- 给服务器分组
在/etc/ansible/hosts中增加一个名为dbtest的主机组,包含若干服务器IP
- 安装包分发
去官网找下载:
http://www.openssh.com/portable.html
https://openbsd.hk/pub/OpenBSD/OpenSSH/portable/
最新是: https://openbsd.hk/pub/OpenBSD/OpenSSH/portable/openssh-8.3p1.tar.gz
wget https://openbsd.hk/pub/OpenBSD/OpenSSH/portable/openssh-8.3p1.tar.gz -O /tmp/openssh-8.3p1.tar.gz
分发:
ansible dbtest -m copy -a "src=/tmp/openssh-8.3p1.tar.gz dest=/tmp/openssh-8.3p1.tar.gz"
安装基础组件
ansible dbtest -f6 -m shell -a "yum install -y zlib openssl openssl-dev"
shell模块支持管道符和分号,比command模块更好用;但对awk的支持还不是很好。
-f6表示最多同时对6台主机并发执行
编译安装
ansible dbtest -f6 -m shell -a "cd /tmp/;tar -zxvf openssh-8.3p1.tar.gz"
ansible dbtest -f6 -m shell -a "cd /tmp/openssh-8.3p1;./configure && make && make install"
修改sshd配置文件
关注影响登录的设置,如root是否可以登录,端口号等;备份;修改配置。
[root@deployer ~]# cat /usr/local/etc/sshd_config |grep -Ei "(root|dns|gss|port)"
观察结果。这里我们只修改root登录这一项(即追加PermitRootLogin yes),其余保持默认。注意sshd_config中同一关键字以第一次出现的值为准,追加到文件末尾的行不会覆盖前面已经取消注释的同名设置,因此要先用上面的grep确认没有已生效的PermitRootLogin行,改完后再grep一次核对。
ansible dbtest -f6 -mshell -a "cp /usr/local/etc/sshd_config /usr/local/etc/sshd_config.bak"
ansible dbtest -f6 -mshell -a "echo \"PermitRootLogin yes\" >> /usr/local/etc/sshd_config;cat /usr/local/etc/sshd_config |grep -Ei \"(root|dns|gss|port)\""
- 修改sshd服务文件
ansible dbtest -f6 -mshell -a "cp /etc/systemd/system/multi-user.target.wants/sshd.service /etc/systemd/system/multi-user.target.wants/sshd.service.bak"
ansible dbtest -f6 -mshell -a "sed -i \"s/\/usr\/sbin\/sshd/\/usr\/local\/sbin\/sshd/g\" /etc/systemd/system/multi-user.target.wants/sshd.service"
ansible dbtest -f6 -mshell -a "cat /etc/systemd/system/multi-user.target.wants/sshd.service"
如果使用的是openssh源码目录里contrib/redhat/sshd.init作为服务启停脚本,则需要相应修改其中的安装路径,具体见附件部分。
重启服务
先单点测试:先用一个窗口登录上这台服务器并保持连接,再远程执行重启,验证可以新开会话登录后再继续;如果不可登录,可以用已登录的窗口恢复备份的配置。
ansible 192.168.36.35 -f6 -mshell -a “systemctl restart sshd”
验证可登录后继续
ansible dbtest -f6 -mshell -a “systemctl restart sshd”
验证
附件:
放于/etc/init.d/sshd的脚本文件,放好后执行chkconfig sshd on
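#!/bin/bash
#
# Init file for OpenSSH server daemon
#
# Adapted from contrib/redhat/sshd.init for an OpenSSH built from source
# with the default prefix (/usr/local): the daemon lives in /usr/local/sbin
# and its configuration in /usr/local/etc.  Install as /etc/init.d/sshd and
# register it with chkconfig.
#
# chkconfig: 2345 55 25
# description: OpenSSH server daemon
#
# processname: sshd
# config: /usr/local/etc/ssh_host_key
# config: /usr/local/etc/ssh_host_key.pub
# config: /usr/local/etc/ssh_random_seed
# config: /usr/local/etc/sshd_config
# pidfile: /var/run/sshd.pid

# Install locations of the source-built OpenSSH.  Every path below derives
# from these two, so a different --prefix only needs changing here.
SSHD_CONFIG_DIR=/usr/local/etc
SSHD_BIN_DIR=/usr/local/sbin

# source function library (provides success, failure, killproc, status)
. /etc/rc.d/init.d/functions

# pull in sysconfig settings (where OPTIONS, consumed by start(), is
# expected to be defined)
if [ -f /etc/sysconfig/sshd ]; then
  . /etc/sysconfig/sshd
fi

RETVAL=0
prog="sshd"

# Some variables to make the below more readable
SSHD=${SSHD_BIN_DIR}/sshd
PID_FILE=/var/run/sshd.pid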
#######################################
# Validate the sshd configuration and host keys without starting the daemon.
# Globals:  SSHD (read), RETVAL (written with the exit status of `sshd -t`)
# Outputs:  prints a failure marker (init-functions library) when invalid
#######################################
do_restart_sanity_check()
{
  "$SSHD" -t
  RETVAL=$?
  [ "$RETVAL" -eq 0 ] || {
    failure $"Configuration file or keys are invalid"
    echo
  }
}
#######################################
# Start sshd: generate any missing host keys, relabel the public key files
# when restorecon is available, then launch the daemon.
# Globals:  SSHD, OPTIONS, SSHD_CONFIG_DIR, prog (read); RETVAL (written)
# Side effects: creates /var/lock/subsys/sshd when the daemon started
#######################################
start()
{
  # Create keys if necessary
  /usr/bin/ssh-keygen -A
  if [ -x /sbin/restorecon ]; then
    local keytype
    for keytype in rsa dsa ecdsa; do
      /sbin/restorecon "${SSHD_CONFIG_DIR}/ssh_host_${keytype}_key.pub"
    done
  fi
  echo -n $"Starting $prog:"
  # OPTIONS is deliberately unquoted: it may carry several arguments.
  # RETVAL takes the status of success/failure, i.e. 0 only if sshd started.
  $SSHD $OPTIONS && success || failure
  RETVAL=$?
  if [ "$RETVAL" -eq 0 ]; then
    touch /var/lock/subsys/sshd
  fi
  echo
}
#######################################
# Stop sshd with SIGTERM via killproc.
# Globals:  SSHD, prog (read); RETVAL (written with killproc's status)
# Side effects: removes /var/lock/subsys/sshd when the stop succeeded
#######################################
stop()
{
  echo -n $"Stopping $prog:"
  killproc $SSHD -TERM
  RETVAL=$?
  if [ "$RETVAL" -eq 0 ]; then
    rm -f /var/lock/subsys/sshd
  fi
  echo
}
#######################################
# Ask the running sshd to re-read its configuration (SIGHUP via killproc).
# Globals:  SSHD, prog (read); RETVAL (written with killproc's status)
#######################################
reload()
{
  echo -n $"Reloading $prog:"
  killproc $SSHD -HUP
  RETVAL=$?
  echo
}
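# Dispatch on the action requested by the init system or operator.
# RETVAL is set by the invoked function and becomes the script's exit status.
case "$1" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  restart)
    # Validate the configuration before tearing down the running daemon,
    # exactly as condrestart does: with an invalid sshd_config the old
    # behaviour stopped sshd and then failed to start it, leaving the host
    # without an SSH service.  Now the running daemon is left untouched and
    # the non-zero status of `sshd -t` is returned instead.
    do_restart_sanity_check
    if [ "$RETVAL" -eq 0 ]; then
      stop
      start
    fi
    ;;
  reload)
    reload
    ;;
  condrestart)
    # Only restart when the service is recorded as running.
    if [ -f /var/lock/subsys/sshd ]; then
      do_restart_sanity_check
      if [ "$RETVAL" -eq 0 ]; then
        stop
        # avoid race
        sleep 3
        start
      fi
    fi
    ;;
  status)
    status "$SSHD"
    RETVAL=$?
    ;;
  *)
    echo $"Usage: $0 {start|stop|restart|reload|condrestart|status}"
    RETVAL=1
    ;;
esac
exit $RETVAL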