我们一般使用linux的时候,都是在Windows上安装一个ssh客户端连接上去。那么从一台linux如何连接到另一条linux呢?使用ssh命令即可,因为每台linux机器自己都有一个ssh客户端。现在我们使用Python的paramiko模块可以实现ssh客户端,通过Python脚本远程登录一台机器并执行相关操作。
为什么要使用Python来实现ssh客户端呢?主要作用是用来作批量管理。如果让你使用ssh命令登录1台linux机器还好,但是如果让1000台机器同时执行一个命令怎么办呢?当然你可以使用shell脚本写一个for循环来实现,我们使用Python也可以实现。
paramiko模块:基于SSH用于连接远程服务器并执行相关操作
首先安装paramiko模块
基本命令:pip install paramiko
C:UsersAdministrator>pip install paramiko #由于我PC上同时安装了Python2和Python3,所以会报错 Fatal error in launcher: Unable to create process using '"' C:UsersAdministrator>python3 -m pip install paramiko #用这个命令安装就好啦 ... Successfully installed asn1crypto-0.24.0 bcrypt-3.1.6 cffi-1.12.2 cryptography-2 .6.1 paramiko-2.4.2 pyasn1-0.4.5 pycparser-2.19 pynacl-1.3.0 six-1.12.0 C:UsersAdministrator>python3 #验证是否安装成功 Python 3.6.5 (v3.6.5:f59c0932b4, Mar 28 2018, 17:00:18) [MSC v.1900 64 bit (AMD6 4)] on win32 Type "help", "copyright", "credits" or "license" for more information. >>> import paramiko #不报错说明安装成功 >>> PS:别看上面用命令安装paramiko这么简单,刚开始跟着网上博客离线安装各种报错,浪费了我整整1天的时间,哎,说多了都是泪啊。。。
[root@hadoop ~]# cd /usr/local/python3/bin/ [root@hadoop bin]# pip3 install paramiko #直接安装会报错,所以请按下面步骤安装 pip._vendor.requests.packages.urllib3.exceptions.ReadTimeoutError: HTTPSConnectionPool(host='files.pythonhosted.org', port=443): Read timed out. 1.安装组件 [root@hadoop ~]# install openssl openssl-devel python-dev pycrypto -y [root@hadoop ~]# yum install zlib-devel zlib #必须安装,不安装会报错 [root@hadoop ~]# cd /usr/local/python3/ [root@hadoop python3]# ./configure #安装zlib-devel需要对python3.5进行重新编译安装 [root@hadoop python3]# make & make install 2.安装setuptools: [root@hadoop python3]# cd bin [root@hadoop bin]# pip3 install setuptools #貌似安装python3.6时已经顺带安装过了 Requirement already satisfied: setuptools in /usr/local/python3/lib/python3.6/site-packages 3.安装paramiko [root@hadoop bin]# pip3 install paramiko #安装成功未报错 Successfully installed asn1crypto-0.24.0 bcrypt-3.1.6 cffi-1.12.2 cryptography-2.6.1 paramiko-2.4.2 pyasn1-0.4.5 pycparser-2.19 pynacl-1.3.0 six-1.12.0 [root@hadoop bin]# python3 #验证是否安装成功 Python 3.6.1 (default, Sep 21 2018, 15:34:57) [GCC 4.8.5 20150623 (Red Hat 4.8.5-28)] on linux Type "help", "copyright", "credits" or "license" for more information. >>> import paramiko #不报错说明安装成功 >>> 参考:https://www.cnblogs.com/chimeiwangliang/p/7193187.html
SSHClient
用于连接远程服务器并执行基本命令
基于用户名密码连接:
import paramiko
# 创建SSH对象
ssh = paramiko.SSHClient()
# 允许连接不在know_hosts文件中的主机,否则可能报错:paramiko.ssh_exception.SSHException: Server '192.168.43.140' not found in known_hosts
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
# 连接服务器
ssh.connect(hostname=b'192.168.43.140', port=22, username=b'root', password=b'123123')
# 执行命令
# stdin:标准输入(就是你输入的命令);stdout:标准输出(就是命令执行结果);stderr:标准错误(命令执行过程中如果出错了就把错误打到这里),stdout和stderr仅会输出一个
stdin, stdout, stderr = ssh.exec_command('df')
# 获取命令结果
result = stdout.read().decode() # 这个有问题,不显示错误,可以修改一下,先判断stdout有没有值,如果输出没有,就显示错误
print(result)
# 关闭连接
ssh.close()
#Author:Zheng Na import paramiko transport = paramiko.Transport(('192.168.43.140', 22)) transport.connect(username='root', password='123123') ssh = paramiko.SSHClient() ssh._transport = transport stdin, stdout, stderr = ssh.exec_command('df') result = stdout.read().decode() print(result) transport.close()
基于公钥密钥连接:
import paramiko
# 首先指定你的私钥在哪个位置(ssh是自动找到这个位置,Python不行,必须指定)
private_key = paramiko.RSAKey.from_private_key_file('id_rsa')
# 创建SSH对象
ssh = paramiko.SSHClient()
# 允许连接不在know_hosts文件中的主机
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
# 连接服务器
ssh.connect(hostname='192.168.43.140', port=22, username='root', pkey=private_key)
# 执行命令
stdin, stdout, stderr = ssh.exec_command('df')
# 获取命令结果
result = stdout.read().decode()
print(result)
# 关闭连接
ssh.close()
import paramiko private_key = paramiko.RSAKey.from_private_key_file('id_rsa') transport = paramiko.Transport(('192.168.43.140', 22)) transport.connect(username='root', pkey=private_key) ssh = paramiko.SSHClient() ssh._transport = transport stdin, stdout, stderr = ssh.exec_command('df') result = stdout.read().decode() print(result) transport.close()
#Author:Zheng Na import paramiko from io import StringIO key_str = """-----BEGIN RSA PRIVATE KEY----- MIIEpQIBAAKCAQEA+4kJjKuG2uYNuTZ1SsBr5kCd5GPHV9MU1OsqqXjJlFDvFwa/ /DtPNgeimA6bkHLdd63j0pDpgY/r5jcyH1bLbHMq97hYzNEJZ4GsEDMjnR0qFLTm QtD2qj+Y6bEmNj39PgGs8sWN+1O4fPWDvGQTnmCytGOTYPA9LtMWkjHcTTNk9UqC x5kSlhASSuf0DEtBrpKGUDT1G6BYVDQN3rALAZVAtLOEDCZWcKl8bk8OtuIc4WeL 1/5JPD0BIquPTcwl7DaALW2isut/RFiqhPWoYgexovQEiHhbuGfJQK9WFUxyOjby 9mS3BdN+1nFg4aWIa+iVH8cUMIJLxO1bJzEdjQIDAQABAoIBAQDEzPdXxGyCoDRk kSM8FUlWoX/nzdmN8Wz/GfALIKI3FQu77GARrSXQlDC239b/MZ/tn3P8r7zCziQ3 vz/MHVCTzZf0sZtoxLSi82X4VsqqhsMB6HewF2am1ZOCZEQNdHrLJOx4FfF8joht 3Hnx0Cs5Y1bupGoPEmgMVsP2JmTDUMG5ZUCUJigRJ1W38gfx17ZFziaDWPVrMFwy /zJ8kw5w/ZRn1pw2PeIahSFsGMFVGfm78PXVANr9wOB2YVYuQxOzzHwo8JQnBRke wYdg1oDHn74HVBNeHUN4YXVwAP8Ggieq/mnHAb36RSIqk6y51KnypR1BiKcSmn+i VQ6QR7GBAoGBAP81ZcL/pMenSaIQ8nev2evcqXwyJHfDRH1CWPxSygNfcePlEF1I +OecYswPvlV+iHangnfnt1xZcTTZXQpAyn7xmKk133sOe5f4Jq2vzjqK8mqmWTDw 5OeQIQ3Uuh0XrX93CZpRhgOctL1k6exFSkGkCWnDJOX05+WGrXhoG3IlAoGBAPxQ uUOJ2k9o1kKylMUYAYpk8y7QwwVSlBhm5Hy1Y6X1Rk2/ERuiebzpSeynXcq+rJyr tmDaxokzasVcP+YMgDwLF1buENDA2UQzUaZjnPds4M6R89xjWbEJ6q3+jFK8JvSd KcSJab/fP83tKApmoR0qfXR1yWEe+k5LaBTio/1JAoGAJr4XdbPTcw+9SOIjvPGw NnMoM5d1G81D73QMCDoVOs/ZfUw/4Ll8N8Tw5qOZNGdiFgk18Df4CQf2/Jvm2PCf DQhmMYHhLFA1iQt9664ds5t2U6RvM9POHC0wJ2Zc3p/CkfAjQA8SNigq8/mG3Xxj WnWpjCm4x0QXlCuO2BGN4RUCgYEA0HjOKhyLcVM4vREaVKLaGwP/3e2FRS+Ox360 SMoClIvM084Lj562IT1L5CoBF9RlgGlsHiiFI7WFAZ6P+T7Y8UNkvGGlKSY+Hdid HPJvLgwazvLO34iDAgEkkzCftnhZY4E7knTLGEqYSEgr7jQP6K5Dy+bKReG3hNtP GvqL7mkCgYEA+MKBttwVDv8qmOx6UzVhUlVvp8W+/Db1hC0L/bnhx3Fcp0ZpV+dn 3htyqOnP4XYj86PUPFo9Vl3niQKjSuoo4EVchLTIAupndZGw238lX5puqxJJTyxZ oNrD9RgeiT6GWeLOxnDUsp/hSASix3PRSNTrJGqdOKnwgkBJaLNM6ic= -----END RSA PRIVATE KEY----- """ private_key = paramiko.RSAKey(file_obj=StringIO(key_str)) transport = paramiko.Transport(('192.168.43.140', 22)) transport.connect(username='root', pkey=private_key) ssh = paramiko.SSHClient() ssh._transport = transport stdin, stdout, stderr = ssh.exec_command('df') result = stdout.read().decode() print(result) transport.close()
SFTPClient
用于连接远程服务器并执行上传下载(ssh本身可以使用scp命令传文件,它是基于sftp协议)
基于用户名密码上传下载
import paramiko
transport = paramiko.Transport(('192.168.43.140', 22))
transport.connect(username='root', password='123123')
sftp = paramiko.SFTPClient.from_transport(transport)
# 将location.txt 上传至服务器 /tmp/f_win.txt
sftp.put('location.txt', '/tmp/f_win.txt')
# 将/tmp/test.txt 下载到本地 f_linux.txt
sftp.get('/tmp/test.txt', 'f_linux.txt')
transport.close()
基于公钥密钥上传下载
import paramiko
private_key = paramiko.RSAKey.from_private_key_file('id_rsa')
transport = paramiko.Transport(('192.168.43.140', 22))
transport.connect(username='root', pkey=private_key)
sftp = paramiko.SFTPClient.from_transport(transport)
# 将location.txt 上传至服务器 /tmp/f_win.txt
sftp.put('location.txt', '/tmp/f_win.txt')
# 将/tmp/test.txt 下载到本地 f_linux.txt
sftp.get('/tmp/test.txt', 'f_linux.txt')
transport.close()
#Author:Zheng Na import paramiko import uuid class Haproxy(object): def __init__(self): self.host = '192.168.43.140' self.port = 22 self.username = 'root' self.pwd = '123123' self.__k = None def create_file(self): file_name = str(uuid.uuid4()) with open(file_name,'w') as f: f.write('hello paramiko') return file_name def run(self): self.connect() self.upload() self.rename() self.close() def connect(self): transport = paramiko.Transport((self.host,self.port)) transport.connect(username=self.username,password=self.pwd) self.__transport = transport def close(self): self.__transport.close() def upload(self): # 连接,上传 file_name = self.create_file() sftp = paramiko.SFTPClient.from_transport(self.__transport) sftp.put(file_name, '/tmp/tttt.txt') def rename(self): ssh = paramiko.SSHClient() ssh._transport = self.__transport # 执行命令 stdin, stdout, stderr = ssh.exec_command('mv /tmp/tttt.txt /tmp/oooo.txt') # 获取命令结果 result = stdout.read().decode() ha = Haproxy() ha.run()
补充:
1.使用ssh的密钥来连接远程服务器的原理:
RSA:非对称加密算法
公钥:public key
私钥:private key
如果你想连接服务器,首先本地生成密钥对,然后本地保存私钥,把公钥拷贝给服务器。
比如:本地(172.16.134.128,私钥)——>远程服务器(172.16.134.129,公钥)
步骤:
本地操作: [root@hadoop ~]# ssh-keygen #生成密钥对 [root@hadoop ~]# ssh-copy-id root@172.16.134.129 #使用命令将公钥拷贝给远程服务器 [root@hadoop ~]# ssh root@172.16.134.129 #登录远程服务器
本地(172.16.134.128) [root@hadoop ~]# ssh-keygen #生成密钥对 Generating public/private rsa key pair. Enter file in which to save the key (/root/.ssh/id_rsa): #回车,将私钥保存在/root/.ssh/id_rsa默认文件中 Enter passphrase (empty for no passphrase): #回车 Enter same passphrase again: #回车 Your identification has been saved in /root/.ssh/id_rsa. #私钥保存位置 Your public key has been saved in /root/.ssh/id_rsa.pub. #私钥保存位置 The key fingerprint is: SHA256:Jo4+uE0HO78Hg4+F7Nm//TYx8igi7ddbFk+vkvBH6YI root@hadoop The key's randomart image is: +---[RSA 2048]----+ | | | | | | | | | ..o. S . .. | | +=+o o o+o. | | o=Boo . Bo*. .| | .+*+= +.EoO o. | | ..o++*ooo+.=. | +----[SHA256]-----+ [root@hadoop ~]# more /root/.ssh/id_rsa #查看私钥,注意私钥不要拷贝给任何人 -----BEGIN RSA PRIVATE KEY----- MIIEpAIBAAKCAQEAsE9XuFPI0rHnLn6dDprDbAo+L9l5yYthgC2JsYAJTECchq9h FdynquzRveBy3t0UgidFSHvTmXYsOAZC1svwWATRtq53/fRCU4Gd5FkYCB/2v2Gm w7FxRl/ExmNJAlHhx5ZQK5qYRJWOlb1hOh+BfGJHX8ns6TuNwmv8hl9HpElgoqw1 5Lc09NZp8eHwcorKOPK0IMchdxPSQYvFvarKdNN0SQ8DhHoa5bZre46urSfnBZmr N7AOxegpO7mGPkAqCrG2Deia9EcMLl4uHybSb6LhiueG31qOSpBgR1f71rsSMDMu srL3MSZCtPAXYuN6yxKSQDbZbrr8HqtfrTwb5QIDAQABAoIBAGwcyyKJpfylAKj/ FNnOxwSqJ0X6KncPFAOgaO3CIHF0sUbZpkPcoafrPhYb2vSURq4k3JQ88h0JXMYh +Lx0I/YlRl+qDoRYUo+YTLSoeVcKGqlyfOtFFLvdn/EzEqLsiPF1V8XVL4fm2Z8y mLsmdKVMMo4naTH/xcaxpxDSvkCbhJ1f/mWJ93muLZ46IkkyA4WFBoR59IdFHoKO Y+EFAW8AaYitvyecjFFfNhDsEcK7/Td90LaEI526+L4VGstH7bxvhyKSBl10X4QG HWG/IhSItLaif6L32HcZ4qVNR+50fEG7gXGWogBi8kCeF9TWsd/8U2kePiP9f6Ld JNV0TOECgYEA6HlYPDQE02434lSiwxd+TDCkpqlsy9yer4aeuVowQb0VP6l/Pgjj vjju06hE3IUDc4502VvqGKdhMFMj7biqLFRY24tFok0CbdvIuuQDy81U7Mxp12Wt eGjl19ibEB0MMoaw5PatcpU1ow2w9ghT6hf/AmbL6VN1dTH2ypxHZ40CgYEAwib3 mIwfgLKVFK/A/HmRDVB7fBnaqZScqGyNxcqMrg9XQmhpr1gOYJy6ziSy6zfvjZSK zJ68GxfDwqJImYhAG4+R44yMMrvnIRnFKRUg+c522ErjpTxB/JEMfUo0ig8N2wEO boWZrDz3d7IZaMvTiYw8ZHpesVU5SS6h19DiI7kCgYEA3VJRH5fClGvVRmOfRS8D rZON3aFlE7ypUqBOUlY7pQpXxXEf07Zw47OeI+GKFYuI2qXgNuMbvnbzvycYCIUL dgKjSfiQxdCdJGve8ZaMyqVkWcDObyO8/+qWD2WHUtLkvuGeXY0/WdwV4XLya3lI MpC/1dB6B1vOclGsC/62uC0CgYBEhbA4/KtZpq2LAYShFt6kzlTmtdFArJylrLpU pmoEPJHVdDholDFu06Hyg21KKxG27EgYc6V8AmUq2k+5MCdAEumwX7hTZ5HpUskM +NIMmFvFdpjlhmDbnO3Fgl0MpMeFFdhcFXbpHRNSAV+KZvWfxAjEhZPKDoQLWhPw sV4+sQKBgQCKsUWeNntWr1LdcSsRigMOJ6ZF/QLXiZkmx97UmqLFQIG9+K0s7hHb qmsucmYZPs46qkAinimSsZ6HksSKRwRmZNEzKQgH/ua3gsjGqbjNkZKxXOCQ9PCF l6yw27/x2onIVGj5kVGt1yYfPrBspKimPB3O7p7y3igFF/TRMTHn2A== -----END RSA PRIVATE KEY----- [root@hadoop ~]# more /root/.ssh/id_rsa.pub #查看公钥 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCwT1e4U8jSsecufp0OmsNsCj4v2XnJi2GALYmxgAlMQJyGr2EV3Keq7NG94HLe3RSCJ0VIe9OZdiw4BkLWy/BYBNG2rnf99EJTgZ3kWRgIH/a/YabDsXFGX8TGY0kCUeHHllArmphElY6VvWE6H4F8Ykd fyezpO43Ca/yGX0ekSWCirDXktzT01mnx4fByiso48rQgxyF3E9JBi8W9qsp003RJDwOEehrltmt7jq6tJ+cFmas3sA7F6Ck7uYY+QCoKsbYN6Jr0RwwuXi4fJtJvouGK54bfWo5KkGBHV/vWuxIwMy6ysvcxJkK08Bdi43rLEpJANtluuvweq1+tPBvl r oot@hadoop [root@hadoop ~]# ssh-copy-id root@172.16.134.129 #使用命令将公钥拷贝给远程服务器 /usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub" /usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed /usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys root@172.16.134.129's password: Number of key(s) added: 1 Now try logging into the machine, with: "ssh 'root@172.16.134.129'" and check to make sure that only the key(s) you wanted were added. [root@hadoop ~]# ssh root@172.16.134.129 #成功登录远程服务器 Last login: Fri Mar 8 02:26:32 2019 from 172.16.134.128 [root@hadoop ~]# ip addr #查看远程服务器IP 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000 link/ether 00:0c:29:bd:97:52 brd ff:ff:ff:ff:ff:ff inet 172.16.134.129/24 brd 172.16.134.255 scope global noprefixroute dynamic eth0 valid_lft 1339sec preferred_lft 1339sec inet6 fe80::b46e:fbba:4f30:8322/64 scope link noprefixroute valid_lft forever preferred_lft forever [root@hadoop ~]# exit #退出 登出 Connection to 172.16.134.129 closed. [root@hadoop ~]#
注意这种连接是单向的,如果希望服务器的用户也可以无密码登录我们本地的用户,则同样需要在服务器的用户下生成密钥对,并把公钥拷贝给我们本地的用户。
除了可以使用命令来将公钥拷贝给服务器外,还可以直接登录远程服务器进行手动拷贝。
1.复制存放在/root/.ssh/id_rsa.pub的私钥 2.用户登录服务器172.16.134.129 3.将私钥拷贝到/root/.ssh/authorized_keys文件中。 [root@hadoop ~]# vi /root/.ssh/authorized_keys 注意: (1)公钥在服务器的存放位置由用户来决定。比如我想登录服务器的root用户,就将其拷贝到root文件夹的目标文件中。 (2)默认如果你登录过这个用户,则这个用户的.ssh文件会自动生成,如果没登录过这个用户,文件可能需要手动创建。 (3)如果你打开authorized_keys文件后看到其中中已经有一个公钥了,那么这应该是别人的,就是说别人如果也想不通过用户名密码登录这台服务器的话,就也会创建密钥对并把公钥放在这里。 (4)公钥只有1行,拷贝的时候可能会自动换行变成3行,最终导致登录不成功。可以先把公钥拷到一个txt文件中查看,确定是否只有一行,如果不是,手动删除回车变为一行。更好的办法是用命令拷贝。 4.安全起见,查看文件的权限是不是只允许自己读写,如果不是,修改权限。 [root@hadoop ~]# ll /root/.ssh/authorized_keys -rw-r--r-- 1 root root 393 Mar 8 02:01 /root/.ssh/authorized_keys [root@hadoop ~]# chmod 600 /root/.ssh/authorized_keys [root@hadoop ~]# ll /root/.ssh/authorized_keys -rw------- 1 root root 393 Mar 8 02:01 /root/.ssh/authorized_keys
本地尝试登录远程服务器时, 若登录不成功,可以使用调试模式查看,-v [root@hadoop ~]# ssh root@172.16.134.129 -v 若端口不是22,则需要加上端口号,比如 [root@hadoop ~]# ssh root@172.16.134.129 -p52113
2.为什么要使用公钥连接?
基于用户名密码来连接远程服务器,这是不安全的,一旦被别人拿到你的脚本,获取到用户名密码,别人也就可以连接你的服务器。
3.写Python脚本时,注意不要将名称写为paramiko.py,因为这与模块名重复,执行时会有问题。
4.安装好paramiko模块后第一次运行,可能会出现警告:CryptographyDeprecationWarning
D:softwarePython3.6.5python3.exe D:/python-study/s14/Day09/paramiko_ssh_pwdlogin.py D:softwarePython3.6.5libsite-packagesparamikokex_ecdh_nist.py:39: CryptographyDeprecationWarning: encode_point has been deprecated on EllipticCurvePublicNumbers and will be removed in a future version. Please use EllipticCurvePublicKey.public_bytes to obtain both compressed and uncompressed point encoding. m.add_string(self.Q_C.public_numbers().encode_point()) D:softwarePython3.6.5libsite-packagesparamikokex_ecdh_nist.py:96: CryptographyDeprecationWarning: Support for unsafe construction of public numbers from encoded data will be removed in a future version. Please use EllipticCurvePublicKey.from_encoded_point self.curve, Q_S_bytes D:softwarePython3.6.5libsite-packagesparamikokex_ecdh_nist.py:111: CryptographyDeprecationWarning: encode_point has been deprecated on EllipticCurvePublicNumbers and will be removed in a future version. Please use EllipticCurvePublicKey.public_bytes to obtain both compressed and uncompressed point encoding. hm.add_string(self.Q_C.public_numbers().encode_point())
C:UsersAdministrator>python3 -m pip uninstall cryptography==2.5 C:UsersAdministrator>python3 -m pip install cryptography==2.4.2 参考:https://yq.aliyun.com/articles/690717
5.若希望使用公钥从本地win7系统登录到远程linux服务器,该如何在win7本地生成密钥对呢?
方法一:可以直接从一台linux系统拷贝其私钥到本地(注意:此系统必须已将公钥给过你的服务器)
[root@hadoop ~]# sz ~/.ssh/id_rsa #sz命令可以将文件下载到本地
方法二:可以通过打开XShell-->工具-->新建用户密钥生成向导-->...-->...步骤实现
6.假如Linux下光标消失,不要急:
echo -e "�33[?25l" #隐藏光标 echo -e "�33[?25h" #显示光标