​ssh免密码登录设置及问题总结

前几天写了一篇文章
关于ssh免密码登录，总结了3种方法，
# 一种推送的方式，也就是在服务器端操作，前提是知道所有免秘登录的服务器用户密码，通过脚本可以读取用户名密码。我写过一个telnet自动登录的脚本，详见附件。
ssh自动登录也可以采用expect语言实现，这个暂未撰写脚本文件，待写中。
# 一种拉取的方式。也就是在客户端进程操作，前提只要知道服务器端一个用户密码即可，弊端是需要在所有客户端手动执行。
# 最后一种方式，是通过工具的方式进行远程管理布置，例如ansible，puppet，func等，同时结合自动读取用户名，密码的shell，可以利于日常运维，简化人工成本。
最后，我也提供一个获取服务器负载的案例简单说明。

1.1 客户端操作，一般设置思路：
--server端生成秘钥串 ssh-keygen -t rsa -P ''
mkdir /home/oracle/.ssh&&chmod 700 /home/oracle/.ssh 
cd /home/oracle/.ssh &&scp 10.150.27.17:/home/oracle/.ssh/id_rsa.pub /home/oracle/.ssh/guoldb_keys &&cat guoldb_keys >>authorized_keys 

1.2 服务器端操作，命令方式：
for i in {1..11} 
do 
#echo 10.150.15.$i 
ssh-copy-id -i /home/oracle/.ssh/id_rsa.pub oracle@10.150.15.$i 
done;
 
1.3 ssh免秘登录设置好后，可能出现的问题就是，明明已经设置完毕，但是无法免秘登录。
具体现象为：root用户的免秘登录可以，但是普通用户oracle的免秘登录不可以。初步定位于权限问题，网上获取的资源也大多如此。
示例如下，来源于生产环境案例：
目的：从10.150.27.17(GuolDB) 到 10.150.27.20(orcl) 的免秘登录 
操作流程如下：
-- 10.150.27.17-OpenSSH_7.3p1
1.3.1 ssh-keygen -t rsa -P ''
1.3.2 ssh-copy-id -i /home/oracle/.ssh/id_rsa.pub oracle@10.150.27.20
1.3.3 测试结果如下：ssh 10.150.27.20 date 
								
oracle@GuolDB:[/home/oracle/.ssh] ssh 10.150.27.20
The authenticity of host '10.150.27.20 (10.150.27.20)' can't be established.
RSA key fingerprint is 03:57:78:14:bd:b4:47:c3:7e:6a:aa:33:c8:90:7c:11.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.150.27.20' (RSA) to the list of known hosts.
oracle@10.150.27.20's password: 
Last login: Thu Dec 29 10:30:59 2016 from 10.150.27.17
oracle@GuolDB:[/home/oracle/.ssh]

oracle@GuolDB:[/home/oracle/.ssh] ssh-copy-id -i /home/oracle/.ssh/id_rsa.pub oracle@10.150.27.20
oracle@10.150.27.20s password: 
Now try logging into the machine, with "ssh oracle@10.150.27.20", and check in:
.ssh/authorized_keys
to make sure we haven t added extra keys that you weren't expecting.
oracle@GuolDB:[/home/oracle/.ssh] 

oracle@GuolDB:[/home/oracle/.ssh] ssh 10.150.27.20
oracle@10.150.27.20's password:

疑惑，明明设置了免秘登录，为何还需要输入密码。
查阅相关资料，网帖，主要包括 .ssh 目录权限是700 ，authorized_keys 为600 或者644 的权限问题。
	  
	
-- 10.150.27.20-OpenSSH_5.3p1
[oracle@orcl ~]$ ll -d .ssh/
drwxrwxrwx 2 oracle dba 4096 Dec 29 10:33 .ssh/
[oracle@orcl ~]$ chmod 700 .ssh
[oracle@orcl ~]$ 
[oracle@orcl ~]$ cd .ssh/
[oracle@orcl .ssh]$ ll
total 4
-rw------- 1 oracle dba 395 Dec 29 10:33 authorized_keys
-rw-r--r-- 1 oracle dba   0 Dec 29 10:36 known_hosts	
[oracle@orcl home]$ ll
total 8
drwxrwxrwx. 13 oracle     dba        4096 Dec 29 10:32 oracle
[oracle@orcl home]$ 
[oracle@orcl home]$ chmod 744 oracle/

再次测试，成功。
oracle@GuolDB:[/home] ssh 10.150.27.20
Last login: Thu Dec 29 10:58:21 2016 from 10.150.27.17

-- 根据测试结果，总结如下。
在免秘登录的设置中，需要注意3个地方的权限设置问题，特别是普通用户，如oracle用户家目录的权限设置，这个容易遗漏。
1 .ssh 目录权限是700 ，
2 authorized_keys 为600 或者644 
3 普通用户家目录的other权限位不能太高，不能有w权限位。
4 具体ssh的秘钥权限文件，目录权限设置和免秘登录的关系，还有待查找ssh的官方资料佐证。
	
	-- 使用ansible 布置ssh免秘登录，在大量server需要布置的情况下，个人建议采用此方式，节约人力成本，同时无需安装agent。
通过远程工具和ssh的免秘登录配置结合，可以扩展运维思路，我现在正在通过此方式设计zabbix无法监控的数据库值班。
ansible+ssh-收集服务器数据入库db-然后分析db中的数据出报告-mail发送给dba或者相关人-历史数据分析。预计春节前完成，届时如果效果不错都成型后，发给你也请你给一些建议。
	ansible all -m authorized_keys -a "user=oracle key='{{ lookup('file','/home/oracle/.ssh/id_rsa.pub') }}'  path=/home/oracle/.ssh/authorized_keys manage_dir=no"
	ansible all -m copy -a 'owner=oracle group=oinstall src=/home/oracle/oracle_guoldb.key dest=/home/oracle'	
	ansible all -m shell -a 'cat /home/oracle/oracle_guoldb.key>>/home/oracle/.ssh/authorized_keys' 	
		
--附件telnet自动登录服务器，远程执行command操作指令 
	文件说明：
		1 param 	用于记录服务器地址，用户，密码
		2 cmdlist 	用于记录command远程操作指令
		3 telnet.sh 用于执行远程指令的脚本，格式"Usage: $0 param cmdlist" 
		
cmcbmon1:/home/cmcbadm/guol/update_sh/opt_oracle>cat param
10.150.82.15 oracle oracle 
10.150.82.17 oracle oracle 
10.150.46.17 oracle oracle


cmcbmon1:/home/cmcbadm/guol/update_sh/opt_oracle>cat cmdlist
cd /home/oracle
mkdir -p ~/guol/alert
mkdir -p ~/guol/arch
mkdir -p ~/guol/sql
mkdir -p ~/guol/cron

cmcbmon1:/home/cmcbadm/guol/tmp/upload/bak>cat telnet.sh 
#!/usr/bin/ksh

tmptty=`tty |sed -e "s/\/dev//g"` 
if [ 3 -lt $# ]
then 
    echo "Usage: $0 param cmdlist"
    exit
fi
PARAM=param
CMDLIST=cmdlist

if [ "$2" = "cmdlist" ] && [ -r $2 ]
then 
    CMDLIST=$2
fi

if [ "$1" = "param" ] && [ -r $1 ]
then
    PARAM=$1
fi

echo "PARAM=$PARAM"
echo "CMDLIST=$CMDLIST"


inputfile=in                 
outputfile=out               

rm -fr $inputfile
rm -fr $outputfile
mknod $inputfile p
touch $outputfile

#file description 7 for out and 8 for in 
exec 8<>$outputfile
exec 7<>$inputfile

while read ipaddress user password 
do
telnet $ipaddress <&7 >&8 & 
sleep 3 ; echo $user >> $inputfile      
sleep 2 ; echo $password >> $inputfile  
sleep 1;

while read str
do
if [ "$str" = "" ] 
then 
echo "" >> $inputfile

elif [ "`echo "$str" | awk '{print $1}'`" = "local" ]
then
echo "$str"|awk '{print substr($0,7,length())}' | sh
else
echo "$str"  >> $inputfile
fi
sleep 1
done  < $CMDLIST
#echo "exit" >> $inputfile
sleep 1
done < $PARAM

exec 1<&7
exec 0<&8

cat $outputfile >> $outputfile.log
rm -fr $inputfile
rm -fr $outputfile
cmcbmon1:/home/cmcbadm/guol/tmp/upload/bak>


-- uptime.sh
	说明：通过ansible收集所有服务器的负载信息uptime.sh，然后插入到信息库中待分析analyze_load.sh后邮件告警或者历史记录分析。
oracle@GuolDB:[/home/oracle/guol/uptime_report] cat uptime.sh
#!/bin/bash
#
load_dir=/home/oracle/guol/uptime_report


#ansible all -m command -a 'uptime' |awk '/>$/{T=$0;next;}{print T"|\t       "$0;}' |column -t -s " "|awk  -v d=`date +%Y/%m/%d_%H:%M:%S` '{print "insert into server_load@link_to_guoldb values(" "\047"$1"\047"  ","  "to_date(" "\047"d"\047" ",\047YYYY/MM/DD_hh24:mi:ss\047"   "), "   $16     $17    $18   ");"}'>$load_dir/load_insert.sql
	# bug list : 13:03--15 min
	#10.150.15.14 | SUCCESS | rc=0 >> 09:47:26 up 157 days, 13:03,  5 users,  load average: 0.10, 0.25, 0.40
	#10.150.15.16 | SUCCESS | rc=0 >> 09:48:07 up 79  days, 15 min,  4 users,  load average: 0.07, 0.11, 0.21
	#insert into server_load@link_to_guoldb values('10.150.15.16',to_date('2016/12/20_09:48:04','YYYY/MM/DD_hh24:mi:ss'), average:0.00,0.11,);

cd $load_dir
>load_insert.sql
for i in `cat /home/oracle/guol/ansible_history/ansible_ip_list.txt`
	do

ansible $i -m command -a 'uptime' |awk '/>$/{T=$0;next;}{print T"|\t  "$0;}' |column -t -s " "|sed 's/|/,/g'|awk -F ','  '{print $1 $(NF-2) $(NF-1) $NF}'|awk  -v d=`date +%Y/%m/%d_%H:%M:%S` '{print "insert into server_load@link_to_guoldb values(" "\047"$1"\047"  ","  "to_date(" "\047"d"\047" ",\047YYYY/MM/DD_hh24:mi:ss\047"   "), "   $4  ","  $5  ","  $6   ");"}'>>$load_dir/load_insert.sql


done

source ~/.bash_profile
export ORACLE_SID=guoldb
sqlplus -s /nolog <<EOF
        conn monitor/M0nitor$
        set echo off feedback off head off pagesize 0
        @load_insert.sql
        commit;
quit;
EOF

############## table 
#create table guoliang.server_load(
#ip  	varchar2(30),
#time 	date,
#one_minute_load		number,
#five_minute_load	number,
#fifteen_minute_load	number
#);
oracle@GuolDB:[/home/oracle/guol/uptime_report]

oracle@GuolDB:[/home/oracle/guol/uptime_report] cat analyze_load.sh
#!/bin/bash
#
#auth:guoliang 
#
source ~/.bash_profile
current_date=`date +%Y%m%d_%H:%M --date="-5 minutes"`
load_dir=/home/oracle/guol/uptime_report
load_threshold=30
mail_man=guolora@163.com
ddate=`date +%Y%m%d`

################################ start 
>$load_dir/uptime_load_data.txt
sqlplus -s /nolog>$load_dir/uptime_load_data.txt<<EOF
	conn monitor/M0nitor$
	set echo off feedback off head off pagesize 0 linesize 200
	alter session set nls_date_format='yyyymmdd_hh24:mi';
	select * from server_load where time>=to_date('$current_date','yyyymmdd_hh24:mi') and (one_minute_load>$load_threshold or five_minute_load>$load_threshold or fifteen_minute_load>$load_threshold) order by time desc;
	quit;
EOF
很多朋友
>$load_dir/uptime_report.txt
cat $load_dir/uptime_load_data.txt |awk -v v1=$load_threshold '{print "Alert :"$1 "_uptime_"$2"_load :" $3 "--"$4"--"$5 "  It is over load "v1" ,pls check and notice it." }'>$load_dir/uptime_report.txt
################################ end #################################

脚本结果如下：
Alert :172.16.15.9_uptime_20161228_22:10_load :26.4--22.72--33.71  It is over load 30 ,pls check and notice it.