Week 15 Homework

1. Implement SSH two-factor authentication with PAM and the Google Authenticator module.

  1. On your phone, search the app store for "Authenticator" (身份验证器) and install a TOTP authenticator app.

  2. Edit /etc/pam.d/sshd and add the Google PAM module to the stack, so that sshd asks for the one-time code as well as the password.

Install the google-authenticator module (it lives in EPEL, hence the epel-release install first)

[root@centos8 ~]# yum -y install epel-release.noarch
[root@centos8 ~]# yum makecache
[root@centos8 ~]# yum install -y google-authenticator.x86_64

Initialize the verification for the user who will log in (root here; the settings are stored per user in ~/.google_authenticator). With the qrencode package (libqrencode) installed the tool draws the QR code in the terminal; without it, as below, it only prints a Google Charts URL, and the warning it prints is accurate: opening that URL in a browser hands the OTP secret to Google, so type the secret into the app by hand instead.

[root@centos8 ~]# google-authenticator

Do you want authentication tokens to be time-based (y/n) y
Warning: pasting the following URL into your browser exposes the OTP secret to Google:
  https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/root@centos8%3Fsecret%3DBZVPXXFINW5SMMSPBMVQMB5R54%26issuer%3Dcentos8
Failed to use libqrencode to show QR code visually for scanning.
Consider typing the OTP secret into your app manually.
Your new secret key is: BZVPXXFINW5SMMSPBMVQMB5R54
Enter code from app (-1 to skip): -1   # Normally you enter the code the authenticator app shows after scanning the QR code or typing in the secret above. For this test the step is skipped with -1; one of the emergency scratch codes printed below can then be used to log in once. Each scratch code is valid only once, and they are stored in clear in the secret file, so treat the file like a private key.
Code confirmation skipped
Your emergency scratch codes are:
  27273600
  44505367
  78109426
  65720380
  84362481

Do you want me to update your "/root/.google_authenticator" file? (y/n) y

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, a new token is generated every 30 seconds by the mobile app.
In order to compensate for possible time-skew between the client and the server,
we allow an extra token before and after the current time. This allows for a
time skew of up to 30 seconds between authentication server and client. If you
experience problems with poor time synchronization, you can increase the window
from its default size of 3 permitted codes (one previous code, the current
code, the next code) to 17 permitted codes (the 8 previous codes, the current
code, and the 8 next codes). This will permit for a time skew of up to 4 minutes
between client and server.
Do you want to do so? (y/n) y

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting? (y/n) y
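The three questions the tool asks (single use of each time step, a 3-code or 17-code window, 3 attempts per 30 s) decide how much an attacker who observes or guesses codes can do. The following is an added example, not code from the page or from the google-authenticator PAM module, that implements RFC 6238 TOTP verification with those three knobs modelled after the dialog. It uses the RFC 4226 test secret (base32 of "12345678901234567890") so the expected codes are the published test vectors; the secret printed by google-authenticator above can be substituted to compare against your phone. The class, field and function names are this example's own, and the module's real secret-file handling and locking are not reproduced.

```python
"""TOTP verification with the window / no-reuse / rate-limit knobs from the setup dialog.

Added example, not the google-authenticator module's code. Uses the RFC 4226/6238
test secret so that the expected codes are the published test vectors.
"""
import base64
import hashlib
import hmac
import struct

STEP = 30  # seconds per time step ("a new token is generated every 30 seconds")
# RFC 4226 test key "12345678901234567890" in base32 (constructed test input, not a real secret)
TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(secret_b32: str) -> bytes:
    """Base32-decode a secret as printed by google-authenticator (it omits '=' padding)."""
    s = secret_b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(decode_secret(secret_b32), struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % 10 ** digits:0{digits}d}"


def totp(secret_b32: str, now: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret_b32, now // step)


class TotpVerifier:
    """Server side of the check, with the three settings the dialog asks about.

    window       number of accepted time steps around the current one: 3 (the
                 default, +/-1 step = 30 s of skew) or 17 (+/-8 steps = 4 minutes).
    no_reuse     "disallow multiple uses": a time step at or below the last one
                 that succeeded is rejected even if the code itself is valid.
    max_attempts / rate_window   at most N attempts per rate_window seconds.
    """

    def __init__(self, secret_b32, window=3, no_reuse=True, max_attempts=3, rate_window=30, step=STEP):
        if window % 2 == 0:
            raise ValueError("window must be odd: the current step plus an equal number on each side")
        self.secret, self.half, self.no_reuse, self.step = secret_b32, window // 2, no_reuse, step
        self.max_attempts, self.rate_window = max_attempts, rate_window
        self.last_counter = None  # highest time step already used for a successful login
        self.attempts = []        # timestamps of recent attempts, for rate limiting

    def verify(self, code: str, now: int) -> bool:
        # Rate limiting first, so a brute force burns attempts even with wrong codes.
        self.attempts = [t for t in self.attempts if now - t < self.rate_window]
        if len(self.attempts) >= self.max_attempts:
            return False
        self.attempts.append(now)

        current = now // self.step
        for delta in range(-self.half, self.half + 1):
            counter = current + delta
            if counter < 0:
                continue
            if self.no_reuse and self.last_counter is not None and counter <= self.last_counter:
                continue  # replay of an already-used (or older) time step
            if hmac.compare_digest(hotp(self.secret, counter).encode(), code.encode()):
                self.last_counter = counter  # burn this step and everything before it
                return True
        return False


if __name__ == "__main__":
    v = TotpVerifier(TEST_SECRET_B32)
    print("code at t=59:", totp(TEST_SECRET_B32, 59))
    print("accepted:", v.verify("287082", 59), "replayed:", v.verify("287082", 61))
```

The replay rule is why the dialog says "one login about every 30s": after a successful login the current step is burnt, so the same code cannot be reused by someone who shoulder-surfed it. The wider 17-code window trades 4 minutes of clock skew for 17 valid codes at any instant, which is why rate limiting matters more when it is enabled.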



Modify the SSH login configuration and restart the service

Do this from a session you keep open and test the new login from a second terminal before closing it: a mistake in the PAM stack locks everyone out of SSH.

#In /etc/pam.d/sshd, add (or edit to match) the following line and save:
#auth required pam_google_authenticator.so
#The sed below inserts it after line 1 (the #%PAM-1.0 header), i.e. ahead of "auth substack password-auth",
#so sshd asks for the one-time code before the password.
[root@centos8 ~]# sed -i '1a\auth required pam_google_authenticator.so' /etc/pam.d/sshd
#In /etc/ssh/sshd_config find the line
#ChallengeResponseAuthentication no
#and change it to
#ChallengeResponseAuthentication yes
#(this enables keyboard-interactive authentication, which is how sshd runs the PAM conversation)
[root@centos8 ~]# sed -i 's/.*ChallengeResponseAuthentication.*/ChallengeResponseAuthentication yes/' /etc/ssh/sshd_config
#Restart the SSH service (established sessions survive the restart)
[root@centos8 ~]# systemctl restart sshd

Two caveats. With "required", an account that has not yet run google-authenticator cannot log in at all; during rollout add "nullok" to the PAM line (auth required pam_google_authenticator.so nullok) so such accounts fall back to password only, and remove it once everyone is enrolled. The setup above pairs the code with the password; to require an SSH key plus the code instead, set "AuthenticationMethods publickey,keyboard-interactive" in sshd_config.

Verify the login. Because the module line sits at the top of the PAM stack, sshd prompts for the verification code first and the password second:

[root@1288-9 ~]# ssh 192.168.1.8
Verification code:
Password:
Last login: Wed Jul 14 09:44:57 2021 from 192.168.1.1
[root@centos8 ~]#

2. Use chrony for intranet time synchronization (one node, node1, syncs from the Internet; every other machine syncs from node1).

1. Install the chrony package

yum -y install chrony

2. Edit the configuration file /etc/chrony.conf

On node1 (IP 192.168.122.18):
server s1b.time.edu.cn iburst
allow 192.168.0.0/16
Leave the other options at their defaults. Two additions are worth making on node1: `local stratum 10` lets it keep serving the clients (at a deliberately low stratum) if the upstream server becomes unreachable, and UDP port 123 must be open to the clients, e.g. by enabling firewalld's "ntp" service.

On the other nodes (any address inside the 192.168.0.0/16 range allowed above):
server 192.168.122.18 iburst
Leave the other options at their defaults, but comment out the distribution's default `pool` line so that the clients sync only from node1; otherwise chrony also tries the public pool, which defeats the single-exit design.

3. Enable the chronyd service and check that the source is reachable

systemctl enable --now chronyd.service
chronyc sources

210 Number of sources = 1
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* 192.168.122.18                6   6   377    24   -802ns[  -44us] +/-  140ms

In the MS column `^` means the source is a server and `*` that it is the one currently selected; Reach is an octal bitmask of the last eight polls, so 377 means all eight got a reply. `chronyc tracking` shows the resulting offset and stratum of the local clock.

(If the client never reaches node1, check the firewall rules on node1 first.)
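As an added example (not from chrony or from the page), here is a Python health check that parses `chronyc sources` output like the one above, decodes the octal Reach register into the number of successful polls, and reports whether the client is actually synchronised to its selected source. The sample output embedded in it is constructed: the first row is the one from the page, the second is an invented unreachable source. On a node with chronyc installed the script runs the real command; otherwise it falls back to the sample. Thresholds and dictionary keys are this example's own choices.

```python
"""Health check for `chronyc sources` output on a client node.

Added example (not from chrony). SAMPLE_SOURCES is constructed: the first source
row is the one shown on this page, the second is an invented unreachable peer.
"""
import re

SAMPLE_SOURCES = """\
210 Number of sources = 2
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* 192.168.122.18                6   6   377    24   -802ns[  -44us] +/-  140ms
^? 192.168.122.19                0   6     0     -     +0ns[   +0ns] +/-    0ns
"""

UNIT = {"ns": 1e-9, "us": 1e-6, "ms": 1e-3, "s": 1.0}
MODES = {"^": "server", "=": "peer", "#": "local clock"}
STATES = {"*": "selected", "+": "combined", "-": "not combined",
          "?": "unreachable", "x": "falseticker", "~": "too variable"}

# One data row: mode/state flags, name, stratum, poll, reach (octal), last rx,
# "offset[measured] +/- error" with ns/us/ms/s units.
ROW = re.compile(
    r"^(?P<mode>[\^=#])(?P<state>[*+\-?x~])\s+(?P<name>\S+)\s+"
    r"(?P<stratum>\d+)\s+(?P<poll>-?\d+)\s+(?P<reach>[0-7]+)\s+(?P<lastrx>\S+)\s+"
    r"(?P<offset>[+-]?[\d.]+)(?P<unit>ns|us|ms|s)\[\s*[+-]?[\d.]+(?:ns|us|ms|s)\]\s+"
    r"\+/-\s+(?P<err>[\d.]+)(?P<errunit>ns|us|ms|s)$"
)


def parse_sources(text: str) -> list:
    """Turn `chronyc sources` output into dicts; header and rule lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        reach = int(m["reach"], 8)  # 8-bit register of the last eight polls, printed in octal
        rows.append({
            "name": m["name"],
            "mode": MODES[m["mode"]],
            "state": STATES[m["state"]],
            "stratum": int(m["stratum"]),
            "reach": reach,
            "polls_ok": bin(reach).count("1"),  # how many of the last eight polls got a reply
            "offset_s": float(m["offset"]) * UNIT[m["unit"]],
            "error_s": float(m["err"]) * UNIT[m["errunit"]],
        })
    return rows


def selected_source(rows):
    """The source chrony is steering the clock from (state '*'), or None."""
    return next((r for r in rows if r["state"] == "selected"), None)


def is_synced(rows, max_offset_s=0.1, min_polls_ok=8) -> bool:
    """True when a selected source exists, answered all recent polls, has a sane
    stratum (16 means unsynchronised in NTP) and the offset is within bounds."""
    src = selected_source(rows)
    return (src is not None
            and src["polls_ok"] >= min_polls_ok
            and 0 < src["stratum"] < 16
            and abs(src["offset_s"]) <= max_offset_s)


if __name__ == "__main__":
    import subprocess
    import sys
    try:  # use the live command when available, otherwise the constructed sample
        out = subprocess.run(["chronyc", "sources"], capture_output=True, text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        out = SAMPLE_SOURCES
    rows = parse_sources(out)
    for r in rows:
        print(f"{r['name']:<16} {r['state']:<13} stratum={r['stratum']} "
              f"polls_ok={r['polls_ok']}/8 offset={r['offset_s']:+.3e}s")
    sys.exit(0 if is_synced(rows) else 1)
```

The exit status makes it usable as a monitoring probe on the client nodes; a non-zero exit on every client at once usually means node1 lost its upstream or its firewall is blocking UDP 123.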


3. Automated system installation with cobbler.

1. Install cobbler

[root@centos8 ~]# dnf install epel-release
[root@centos8 ~]# dnf -y module enable cobbler
[root@centos8 ~]# dnf install cobbler
Put SELinux into permissive mode for the setup (setenforce takes a space, not "="), then start and enable httpd, tftp and cobblerd
setenforce 0
systemctl start cobblerd httpd tftp
systemctl enable cobblerd httpd tftp

2. Run cobbler's environment check and work through its findings one by one

[root@centos8 ~]# cobbler check
The following are potential configuration items that you may want to fix:

1: The 'server' field in /etc/cobbler/settings must be set to something other than localhost, or automatic installation features will not work.  This should be a resolvable hostname or IP for the boot server as reachable by all machines that will use it.
2: For PXE to be functional, the 'next_server' field in /etc/cobbler/settings must be set to something other than 127.0.0.1, and should match the IP of the boot server on the PXE network.
3: SELinux is enabled. Please review the following wiki page for details on ensuring Cobbler works correctly in your SELinux environment:
    https://github.com/cobbler/cobbler/wiki/Selinux
4: some network boot-loaders are missing from /var/lib/cobbler/loaders, you may run 'cobbler get-loaders' to download them, or, if you only want to handle x86/x86_64 netbooting, you may ensure that you have installed a *recent* version of the syslinux package installed and can ignore this message entirely.  Files in this directory, should you want to support all architectures, should include pxelinux.0, menu.c32, and yaboot. The 'cobbler get-loaders' command is the easiest way to resolve these requirements.
5: reposync is not installed, install yum-utils or dnf-plugins-core
6: yumdownloader is not installed, install yum-utils or dnf-plugins-core
7: debmirror package is not installed, it will be required to manage debian deployments and repositories
8: ksvalidator was not found, install pykickstart
9: The default password used by the sample templates for newly installed machines (default_password_crypted in /etc/cobbler/settings) is still set to 'cobbler' and should be changed, try: "openssl passwd -1 -salt 'random-phrase-here' 'your-password-here'" to generate new one
10: fencing tools were not found, and are required to use the (optional) power management features. install cman or fence-agents to use them

Restart cobblerd and then run 'cobbler sync' to apply changes.

    1. The 'server' field in /etc/cobbler/settings must be set to something other than localhost, or kickstarting features will not work. This should be a resolvable hostname or IP for the boot server as reachable by all machines that will use it.

Set server in /etc/cobbler/settings to this machine's address
sed -i.bak 's/^server:.*/server: 192.168.122.18/' /etc/cobbler/settings

    2. For PXE to be functional, the 'next_server' field in /etc/cobbler/settings must be set to something other than 127.0.0.1, and should match the IP of the boot server on the PXE network.

Set next_server in /etc/cobbler/settings to this machine's address (the IP on which the PXE clients reach the TFTP server)
sed -i.bak 's/^next_server:.*/next_server: 192.168.122.18/' /etc/cobbler/settings

    3. SELinux is enabled.

Setting SELinux to disabled and rebooting the server satisfies the check:
sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config
Bear in mind that this removes a layer of hardening from the host that hands boot loaders and root-password hashes to every machine on the PXE network. The check output links to cobbler's SELinux wiki page; keeping SELinux enforcing with the booleans and file contexts documented there is the better option where time allows.

    4. some network boot-loaders are missing from /var/lib/cobbler/loaders, you may run 'cobbler get-loaders' to download them, or, if you only want to handle x86/x86_64 netbooting, you may ensure that you have installed a recent version of the syslinux package installed and can ignore this message entirely. Files in this directory, should you want to support all architectures, should include pxelinux.0, menu.c32, and yaboot. The 'cobbler get-loaders' command is the easiest way to resolve these requirements.

Install syslinux
[root@centos8 ~]# dnf -y install syslinux
For x86_64-only PXE booting that is all the check asks for; copy the loaders from the signed syslinux package into the TFTP root
cp -a /usr/share/syslinux/{pxelinux.0,menu.c32} /var/lib/tftpboot
Alternatively, download the loader bundle for all architectures over the network:
cobbler get-loaders   (to go through a proxy, set proxy_url_ext: in /etc/cobbler/settings)
If this fails with a 404, one workaround is to edit the cobbler module action_dlcontent.py (at /usr/lib/python2.7/site-packages/cobbler/action_dlcontent.py here; the path depends on the Python version cobbler was built for):
#content_server = "https://cobbler.github.io/loaders"
content_server = "https://dgoodwin.fedorapeople.org/loaders"
and change the files list to the file names that actually exist under https://dgoodwin.fedorapeople.org/loaders (the README can be ignored).
Note what this workaround does: it fetches boot loaders, the first code every PXE client executes, from a personal web space rather than a distribution repository. Verify such downloads against published checksums, or stay with the syslinux package if x86_64 is all you need.

    5. reposync is not installed, install yum-utils or dnf-plugins-core
    6. yumdownloader is not installed, install yum-utils or dnf-plugins-core

Install dnf-plugins-core (which provides reposync and yumdownloader)
[root@centos8 ~]# dnf -y install yum-utils dnf-plugins-core

    7. debmirror package is not installed, it will be required to manage debian deployments and repositories

[root@centos8 ~]# dnf -y install debmirror
After installing, the next run of cobbler check asks for the dists and arches lines in /etc/debmirror.conf to be commented out:
sed -i.bak '/dists\|arches/s/^/#/' /etc/debmirror.conf

    8. ksvalidator was not found, install pykickstart

[root@centos8 ~]# dnf -y install pykickstart

    9. The default password used by the sample templates for newly installed machines (default_password_crypted in /etc/cobbler/settings) is still set to 'cobbler' and should be changed, try: "openssl passwd -1 -salt 'random-phrase-here' 'your-password-here'" to generate new one

[root@centos8 ~]# openssl passwd -1 -salt 'cobbler' 'cobbler'
$1$cobbler$M6SE55xZodWc9.vAKLJs6.
[root@centos8 ~]# sed -i.bak '/default_password_crypted:/s#".*"#"$1$cobbler$M6SE55xZodWc9.vAKLJs6."#' /etc/cobbler/settings
This silences the check but does not fix the problem it reports: the new hash is still for the password 'cobbler', only with a different salt, and -1 selects MD5-crypt. Every machine built from the sample templates receives this root password, and the rendered kickstart, hash included, is served over plain HTTP to whichever host asks for it during installation. Use a unique, strong password and a SHA-512 hash (openssl passwd -6 'your-password-here'), and keep the resulting hash out of version control.

    10. fencing tools were not found, and are required to use the (optional) power management features. install cman or fence-agents to use them

[root@centos8 ~]# dnf -y install fence-agents

  • Reboot the server so the SELinux change takes effect

  • Install the DHCP server

dnf -y install dhcp-server
(on CentOS 8 the package that provides dhcpd is dhcp-server). Then edit the DHCP template that cobbler manages, /etc/cobbler/dhcp.template:

subnet 192.168.122.0 netmask 255.255.255.0 {
     option routers             192.168.122.1;
     option domain-name-servers 10.98.48.151,10.72.55.103;
     option subnet-mask         255.255.255.0;
     range dynamic-bootp        192.168.122.100 192.168.122.254;
     # the rest of the subnet block stays as the template ships it
}

Leave the other entries at their defaults. For cobbler to write this template out as /etc/dhcp/dhcpd.conf and manage dhcpd, manage_dhcp must be set to 1 in /etc/cobbler/settings; otherwise dhcpd has to be configured by hand. The dynamic-bootp range is what any machine that PXE-boots on this VLAN will be offered, so keep the PXE network separate from networks where an unattended reinstall would be a disaster.

  • Finally run cobbler sync, which regenerates the TFTP tree and the DHCP configuration and restarts the services; the server side is now complete.

3. Import installation images and configure them

Update /var/lib/cobbler/distro_signatures.json so that newer releases are recognised
[root@centos8 ~]# cobbler signature update

  • Upload the ISO images to the server and create mount points for them

[root@centos8 ~]# mkdir -p /mnt/{7,8,16,18}

  • Mount the image files on the directories

[root@centos8 ~]# mount /data/CentOS-7-x86_64-Minimal-2009.iso /mnt/7
[root@centos8 ~]# mount /data/ubuntu-16.04.6-server-amd64.iso /mnt/16

(Or add the images to /etc/fstab as loop mounts and run mount -a, so that they are mounted again after a reboot.)

  • Import the contents of the mounted images into cobbler

[root@centos8 ~]# cobbler import --name=centos7 --path=/mnt/7 --arch=x86_64
[root@centos8 ~]# cobbler import --name=ubuntu16 --path=/mnt/16 --arch=x86_64

[root@centos8 ~]# cobbler distro list
centos7-x86_64
ubuntu16-hwe-x86_64
ubuntu16-x86_64

4. Prepare the kickstart file and associate it with the distro and its YUM source

A good starting point for the kickstart file is /root/anaconda-ks.cfg from a manually installed template server: copy it and edit it. Cobbler renders these files with the Cheetah template engine, in which $name is a substitution: $tree and $yum_repo_stanza below are cobbler variables that are meant to be expanded, whereas the literal dollar signs inside the crypted passwords are written as \$ so they are not treated as template variables.

[root@centos8 ~]# cat /var/lib/cobbler/templates/centos7.ks
#version=DEVEL
# System authorization information
auth --enableshadow --passalgo=sha512
# Use CDROM installation media
#cdrom
# Use network installation from the tree cobbler serves ($tree is substituted by cobbler)
url --url=$tree
# If any cobbler repo definitions were referenced in the kickstart profile, include them here.
$yum_repo_stanza
# Use graphical install ("text" selects a text-mode install instead)
graphical
# Run the Setup Agent on first boot
firstboot --enable
ignoredisk --only-use=vda
# Keyboard layouts
keyboard --vckeymap=us --xlayouts='us'
# System language
lang en_US.UTF-8

# Network information
network  --bootproto=dhcp --device=eth0 --ipv6=auto --activate
network  --hostname=localhost.localdomain

# Root password (SHA-512 crypt; the $ signs are escaped as \$ because cobbler runs this file through Cheetah)
rootpw --iscrypted \$6\$v0W40q80/7HPdeHr\$dfHh.SdFzcs8ue.OUl7W5.0ku/xhWPKUXT.qSvYSLdz3C2OImdcRSr2Tde3woAK3qQoh.KWU8F1mYuclBTFIE0
# System services
services --enabled="chronyd"
# System timezone
timezone Asia/Shanghai --isUtc
# Administrative user in wheel; the password hash is escaped for Cheetah (\$ for each literal $) because cobbler templates this file
user --groups=wheel --name=wx562635 --password=\$6\$tGpU7Mbs2bKeqnUu\$rqXk6lDnt63cSE5m/LmLiY84HlaGFmgxCfJ27BpAPH2RCsptO6SbwIvaOgQ7W/toOiQvJMvt1qPJS/d47lhrr1 --iscrypted --gecos="wx562635"
# System bootloader configuration
bootloader --append=" crashkernel=auto" --location=mbr --boot-drive=vda
autopart --type=lvm
# Partition clearing information
clearpart --all --initlabel

%packages
@^minimal
@core
chrony
kexec-tools

%end

%addon com_redhat_kdump --enable --reserve-mb='auto'

%end

%anaconda
pwpolicy root --minlen=6 --minquality=1 --notstrict --nochanges --notempty
pwpolicy user --minlen=6 --minquality=1 --notstrict --nochanges --emptyok
pwpolicy luks --minlen=6 --minquality=1 --notstrict --nochanges --notempty
%end

# Reboot after installation
reboot

[root@centos8 ~]# cobbler profile remove --name centos7-x86_64
[root@centos8 ~]# cobbler profile add --name=centos7-x86_64 --distro=centos7-x86_64 --template-files=/var/lib/cobbler/templates/centos7.ks --autoinstall=centos7.ks
--autoinstall names a file relative to /var/lib/cobbler/templates, which is why centos7.ks was placed there (--template-files is meant for additional key=value template-to-destination mappings and is not what selects the kickstart). Run cobbler sync again after changing profiles.

Once everything is configured, select PXE network boot on a target machine and the system installs automatically.
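Two things in this procedure are easy to get wrong silently: the password material (rootpw, user and sshpw in the kickstart, default_password_crypted in /etc/cobbler/settings, all in crypt(3) format) and the Cheetah templating of the kickstart. The following is an added example, not code from cobbler or pykickstart, that lints a kickstart template for those points plus a few hardening settings: plaintext passwords, non-SHA-512 hashes, a $ in a hash that Cheetah would try to expand, SELinux or the firewall switched off, a short pwpolicy, and unbalanced % sections. The two embedded templates are constructed: GOOD_KS is trimmed from the centos7.ks above with the hashes escaped, BAD_KS is an invented weak one that reuses the page's MD5 'cobbler' hash. Finding codes and function names are this example's own.

```python
"""Lint a kickstart / cobbler autoinstall template for weak or broken settings.

Added example, not code from cobbler or pykickstart. GOOD_KS and BAD_KS are
constructed samples (see the lead-in); the hashes in them come from this page.
"""
import re
import shlex

GOOD_KS = r"""
auth --enableshadow --passalgo=sha512
url --url=$tree
rootpw --iscrypted \$6\$v0W40q80/7HPdeHr\$dfHh.SdFzcs8ue.OUl7W5.0ku/xhWPKUXT.qSvYSLdz3C2OImdcRSr2Tde3woAK3qQoh.KWU8F1mYuclBTFIE0
user --groups=wheel --name=wx562635 --password=\$6\$tGpU7Mbs2bKeqnUu\$rqXk6lDnt63cSE5m/LmLiY84HlaGFmgxCfJ27BpAPH2RCsptO6SbwIvaOgQ7W/toOiQvJMvt1qPJS/d47lhrr1 --iscrypted --gecos="wx562635"
%packages
@core
%end
%anaconda
pwpolicy root --minlen=6 --minquality=1 --notstrict --nochanges --notempty
%end
"""

# Invented weak template: plaintext root password, an unescaped MD5-crypt user
# hash, a plaintext installer ssh password, SELinux and firewall off, missing %end.
BAD_KS = r"""
rootpw --plaintext changeme
user --name=ops --password=$1$cobbler$M6SE55xZodWc9.vAKLJs6. --iscrypted
sshpw --username=root --plaintext hunter2
selinux --disabled
firewall --disabled
%packages
@core
"""

CRYPT_IDS = {"$1$": "md5-crypt", "$5$": "sha256-crypt", "$6$": "sha512-crypt"}
UNESCAPED_DOLLAR = re.compile(r"(?<!\\)\$[0-9A-Za-z]")  # a $ that Cheetah may treat as a variable


def crypt_algorithm(hash_str: str) -> str:
    """Name the crypt(3) scheme from the '$id$' prefix; '\\$' escapes are tolerated.
    The same check applies to default_password_crypted in /etc/cobbler/settings."""
    clean = str(hash_str).replace("\\$", "$")
    return next((name for pre, name in CRYPT_IDS.items() if clean.startswith(pre)), "unknown")


def _split(tokens):
    """Split kickstart arguments into {option: value-or-True} and positionals."""
    opts, positional = {}, []
    for tok in tokens:
        if tok.startswith("--"):
            key, _, val = tok[2:].partition("=")
            opts[key] = val or True
        else:
            positional.append(tok)
    return opts, positional


def _check_password(cmd, password, opts, raw, lineno, out):
    if "plaintext" in opts or "iscrypted" not in opts:
        out.append((f"{cmd.upper()}_PLAINTEXT", lineno, f"{cmd}: password stored in clear text"))
        return
    algo = crypt_algorithm(password)
    if algo != "sha512-crypt":
        out.append((f"{cmd.upper()}_WEAK_HASH", lineno, f"{cmd}: {algo} hash; generate one with openssl passwd -6"))
    if UNESCAPED_DOLLAR.search(raw):  # checked on the raw line, before shlex removes the backslashes
        out.append(("HASH_UNESCAPED_FOR_CHEETAH", lineno, f"{cmd}: write each '$' of the hash as '\\$' in a cobbler template"))


def lint_kickstart(text: str) -> list:
    """Return (code, line_number, message) findings for a kickstart template."""
    findings, section, depth, lineno = [], None, 0, 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "%end":
            section, depth = None, depth - 1
            continue
        if line.startswith("%"):  # %packages, %pre, %post, %anaconda, ...
            section, depth = line.split()[0], depth + 1
            continue
        if section not in (None, "%anaconda"):  # package lists and scripts are not commands
            continue
        tokens = shlex.split(line, comments=True)  # posix mode turns '\$' back into '$'
        cmd, (opts, pos) = tokens[0], _split(tokens[1:])
        if cmd == "rootpw":
            _check_password(cmd, pos[0] if pos else "", opts, raw, lineno, findings)
        elif cmd == "user" and "password" in opts:
            _check_password(cmd, opts["password"], opts, raw, lineno, findings)
        elif cmd == "sshpw" and ("plaintext" in opts or "iscrypted" not in opts):
            findings.append(("SSHPW_PLAINTEXT", lineno, "sshpw: installer ssh password in clear text"))
        elif cmd == "selinux" and ("disabled" in opts or "permissive" in opts):
            findings.append(("SELINUX_OFF", lineno, "selinux: the installed system will not enforce"))
        elif cmd == "firewall" and "disabled" in opts:
            findings.append(("FIREWALL_OFF", lineno, "firewall: disabled on the installed system"))
        elif cmd == "pwpolicy" and int(opts.get("minlen", 0)) < 8:
            findings.append(("PWPOLICY_SHORT", lineno, f"pwpolicy {pos[0] if pos else ''}: minlen below 8"))
    if depth != 0:
        findings.append(("SECTION_UNBALANCED", lineno, "a % section is missing its %end"))
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else BAD_KS
    for code, lineno, msg in lint_kickstart(text):
        print(f"line {lineno}: {code}: {msg}")
```

Run it against every file in /var/lib/cobbler/templates before `cobbler sync`; the one finding it raises on the page's own kickstart is the six-character pwpolicy minimum, which the sample inherited from the template server's anaconda-ks.cfg.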

© Copyright belongs to the author; contact the author for reprints or content cooperation.
Platform statement: the article content (including any images or videos) was uploaded and published by the author and represents only the author's own views; Jianshu (简书) is an information publishing platform and only provides information storage services.
