ssh
Check the installed software
[root@backup ~]# rpm -qa openssh openssl
openssl-1.0.1e-30.el6.x86_64    # encryption library
openssh-5.3p1-104.el6.x86_64    # the SSH connection software
Check the service; 0.0.0.0 means sshd is listening on port 22 of every IPv4 address (::: is the IPv6 equivalent)
[root@backup ~]# netstat -nlpt|grep sshd
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      876/sshd
tcp        0      0 :::22                       :::*                        LISTEN      876/sshd
Given a port, find out which service is using it
[root@backup ~]# lsof -i:22
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd      876 root    3u  IPv4   9529      0t0  TCP *:ssh (LISTEN)
sshd      876 root    4u  IPv6   9531      0t0  TCP *:ssh (LISTEN)
sshd    29096 root    3u  IPv4  47577      0t0  TCP 192.168.88.10:ssh->192.168.88.1:60895 (ESTABLISHED)
sshd    31319 root    3u  IPv4  59030      0t0  TCP 192.168.88.10:ssh->192.168.88.1:55402 (ESTABLISHED)
sshd    31929 root    3r  IPv4  63186      0t0  TCP 192.168.88.10:ssh->192.168.88.1:65234 (ESTABLISHED)
Second method
[root@backup ~]# netstat -nlpt|grep 22
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      876/sshd
tcp        0      0 :::22                       :::*                        LISTEN      876/sshd
Configuration file
/etc/ssh/sshd_config
Back up before editing
[root@backup ssh]# cp sshd_config{,.bak}
Hardening
Port 12321                  # change the port
ListenAddress 192.168.88.10 # listen on this address only (by default sshd binds every interface)
PermitEmptyPasswords no     # do not allow users with an empty password to log in
PermitRootLogin no          # root may not log in directly; log in as a normal user and su - root
GSSAPIAuthentication no     # skip GSSAPI/Kerberos negotiation, which only slows down login when Kerberos is not in use
UseDNS no                   # do not reverse-resolve the client IP (a broken DNS otherwise makes every login hang)
After changing Port, open 12321 in iptables, and if SELinux is enforcing register the port: semanage port -a -t ssh_port_t -p tcp 12321 (semanage is in policycoreutils-python on CentOS 6). Otherwise sshd will fail to bind the new port.
Graceful reload (existing sessions stay up)
[root@backup ssh]# /etc/init.d/sshd reload
Reloading sshd:                                            [  OK  ]
Run sshd -t first to catch a syntax error, and keep the current session open until a fresh login on the new port has succeeded from a second terminal; a bad reload otherwise locks you out of the box.
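The six settings above and the check-before-reload step, as an added example that is not part of the original notes. It edits a copy of sshd_config (every occurrence of a keyword is rewritten, including commented-out defaults such as "#Port 22", so exactly one active line remains), audits the result against the OpenSSH 5.3 defaults, and shows the sshd -t step that must precede the reload on the real host. The function names, the demo file and the audit messages are this example's own; the port and listen address are the values used in the notes.

```shell
#!/bin/sh
# Added example, not from the original notes: apply the hardening to a copy of
# sshd_config, audit it, and only reload after "sshd -t" accepts the file.
# Paths follow CentOS 6 (/etc/ssh/sshd_config, /etc/init.d/sshd).

get_sshd_option() {
    # Usage: get_sshd_option <config> <Keyword>
    # Prints the value sshd will use: the FIRST uncommented occurrence wins in
    # sshd_config, and keywords are matched case-insensitively.
    grep -iE "^[[:space:]]*$2[[:space:]]+" "$1" | head -n 1 | awk '{print $2}'
}

set_sshd_option() {
    # Usage: set_sshd_option <config> <Keyword> <value>
    # Rewrites every occurrence (commented-out defaults such as "#Port 22"
    # included) so exactly one active line remains; appends if absent.
    local cfg="$1" key="$2" val="$3" tmp re line found=0
    re="^[[:space:]]*#?[[:space:]]*${key}[[:space:]]"
    tmp=$(mktemp)
    while IFS= read -r line || [ -n "$line" ]; do
        if printf '%s\n' "$line" | grep -qiE "$re"; then
            if [ "$found" -eq 0 ]; then printf '%s %s\n' "$key" "$val"; found=1; fi
        else
            printf '%s\n' "$line"
        fi
    done < "$cfg" > "$tmp"
    [ "$found" -eq 1 ] || printf '%s %s\n' "$key" "$val" >> "$tmp"
    cat "$tmp" > "$cfg" && rm -f "$tmp"     # keeps the file's owner and mode
}

harden_sshd_config() {
    # Usage: harden_sshd_config <config> <port> <listen-address>
    local cfg="$1" port="$2" addr="$3"
    cp -p "$cfg" "$cfg.bak" || return 1      # back up before editing
    set_sshd_option "$cfg" Port "$port"
    set_sshd_option "$cfg" ListenAddress "$addr"
    set_sshd_option "$cfg" PermitRootLogin no
    set_sshd_option "$cfg" PermitEmptyPasswords no
    set_sshd_option "$cfg" GSSAPIAuthentication no
    set_sshd_option "$cfg" UseDNS no
}

audit_sshd_config() {
    # Usage: audit_sshd_config <config>; prints one line per weak setting.
    # Missing keywords are judged by the OpenSSH 5.3 defaults (CentOS 6), where
    # PermitRootLogin and UseDNS both default to yes.
    local cfg="$1" v
    v=$(get_sshd_option "$cfg" Port);                 [ "${v:-22}" != 22 ] || echo "Port is the default 22"
    v=$(get_sshd_option "$cfg" PermitRootLogin);      [ "${v:-yes}" = no ] || echo "PermitRootLogin is ${v:-yes}"
    v=$(get_sshd_option "$cfg" PermitEmptyPasswords); [ "${v:-no}" = no ]  || echo "PermitEmptyPasswords is $v"
    v=$(get_sshd_option "$cfg" UseDNS);               [ "${v:-yes}" = no ] || echo "UseDNS is ${v:-yes}"
    v=$(get_sshd_option "$cfg" ListenAddress);        [ -n "$v" ]          || echo "ListenAddress not set (binds every interface)"
    return 0
}

# Stand-alone demo on a constructed copy, so nothing here touches /etc/ssh.
demo=$(mktemp)
printf '#Port 22\n#ListenAddress 0.0.0.0\nPermitRootLogin yes\nUseDNS yes\n' > "$demo"
echo "== before"; audit_sshd_config "$demo"
harden_sshd_config "$demo" 12321 192.168.88.10
echo "== after";  audit_sshd_config "$demo"; cat "$demo"
rm -f "$demo" "$demo.bak"
# On the real host, as root, the same call followed by the syntax check:
#   harden_sshd_config /etc/ssh/sshd_config 12321 192.168.88.10 && sshd -t && /etc/init.d/sshd reload
```

sshd -t parses the file without starting a daemon, so a typo is caught before reload rather than after; the .bak copy is what you restore from the console if the new port turns out to be blocked.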
Using the ssh client
[root@lvs1 ~]# ssh -p22 root@192.168.88.10
Lowercase -p sets the port and defaults to 22; root@192.168.88.10 is user@server-IP. Without a user part (ssh -p22 192.168.88.10) ssh uses the local login name, so this only means root because the command is run as root on lvs1.
Troubleshooting
[root@lvs1 ~]# ssh -p22 root@192.168.88.10
ssh: connect to host 192.168.88.10 port 22: Connection refused
1. A firewall is rejecting the connection.
2. The remote side changed its port.
3. The remote sshd is not running.
Connection does not go through or login fails
1. Firewall problem.
2. ssh service problem.
3. Access control in /etc/hosts.allow or /etc/hosts.deny (TCP wrappers; sshd on CentOS 6 honours them).
4. The server has password login disabled (PasswordAuthentication no).
scp remote copy
Copy a file (always a full copy, scp does no incremental transfer)
[root@lvs1 ~]# scp -P22 /etc/hosts root@192.168.88.10:/tmp
root@192.168.88.10's password:
hosts                                         100%  158     0.2KB/s   00:00
[root@backup ~]# ls /tmp/
hosts
-P (uppercase) sets the port
/etc/hosts is the local file
root@192.168.88.10:/tmp is the remote /tmp directory
Copy a directory
[root@lvs1 ~]# scp -P22 -rp /etc root@192.168.88.10:/tmp
[root@backup ~]# ls /tmp/
etc  hosts
-r copies recursively, -p preserves modification times and modes, -l limits bandwidth (in Kbit/s)
Pull data from the remote side
[root@lvs1 ~]# scp -P22 -rp root@192.168.88.10:/tmp/etc /root/
Passwordless ssh login (key authentication)

Create the user and set a password
[root@backup ~]# useradd wxianj
[root@backup ~]# echo "123456"|passwd --stdin wxianj
Changing password for user wxianj.
passwd: all authentication tokens updated successfully.
[root@backup ~]# id wxianj
uid=501(wxianj) gid=501(wxianj) groups=501(wxianj)
Create the same user on the two clients as well
Switch to the user
[root@backup ~]# su - wxianj
[wxianj@backup ~]$
Create a key pair. The notes use DSA because this is OpenSSH 5.3; 1024-bit DSA is weak and OpenSSH 7.0 and later refuse ssh-dss keys by default, so on anything newer generate -t rsa -b 4096 or -t ed25519 instead.
[wxianj@backup ~]$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/wxianj/.ssh/id_dsa):
Created directory '/home/wxianj/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/wxianj/.ssh/id_dsa.
Your public key has been saved in /home/wxianj/.ssh/id_dsa.pub.
The key fingerprint is:
a0:2d:89:75:06:37:6c:51:0a:0e:dd:92:a6:8a:bd:50 wxianj@backup
The key's randomart image is:
+--[ DSA 1024]----+
|     ..o++o.     |
|      o=++o      |
|       ooo=      |
|      Eo * .     |
|     .+. + . S   |
|      + . .      |
|       . .       |
|        .        |
|                 |
+-----------------+
Note: generate the key pair non-interactively (empty passphrase, fixed file name)
[wxianj@backup ~]$ ssh-keygen -t dsa -P '' -f ~/.ssh/id_dsa>/dev/null 2>&1
Check: id_dsa is the private key, id_dsa.pub the public key
[wxianj@backup ~]$ ls .ssh/
id_dsa  id_dsa.pub
Copy the public key to the target machine. The fingerprint prompt is the only point at which the server's identity is checked: compare it with the output of ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub taken on the server's console before answering yes, because after that the key is trusted silently.
[wxianj@backup ~]$ ssh-copy-id -i .ssh/id_dsa.pub wxianj@192.168.88.6
The authenticity of host '192.168.88.6 (192.168.88.6)' can't be established.
RSA key fingerprint is f2:d6:44:06:6b:06:25:1d:ff:d7:3f:36:36:72:6a:b8.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.88.6' (RSA) to the list of known hosts.
wxianj@192.168.88.6's password:
Now try logging into the machine, with "ssh 'wxianj@192.168.88.6'", and check in:

  .ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.
Check on the target
[wxianj@lvs2 ~]$ ls -l .ssh/
total 4
-rw------- 1 wxianj wxianj 603 May 23 02:11 authorized_keys
Do the same for .5; if the remote sshd is not on port 22, the port has to be passed with -p inside the quoted argument (this older ssh-copy-id has no port option of its own)
[wxianj@backup ~]$ ssh-copy-id -i .ssh/id_dsa.pub "-p22 wxianj@192.168.88.5"
Test
[wxianj@backup ~]$ ssh -p22 wxianj@192.168.88.5
[wxianj@lvs1 ~]$
[wxianj@backup ~]$ ssh wxianj@192.168.88.6
[wxianj@lvs2 ~]$
Run commands remotely; separate several commands with semicolons
[wxianj@backup ~]$ ssh wxianj@192.168.88.5 'pwd;who'
/home/wxianj
root     pts/0        2017-05-25 09:33 (192.168.88.1)
Enterprise practice: an alias that carries the non-standard port and sudo
[wangxj@lvs ~]$ which sshp
alias sshp='sudo ssh -p12321'
	/usr/bin/sudo
scp permission problem: the unprivileged user cannot write to /etc
[wxianj@backup ~]$ scp /etc/hosts wxianj@192.168.88.5:/etc/hosts
scp: /etc/hosts: Permission denied
Ways to give ssh the permissions it needs in practice
1. Use root's ssh key directly and allow root login (PermitRootLogin yes). This undoes the hardening above, and every client holding that key is a root credential.
2. Escalate with sudo so that an unprivileged user can do the copy.
First copy the file into the remote user's home directory, then sudo cp or rsync it to its destination.
[root@lvs1 ~]# visudo
wxianj ALL=(ALL) NOPASSWD: /bin/cp
Caveat: an unrestricted cp as root is root. With this rule wxianj can copy a prepared file over /etc/sudoers, /etc/shadow or /root/.ssh/authorized_keys, so it is only acceptable if wxianj is trusted exactly as much as root. Tighter options are a fixed wrapper script that only copies into allowlisted destinations, or at least spelling out the permitted source and destination arguments in the sudoers rule.
Test
[root@lvs1 ~]# tail -1 /etc/hosts
1.1.1.1 aaa
[wxianj@backup ~]$ scp /etc/hosts wxianj@192.168.88.5:~
hosts
[wxianj@backup ~]$ ssh wxianj@192.168.88.5 sudo cp ~/hosts /etc/hosts
sudo: sorry, you must have a tty to run sudo
[wxianj@backup ~]$ ssh -t wxianj@192.168.88.5 sudo cp ~/hosts /etc/hosts    # remote sudo needs -t: CentOS 6 ships "Defaults requiretty" in /etc/sudoers, and -t makes ssh allocate a pseudo-tty
Connection to 192.168.88.5 closed.
[root@lvs1 ~]# tail -1 /etc/hosts
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
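A wrapper that can replace the "NOPASSWD: /bin/cp" rule above, as an added example that is not part of the original notes. The sudoers line then names only the wrapper (wxianj ALL=(root) NOPASSWD: /usr/local/sbin/deploy_file), and the remote call becomes ssh -t wxianj@192.168.88.5 sudo /usr/local/sbin/deploy_file hosts /etc/hosts. The script path, the variable names STAGING_DIR, DEPLOY_ALLOWLIST and DEPLOY_OWNER, and the error messages are this example's own; the defaults match the notes' user and file.

```shell
#!/bin/sh
# Added example, not from the original notes: a fixed deployment wrapper for
# sudo instead of granting cp itself. Install as /usr/local/sbin/deploy_file
# (root-owned, mode 755) and grant only that path in sudoers.

deploy_file() {
    # Usage: deploy_file <name of a file in STAGING_DIR> <absolute destination>
    # Refuses path components, dotfiles, symlinked sources and any destination
    # not on the allowlist, so "cp as root" cannot become "overwrite
    # /etc/sudoers or /etc/shadow".
    name=$1; dst=$2
    staging=${STAGING_DIR:-/home/wxianj}
    allowlist=${DEPLOY_ALLOWLIST:-"/etc/hosts /etc/rsyncd.conf"}
    case "$name" in
        ''|*/*|.*) echo "deploy: bad file name '$name'" >&2; return 2 ;;
    esac
    allowed=0
    for d in $allowlist; do
        if [ "$dst" = "$d" ]; then allowed=1; fi
    done
    if [ "$allowed" -ne 1 ]; then
        echo "deploy: destination '$dst' is not on the allowlist" >&2; return 3
    fi
    src="$staging/$name"
    if [ -L "$src" ] || [ ! -f "$src" ]; then
        echo "deploy: '$src' must be a regular file (no symlinks)" >&2; return 4
    fi
    # Write next to the target, fix owner and mode, then rename, so readers
    # never see a half-written or user-owned /etc/hosts.
    tmp="$dst.tmp.$$"
    cp "$src" "$tmp" && chown "${DEPLOY_OWNER:-root}" "$tmp" && chmod 644 "$tmp" && mv -f "$tmp" "$dst"
}

# Demo in a scratch tree, using the overridable variables instead of /etc.
root=$(mktemp -d); mkdir "$root/stage" "$root/etc"
printf '1.1.1.1 aaa\n' > "$root/stage/hosts"
export STAGING_DIR="$root/stage" DEPLOY_ALLOWLIST="$root/etc/hosts" DEPLOY_OWNER=$(id -un)
deploy_file hosts "$root/etc/hosts" && cat "$root/etc/hosts"
deploy_file hosts "$root/etc/sudoers" || echo "blocked, exit $?"
deploy_file ../stage/hosts "$root/etc/hosts" || echo "blocked, exit $?"
rm -rf "$root"
```

The wrapper owns the policy (where from, where to, what owner and mode), so the sudoers rule no longer has to express it; the user still copies into their home directory first exactly as in the notes.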
Batch distribution with ssh
[wxianj@backup ~]$ vim fenfa.sh
#!/bin/bash
. /etc/init.d/functions      # provides action
if [ $# -ne 2 ]
then
    echo "USAGE:$0 <file under ~> <remote destination>"
    exit 1
fi
for i in 5 6
do
    # copy into the remote home directory, then move it into place with sudo (-t: remote sudo needs a tty)
    scp -P22 -r ~/"$1" wxianj@192.168.88.$i:~ >/dev/null 2>&1 &&\
    ssh -t wxianj@192.168.88.$i sudo cp ~/"$1" "$2" >/dev/null 2>&1
    if [ $? -eq 0 ]
    then
        action "fenfa $1 192.168.88.$i" /bin/true
    else
        action "fenfa $1 192.168.88.$i" /bin/false    # the original printed OK here as well, hiding failures
    fi
done
The script takes two arguments. Add -o ConnectTimeout=3 to the ssh and scp calls so that an unreachable host fails after three seconds instead of hanging the whole loop; the coreutils timeout command can also force a command to return when it has not finished within the given time (the note records that using it inside this script gave trouble, without saying why).
rsync over ssh with key authentication (incremental and encrypted)
[wxianj@backup ~]$ rsync -avz fenfa.sh -e "ssh -p22" wxianj@192.168.88.5:~
sending incremental file list
fenfa.sh

sent 150 bytes  received 31 bytes  362.00 bytes/sec
total size is 91  speedup is 0.50
Check on the remote side
[wxianj@lvs1 ~]$ ls
fenfa.sh  hosts
Other
Several hosts connecting to one server
B--->A
C--->A
1. Host A generates a key pair and hands its private key to B and C. This shares one private key across machines: if either client is compromised, the key has to be replaced on every host that trusts it.
2. B and C each generate their own key pair and ssh-copy-id it to A. Both run the same command; the keys are appended to A's authorized_keys, so the second does not overwrite the first (recommended).
Enterprise use
Write the key straight into .ssh/authorized_keys during system initialization. Mind the permissions: with StrictModes (the default) sshd ignores the file unless ~/.ssh is mode 700, authorized_keys is mode 600 and both belong to the user. Note also that ">" replaces every key already in the file; use ">>" to add one.
Example:
[wxianj@lvs1 ~]$ echo "ssh-dss ACCCB3NzaC1kc3MAAACBAP4W0q9YdxrI5nz/Tjlvv0fO7UtFB8hHV/X/RnGORkMVyXlQNsJv4hRVeP8PCUOF5jbJTO/U6Zj9NfYwgECzGlhqscPAWgcmf8RfB+ZVex8lslAJkThpp0z6NT0cZFhrlTD2XgauzoRhoaEZKaUF3l5tNI0fhHV+Sk1reo2cJjuvAAAAFQCFkgzUPNhD/CEWl1HgKofcLUvPRwAAAIAmXAOT+I83fo/Fi5YTYjFjQf3vxdEDrL0J1NJ4XHNLi7ZwERY2lV4FQ4G1Zjc5y8VMUALF7zGPt9e9GPDra63ay4cE4JpZp60quKlnb9ZingapBmjwEv1OIUBQIlYcV9jDmrZnM9sN5FrhCDGi35ZVlJywQy43GvMwcT+OnVTsbAAAAIEAx3poWiLy70rgW3imoJ8A22ymUatcXF5/z/WMMZwYiFYlLQusQs7SPX86Re7+Z2W7QOQ8kn9lhncpi26TkuoQjO23LBaAE6zEIv4j1yM6MTSc7TF8EG92nA8ow3g2whe++sgHG9duToYoNla8C0mQIujyz3ykVAxcCQgmsEBKLcg= wxianj@backup">.ssh/authorized_keys
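What ssh-copy-id does on the target, and what the echo above leaves out, as an added example that is not part of the original notes: the key line is validated, ~/.ssh and authorized_keys are created with the modes StrictModes requires, and the key is appended only if the same type and blob are not already present, so running it twice (or from two clients) never duplicates or wipes keys. The function names and the key strings in the demo are constructed for this example; the demo works in a scratch directory, not a real home.

```shell
#!/bin/sh
# Added example, not from the original notes: idempotent authorized_keys
# installation with the permissions sshd's StrictModes requires.

is_pubkey_line() {
    # Usage: is_pubkey_line "<type> <base64-blob> [comment]"
    # Accepts exactly one OpenSSH public-key line, so a pasted private key or
    # a stray shell prompt never ends up in authorized_keys.
    ktype=$(printf '%s\n' "$1" | awk '{print $1}')
    blob=$(printf '%s\n' "$1" | awk '{print $2}')
    case "$ktype" in
        ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) return 1 ;;
    esac
    printf '%s\n' "$blob" | grep -qE '^[A-Za-z0-9+/]+=*$'
}

install_pubkey() {
    # Usage: install_pubkey <home-dir> "<public key line>"
    # A key is identified by type + blob; a different trailing comment does
    # not make it a new key.
    home=$1; key=$2
    is_pubkey_line "$key" || { echo "refusing: not an OpenSSH public-key line" >&2; return 1; }
    blob=$(printf '%s\n' "$key" | awk '{print $1 " " $2}')
    old_umask=$(umask); umask 077          # nothing created here is group/world readable
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh"
    touch "$home/.ssh/authorized_keys" && chmod 600 "$home/.ssh/authorized_keys"
    umask "$old_umask"
    if awk -v b="$blob" '($1 " " $2) == b { found = 1 } END { exit !found }' "$home/.ssh/authorized_keys"; then
        return 0                            # already installed: nothing to do
    fi
    printf '%s\n' "$key" >> "$home/.ssh/authorized_keys"   # append; ">" would wipe the other keys
}

count_authorized_keys() {
    # Usage: count_authorized_keys <home-dir>; number of key lines present.
    grep -cE '^(ssh-|ecdsa-)' "$1/.ssh/authorized_keys"
}

# Stand-alone demo in a scratch home directory (the key is made up).
demo_home=$(mktemp -d)
demo_key='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDemoKeyNotARealOne0123456789abcdef wxianj@backup'
install_pubkey "$demo_home" "$demo_key"
install_pubkey "$demo_home" "$demo_key"                 # second run: no duplicate
install_pubkey "$demo_home" "-----BEGIN DSA PRIVATE KEY-----" || echo "rejected as expected"
ls -ld "$demo_home/.ssh" "$demo_home/.ssh/authorized_keys"
echo "keys installed: $(count_authorized_keys "$demo_home")"
rm -rf "$demo_home"
```

For a real user, call install_pubkey with that user's home directory while running as root, then chown -R the .ssh directory to the user; sshd also refuses the file if the home directory itself is group- or world-writable.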
expect
Expect is a software suite for automating interactive sessions
[root@backup ~]# rpm -qa expect
[root@backup ~]# yum install expect -y
[root@backup ~]# rpm -qa expect
expect-5.44.1.15-5.el6_4.x86_64
1. The first line must be #!/usr/bin/expect
2. spawn: the initial command of an expect script. It starts a process, and every later expect operation acts on that process; without a spawn statement nothing else in the script can work. Example: spawn ssh root@192.168.2.5
3. expect: expect pattern action pattern action ... Only the output of the command started by spawn is seen by expect; what it matches is mainly the prompts the process writes, plus eof and timeout.
4. send and send_user: send writes the string the script needs to the process started by spawn; send_user only echoes the string to the user, like echo in the shell.
set: assign a value to a variable
An expect script must end with interact or expect eof; for automated tasks expect eof is usually enough.
interact: after the script has run, stay interactive and hand control to the console so you can continue by hand. Without it the session exits once the script finishes instead of leaving you on the remote terminal.
set timeout 30
Sets the timeout in seconds; timeout -1 means never time out
send: send a string to the process
expect: receive a string from the process
spawn: start a new process
interact: let the user interact
[lrange $argv 0 0] is the first argument; [lrange $argv 0 4] is arguments one to five
Example:
[wxianj@backup ~]$ vim ssh_expect.exp
#!/usr/bin/expect
spawn su - root
expect "Password: "
send "fastweb\n"
expect "*#"
interact
The script cannot be run with sh (bash does not understand Tcl); run it with ./ or with expect
[wxianj@backup ~]$ expect ssh_expect.exp
spawn su - root
Password:
[root@backup ~]#
Example:
[root@backup ~]# cat ssh.exp
#!/usr/bin/expect
spawn ssh root@192.168.88.5
expect {
    "(yes/no)?" { send "yes\r";exp_continue}
    "password:" { send "fastweb\r"}
}
expect "]*"        ;# matches the prompt, ]# or ]$ (a trailing comment needs ";#" in Tcl)
send "ls \n"
expect "]*"
send "ip a\n"
expect "]*"
send "exit\r"
expect eof
exit
expect has a second form: one expect statement can match several patterns, each with its own action, by putting the pattern/action pairs inside a pair of braces; exp_continue keeps the same expect statement running after an action so the remaining patterns can still match.
[root@backup ~]# expect ssh.exp
spawn ssh root@192.168.88.5
root@192.168.88.5's password:
Last login: Tue May 23 07:15:02 2017 from 192.168.88.10
[root@lvs1 ~]# ls
anaconda-ks.cfg  etc  install.log  install.log.syslog
[root@lvs1 ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:67:cc:02 brd ff:ff:ff:ff:ff:ff
    inet 192.168.88.5/24 brd 192.168.88.255 scope global eth1
    inet 192.168.88.8/24 scope global secondary eth1:1
    inet6 fe80::20c:29ff:fe67:cc02/64 scope link
       valid_lft forever preferred_lft forever
[root@lvs1 ~]# exit
logout
Connection to 192.168.88.5 closed.
[root@backup ~]#
#!/usr/bin/expect
# $argc holds the number of arguments
if { $argc != 2 } {
    send_user "usage: expect scp-expect.exp ip password\n"
    exit 1
}
set ip [lindex $argv 0]          ;# first argument: the IP ($argv is zero-indexed: 0, 1, 2 ... for the first, second, third argument)
set password [lindex $argv 1]    ;# second argument: the password
set timeout 10                   ;# timeout in seconds
spawn ssh root@$ip               ;# start the ssh session
# Match whatever comes back: a first connection asks yes/no (answer and keep
# matching with exp_continue); the password prompt gets the password.
expect {
    "*yes/no" { send "yes\r"; exp_continue }
    "*password:" { send "$password\r" }
}
interact                         ;# interactive mode: the user stays logged in on the remote server
Batch distribution with expect: non-interactive key distribution
Two parts: fenfa_sshkey.exp and fenfa.sh; run fenfa.sh and it calls the expect script for every host
[root@server_05 scripts]# cat fenfa_sshkey.exp
#!/usr/bin/expect
if { $argc != 2 } {
    send_user "usage: expect fenfa_sshkey.exp file host\n"
    exit 1
}
#define var
set file [lindex $argv 0]
set host [lindex $argv 1]
set password "123456"      ;# password of the distribution account
set user "fenfa"           ;# distribution account
set port "52113"           ;# ssh port of the target hosts
spawn ssh-copy-id -i $file "-p $port $user@$host"
expect {
    "yes/no" {send "yes\r";exp_continue}
    "*password" {send "$password\r"}
}
expect eof
# pass ssh-copy-id's exit status back to the caller; without this expect
# always exits 0 and the $? check in fenfa.sh is meaningless
catch wait result
exit [lindex $result 3]
[root@server_05 scripts]# cat fenfa.sh
#!/bin/bash
. /etc/init.d/functions      # provides action
Ipaddr_head=192.168.1
Key=~/.ssh/id_dsa.pub        # public key to distribute; account and port live in fenfa_sshkey.exp
Script_dir=$(cd "$(dirname "$0")" && pwd)
if [ $UID -ne 0 ]
then
    echo "Error:Please use root account to exec this script!"
else
    for n in `seq 5`
    do
        # the original called ssh-copy-id directly with "-i" but no key file and "&2>/dev/null"; use the expect script instead
        expect ${Script_dir}/fenfa_sshkey.exp $Key ${Ipaddr_head}.$n >/dev/null 2>&1
        if [ $? -eq 0 ]
        then
            action "${Ipaddr_head}.$n copy ssh_key..." /bin/true
        else
            action "${Ipaddr_head}.$n copy ssh_key..." /bin/false
        fi
    done
fi