Linux相关知识的第十五回合
PAM和google模块实现ssh双因子安全验证
# 安装google-authenticator并配置
[hooper@magedu-demo ~] $ sudo yum install -y google-authenticator
# 手机下载google-authenticator软件,并添加认证
[hooper@magedu-demo ~] $ google-authenticator
#
# Do you want authentication tokens to be time-based (y/n) y
# Warning: pasting the following URL into your browser exposes the OTP secret to Google:
# 扫描二维码(下方输出的 secret key 和 emergency scratch codes 都是登录凭据,不应公开或留在文档中)
# Your new secret key is: JNTJELAADE5U3KL4AMGCEDTX6M
# Your verification code is 943049
# Your emergency scratch codes are:
# 21900684
# 75455807
# 53059216
# 62143955
# 38198611
#
# Do you want me to update your "/home/hooper/.google_authenticator" file? (y/n) y
#
# Do you want to disallow multiple uses of the same authentication
# token? This restricts you to one login about every 30s, but it increases
# your chances to notice or even prevent man-in-the-middle attacks (y/n) y
#
# By default, a new token is generated every 30 seconds by the mobile app.
# In order to compensate for possible time-skew between the client and the server,
# we allow an extra token before and after the current time. This allows for a
# time skew of up to 30 seconds between authentication server and client. If you
# experience problems with poor time synchronization, you can increase the window
# from its default size of 3 permitted codes (one previous code, the current
# code, the next code) to 17 permitted codes (the 8 previous codes, the current
# code, and the 8 next codes). This will permit for a time skew of up to 4 minutes
# between client and server.
# Do you want to do so? (y/n) y
#
# If the computer that you are logging into isn't hardened against brute-force
# login attempts, you can enable rate-limiting for the authentication module.
# By default, this limits attackers to no more than 3 login attempts every 30s.
# Do you want to enable rate-limiting? (y/n) y
#
# 修改ssh配置文件
[hooper@magedu-demo ~] $ sudo cp -rp /etc/pam.d/sshd{,.`datebak`}
[hooper@magedu-demo ~] $ sudo egrep -v "^$|#" /etc/pam.d/sshd
auth required pam_sepermit.so
auth substack password-auth
auth include postlogin
# 添加google_authenticator认证(未生成 ~/.google_authenticator 文件的用户此后将无法通过密码方式登录;如需放行这类用户,可给该模块加 nullok 参数)
auth required pam_google_authenticator.so
-auth optional pam_reauthorize.so prepare
account required pam_nologin.so
account include password-auth
password include password-auth
session required pam_selinux.so close
session required pam_loginuid.so
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include password-auth
session include postlogin
-session optional pam_reauthorize.so prepare
[hooper@magedu-demo ~] $ sudo cp -rp /etc/ssh/sshd_config{,.`datebak`}
[hooper@magedu-demo ~] $ sudo egrep -v "^$|#" /etc/ssh/sshd_config
Port 10022
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
SyslogFacility AUTHPRIV
PermitRootLogin no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication yes
# 添加此行(验证码只在经过 PAM 的 keyboard-interactive/密码路径生效;公钥登录不经过该 auth 栈,若要公钥登录也必须输入验证码,需另行设置 AuthenticationMethods)
ChallengeResponseAuthentication yes
GSSAPICleanupCredentials no
UsePAM yes
X11Forwarding yes
UseDNS no
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
Subsystem sftp /usr/libexec/openssh/sftp-server
# 重启sshd服务(重启前先用 sudo sshd -t 检查配置,并保留当前会话,待新会话验证可登录后再退出,以免把自己锁在外面)
[hooper@magedu-demo ~] $ sudo systemctl restart sshd
[hooper@magedu-demo ~] $ sudo systemctl status sshd
# =============================================#
# 其他服务器登录ssh测试
➜ ssh hooper@192.168.168.66 -p 10022
Enter passphrase for key '/Users/hooper/.ssh/id_rsa':
Password:
Verification code: # 手机上获取验证码
Last login: Tue Jun 22 10:27:09 2021 from 192.168.168.252
[hooper@magedu-demo ~] $ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.168.66 netmask 255.255.255.0 broadcast 192.168.168.255
ether 52:54:00:ed:e8:61 txqueuelen 1000 (Ethernet)
RX packets 40473 bytes 26144871 (24.9 MiB)
RX errors 0 dropped 457 overruns 0 frame 0
TX packets 12670 bytes 865038 (844.7 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
loop txqueuelen 1000 (Local Loopback)
RX packets 112 bytes 9256 (9.0 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 112 bytes 9256 (9.0 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
使用chrony实现内网时间同步(一台node1从外网同步时间,其余机器从node1同步时间)
# chrony服务端部署
[hooper@magedu-demo ~] $ sudo yum install chrony -y
[hooper@magedu-demo ~] $ sudo cp -rp /etc/chrony.conf{,.`datebak`}
[hooper@magedu-demo ~] $ egrep -v "^$|#" /etc/chrony.conf
pool ntp1.aliyun.com
pool ntp2.aliyun.com
driftfile /var/lib/chrony/drift
makestep 1.0 3
rtcsync
allow 192.168.168.0/24
local stratum 10
logdir /var/log/chrony
[hooper@magedu-demo ~] $ sudo systemctl enable chronyd --now
[hooper@magedu-demo ~] $ sudo systemctl status chrony
chronyd.service chrony-wait.service
[hooper@magedu-demo ~] $ sudo systemctl status chronyd
# 客户端部署
[hooper@oracle211 ~] $ sudo yum info chrony
# Loaded plugins: fastestmirror
# Loading mirror speeds from cached hostfile
# * epel: mirrors.bfsu.edu.cn
# Installed Packages
# Name : chrony
# Arch : x86_64
# Version : 3.4
# Release : 1.el7
# Size : 491 k
# Repo : installed
# From repo : nexus-base
# Summary : An NTP client/server
# URL : https://chrony.tuxfamily.org
# License : GPLv2
# Description : A client/server for the Network Time Protocol, this program keeps your
# : computer's clock accurate. It was specially designed to support
# : systems with intermittent internet connections, but it also works well
# : in permanently connected environments. It can use also hardware reference
# : clocks, system real-time clock or manual input as time references.
[hooper@oracle211 ~] $ sudo cp -rp /etc/chrony.conf{,.`datebak`}
[hooper@oracle211 ~] $ sudo egrep -v "^$|#" /etc/chrony.conf
server magedu-demo iburst
driftfile /var/lib/chrony/drift
rtcsync
makestep 10 3
logchange 0.5
logdir /var/log/chrony
# 添加hosts地址解析
[hooper@oracle211 ~] $ sudo cat /etc/hosts
192.168.168.66 magedu-demo
[hooper@oracle211 ~] $ sudo systemctl start chronyd
[hooper@oracle211 ~] $ sudo systemctl status chronyd
[hooper@oracle211 ~] $ sudo timedatectl
Local time: Tue 2021-06-22 10:05:59 CST
Universal time: Tue 2021-06-22 02:05:59 UTC
RTC time: Tue 2021-06-22 02:05:58
Time zone: Asia/Shanghai (CST, +0800)
NTP enabled: yes
NTP synchronized: yes
RTC in local TZ: no
DST active: n/a
[hooper@oracle211 ~] $ sudo chronyc sources -v
210 Number of sources = 1
.-- Source mode '^' = server, '=' = peer, '#' = local clock.
/ .- Source state '*' = current synced, '+' = combined , '-' = not combined,
| / '?' = unreachable, 'x' = time may be in error, '~' = time too variable.
|| .- xxxx [ yyyy ] +/- zzzz
|| Reachability register (octal) -. | xxxx = adjusted offset,
|| Log2(Polling interval) --. | | yyyy = measured offset,
|| \ | | zzzz = estimated error.
|| | | \
MS Name/IP address Stratum Poll Reach LastRx Last sample
===============================================================================
^? magedu-demo 3 6 77 7 -103us[ -177us] +/- 32ms
# 查看服务端chrony信息
[hooper@magedu-demo ~] $ sudo chronyc clients -v
Hostname NTP Drop Int IntL Last Cmd Drop Int Last
===============================================================================
192.168.168.211 6 0 6 - 1 0 0 - -
利用cobbler实现系统自动化安装
# 安装cobbler
[hooper@magedu-demo ~] $ sudo yum install -y cobbler
# 安装dhcp服务
[hooper@magedu-demo ~] $ sudo yum install -y dhcp
# 配置cobblerd(重点修改 server 与 next_server 为 cobbler 服务器自身地址,本例中即 192.168.168.66;下方 server 一项填的是客户端地址 192.168.168.211,需核对。同时把 default_password_crypted 换成自行生成的口令哈希,而不是沿用安装包附带的示例值)
[hooper@magedu-demo ~] $ sudo cp -rp /etc/cobbler/settings{,.`datebak`}
[hooper@magedu-demo ~] $ sudo vim /etc/cobbler/settings
[hooper@magedu-demo ~] $ sudo egrep -v "^$|#" /etc/cobbler/settings
---
allow_duplicate_hostnames: 0
allow_duplicate_ips: 0
allow_duplicate_macs: 0
allow_dynamic_settings: 0
anamon_enabled: 0
authn_pam_service: "login"
auth_token_expiration: 3600
build_reporting_enabled: 0
build_reporting_sender: ""
build_reporting_email: [ 'root@localhost' ]
build_reporting_smtp_server: "localhost"
build_reporting_subject: ""
build_reporting_ignorelist: [ "" ]
cheetah_import_whitelist:
- "random"
- "re"
- "time"
createrepo_flags: "-c cache -s sha"
default_kickstart: /var/lib/cobbler/kickstarts/default.ks
default_name_servers: []
default_ownership:
- "admin"
default_password_crypted: "$1$mF86/UHC$WvcIcX2t6crBz2onWxyac."
default_template_type: "cheetah"
default_virt_bridge: xenbr0
default_virt_file_size: 5
default_virt_ram: 512
default_virt_type: xenpv
enable_gpxe: 0
enable_menu: 1
func_auto_setup: 0
func_master: overlord.example.org
http_port: 80
kernel_options:
ksdevice: bootif
lang: ' '
text: ~
kernel_options_s390x:
RUNKS: 1
ramdisk_size: 40000
root: /dev/ram0
ro: ~
ip: off
vnc: ~
ldap_server: "ldap.example.com"
ldap_base_dn: "DC=example,DC=com"
ldap_port: 389
ldap_tls: 1
ldap_anonymous_bind: 1
ldap_search_bind_dn: ''
ldap_search_passwd: ''
ldap_search_prefix: 'uid='
ldap_tls_cacertfile: ''
ldap_tls_keyfile: ''
ldap_tls_certfile: ''
mgmt_classes: []
mgmt_parameters:
from_cobbler: 1
puppet_auto_setup: 0
sign_puppet_certs_automatically: 0
puppetca_path: "/usr/bin/puppet"
remove_old_puppet_certs_automatically: 0
manage_dhcp: 1
manage_dns: 0
bind_chroot_path: ""
bind_master: 127.0.0.1
manage_genders: 0
bind_manage_ipmi: 0
manage_tftpd: 1
manage_rsync: 0
manage_forward_zones: []
manage_reverse_zones: []
next_server: 192.168.168.66
power_management_default_type: 'ipmitool'
power_template_dir: "/etc/cobbler/power"
pxe_just_once: 0
pxe_template_dir: "/etc/cobbler/pxe"
consoles: "/var/consoles"
redhat_management_type: "off"
redhat_management_server: "xmlrpc.rhn.redhat.com"
redhat_management_key: ""
redhat_management_permissive: 0
register_new_installs: 0
reposync_flags: "-l -n -d"
restart_dns: 1
restart_dhcp: 1
run_install_triggers: 1
scm_track_enabled: 0
scm_track_mode: "git"
server: 192.168.168.211
client_use_localhost: 0
client_use_https: 0
snippetsdir: /var/lib/cobbler/snippets
template_remote_kickstarts: 0
virt_auto_boot: 1
webdir: /var/www/cobbler
xmlrpc_port: 25151
yum_post_install_mirror: 1
yum_distro_priority: 1
yumdownloader_flags: "--resolve"
serializer_pretty_json: 0
replicate_rsync_options: "-avzH"
replicate_repo_rsync_options: "-avzH"
always_write_dhcp_entries: 0
proxy_url_ext: ""
proxy_url_int: ""
[hooper@magedu-demo ~] $ sudo cp -rp /etc/cobbler/dhcp.template{,.`datebak`}
[hooper@magedu-demo ~] $ sudo vim /etc/cobbler/dhcp.template
[hooper@magedu-demo ~] $ sudo egrep -v "^$|#" /etc/cobbler/dhcp.template
ddns-update-style interim;
allow booting;
allow bootp;
ignore client-updates;
set vendorclass = option vendor-class-identifier;
option pxe-system-type code 93 = unsigned integer 16;
subnet 192.168.168.0 netmask 255.255.255.0 {
option routers 192.168.168.254;
option domain-name-servers 192.168.168.238;
option subnet-mask 255.255.255.0;
range dynamic-bootp 192.168.168.50 192.168.168.55;
default-lease-time 21600;
max-lease-time 43200;
next-server $next_server;
class "pxeclients" {
match if substring (option vendor-class-identifier, 0, 9) = "PXEClient";
if option pxe-system-type = 00:02 {
filename "ia64/elilo.efi";
} else if option pxe-system-type = 00:06 {
filename "grub/grub-x86.efi";
} else if option pxe-system-type = 00:07 {
filename "grub/grub-x86_64.efi";
} else if option pxe-system-type = 00:09 {
filename "grub/grub-x86_64.efi";
} else {
filename "pxelinux.0";
}
}
}
group {
host $iface.name {
option dhcp-client-identifier = $mac;
hardware ethernet $mac;
fixed-address $iface.ip_address;
option host-name "$iface.hostname";
option subnet-mask $iface.netmask;
option routers $iface.gateway;
if exists user-class and option user-class = "gPXE" {
filename "http://$cobbler_server/cblr/svc/op/gpxe/system/$iface.owner";
} else if exists user-class and option user-class = "iPXE" {
filename "http://$cobbler_server/cblr/svc/op/gpxe/system/$iface.owner";
} else {
filename "undionly.kpxe";
}
filename "$iface.filename";
next-server $next_server;
}
}
# 启动相关服务,并检查设置及同步信息
[hooper@magedu-demo ~] $ sudo systemctl start cobblerd httpd tftp
[hooper@magedu-demo ~] $ sudo systemctl status cobblerd httpd tftp
● cobblerd.service - Cobbler Helper Daemon
Loaded: loaded (/usr/lib/systemd/system/cobblerd.service; disabled; vendor preset: disabled)
Active: active (running) since 二 2021-06-22 11:03:40 CST; 9s ago
Process: 4184 ExecStartPost=/usr/bin/touch /usr/share/cobbler/web/cobbler.wsgi (code=exited, status=1/FAILURE)
Main PID: 4183 (cobblerd)
CGroup: /system.slice/cobblerd.service
└─4183 /usr/bin/python2 -s /usr/bin/cobblerd -F
6月 22 11:03:40 magedu-demo systemd[1]: Starting Cobbler Helper Daemon...
6月 22 11:03:40 magedu-demo touch[4184]: /usr/bin/touch: cannot touch ‘/usr/share/cobbler/web/cobbler.wsgi’: No such file or directory
6月 22 11:03:40 magedu-demo systemd[1]: Started Cobbler Helper Daemon.
● httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
Active: active (running) since 二 2021-06-22 11:03:40 CST; 9s ago
Docs: man:httpd(8)
man:apachectl(8)
Main PID: 4185 (httpd)
Status: "Total requests: 0; Current requests/sec: 0; Current traffic: 0 B/sec"
CGroup: /system.slice/httpd.service
├─4185 /usr/sbin/httpd -DFOREGROUND
├─4188 /usr/sbin/httpd -DFOREGROUND
├─4189 /usr/sbin/httpd -DFOREGROUND
├─4190 /usr/sbin/httpd -DFOREGROUND
├─4191 /usr/sbin/httpd -DFOREGROUND
└─4192 /usr/sbin/httpd -DFOREGROUND
6月 22 11:03:40 magedu-demo systemd[1]: Starting The Apache HTTP Server...
6月 22 11:03:40 magedu-demo httpd[4185]: AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 192.168.168.66. Set t...is message
6月 22 11:03:40 magedu-demo systemd[1]: Started The Apache HTTP Server.
● tftp.service - Tftp Server
Loaded: loaded (/usr/lib/systemd/system/tftp.service; indirect; vendor preset: disabled)
Active: active (running) since 二 2021-06-22 11:03:40 CST; 9s ago
Docs: man:in.tftpd
Main PID: 4186 (in.tftpd)
CGroup: /system.slice/tftp.service
└─4186 /usr/sbin/in.tftpd -s /var/lib/tftpboot
6月 22 11:03:40 magedu-demo systemd[1]: Started Tftp Server.
Hint: Some lines were ellipsized, use -l to show in full.
# 同步信息
[hooper@magedu-demo ~] $ sudo cobbler sync
# 启动DHCP服务并查看状态
[hooper@magedu-demo ~] $ sudo systemctl start dhcpd
[hooper@magedu-demo ~] $ sudo systemctl status dhcpd
# 下载启动文件到执行目录
[hooper@magedu-demo ~] $ sudo cobbler get-loaders
# 同步信息
[hooper@magedu-demo ~] $ sudo cobbler sync
# 更新cobbler signature
[hooper@magedu-demo ~] $ sudo cobbler signature update
# 导入CentOS7、8系统的安装文件
[hooper@magedu-demo ~] $ sudo cobbler import --name=centos-8.1-x86_64 --path=/misc/cd --arch=x86_64
[hooper@magedu-demo ~] $ sudo cobbler import --name=CentOS-7-x86_64 --path=/mnt --arch=x86_64
# 安装kickstart
# 安装pykickstart软件包,其中的ksvalidator工具可以检查kickstart文件语法是否正确
[hooper@magedu-demo ~] $ sudo yum install system-config-kickstart pykickstart
# 将CentOS7、8镜像与ks7.cfg、ks8.cfg文件关联并生成菜单(完整命令为 cobbler profile add ...;--distro 的值必须与 cobbler import 生成的 distro 名称完全一致,可先用 cobbler distro list 核对,例如上面导入的名称是 CentOS-7-x86_64 而不是 centos7-x86_64)
[hooper@magedu-demo ~] $ sudo cobbler profile --name=centos7 --distro=centos7-x86_64 --kickstart=/var/lib/cobbler/kickstarts/ks7.cfg
[hooper@magedu-demo ~] $ sudo cobbler profile --name=centos8.1 --distro=centos-8.1-x86_64 --kickstart=/var/lib/cobbler/kickstarts/ks8.cfg
# 修改启动菜单名称
[hooper@magedu-demo ~] $ sudo cp -rp /etc/cobbler/pxe/pxedefault.template{,.`datebak`}
[hooper@magedu-demo ~] $ sudo egrep -v "^$|#" /etc/cobbler/pxe/pxedefault.template
DEFAULT menu
PROMPT 0
MENU TITLE Cobbler | xsd homework    # 修改菜单名字(# 之后仅为说明文字,pxelinux 一般不识别行尾注释,不要写进文件)
TIMEOUT 200
TOTALTIMEOUT 6000
ONTIMEOUT $pxe_timeout_profile
LABEL local
MENU LABEL (local)
MENU DEFAULT
LOCALBOOT -1
$pxe_menu_items
MENU end
~
# 同步信息
[hooper@magedu-demo ~] $ sudo cobbler sync
通过网络自动安装系统
选择网卡启动 —> 选择要安装的系统 —> 找到内核并引导 —> 开始自动安装 —> 登录自动安装的系统