Linux SSH service: passwordless login for batch file distribution - solving the user permission problem
SSH key passwordless login for batch data distribution - solving the user permission problem
[Environment]
CentOS release 5.8 (Final)
2.6.18-308.el5
Central distribution server A: Center-A: 10.0.0.56
Receiving node server B: Client-B: 10.0.0.57
Receiving node server C: Client-C: 10.0.0.58
###### Add a new user: create an ordinary system account (this avoids the problems that arise when root is forbidden from logging in over SSH)
Problem: an ordinary user who wants to distribute files into the /etc directory has no permission to write there.
[lican@Center-A ~]$ sh fenfa.sh /etc /
10.0.0.57 is failure.                                      [FAILED]
10.0.0.58 is failure.                                      [FAILED]
10.0.0.59 is failure.                                      [FAILED]
Method 1: elevate with sudo. Copy the file into the user's home directory on the client first, then on the client copy it into /etc through sudo.
[Test]
[lican@Center-A ~]# visudo
#
# Disable "ssh hostname sudo <cmd>", because it will show the password in clear.
# You have to run "ssh -t hostname sudo <cmd>".
#
Defaults    requiretty

[Client-B]
[root@Client-B ~]# echo "lican ALL=(ALL) NOPASSWD:/usr/bin/rsync" >>/etc/sudoers
[root@Client-B ~]# tail -1 /etc/sudoers
lican ALL=(ALL) NOPASSWD:/usr/bin/rsync
[root@Client-B ~]# visudo -c
/etc/sudoers: parsed OK
[root@Client-B ~]# su - lican
[lican@Client-B ~]$ ls /etc/all_iplist.txt
ls: /etc/all_iplist.txt: No such file or directory

[Client-C]
[root@Client-C ~]# echo "lican ALL=(ALL) NOPASSWD:/usr/bin/rsync" >>/etc/sudoers
[root@Client-C ~]# tail -1 /etc/sudoers
lican ALL=(ALL) NOPASSWD:/usr/bin/rsync
[root@Client-C ~]# visudo -c
/etc/sudoers: parsed OK
[root@Client-C ~]# su - lican
[lican@Client-C ~]$ ls /etc/all_iplist.txt
ls: /etc/all_iplist.txt: No such file or directory

[Center-A]
[lican@Center-A ~]$ cat fenfa01.sh
#!/bin/sh
# Distribute a file to every host in all_iplist.txt: stage it in lican's home
# directory with scp, then move it into place with sudo rsync.
. /etc/init.d/functions
file="$1"
remote_dir="$2"
if [ $# -ne 2 ];then
    echo "usage:$0 argv1 argv2"
    echo "must have two argvs."
    exit 1
fi
name=$(basename "$file")    # scp leaves the copy under ~ on the remote host
for ip in `cat all_iplist.txt`
do
    # -t allocates a pty because sudoers has "Defaults requiretty";
    # the remote command is quoted so ~ expands on the remote side.
    scp -P22 -r -p "$file" lican@$ip:~ >/dev/null 2>&1 &&\
    ssh -p22 -t lican@$ip "sudo rsync ~/$name $remote_dir" >/dev/null 2>&1
    if [ $? -eq 0 ];then
        action "$ip is successful." /bin/true
    else
        action "$ip is failure." /bin/false
    fi
done
[lican@Center-A ~]$ sh fenfa01.sh all_iplist.txt /etc/
10.0.0.57 is successful.                                   [  OK  ]
10.0.0.58 is successful.                                   [  OK  ]
10.0.0.59 is failure.                                      [FAILED]

[Client-B|C]
[lican@Client-B ~]$ ls /etc/all_iplist.txt
/etc/all_iplist.txt
[lican@Client-C ~]$ ls /etc/all_iplist.txt
/etc/all_iplist.txt
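The sudoers line above lets lican run rsync as root with any arguments, and fenfa01.sh passes whatever is in all_iplist.txt straight to scp and ssh. The following is an added example (my own, not the post's fenfa01.sh) of the same sudo-based procedure tightened up. It assumes, hypothetically, that each receiving host has a staging directory /home/lican/stage owned by lican and a sudoers entry that only permits rsync out of that directory, such as `lican ALL=(root) NOPASSWD: /usr/bin/rsync -a /home/lican/stage/* /etc/`; the variable names, the DRY_RUN switch and the host-list validation are mine. It also uses BatchMode and a connect timeout so a dead host (like 10.0.0.59 above) fails fast instead of hanging the run.

```shell
#!/bin/sh
# Added example, not the post's fenfa01.sh: a hardened sudo-based distributor.
# Assumptions (hypothetical, not from the post): each receiving host has a
# staging directory $STAGE_DIR owned by $SSH_USER, and its sudoers entry only
# permits rsync from that directory into the target, e.g.
#   lican ALL=(root) NOPASSWD: /usr/bin/rsync -a /home/lican/stage/* /etc/
# With DRY_RUN=1 the remote commands are printed instead of executed.

STAGE_DIR="/home/lican/stage"
SSH_USER="lican"
SSH_PORT=22
# BatchMode: never prompt for a password; strict host keys: hosts must already
# be in known_hosts on the distribution server. Word-split on purpose below.
SSH_OPTS="-o BatchMode=yes -o ConnectTimeout=5 -o StrictHostKeyChecking=yes"

# valid_ipv4 ADDR: succeed only for a dotted quad with octets 0-255, so a
# stray line in the host list can never become an ssh/scp argument.
valid_ipv4() {
    case "$1" in
        ""|*[!0-9.]*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
}

# remote_install_cmd NAME TARGET_DIR: the single command run on the receiver.
# The source is always the staged copy, which is all the sudoers entry allows.
remote_install_cmd() {
    printf "sudo /usr/bin/rsync -a '%s/%s' '%s/'" "$STAGE_DIR" "$1" "$2"
}

# push_file HOST FILE TARGET_DIR: stage with scp, then install with sudo rsync.
# stdin is redirected from /dev/null so ssh cannot swallow the rest of the host
# list when called from a while-read loop; -tt still allocates the pty that
# "Defaults requiretty" demands.
push_file() {
    host=$1
    src=$2
    dest=$3
    name=$(basename "$src")
    valid_ipv4 "$host" || { echo "skip: bad address '$host'" >&2; return 2; }
    cmd=$(remote_install_cmd "$name" "$dest")
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "scp -P $SSH_PORT $SSH_OPTS -p '$src' $SSH_USER@$host:$STAGE_DIR/"
        echo "ssh -p $SSH_PORT $SSH_OPTS -tt $SSH_USER@$host \"$cmd\""
        return 0
    fi
    scp -P "$SSH_PORT" $SSH_OPTS -p "$src" "$SSH_USER@$host:$STAGE_DIR/" </dev/null >/dev/null 2>&1 &&
    ssh -p "$SSH_PORT" $SSH_OPTS -tt "$SSH_USER@$host" "$cmd" </dev/null >/dev/null 2>&1
}

# distribute FILE TARGET_DIR [IPLIST]: the loop from the post with per-host
# status lines and a non-zero exit status if any host failed. Blank lines and
# '#' comments in the list are ignored.
distribute() {
    file=$1
    target=$2
    list=${3:-all_iplist.txt}
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    failed=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ""|\#*) continue ;; esac
        if push_file "$line" "$file" "$target"; then
            echo "$line is successful."
        else
            echo "$line is failure."
            failed=$((failed + 1))
        fi
    done < "$list"
    [ "$failed" -eq 0 ]
}

# Run as a script: distribute FILE TARGET_DIR [IPLIST]. Sourcing it with no
# arguments only defines the functions.
if [ $# -ge 2 ]; then
    distribute "$@"
elif [ $# -ne 0 ]; then
    echo "usage: $0 FILE TARGET_DIR [IPLIST]" >&2
    exit 1
fi
```

Run it as `sh dist.sh all_iplist.txt /etc` from the distribution server; `DRY_RUN=1 sh dist.sh all_iplist.txt /etc` shows the exact scp and ssh lines without touching any host. The exit status is non-zero when any host failed, so the run can be checked by cron or a wrapper rather than by reading the status lines.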
Method 2: use the setuid permission bit. Copy the file into the user's home directory on the client first, then on the client copy it into /etc with a /bin/cp that has been given the setuid bit; alternatively, give the setuid bit to scp and rsync on Center-A directly and push the copy from there.
[Test]
[Client-B]
[root@Client-B ~]# ll /bin/cp
-rwxr-xr-x 1 root root 71524 2011-07-22 /bin/cp
[root@Client-B ~]# chmod 4755 /bin/cp
[root@Client-B ~]# ll /bin/cp
-rwsr-xr-x 1 root root 71524 2011-07-22 /bin/cp
[root@Client-B ~]# su - lican
[lican@Client-B ~]$ ls /etc/setuid.ssh
ls: /etc/setuid.ssh: No such file or directory

[Client-C]
[root@Client-C ~]# ll /bin/cp
-rwxr-xr-x 1 root root 68248 2011-07-22 /bin/cp
[root@Client-C ~]# chmod 4755 /bin/cp
[root@Client-C ~]# ll /bin/cp
-rwsr-xr-x 1 root root 68248 2011-07-22 /bin/cp
[root@Client-C ~]# su - lican
[lican@Client-C ~]$ ls /etc/setuid.ssh
ls: /etc/setuid.ssh: No such file or directory

[Center-A]
[lican@Center-A ~]$ cat fenfa02.sh
#!/bin/sh
# Distribute a file to every host in all_iplist.txt: stage it in lican's home
# directory with scp, then move it into place with the setuid /bin/cp.
. /etc/init.d/functions
file="$1"
remote_dir="$2"
if [ $# -ne 2 ];then
    echo "usage:$0 argv1 argv2"
    echo "must have two argvs."
    exit 1
fi
name=$(basename "$file")    # scp leaves the copy under ~ on the remote host
for ip in `cat all_iplist.txt`
do
    # the remote command is quoted so ~ expands on the remote side
    scp -P22 -r -p "$file" lican@$ip:~ >/dev/null 2>&1 &&\
    ssh -p22 -t lican@$ip "/bin/cp ~/$name $remote_dir" >/dev/null 2>&1
    if [ $? -eq 0 ];then
        action "$ip is successful." /bin/true
    else
        action "$ip is failure." /bin/false
    fi
done
[lican@Center-A ~]$ sh fenfa02.sh setuid.ssh /etc
10.0.0.57 is successful.                                   [  OK  ]
10.0.0.58 is successful.                                   [  OK  ]
10.0.0.59 is failure.                                      [FAILED]

[Client-B|C]
[lican@Client-B ~]$ ls /etc/setuid.ssh
/etc/setuid.ssh
[lican@Client-C ~]$ ls /etc/setuid.ssh
/etc/setuid.ssh
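After `chmod 4755 /bin/cp`, every cp run by every local user on Client-B and Client-C executes as root, not just the copies made by fenfa02.sh, and the -rwsr-xr-x mode shown above is the only trace. The following is an added example (mine, not from the post) of the audit a defender would run on the receiving hosts to find files carrying the setuid bit that are not on a known-good baseline, and to clear the bit again. The baseline file format (one path per line) and the function names are my assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: an audit helper for the side
# effect of method 2. Setting 4755 on /bin/cp makes every copy by every local
# user run as root, so a defender wants to find such files and restore them.
# The baseline file format (one absolute path per line) is an assumption.

# setuid_files DIR: list regular files under DIR with the setuid bit, which is
# how a "chmod 4755 /bin/cp" shows up (mode -rwsr-xr-x in ls -l).
# -xdev stays on one filesystem so /proc and network mounts are not walked.
setuid_files() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# is_setuid FILE: succeed if FILE exists and has the setuid bit (test -u).
is_setuid() {
    [ -u "$1" ]
}

# drop_setuid FILE: clear the bit (u-s) and report what changed.
drop_setuid() {
    if is_setuid "$1"; then
        chmod u-s "$1"
        echo "cleared setuid on $1"
    fi
}

# unexpected_setuid DIR BASELINE: print setuid files under DIR that are not
# listed in BASELINE, i.e. the ones an audit should flag. A baseline is taken
# once from a known-good host with: setuid_files / > baseline.txt
unexpected_setuid() {
    setuid_files "$1" | while IFS= read -r path; do
        grep -qxF "$path" "$2" || echo "$path"
    done
}
```

On a receiving host the check is `unexpected_setuid / /root/baseline.txt`; with the post's change applied it prints /bin/cp, and `drop_setuid /bin/cp` restores the 0755 mode shown before the chmod. Running the audit from cron and alerting on any output catches the bit being set again later.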
Method 3: operate as root over passwordless (key-based) login.
Drawback: this brings a certain amount of security risk. Remote root login, which is normally disabled, has to be switched on (PermitRootLogin yes in /etc/ssh/sshd_config).
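Whether method 3 is even possible on a host is decided by the global PermitRootLogin value in sshd_config, and sshd uses the first value it reads for a keyword while lines under a Match block apply only to matching connections. The following is an added example (mine, not from the post) that reads that effective value so a host can be checked before and after hardening. It assumes whitespace-separated "Keyword value" lines and, when the directive is commented out or missing, the "yes" default that OpenSSH shipped with in the CentOS 5 era; newer OpenSSH defaults to prohibit-password, which the check treats the same way since root can still log in with a key.

```shell
#!/bin/sh
# Added example, not part of the original post: check what a host's
# sshd_config actually allows before choosing method 3. sshd uses the first
# value it reads for a keyword (sshd_config(5)), and lines after a Match block
# apply only to matching connections, so only the global section is read.
# Assumes whitespace-separated "Keyword value" lines and, when the keyword is
# absent, the "yes" default of the CentOS 5 era OpenSSH.

# sshd_global_value FILE KEYWORD: print the first global value of KEYWORD
# (keyword match is case-insensitive, as in sshd), or nothing if unset.
sshd_global_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }            # comment line
        NF == 0 { next }                     # blank line
        tolower($1) == "match" { exit }      # end of the global section
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# root_login_policy FILE: the effective PermitRootLogin setting, with the
# historical default filled in when the directive is commented out or missing.
root_login_policy() {
    value=$(sshd_global_value "$1" PermitRootLogin)
    printf '%s\n' "${value:-yes}"
}

# root_ssh_allowed FILE: succeed when remote root login is possible in any
# form (yes, or key-only via without-password / prohibit-password), which is
# the door method 3 relies on and a hardened host keeps shut with "no".
root_ssh_allowed() {
    case "$(root_login_policy "$1")" in
        no) return 1 ;;
        *) return 0 ;;
    esac
}
```

`root_ssh_allowed /etc/ssh/sshd_config && echo "root can log in remotely"` is the one-line check; a host set up for method 1 or 2 should print nothing, and a host where someone later enabled method 3 shows up immediately.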