are 99 servers, mha01 through mha99. After the configuration completes, mha01 can log in to the other 98 servers without a password, but mha02 can only log in to mha01 and mha02 without a password, mha03 only to the first three servers, and so on; mha99, like mha01, can log in to all servers. This is because each server receives a snapshot of mha01's known_hosts as it was at the moment of that server's copy. If you want every server from 01 to 99 to reach every other server, as 01 and 99 can, run the second part of the script (the scp loop) again: by then mha01's known_hosts already contains all hosts, so the complete .ssh directory is transmitted to every server node.
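The following model of the scp loop, added here as an example and not part of the original post, reproduces the asymmetry described above and shows why a second pass closes it. It assumes ip.list lists the local host first, as the script requires, and that every node receives the same key pair and authorized_keys because the whole .ssh directory is copied.

```python
"""Model of how known_hosts spreads in the batch expect script.

Assumption (matches the script): copying the whole ~/.ssh directory gives
every node the same private key and authorized_keys, so "can log in without
a password" reduces to "has the target in known_hosts" (otherwise ssh stops
at the yes/no host-key prompt). Note that the shared private key means a
compromise of any one node grants access to all of them.
"""


def known_hosts_after(hosts, passes=1):
    """Return {server: set of hosts in its known_hosts} after `passes` runs
    of the scp loop. hosts[0] is the machine the script runs on (mha01)."""
    origin = hosts[0]
    known = {h: set() for h in hosts}
    for _ in range(passes):
        for target in hosts:
            # Answering the yes/no prompt adds `target` to the origin's
            # known_hosts ...
            known[origin].add(target)
            # ... and `scp -r .ssh/` then overwrites the target's copy with a
            # snapshot of the origin's directory as it is at this moment.
            known[target] = set(known[origin])
    return known


def passwordless_logins(hosts, passes=1):
    """Map each server to the sorted list of servers it can reach without a
    password, given the known_hosts snapshot it received."""
    return {s: sorted(k) for s, k in known_hosts_after(hosts, passes).items()}


def needs_second_pass(hosts):
    """True if one run leaves some server unable to reach some other one."""
    full = set(hosts)
    return any(k != full for k in known_hosts_after(hosts, 1).values())


if __name__ == "__main__":
    # Constructed host list standing in for ip.list (local host first).
    sample = ["mha%02d" % i for i in range(1, 6)]
    for server, reach in passwordless_logins(sample, 1).items():
        print(server, "->", reach)
    print("second pass needed:", needs_second_pass(sample))
```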