1、总结ssh常用参数、用法
ssh命令是ssh客户端,用于对远程系统进行经过身份验证的加密访问。客户端的全局配置文件是 /etc/ssh/ssh_config,用户级配置文件是 ~/.ssh/config(优先级高于全局配置,适合按主机保存端口、用户名、密钥等选项)。
ssh命令配合的常见选项:
-p port:远程服务器监听的端口
ssh 192.168.1.8 -p 2222
-b 指定连接的源IP
ssh 192.168.1.8 -p 2222 -b 192.168.1.88
-v 调试模式
ssh 192.168.1.8 -p 2222 -v
-C 启用压缩(对低带宽链路有用;在局域网内通常反而会拖慢传输)
-X 启用X11转发,可把远程linux主机上的图形程序显示到当前设备。
注意:X11转发会让远程主机访问本地的X服务器,只对可信的远程主机开启;同时需要sshd端配置 X11Forwarding yes。
-t 强制分配伪tty,常用于多级跳转,如:ssh -t remoteserver1 ssh -t remoteserver2 ssh remoteserver3
(OpenSSH 7.3 及以上可改用 -J jumphost 实现跳板机,中间主机接触不到最终会话的密钥和流量,更安全。)
-o option 以配置文件的写法指定选项,如:-o StrictHostKeyChecking=no
注意:StrictHostKeyChecking=no 会跳过主机密钥校验,中间人攻击将无法被发现,只应在一次性的测试环境中使用;日常应保留默认值 ask,或使用 accept-new(OpenSSH 7.6+,首次连接的新主机自动记录,主机密钥发生变化时仍会拒绝连接)。
-i <file> 指定私钥文件路径,实现基于key的验证。不指定时默认依次尝试 ~/.ssh/id_rsa、~/.ssh/id_ecdsa、~/.ssh/id_ed25519 等(id_dsa 在新版OpenSSH中已默认禁用,不要再生成DSA密钥)。私钥文件权限必须是600,权限过宽时ssh会拒绝使用该私钥。
2、总结sshd服务常用参数。
服务器端的配置文件: /etc/ssh/sshd_config
常用参数:
Port #端口号
ListenAddress ip #只在指定地址上监听,多网卡主机建议只绑定管理网地址
LoginGraceTime 2m #登录宽限期:超过此时间仍未完成认证则断开连接
PermitRootLogin yes #是否允许root直接登录。ubuntu默认不允许root远程ssh登录;生产环境建议设为 no,或设为 prohibit-password(只允许root用密钥登录)
StrictModes yes #检查用户家目录和 .ssh/ 下文件的所有者、权限等;权限过宽时会静默拒绝密钥登录,这是密钥登录失败的常见原因
MaxAuthTries 6 #每个连接允许的最大认证尝试次数;失败次数达到该值的一半后,后续失败会被记录到日志
MaxSessions 10 #同一个连接最大会话
PubkeyAuthentication yes #基于key验证
PermitEmptyPasswords no #空密码连接
PasswordAuthentication yes #是否允许基于用户名和密码登录。部署好密钥登录并验证可用后建议改为 no,以防止口令暴力猜解
GatewayPorts no #是否允许远程端口转发(ssh -R)绑定到非回环地址;保持 no,否则转发出来的端口会暴露给其他主机
ClientAliveInterval 10 #单位:秒,客户端无响应时每10秒发一次存活探测
ClientAliveCountMax 3 #默认3;连续3次探测无响应即断开连接,即约30秒
UseDNS yes #是否对客户端IP做反向解析并校验;改为no可加快登录,但此后 authorized_keys 的 from= 和 Match Host 中只能用IP,不能用主机名
GSSAPIAuthentication yes #不使用Kerberos时可改为no,避免登录时的GSSAPI协商延迟
MaxStartups 10:30:100 #未完成认证的并发连接上限;默认 10:30:100,即超过10个后以30%的概率随机拒绝新连接,达到100个时全部拒绝
Banner /path/file #认证前向客户端显示的提示信息文件
以下参数可以限制允许登录的用户和组(按 DenyUsers、AllowUsers、DenyGroups、AllowGroups 的顺序生效):
AllowUsers user1 user2 user3
DenyUsers
AllowGroups
(科学上网的方法不要往博客写,访问量超过一万,博客会被封。)
3、PAM和google模块实现ssh双因子安全验证。
4、使用chrony实现内网时间同步(一台node1从外网同步时间,其余机器从node1同步时间)。
node1:10.0.0.7 node2:10.0.0.8
node1:
安装chrony
yum install chrony -y
修改chrony.conf:把上游时间服务器改为 ntp.aliyun.com,并用 allow 只放行 10.0.0.0/24 网段的主机来同步(不要写成 allow all,否则会向任何能访问到 UDP 123 的主机提供服务)。
[root@node1 ~]# cat /etc/chrony.conf
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
server ntp.aliyun.com iburst
......
# Allow NTP client access from local network.
allow 10.0.0.0/24
# Serve time even if not synchronized to a time source.
local stratum 10
重启服务
systemctl restart chronyd
[root@node1 ~]# chronyc sources -v
210 Number of sources = 1
.-- Source mode '^' = server, '=' = peer, '#' = local clock.
/ .- Source state '*' = current synced, '+' = combined , '-' = not combined,
| / '?' = unreachable, 'x' = time may be in error, '~' = time too variable.
|| .- xxxx [ yyyy ] +/- zzzz
|| Reachability register (octal) -. | xxxx = adjusted offset,
|| Log2(Polling interval) --. | | yyyy = measured offset,
|| \ | | zzzz = estimated error.
|| | | \
MS Name/IP address Stratum Poll Reach LastRx Last sample
===============================================================================
^* 203.107.6.88 2 6 377 55 -243us[ -531us] +/- 22ms
node2
安装chrony
[root@node2 ~]# dnf install chrony -y
修改chrony.conf:注释掉原有的 pool/server 行,只保留指向 node1 的这一行(单台服务器用 server 指令即可,pool 是给能解析出多个地址的域名用的)
pool 10.0.0.7 iburst
[root@node2 ~]# chronyc sources -v
210 Number of sources = 1
.-- Source mode '^' = server, '=' = peer, '#' = local clock.
/ .- Source state '*' = current synced, '+' = combined , '-' = not combined,
| / '?' = unreachable, 'x' = time may be in error, '~' = time too variable.
|| .- xxxx [ yyyy ] +/- zzzz
|| Reachability register (octal) -. | xxxx = adjusted offset,
|| Log2(Polling interval) --. | | yyyy = measured offset,
|| \ | | zzzz = estimated error.
|| | | \
MS Name/IP address Stratum Poll Reach LastRx Last sample
===============================================================================
^* 10.0.0.7 3 6 17 12 -2982ns[ -38us] +/- 134ms
5、利用cobbler实现系统自动化安装。
环境准备
两台主机
一台主机:CentOS 7 充当 Cobbler,http,dhcp,tftp 服务器,并关闭防火墙和SELinux(只适合隔离的实验环境;正式环境应保留SELinux,并只放行 67/udp、69/udp、80/tcp 等PXE装机所需端口)
一台主机:充当测试机,用于实现自动化安装Linux系统
安装相关包并启动服务
[root@centos7 ~]#yum install cobbler dhcp -y
[root@centos7 ~]#systemctl enable --now cobblerd httpd tftp dhcpd
** 修改cobbler相关的配置 **
[root@localhost ~]#cobbler check
The following are potential configuration items that you may want to fix:
1 : The 'server' field in /etc/cobbler/settings must be set to something other than localhost, or kickstarting features will not work. This should be a resolvable hostname or IP for the boot server as reachable by all machines that will use it.
2 : For PXE to be functional, the 'next_server' field in /etc/cobbler/settings must be set to something other than 127.0.0.1, and should match the IP of the boot server on the PXE network.
3 : change 'disable' to 'no' in /etc/xinetd.d/tftp
4 : Some network boot-loaders are missing from /var/lib/cobbler/loaders, you may run 'cobbler get-loaders' to download them, or, if you only want to handle x86/x86_64 netbooting, you may ensure that you have installed a *recent* version of the syslinux package installed and can ignore this message entirely. Files in this directory, should you want to support all architectures, should include pxelinux.0, menu.c32, elilo.efi, and yaboot. The 'cobbler get-loaders' command is the easiest way to resolve these requirements.
5 : enable and start rsyncd.service with systemctl
6 : debmirror package is not installed, it will be required to manage debian deployments and repositories
7 : ksvalidator was not found, install pykickstart
8 : The default password used by the sample templates for newly installed machines (default_password_crypted in /etc/cobbler/settings) is still set to 'cobbler' and should be changed, try: "openssl passwd -1 -salt 'random-phrase-here' 'your-password-here'" to generate new one
9 : fencing tools were not found, and are required to use the (optional) power management features. install cman or fence-agents to use them
Restart cobblerd and then run 'cobbler sync' to apply changes.
#提示8:样例模板里的默认root密码是 cobbler,凡是用默认kickstart模板装出来的机器都是这个密码,必须修改 default_password_crypted。生成哈希时优先用 SHA-512 而不是提示中的 -1(MD5),例如:python -c 'import crypt; print(crypt.crypt("密码", "$6$随机盐"))'(CentOS 7 自带的 openssl 1.0.2 不支持 openssl passwd -6)
#根据以上提示,只需处理 1、2、8 三项;其中 1、2 对应下面的 server/next_server,8 对应 default_password_crypted(下面未列出,不要漏掉),再加上 manage_dhcp
[root@centos7 ~]#vim /etc/cobbler/settings
next_server:< tftp服务器的 IP 地址>
server:<cobbler服务器的 IP 地址>
manage_dhcp:1 #设置为1,表示通过cobbler生成dhcpd.conf配置文件
[root@centos7 ~]#systemctl restart cobblerd
实现dhcp服务
#修改dhcp模板文件中的以下几行(cobbler sync 会据此生成 /etc/dhcp/dhcpd.conf,直接改 dhcpd.conf 会在下次 sync 时被覆盖)。注意:该网段内不能有另一台DHCP服务器,否则两台会互相抢答;地址池只需覆盖用来装机的机器
#vi /etc/cobbler/dhcp.template
subnet 10.0.0.0 netmask 255.255.255.0 {
option routers 10.0.0.2;
option domain-name-servers 114.114.114.114;
option subnet-mask 255.255.255.0;
range dynamic-bootp 10.0.0.200 10.0.0.250;
[root@localhost ~]#cobbler sync
task started: 2021-08-16_123044_sync
task started (id=Sync, time=Mon Aug 16 12:30:44 2021)
running pre-sync triggers
cleaning trees
removing: /var/lib/tftpboot/grub/images
copying bootloaders
trying hardlink /usr/share/syslinux/pxelinux.0 -> /var/lib/tftpboot/pxelinux.0
trying hardlink /usr/share/syslinux/menu.c32 -> /var/lib/tftpboot/menu.c32
trying hardlink /usr/share/syslinux/memdisk -> /var/lib/tftpboot/memdisk
copying distros to tftpboot
copying images
generating PXE configuration files
generating PXE menu structure
rendering DHCP files
generating /etc/dhcp/dhcpd.conf
rendering TFTPD files
generating /etc/xinetd.d/tftp
cleaning link caches
running post-sync triggers
running python triggers from /var/lib/cobbler/triggers/sync/post/*
running python trigger cobbler.modules.sync_post_restart_services
running: dhcpd -t -q
received on stdout:
received on stderr:
running: service dhcpd restart
received on stdout:
received on stderr: Redirecting to /bin/systemctl restart dhcpd.service
running shell triggers from /var/lib/cobbler/triggers/sync/post/*
running python triggers from /var/lib/cobbler/triggers/change/*
running python trigger cobbler.modules.manage_genders
running python trigger cobbler.modules.scm_track
running shell triggers from /var/lib/cobbler/triggers/change/*
*** TASK COMPLETE ***
[root@localhost ~]#systemctl start dhcpd
下载启动的相关文件
#cobbler get-loaders
[root@localhost ~]#ll /var/lib/cobbler/loaders
total 0
-rw-r--r-- 1 root root 0 Aug 16 12:33 COPYING.elilo
-rw-r--r-- 1 root root 0 Aug 16 12:36 COPYING.syslinux
-rw-r--r-- 1 root root 0 Aug 16 12:35 COPYING.yaboot
-rw-r--r-- 1 root root 0 Aug 16 12:36 elilo-ia64.efi
-rw-r--r-- 1 root root 0 Aug 16 12:40 grub-x86_64.efi
-rw-r--r-- 1 root root 0 Aug 16 12:40 grub-x86.efi
-rw-r--r-- 1 root root 0 Aug 16 12:39 menu.c32
-rw-r--r-- 1 root root 0 Aug 16 12:39 pxelinux.0
-rw-r--r-- 1 root root 0 Aug 16 12:32 README
-rw-r--r-- 1 root root 0 Aug 16 12:37 yaboot
[root@localhost loaders]#tree /var/lib/tftpboot/
/var/lib/tftpboot/
├── boot
│ └── grub
│ └── menu.lst
├── etc
├── grub
│ ├── efidefault
│ ├── grub-x86_64.efi
│ ├── grub-x86.efi
│ └── images -> ../images
├── images
├── images2
├── memdisk
├── menu.c32
├── ppc
├── pxelinux.0
├── pxelinux.cfg
│ └── default
├── s390x
│ └── profile_list
└── yaboot
10 directories, 10 files
修改菜单的标题信息
[root@localhost loaders]#vim /etc/cobbler/pxe/pxedefault.template
DEFAULT menu
PROMPT 0
MENU TITLE Cobbler | http://www.magedu.com/
#cobbler sync
导入CentOS系统的安装文件,生成相应的YUM源
[root@localhost misc]#mount /dev/sr0 /mnt
mount: /dev/sr0 is write-protected, mounting read-only
[root@localhost misc]#df -h
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/centos-root 100G 1.4G 99G 2% /
devtmpfs 475M 0 475M 0% /dev
tmpfs 487M 0 487M 0% /dev/shm
tmpfs 487M 7.8M 479M 2% /run
tmpfs 487M 0 487M 0% /sys/fs/cgroup
/dev/mapper/centos-data 50G 33M 50G 1% /data
/dev/sda1 1014M 146M 869M 15% /boot
tmpfs 98M 0 98M 0% /run/user/0
/dev/sr0 4.3G 4.3G 0 100% /mnt
#cobbler import --name=centos-7.6-x86_64 --path=/mnt --arch=x86_64
准备 kickstart文件,并关联至指定的YUM源
root@localhost kickstarts]#cat /var/lib/cobbler/kickstarts/centos7.cfg
# Kickstart for the CentOS-7.6_test profile. Cobbler hands this file to the
# installer over HTTP, so presumably any host that can PXE-boot on this network
# can fetch it -- treat everything in it (passwords included) as public.
ignoredisk --only-use=sda
zerombr
text
reboot
# Destroys every existing partition on sda with no confirmation.
clearpart --all --initlabel
# NOTE(review): lab-only settings -- SELinux and firewalld are both left off on
# the installed system. Use selinux --enforcing / firewall --enabled --ssh
# before this profile is used for anything beyond a throwaway test VM.
selinux --disabled
firewall --disabled
url --url=$tree #this line is required: it points the installer at the repo cobbler generated on import
keyboard --vckeymap=us --xlayouts='us'
lang en_US.UTF-8
network --bootproto=dhcp --device=ens160 --ipv6=auto --activate
network --hostname=centos7-test
# NOTE(review): plaintext root password, readable by anyone who can fetch this
# kickstart. Prefer a hash: rootpw --iscrypted <sha512-crypt hash>
rootpw "Centos"
firstboot --enable
skipx
# chronyd is disabled at install time; re-enable it if the host is meant to
# sync from node1 as in section 4.
services --disabled="chronyd"
timezone Asia/Shanghai --isUtc --nontp
part / --fstype="xfs" --ondisk=sda --size=102400
part /data --fstype="xfs" --ondisk=sda --size=51200
part swap --fstype="swap" --ondisk=sda --size=2048
part /boot --fstype="ext4" --ondisk=sda --size=1024
%packages
@^minimal-environment
kexec-tools
%end
%addon com_redhat_kdump --enable --reserve-mb='auto'
%end
# Password policy below is deliberately relaxed (6 chars, quality 1, not
# strict); tighten it for real deployments.
%anaconda
pwpolicy root --minlen=6 --minquality=1 --notstrict --nochanges --notempty
pwpolicy user --minlen=6 --minquality=1 --notstrict --nochanges --emptyok
pwpolicy luks --minlen=6 --minquality=1 --notstrict --nochanges --notempty
%end
#把kickstart文件关联到导入的distro(YUM源)并生成菜单项。注意 --distro 的名字必须和 cobbler import --name 完全一致(区分大小写):上面导入时用的是 centos-7.6-x86_64,可先用 cobbler distro list 确认
#cobbler profile add --name=CentOS-7.6_test --distro=CentOS-7.6-x86_64 --kickstart=/var/lib/cobbler/kickstarts/centos7.cfg
#删除 import 时自动生成的同名默认profile(它使用样例kickstart和默认的 cobbler 密码,不应留在菜单里)
#cobbler profile remove --name=centos-7.6-x86_64
[root@localhost kickstarts]#cobbler profile list
CentOS-7.6_test
测试客户端基于Cobbler实现自动安装