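We usually work with Linux by installing an SSH client on Windows and connecting to the machine. How do you connect from one Linux machine to another? Just use the ssh command, because every Linux machine has its own SSH client. With Python's paramiko module we can implement an SSH client ourselves: a Python script logs in to a remote machine and performs operations on it.
Why implement an SSH client in Python? The main use is batch management. Logging in to 1 Linux machine with the ssh command is fine, but what if 1000 machines have to run a command at the same time? You could write a for loop in a shell script, and we can do the same thing in Python.
The paramiko module: SSH-based, used to connect to remote servers and perform operations on them.
First, install the paramiko module.
Basic command: pip install paramiko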
Hands-on: installing paramiko on Windows 7

C:\Users\Administrator>pip install paramiko    # fails because Python 2 and Python 3 are both installed on my PC
Fatal error in launcher: Unable to create process using '"'
C:\Users\Administrator>python3 -m pip install paramiko    # installing with this command works
...
Successfully installed asn1crypto-0.24. bcrypt-3.1. cffi-1.12. cryptography-
.6.1 paramiko-2.4. pyasn1-0.4. pycparser-2.19 pynacl-1.3. six-1.12.
C:\Users\Administrator>python3    # verify that the installation succeeded
Python 3.6. (v3.6.5:f59c0932b4, Mar , ::) [MSC v. bit (AMD6
)] on win32
Type "help", "copyright", "credits" or "license" for more information.
>>> import paramiko    # no error means the installation succeeded
>>>

PS: Installing paramiko with the command above looks simple, but when I first tried an offline install by following blog posts I ran into all kinds of errors and wasted a whole day. Sigh, it brings tears just talking about it...
Hands-on: installing paramiko on CentOS 7

[root@hadoop ~]# cd /usr/local/python3/bin/
[root@hadoop bin]# pip3 install paramiko    # installing directly fails, so follow the steps below
pip._vendor.requests.packages.urllib3.exceptions.ReadTimeoutError: HTTPSConnectionPool(host='files.pythonhosted.org', port=): Read timed out.

1. Install the components
[root@hadoop ~]# yum install openssl openssl-devel python-dev pycrypto -y
[root@hadoop ~]# yum install zlib-devel zlib    # required; without it you get errors
[root@hadoop ~]# cd /usr/local/python3/
[root@hadoop python3]# ./configure    # after installing zlib-devel, python3.5 has to be recompiled and reinstalled
[root@hadoop python3]# make && make install

2. Install setuptools:
[root@hadoop python3]# cd bin
[root@hadoop bin]# pip3 install setuptools    # apparently already installed along with python3.6
Requirement already satisfied: setuptools in /usr/local/python3/lib/python3./site-packages

3. Install paramiko
[root@hadoop bin]# pip3 install paramiko    # installs without errors
Successfully installed asn1crypto-0.24. bcrypt-3.1. cffi-1.12. cryptography-2.6. paramiko-2.4. pyasn1-0.4. pycparser-2.19 pynacl-1.3. six-1.12.
[root@hadoop bin]# python3    # verify that the installation succeeded
Python 3.6. (default, Sep , ::)
[GCC 4.8. (Red Hat 4.8.-)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import paramiko    # no error means the installation succeeded
>>>

Reference: https://www.cnblogs.com/chimeiwangliang/p/7193187.html
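SSHClient
Used to connect to a remote server and run basic commands.
Connecting with a username and password:

import paramiko

# Create the SSH object
ssh = paramiko.SSHClient()
# Allow connecting to hosts that are not in the known_hosts file; otherwise you may get the error:
# paramiko.ssh_exception.SSHException: Server '192.168.43.140' not found in known_hosts
# (AutoAddPolicy accepts whatever host key the server presents, without verifying it)
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
# Connect to the server
ssh.connect(hostname='192.168.43.140', port=22, username='root', password='123123')
# Run the command
# stdin: standard input (the command you type); stdout: standard output (the result of the command);
# stderr: standard error (errors raised while the command runs go here); only one of stdout and stderr will have output
stdin, stdout, stderr = ssh.exec_command('df')
# Get the command result
result = stdout.read().decode()
# This has a problem: errors are not shown. It could be changed to check first whether stdout has a value
# and, if there is no output, show the error instead
print(result)
# Close the connection
ssh.close()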
SSHClient wrapping Transport:

# Author: Zheng Na
import paramiko

transport = paramiko.Transport(('192.168.43.140', 22))
# With no hostkey argument, Transport.connect() does not check the server's host key
transport.connect(username='root', password='')

# Reuse the already authenticated transport inside an SSHClient
ssh = paramiko.SSHClient()
ssh._transport = transport

stdin, stdout, stderr = ssh.exec_command('df')
result = stdout.read().decode()
print(result)

transport.close()
Connecting with a public/private key pair:

import paramiko

# First specify where your private key is (ssh finds this location automatically; Python does not, so it must be given)
private_key = paramiko.RSAKey.from_private_key_file('id_rsa')
# Create the SSH object
ssh = paramiko.SSHClient()
# Allow connecting to hosts that are not in the known_hosts file
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
# Connect to the server
ssh.connect(hostname='192.168.43.140', port=22, username='root', pkey=private_key)
# Run the command
stdin, stdout, stderr = ssh.exec_command('df')
# Get the command result
result = stdout.read().decode()
print(result)
# Close the connection
ssh.close()
SSHClient wrapping Transport:

import paramiko

private_key = paramiko.RSAKey.from_private_key_file('id_rsa')

transport = paramiko.Transport(('192.168.43.140', 22))
transport.connect(username='root', pkey=private_key)

# Reuse the already authenticated transport inside an SSHClient
ssh = paramiko.SSHClient()
ssh._transport = transport

stdin, stdout, stderr = ssh.exec_command('df')
result = stdout.read().decode()
print(result)

transport.close()
Connecting with a private key string:

# Author: Zheng Na
import paramiko
from io import StringIO

# The key body is not reproduced here; only the PEM delimiters are shown
key_str = """-----BEGIN RSA PRIVATE KEY-----
(key body not shown)
-----END RSA PRIVATE KEY-----
"""

# Load the private key from the string instead of from a file
private_key = paramiko.RSAKey(file_obj=StringIO(key_str))
transport = paramiko.Transport(('192.168.43.140', 22))
transport.connect(username='root', pkey=private_key)

ssh = paramiko.SSHClient()
ssh._transport = transport

stdin, stdout, stderr = ssh.exec_command('df')
result = stdout.read().decode()
print(result)

transport.close()
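The snippets above trust unknown host keys through AutoAddPolicy and read only stdout. The following is an added example, not code from the original post: it connects only to servers already listed in known_hosts, returns the exit status together with stdout and stderr, and loops over several hosts for the batch use case from the introduction. The function names connect_strict, run_command and run_on_hosts are hypothetical; the host, user and key file in the demo are the values used on this page.

```python
def connect_strict(host, user, key_path, port=22):
    """Return an SSHClient that only talks to servers already in known_hosts."""
    import paramiko  # third-party; imported here so the helpers below run without it

    client = paramiko.SSHClient()
    client.load_system_host_keys()  # reads ~/.ssh/known_hosts
    # RejectPolicy raises SSHException for an unknown host key instead of trusting it
    client.set_missing_host_key_policy(paramiko.RejectPolicy())
    client.connect(hostname=host, port=port, username=user, key_filename=key_path,
                   allow_agent=False, look_for_keys=False, timeout=10)
    return client


def run_command(client, command):
    """Run one command and return (exit_status, stdout_text, stderr_text)."""
    _stdin, stdout, stderr = client.exec_command(command)
    # Reading one stream after the other is fine for short output such as df
    out = stdout.read().decode(errors="replace")
    err = stderr.read().decode(errors="replace")
    return stdout.channel.recv_exit_status(), out, err


def run_on_hosts(hosts, user, key_path, command, connect=connect_strict):
    """Run command on every host; a failing host is recorded, not fatal to the batch."""
    results = {}
    for host in hosts:
        client = None
        try:
            client = connect(host, user, key_path)
            results[host] = run_command(client, command)
        except Exception as exc:  # unknown host key, auth failure, timeout, ...
            results[host] = (None, "", f"{type(exc).__name__}: {exc}")
        finally:
            if client is not None:
                client.close()
    return results


if __name__ == "__main__":
    # Host, user and key file as used on this page; replace with your own
    for host, (status, out, err) in run_on_hosts(
            ["192.168.43.140"], "root", "id_rsa", "df").items():
        print(host, status, out if status == 0 else err)
```

A host whose key is missing from known_hosts shows up in the result with status None and the exception text, so it can be reviewed and added deliberately with ssh or ssh-keyscan.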
SFTPClient
Used to connect to a remote server and upload or download files (ssh itself can transfer files with the scp command, which is based on the sftp protocol).
Upload and download with a username and password:

import paramiko

transport = paramiko.Transport(('192.168.43.140', 22))
transport.connect(username='root', password='123123')

sftp = paramiko.SFTPClient.from_transport(transport)
# Upload location.txt to /tmp/f_win.txt on the server
sftp.put('location.txt', '/tmp/f_win.txt')
# Download /tmp/test.txt to the local file f_linux.txt
sftp.get('/tmp/test.txt', 'f_linux.txt')

transport.close()
Upload and download with a public/private key pair:

import paramiko

private_key = paramiko.RSAKey.from_private_key_file('id_rsa')

transport = paramiko.Transport(('192.168.43.140', 22))
transport.connect(username='root', pkey=private_key)

sftp = paramiko.SFTPClient.from_transport(transport)
# Upload location.txt to /tmp/f_win.txt on the server
sftp.put('location.txt', '/tmp/f_win.txt')
# Download /tmp/test.txt to the local file f_linux.txt
sftp.get('/tmp/test.txt', 'f_linux.txt')

transport.close()
Demo:

# Author: Zheng Na
import paramiko
import uuid


class Haproxy(object):
    def __init__(self):
        self.host = '192.168.43.140'
        self.port = 22
        self.username = 'root'
        self.pwd = ''
        self.__k = None

    def create_file(self):
        # Create a local file with a random name to upload
        file_name = str(uuid.uuid4())
        with open(file_name, 'w') as f:
            f.write('hello paramiko')
        return file_name

    def run(self):
        self.connect()
        self.upload()
        self.rename()
        self.close()

    def connect(self):
        # One Transport is shared by the SFTP upload and the SSH command
        transport = paramiko.Transport((self.host, self.port))
        transport.connect(username=self.username, password=self.pwd)
        self.__transport = transport

    def close(self):
        self.__transport.close()

    def upload(self):
        # Connect and upload
        file_name = self.create_file()
        sftp = paramiko.SFTPClient.from_transport(self.__transport)
        sftp.put(file_name, '/tmp/tttt.txt')

    def rename(self):
        ssh = paramiko.SSHClient()
        ssh._transport = self.__transport
        # Run the command
        stdin, stdout, stderr = ssh.exec_command('mv /tmp/tttt.txt /tmp/oooo.txt')
        # Get the command result
        result = stdout.read().decode()


ha = Haproxy()
ha.run()
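Supplement:
1. How connecting to a remote server with SSH keys works:
RSA: an asymmetric encryption algorithm, with a public key and a private key.
To connect to a server, first generate a key pair locally, then keep the private key on the local machine and copy the public key to the server.
For example: local (172.16.134.128, private key) --> remote server (172.16.134.129, public key)
Steps:
On the local machine:
[root@hadoop ~]# ssh-keygen    # generate the key pair
[root@hadoop ~]# ssh-copy-id root@172.16.134.129    # copy the public key to the remote server with this command
[root@hadoop ~]# ssh root@172.16.134.129    # log in to the remote server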
Local machine (172.16.134.128)
[root@hadoop ~]# ssh-keygen    # generate the key pair
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):    # press Enter to save the private key in the default file /root/.ssh/id_rsa
Enter passphrase (empty for no passphrase):    # press Enter
Enter same passphrase again:    # press Enter
Your identification has been saved in /root/.ssh/id_rsa.    # where the private key is saved
Your public key has been saved in /root/.ssh/id_rsa.pub.    # where the public key is saved
The key fingerprint is:
SHA256:Jo4+uE0HO78Hg4+F7Nm//TYx8igi7ddbFk+vkvBH6YI root@hadoop
The key's randomart image is:
+---[RSA ]----+
| |
| |
| |
| |
| ..o. S . .. |
| +=+o o o+o. |
| o=Boo . Bo*. .|
| .+*+= +.EoO o. |
| ..o++*ooo+.=. |
+----[SHA256]-----+
[root@hadoop ~]# more /root/.ssh/id_rsa    # view the private key; never copy the private key to anyone
-----BEGIN RSA PRIVATE KEY-----
(key body not shown)
-----END RSA PRIVATE KEY-----
[root@hadoop ~]# more /root/.ssh/id_rsa.pub    # view the public key
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCwT1e4U8jSsecufp0OmsNsCj4v2XnJi2GALYmxgAlMQJyGr2EV3Keq7NG94HLe3RSCJ0VIe9OZdiw4BkLWy/BYBNG2rnf99EJTgZ3kWRgIH/a/YabDsXFGX8TGY0kCUeHHllArmphElY6VvWE6H4F8Ykd
fyezpO43Ca/yGX0ekSWCirDXktzT01mnx4fByiso48rQgxyF3E9JBi8W9qsp003RJDwOEehrltmt7jq6tJ+cFmas3sA7F6Ck7uYY+QCoKsbYN6Jr0RwwuXi4fJtJvouGK54bfWo5KkGBHV/vWuxIwMy6ysvcxJkK08Bdi43rLEpJANtluuvweq1+tPBvl r
oot@hadoop
[root@hadoop ~]# ssh-copy-id root@172.16.134.129    # copy the public key to the remote server with this command
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@172.16.134.129's password:
Number of key(s) added:
Now try logging into the machine, with: "ssh 'root@172.16.134.129'"
and check to make sure that only the key(s) you wanted were added.
[root@hadoop ~]# ssh root@172.16.134.129    # logged in to the remote server successfully
Last login: Fri Mar :: from 172.16.134.128
[root@hadoop ~]# ip addr    # check the remote server's IP
: lo: <LOOPBACK,UP,LOWER_UP> mtu qdisc noqueue state UNKNOWN group default qlen
link/loopback ::::: brd :::::
inet 127.0.0.1/ scope host lo
valid_lft forever preferred_lft forever
inet6 ::/ scope host
valid_lft forever preferred_lft forever
: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu qdisc pfifo_fast state UP group default qlen
link/ether :0c::bd:: brd ff:ff:ff:ff:ff:ff
inet 172.16.134.129/ brd 172.16.134.255 scope global noprefixroute dynamic eth0
valid_lft 1339sec preferred_lft 1339sec
inet6 fe80::b46e:fbba:4f30:/ scope link noprefixroute
valid_lft forever preferred_lft forever
[root@hadoop ~]# exit    # log out
登出
Connection to 172.16.134.129 closed.
[root@hadoop ~]#
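Hands-on session (above)
Note that this kind of connection is one-way. If you want a user on the server to be able to log in to our local user without a password as well, you likewise have to generate a key pair under the server's user and copy its public key to our local user.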
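Besides using the command to copy the public key to the server, you can also log in to the remote server and copy it by hand.

Copying the public key by hand:
1. Copy the public key stored in /root/.ssh/id_rsa.pub.
2. Log in to the server 172.16.134. as the user.
3. Paste the public key into the file /root/.ssh/authorized_keys.
[root@hadoop ~]# vi /root/.ssh/authorized_keys
Notes:
(1) Where the public key goes on the server depends on the user. For example, to log in as the server's root user, copy it into the target file under root's directory.
(2) If this user has been logged in to before, the user's .ssh directory is created automatically by default; if not, it may have to be created by hand.
(3) If you open authorized_keys and see that it already contains a public key, that key probably belongs to someone else: anyone else who wants to log in to this server without a username and password also creates a key pair and puts the public key here.
(4) The public key is exactly 1 line. When it is copied it may wrap automatically and become 3 lines, and login then fails. You can paste the public key into a txt file first and check that it is a single line; if it is not, delete the line breaks by hand to make it one line. The better way is to copy it with the command.
4. For safety, check that the file's permissions allow only you to read and write it; if they do not, change the permissions.
[root@hadoop ~]# ll /root/.ssh/authorized_keys
-rw-r--r-- root root Mar : /root/.ssh/authorized_keys
[root@hadoop ~]# chmod 600 /root/.ssh/authorized_keys
[root@hadoop ~]# ll /root/.ssh/authorized_keys
-rw------- root root Mar : /root/.ssh/authorized_keys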
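Both failure modes from the notes above, a key that wrapped onto several lines and a file that is readable by others, can be checked mechanically. The following is an added example, not part of the original post; the function names and the sample key are constructed for illustration. It assumes entries of the form `type data comment`, optionally preceded by options that do not themselves contain a key-type word.

```python
import base64
import os
import stat

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-")
# Constructed (not real) ed25519 entry for trying the checker
_WIRE = b"".join(len(p).to_bytes(4, "big") + p for p in (b"ssh-ed25519", bytes(range(32))))
SAMPLE_LINE = "ssh-ed25519 " + base64.b64encode(_WIRE).decode() + " demo@constructed"


def parse_blob(blob):
    """Split public-key data into its length-prefixed fields (SSH wire format)."""
    fields, pos = [], 0
    while pos < len(blob):
        size = int.from_bytes(blob[pos:pos + 4], "big")
        pos += 4 + size
        if pos > len(blob):
            raise ValueError("field runs past the end of the key data")
        fields.append(blob[pos - size:pos])
    return fields


def check_key_line(line):
    """Return None for a complete one-line key entry, otherwise the reason it is bad."""
    words = line.split()
    idx = next((i for i, w in enumerate(words) if w.startswith(KEY_TYPES)), None)
    if idx is None or idx + 1 >= len(words):
        return "no key type followed by key data (fragment of a wrapped key?)"
    try:
        fields = parse_blob(base64.b64decode(words[idx + 1], validate=True))
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        return f"key data damaged or truncated: {exc}"
    if len(fields) < 2 or fields[0] != words[idx].encode():
        return "key type does not match key data"
    return None


def check_authorized_keys(path):
    """Return a list of problems: loose file mode, malformed or wrapped key lines."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:  # any group/other bit, e.g. 0644 instead of 0600
        problems.append(f"mode {mode:04o}: expected 0600")
    with open(path, encoding="utf-8", errors="replace") as fh:
        for number, line in enumerate(fh, 1):
            line = line.strip()
            if line and not line.startswith("#") and (reason := check_key_line(line)):
                problems.append(f"line {number}: {reason}")
    return problems
```

Calling check_authorized_keys('/root/.ssh/authorized_keys') on the server returns an empty list when the file is mode 600 and every entry is a complete single line.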
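What if logging in to the server fails?
When you try to log in to the remote server from the local machine
and the login fails, use debug mode (-v) to see what is happening:
[root@hadoop ~]# ssh root@172.16.134.129 -v
If the port is not 22, add the port number, for example:
[root@hadoop ~]# ssh root@172.16.134.129 -p52113
2. Why connect with a public key?
Connecting to a remote server with a username and password is not secure: once someone gets hold of your script and reads the username and password from it, they can connect to your server too.
3. When writing a Python script, do not name the file paramiko.py: the name clashes with the module name and causes problems when the script runs.
4. The first time you run a script after installing paramiko, you may see the warning CryptographyDeprecationWarning: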
D:\software\Python3.6.5\python3.exe D:/python-study/s14/Day09/paramiko_ssh_pwdlogin.py
D:\software\Python3.6.5\lib\site-packages\paramiko\kex_ecdh_nist.py:: CryptographyDeprecationWarning: encode_point has been deprecated on EllipticCurvePublicNumbers and will be removed in a future version. Please use EllipticCurvePublicKey.public_bytes to obtain both compressed and uncompressed point encoding.
m.add_string(self.Q_C.public_numbers().encode_point())
D:\software\Python3.6.5\lib\site-packages\paramiko\kex_ecdh_nist.py:: CryptographyDeprecationWarning: Support for unsafe construction of public numbers from encoded data will be removed in a future version. Please use EllipticCurvePublicKey.from_encoded_point
self.curve, Q_S_bytes
D:\software\Python3.6.5\lib\site-packages\paramiko\kex_ecdh_nist.py:: CryptographyDeprecationWarning: encode_point has been deprecated on EllipticCurvePublicNumbers and will be removed in a future version. Please use EllipticCurvePublicKey.public_bytes to obtain both compressed and uncompressed point encoding.
hm.add_string(self.Q_C.public_numbers().encode_point())
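Warning message (above)
Fix:
C:\Users\Administrator>python3 -m pip uninstall cryptography==2.5
C:\Users\Administrator>python3 -m pip install cryptography==2.4.
Reference: https://yq.aliyun.com/articles/690717
5. If you want to log in with a public key from a local Win7 system to a remote Linux server, how do you generate the key pair on Win7?
Method 1: Copy the private key from a Linux system to the local machine (note: that system must already have given its public key to your server)
[root@hadoop ~]# sz ~/.ssh/id_rsa    # the sz command downloads a file to the local machine
Method 2: In XShell, go through Tools --> New User Key Generation Wizard --> ... --> ...
6. If the cursor disappears under Linux, don't panic:
echo -e "\033[?25l"    # hide the cursor
echo -e "\033[?25h"    # show the cursor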