12 3 / 3 页下一页

论坛徽章:: 3

电梯直达

1楼 [收藏(0)] [报告]

发表于 2013-03-12 11:21 |只看该作者 |倒序浏览

30可用积分

本帖最后由 tomer 于 2013-03-29 15:45 编辑

条件：有n台主机，这n台主机的IP,用户名/密码已知
需一脚本，在这n台主机中的一台运行，运行后的结果是：这n台主机随便俩俩都互信，也就是说ssh登录不需要密码

这位领导的脚本被证实是好用的，但需要略作一下修改，chmod 700 ~/.ssh；这样就完美了

最佳答案

iamhere2007

查看完整内容

在RHEL6.0上openssh实现,未考虑移植性.另外,欢迎大家提出问题与改进意见.说明(1)思路很简单,就是共享公钥,语言用expect(2)selinux要关闭,原因待探讨(3)不能用于已经存有ssh认证的机器上,否则会覆盖原先的认证(4)此脚本不一定要在内部结点上运行,也可以在认证群组之外的主机上执行(5)认证没有passphrase用法:sh scriptFile -f hostFile其中hostFile格式为IP1 user1 pass1 FQDN1IP2 user2 pass2 FQDN2...

文库|博客

iamhere2007

白手起家

论坛徽章:: 0

2楼 [报告]

发表于 2013-03-12 11:21 |只看该作者

本帖最后由 iamhere2007 于 2013-03-21 07:03 编辑

在RHEL6.0上openssh实现,未考虑移植性.另外,欢迎大家提出问题与改进意见.
说明(1)思路很简单,就是共享公钥,语言用expect(2)selinux要关闭,原因待探讨(3)不能用于已经存有ssh认证的机器上,否则会覆盖原先的认证(4)此脚本不一定要在内部结点上运行,也可以在认证群组之外的主机上执行(5)认证没有passphrase

用法:sh scriptFile -f hostFile
其中hostFile格式为
IP1 user1 pass1 FQDN1
IP2 user2 pass2 FQDN2
.
.
.

#!/bin/sh
####################################
#OS:RHEL 6.0
#Packages needed:expect;openssh,openssh-clients,openssh-server
#Some warnings:
#(1)rsa type is chosen,which,howerer,can be changed by modifying the script or by providing some available options in future improvements
#(2)No ever .ssh direcotry should exist, or the previous key pairs will be destroyed
#(3)selinux should be set permissively,and the reason still needs investigation
#(4)The script doesn't have to be executed in one of the internal node, but also functions well in external host
#####################################
#arguments processing
usage()
{
cat<<EOF
Usage: $0 -f hostListFile
$0 -h
EOF
exit 1
}
if [ $# -eq 0 ]
then
usage
fi
while getopts :f:h option
do
case "$option" in
h)
uage
;;
f)
hostFile=$OPTARG;
;;
*)
echo "invalid option"
usage
;;
esac
done
if [ -z $hostFile ]
then
usage
fi
echo "script starts to execute..."
echo "gererating keys and some preparation..."
mkdir keys
while read IP user _ hostname
do
ssh-keygen -t rsa -P "" -f keys/$IP
sed -i "s/ [^ ]\+$/ ${user}@$hostname/" keys/${IP}.pub
cat keys/${IP}.pub>>keys/commonKeys
echo $IP>>IPs #IPs is temporary file for storing IP lists to be used by
#ssh-keyscan
done< $hostFile >/dev/null 2>&1
#using environment variables simply for feeding shell variable to expect
export commonKeys=`cat keys/commonKeys`
export knownHosts=`ssh-keyscan -t rsa -f IPs 2>/dev/null` #``only capture the stard output
echo -e "gererating keys and all preparation completed successfully!\n"
while read f1 f2 f3 _
do
echo "authenticating for host $f1..."
export IP="$f1"
export user="$f2"
export pass="$f3"
export public=`cat keys/${IP}.pub`
export private=`cat keys/$IP`
expect -c '
log_file expect.log
log_user 0
set prompt "(%|#|\\$) $"
set IP $env(IP)
set user $env(user)
set pass $env(pass)
spawn -noecho ssh $user@$IP
expect {
"(yes/no)\?" { send "yes\r";exp_continue;}
"password:" {send "$pass\r"}
}
#manully build the ~/.ssh directory
expect -re "$prompt" {
send "if \[ ! -e ~/.ssh \];then mkdir ~/.ssh;fi;echo \"$env(public)\">~/.ssh/id_rsa.pub;echo \"$env(private)\">~/.ssh/id_rsa;echo \"$env(commonKeys)\">~/.ssh/authorized_keys\r"
}
expect -re "$prompt" {
send "ssh-keyscan -t rsa localhost>~/.ssh/known_hosts;echo \"$env(knownHosts)\">>~/.ssh/known_hosts;chmod 600 ~/.ssh/*\r"
}
expect -re "$prompt" exit
'
echo "authentication for host $IP completed successfully!";
done<$hostFile
#trace cleaning
rm -rf keys
rm -f IPs
unset IP
unset user
unset pass
unset public
unset private
unset knownHosts
unset commonKeys