Precautions for logging on to a remote host using SSH without a password
The latest project needs to combine rabbitmq, keepalived, and supervisor. In one scenario, after a keepalived instance is promoted to MASTER, it needs to kill the client processes on the remote host where the rabbitmq clients are deployed.
The general idea is to configure password-less SSH login between the host where keepalived runs and the host where the clients are deployed, then run a remote command through ssh to obtain the process ID of each client process and kill these processes one by one.
The idea is simple, but many problems came up along the way. Configuring password-less SSH to a remote host is easy, so I will not cover it here. Once it is configured, you can use the following directly in a script:
ssh -p port ip "command"
or
ssh -p port ip 'command'
to run commands on the remote host.
Let's talk about the overall design.
At first the thinking was linear: obtain the client process IDs remotely through ssh, then run the kill operation remotely through ssh for each process ID. Because multiple keepalived instances run on different hosts, each of those hosts would have to maintain a list of the clients to be processed, and ssh would have to be run many times against the client host to obtain the process IDs and kill the processes. This is unpleasant for both maintenance and performance.
Looked at another way, both obtaining the process IDs and killing the processes happen on the remote host. So why not let only the remote host maintain the list of clients to be processed, and wrap the operations for obtaining process IDs and killing processes in a script on the remote host? Then each host running a keepalived instance only has to call that one script on the remote host, which saves many unnecessary steps.
The above is a matter of application design. Working out the best solution before implementation starts spares a lot of trouble later. When you run into a problem, look at it from several angles and prefer the simplest method over the most complex one.
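A sketch of the remote-side script described above, as an added example that is not code from the original article. The script name, its path, the `run` argument, the second client name and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: hypothetical kill script kept on the client host.
# The client list lives only here; the second name is a constructed sample.
CLIENTS="worker_for_summary.py worker_for_detail.py"

# pids_for NAME: read `ps -ef` output on stdin and print the PID (column 2)
# of every process that has NAME as the file name of one of its arguments
# (the command line starts at column 8). Exact matching avoids the
# `grep -v grep` step and does not hit names that merely contain NAME.
pids_for() {
    awk -v name="$1" 'NR > 1 {
        for (i = 8; i <= NF; i++) {
            n = split($i, part, "/")
            if (part[n] == name) { print $2; next }
        }
    }'
}

# kill_clients: one local pass over the list, no ssh round trip per client.
kill_clients() {
    for client in $CLIENTS; do
        for pid in $(ps -ef | pids_for "$client"); do
            kill "$pid"
        done
    done
}

# Act only when called with "run", e.g. from the keepalived host:
#   ssh -o BatchMode=yes -p port ip "/path/to/kill_clients.sh run"
# (placeholder path; BatchMode=yes makes ssh fail instead of asking for a
# password when key login is not set up for the calling user).
if [ "${1:-}" = run ]; then
    kill_clients
fi
```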
Let's talk about some details.
ssh -p port ip "command"
or
ssh -p port ip 'command'
If the command contains a variable, the variable must be enclosed in the matching quotation marks for it to be parsed correctly (in fact, this is just string concatenation in the shell).
For example:
consumer=worker_for_summary.py
Then
ssh -p port ip "ps -ef | grep "$consumer" | grep -v grep"
or
ssh -p port ip 'ps -ef | grep '$consumer' | grep -v grep'
The following command does not work:
ssh -p port ip 'ps -ef | grep $consumer | grep -v grep'
Also take care when using awk over ssh. Because awk uses single quotes around the action to be executed, the command passed to ssh must be enclosed in double quotation marks instead, and the "$" that refers to a field in awk must be escaped.
For example:
consumer=worker_for_summary.py
Then
ssh -p port ip "ps -ef | grep "$consumer" | grep -v grep | awk '{print \$2}'"
You cannot use any other method.
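The quoting cases above can be checked without a remote host by looking at the exact string the local shell hands to ssh. This is an added example, not code from the original article: `fake_ssh` is a hypothetical stand-in that returns the remote command line, and `sq` is a hypothetical helper that single-quotes a value so the remote shell treats it as one literal word.

```shell
#!/bin/sh
# Added example: shows which command line the REMOTE shell receives for each
# quoting form. fake_ssh is a hypothetical stand-in for: ssh -p port ip "command"
fake_ssh() {
    # ssh joins its command arguments with spaces and passes the result to
    # the remote login shell; emulate that for everything after "-p port ip".
    shift 3
    printf '%s\n' "$*"
}

# sq VALUE: wrap VALUE in single quotes for the remote shell, turning every
# embedded ' into '\'' so the value cannot end the quoting early.
sq() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

consumer=worker_for_summary.py   # sample value used in the article

# Form 1: close the double quotes, expand locally, reopen them.
form_concat() { fake_ssh -p 22 host "ps -ef | grep "$consumer" | grep -v grep"; }

# Form 2: everything in single quotes; $consumer reaches the remote shell
# unexpanded, where the variable is not set.
form_single() { fake_ssh -p 22 host 'ps -ef | grep $consumer | grep -v grep'; }

# Form 3: awk program; \$2 keeps the local shell from expanding $2.
form_awk() {
    fake_ssh -p 22 host "ps -ef | grep "$consumer" | grep -v grep | awk '{print \$2}'"
}

# Form 4: like form 1, but the value is quoted for the remote shell, so a
# name containing spaces or ; | & stays a single grep pattern.
form_safe() { fake_ssh -p 22 host "ps -ef | grep $(sq "$1") | grep -v grep"; }

form_concat
form_single
form_awk
form_safe "my worker.py; ls"     # constructed value with shell metacharacters
```

Forms 1 and 3 paste the variable into the remote command line as-is, so they are only suitable for values the script itself controls; form 4 is the one to use when the name comes from anywhere else.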
Finally, a note on using ssh in shell scripts.
By default, ssh -p port ip "command" logs on to the remote host as the current user.
If ssh -p port ip "command" is wrapped in a script, the user who executes the script is the one that logs on to the remote host to run the command.
In our application, ssh -p port ip "command" is wrapped in a script that keepalived calls after the keepalived instance enters the MASTER state. keepalived is started by the root user, so the command is actually run against the remote host as root. Password-less SSH to the remote host had been configured for a non-root user (usually it is the public key of the current user that is installed). As a result, the remote command could not be executed and a password prompt appeared; changing ssh -p port ip "command" to ssh -p PORT norootuser@IP "command" did not help either. The problem was avoided by generating the root user's public key and configuring password-less SSH from root to the remote host.
While trying passwords, the account got locked and could no longer log on. You can run the faillog command to view the failure records and set the logon failure limit.
For example:
View a user's logon failures:
sudo faillog -u op1
Reset the user:
sudo faillog -u op1 -r