1. 给服务器分组

在/etc/ansible/hosts增加节点dbtest，包含若干服务器ip

1. 安装包分发

去官网找下载：
http://www.openssh.com/portable.html
https://openbsd.hk/pub/OpenBSD/OpenSSH/portable/
最新是： https://openbsd.hk/pub/OpenBSD/OpenSSH/portable/openssh-8.3p1.tar.gz

wget https://openbsd.hk/pub/OpenBSD/OpenSSH/portable/openssh-8.3p1.tar.gz -o /tmp/openssh-8.3p1.tar.gz

分发：

ansible dbtest-m copy -a “src=/tmp/openssh-8.3p1.tar.gz dest=/tmp/openssh-8.3p1.tar.gz”

1. 安装基础组件

   ansible dbtest -f6 -m shell -a “yum install -y zlib openssl openssl-dev”

   shell模块可以支持管道符和分号，比command模块更好用。但是awk支持得还不是很好。

   -f6同时6个并发

2. 编译安装

   ansible dbtest -f6 -m shell -a “cd /tmp/;tar -zxvf openssh-8.3p1.tar.gz” ansible dbtest -f6 -m shell -a “cd /tmp/openssh-8.3p1;./configure && make && make install”

3. 修改sshd配置文件

关注影响登录的设置，如root是否可以登录，端口号等；备份；修改配置。

[root@deployer ~]# cat /usr/local/etc/sshd_config |grep -Ei “(root|dns|gss|port)”

观察结果，这里我们只修改root登录

ansible dbtest -f6 -mshell -a “cp /usr/local/etc/sshd_config /usr/local/etc/sshd_config.bak” ansible dbtest -f6 -mshell -a “echo \”PermitRootLogin yes\” >> /usr/local/etc/sshd_config;cat /usr/local/etc/sshd_config |grep -Ei \”(root|dns|gss|port)\””

1. 修改sshd服务文件

   ansible dbtest -f6 -mshell -a “cp /etc/systemd/system/multi-user.target.wants/sshd.service /etc/systemd/system/multi-user.target.wants/sshd.service.bak” ansible dbtest -f6 -mshell -a “sed -i \”s/\/usr\/sbin\/sshd/\/usr\/local\/sbin\/sshd/g\” /etc/systemd/system/multi-user.target.wants/sshd.service” ansible dbtest -f6 -mshell -a “cat /etc/systemd/system/multi-user.target.wants/sshd.service”

如果使用的是openssh目录里/contrib/redhat/sshd.init作为服务启停脚本，这个要改。具体见附件部分。

1. 重启服务

   先单点测试，先登录上这台服务器，再远程执行，验证可登录后继续，如果不可登录，可以用已登录窗口恢复

   ansible 192.168.36.35 -f6 -mshell -a “systemctl restart sshd”

   验证可登录后继续

   ansible dbtest -f6 -mshell -a “systemctl restart sshd”

2. 验证

附件：
放于/etc/init.d的sshd文件，放后执行chkconfig on

#!/bin/bash
#
# Init file for OpenSSH server daemon
#
# chkconfig: 2345 55 25
# description: OpenSSH server daemon
#
# processname: sshd
# config: /usr/local/etc/ssh/ssh_host_key
# config: /usr/local/etc/ssh/ssh_host_key.pub
# config: /usr/local/etc/ssh/ssh_random_seed
# config: /usr/local/etc/ssh/sshd_config
# pidfile: /var/run/sshd.pid
SSHD_CONFIG_DIR=/usr/local/etc
SSHD_BIN_DIR=/usr/local/sbin
# source function library
. /etc/rc.d/init.d/functions
# pull in sysconfig settings
[ -f /etc/sysconfig/sshd ] && . /etc/sysconfig/sshd
RETVAL=0
prog="sshd"
# Some functions to make the below more readable
SSHD=${SSHD_BIN_DIR}/sshd
PID_FILE=/var/run/sshd.pid
do_restart_sanity_check()
{
    $SSHD -t
    RETVAL=$?
    if [ $RETVAL -ne 0 ]; then
        failure $"Configuration file or keys are invalid"
        echo
    fi
}
start()
{
    # Create keys if necessary
    /usr/bin/ssh-keygen -A
    if [ -x /sbin/restorecon ]; then
        /sbin/restorecon ${SSHD_CONFIG_DIR}/ssh_host_rsa_key.pub
        /sbin/restorecon ${SSHD_CONFIG_DIR}/ssh_host_dsa_key.pub
        /sbin/restorecon ${SSHD_CONFIG_DIR}/ssh_host_ecdsa_key.pub
    fi
    echo -n $"Starting $prog:"
    $SSHD $OPTIONS && success || failure
    RETVAL=$?
    [ $RETVAL -eq 0 ] && touch /var/lock/subsys/sshd
    echo
}
stop()
{
    echo -n $"Stopping $prog:"
    killproc $SSHD -TERM
    RETVAL=$?
    [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/sshd
    echo
}
reload()
{
    echo -n $"Reloading $prog:"
    killproc $SSHD -HUP
    RETVAL=$?
    echo
}
case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart)
        stop
        start
        ;;
    reload)
        reload
        ;;
    condrestart)
        if [ -f /var/lock/subsys/sshd ] ; then
            do_restart_sanity_check
            if [ $RETVAL -eq 0 ] ; then
                stop
                # avoid race
                sleep 3
                start
            fi
        fi
        ;;
    status)
        status $SSHD
        RETVAL=$?
        ;;
    *)
        echo $"Usage: $0 {start|stop|restart|reload|condrestart|status}"
        RETVAL=1
esac
exit $RETVAL