
全双机互信脚本


hina 2025年10月11日 148
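#!/bin/bash
# The shebang and the strict-mode options must be on separate lines. On one
# line, the kernel hands "set -euo pipefail" to bash as a single argument, and
# when the file is run as `bash script.sh` the whole line is only a comment,
# so strict mode would never be enabled.
set -euo pipefail

############################################
# Configuration
#
# nodes    - hosts that will trust each other over SSH.
# user     - remote login account (the functions below use /root/.ssh paths).
# password - login password, used only until key-based trust is in place.
#
# NOTE(review): with a real password filled in, this file is a credential.
# Keep it readable by its owner only (chmod 600), keep it out of version
# control, and blank the value once the trust setup has finished.
nodes=("192.168.120.15" "192.168.120.16" "192.168.120.17" "192.168.120.18")
user="root"
password="你的密码"
############################################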

# Print a progress message on stdout, prefixed with ">>> ".
# Arguments: all arguments are joined with spaces; backslash escapes in the
#            text are interpreted (echo -e).
log() {
  local msg="$*"
  echo -e ">>> ${msg}"
}
# Print an error message on stderr, prefixed with "✗ ", then exit the script
# with status 1.
# Arguments: all arguments are joined with spaces; backslash escapes in the
#            text are interpreted (echo -e).
err() {
  local msg="✗ $*"
  echo -e "${msg}" >&2
  exit 1
}

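# Report whether a command is available on PATH.
# Arguments: $1 - command name to look up
# Returns:   0 if the command is found, 1 otherwise
#
# The one-line form lacked a terminator before the closing brace, so "}" was
# parsed as an argument of `return` and the function body never closed.
require_cmd() {
  command -v "$1" >/dev/null 2>&1 || return 1
}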

# Make sure sshpass is installed on the local machine.
# If it is missing, try to enable EPEL (a failure there is only logged) and
# then install sshpass with yum; a failed sshpass install aborts through err.
install_sshpass_local() {
  if ! require_cmd sshpass; then
    log "[本机] 未检测到 sshpass,尝试安装..."
    # epel-release is best-effort: it may already be present or unreachable.
    yum install -y epel-release >/dev/null 2>&1 \
      || log "[本机] 安装 epel-release 失败(可能已安装或无网络),继续尝试安装 sshpass..."
    if ! yum install -y sshpass; then
      err "[本机] 安装 sshpass 失败,请检查 yum 源/网络"
    fi
    log "[本机] sshpass 安装完成"
  else
    log "[本机] 已检测到 sshpass"
  fi
}

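# Install sshpass on a remote node (best effort; remote failures are ignored).
# Globals:   user, password (read)
# Arguments: $1 - remote host
# Returns:   exit status of the sshpass/ssh invocation
remote_yum_install_sshpass() {
  local host="$1"
  log "[$host] 安装 sshpass(若已安装会跳过)..."
  # The password goes through the SSHPASS environment variable (sshpass -e)
  # rather than -p, so it does not appear on the command line where any local
  # user can read it from the process list.
  # NOTE(review): StrictHostKeyChecking=no skips host-key verification, so the
  # password is sent to whichever machine answers at this address. Populating
  # known_hosts beforehand removes that exposure; "accept-new" needs a newer
  # OpenSSH than some yum-based systems ship, so confirm before switching.
  SSHPASS="$password" sshpass -e ssh -o StrictHostKeyChecking=no "${user}@${host}" \
    "yum install -y epel-release >/dev/null 2>&1 || true; yum install -y sshpass >/dev/null 2>&1 || true"
}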

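# Ensure the remote account has an RSA key pair at ~/.ssh/id_rsa, creating one
# if either half is missing or empty, and fix the permissions on both files.
# Globals:   user, password (read)
# Arguments: $1 - remote host
# Returns:   exit status of the sshpass/ssh invocation
remote_generate_key_if_needed() {
  local host="$1"
  log "[$host] 检查/生成 SSH 密钥..."
  # Password is passed through the environment (sshpass -e), not argv, so it
  # is not visible in the local process list.
  # NOTE(review): the key is created with an empty passphrase (-N ""), which
  # unattended trust needs, but it means anyone who can read id_rsa on one
  # node can log in to every node that receives the merged authorized_keys.
  # NOTE(review): StrictHostKeyChecking=no means the remote host's identity
  # is not verified before the password is sent.
  SSHPASS="$password" sshpass -e ssh -o StrictHostKeyChecking=no "${user}@${host}" '
    mkdir -p ~/.ssh && chmod 700 ~/.ssh
    if [ ! -s ~/.ssh/id_rsa ] || [ ! -s ~/.ssh/id_rsa.pub ]; then
      ssh-keygen -t rsa -N "" -f ~/.ssh/id_rsa >/dev/null
    fi
    chmod 600 ~/.ssh/id_rsa
    chmod 644 ~/.ssh/id_rsa.pub
  '
}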

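# Fetch every node's public key and merge them into one de-duplicated
# authorized_keys file under /tmp/all_keys.
# Globals:   nodes, user, password (read)
# Outputs:   /tmp/all_keys/id_rsa_<host>.pub and /tmp/all_keys/authorized_keys
# Returns:   0 on success; aborts through err if staging or a fetch fails
collect_all_pubkeys() {
  local keys_dir="/tmp/all_keys"
  local merged="${keys_dir}/authorized_keys"
  local host pub

  # /tmp is world-writable and this name is predictable. With `mkdir -p`, a
  # directory or symlink planted here by another local user would be reused,
  # and that user could add a key to the file later installed for root on
  # every node. Start from a directory this run creates itself: drop whatever
  # is there, then create it without -p so a path re-created in between makes
  # mkdir fail instead of being adopted.
  rm -rf -- "$keys_dir"
  mkdir -m 700 -- "$keys_dir" || err "无法安全创建 ${keys_dir},请检查该路径"

  : > "$merged"
  for host in "${nodes[@]}"; do
    log "从 [$host] 获取公钥..."
    pub="${keys_dir}/id_rsa_${host}.pub"
    # Password via SSHPASS (sshpass -e) keeps it off the command line.
    # NOTE(review): StrictHostKeyChecking=no means the key is accepted from
    # whichever machine answers at this address.
    SSHPASS="$password" sshpass -e scp -o StrictHostKeyChecking=no \
      "${user}@${host}:/root/.ssh/id_rsa.pub" "$pub" \
      || err "[$host] 获取公钥失败"
    cat -- "$pub" >> "$merged"
  done
  # De-duplicate so that re-runs do not accumulate repeated lines.
  sort -u "$merged" -o "$merged"
}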

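# Copy the merged authorized_keys file to every node and set its mode to 600.
# Globals:   nodes, user, password (read)
# Returns:   0 on success; aborts through err on a failed check or transfer
#
# NOTE(review): the copy replaces /root/.ssh/authorized_keys on each node, so
# any key that was authorized there before this run is removed.
distribute_authorized_keys() {
  local keys_dir="/tmp/all_keys"
  local merged="${keys_dir}/authorized_keys"
  local host

  # This file becomes root's authorized_keys on every node, and it is staged
  # under a predictable name in /tmp. Refuse to push it unless the directory
  # and the file are real (not symlinks), owned by the current user, and the
  # file is non-empty.
  if [ -L "$keys_dir" ] || [ ! -O "$keys_dir" ] \
    || [ -L "$merged" ] || [ ! -O "$merged" ] || [ ! -s "$merged" ]; then
    err "${merged} 不可信(非当前用户所有、为符号链接或为空),拒绝分发"
  fi

  for host in "${nodes[@]}"; do
    log "向 [$host] 分发 authorized_keys..."
    # Password via SSHPASS (sshpass -e) keeps it off the command line.
    # NOTE(review): StrictHostKeyChecking=no means the remote host's identity
    # is not verified before the password is sent.
    SSHPASS="$password" sshpass -e scp -o StrictHostKeyChecking=no "$merged" \
      "${user}@${host}:/root/.ssh/authorized_keys" \
      || err "[$host] 分发 authorized_keys 失败"
    SSHPASS="$password" sshpass -e ssh -o StrictHostKeyChecking=no "${user}@${host}" '
      chmod 600 ~/.ssh/authorized_keys
    ' || err "[$host] 设置 authorized_keys 权限失败"
  done
}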

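# Spot check: log in to the first node and, from there, run `hostname` on each
# of the other nodes without a password.
# Globals:   nodes, user, password (read)
# Returns:   0 if every hop succeeds; aborts through err on the first failure
quick_verify() {
  local src="${nodes[0]}"
  local dst
  log "[验证] 在 $src 上测试免密到其它节点..."
  for dst in "${nodes[@]}"; do
    # Skip the source node itself.
    if [ "$dst" = "$src" ]; then
      continue
    fi
    # The outer login still uses the password, passed through SSHPASS
    # (sshpass -e) so it stays off the command line. The inner ssh runs with
    # BatchMode=yes, so it fails instead of prompting if key auth is not working.
    # NOTE(review): both hops use StrictHostKeyChecking=no, so neither one
    # verifies the identity of the host it connects to.
    SSHPASS="$password" sshpass -e ssh -o StrictHostKeyChecking=no "${user}@${src}" \
      "ssh -o BatchMode=yes -o StrictHostKeyChecking=no $user@$dst 'hostname'" \
      >/dev/null 2>&1 || err "[验证失败] $src -> $dst 仍需密码,请检查 $dst 的 sshd 或防火墙/安全组"
  done
  log "✅ 抽样验证通过:$src 可以免密到其它节点"
  log "📌 如需全矩阵验证,可任意节点执行:for h in ${nodes[*]}; do ssh \$h hostname; done"
}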

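# Entry point: install sshpass locally, check that port 22 is reachable on
# every node, prepare each node (sshpass plus key pair), merge and distribute
# the public keys, then run a spot check.
# Globals:   nodes (read)
main() {
  local host

  install_sshpass_local

  # Quick reachability check (optional).
  for host in "${nodes[@]}"; do
    log "检查与 [$host] 的 22 端口连通性..."
    # The host is passed as a positional parameter instead of being spliced
    # into the `bash -c` code string, so a value in nodes is never parsed as
    # shell syntax.
    if ! timeout 2 bash -c '</dev/tcp/"$1"/22' _ "$host" 2>/dev/null; then
      err "无法连通 $host:22,请检查网络/防火墙/安全组"
    fi
  done

  # Remote preparation.
  for host in "${nodes[@]}"; do
    remote_yum_install_sshpass "$host"
    remote_generate_key_if_needed "$host"
  done

  collect_all_pubkeys
  distribute_authorized_keys
  quick_verify

  log "🎉 全互信配置完成!"
}

main "$@"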

