On a server, passwordless access generally comes in two forms: passwordless SSH and passwordless user switching. Let's configure passwordless SSH first.
The goal is passwordless SSH from the current server to 192.168.43.36. First generate a key pair, then copy the public key to the target host.
[root@k8s-master-01 ~]# ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/root/.ssh/id_dsa):
Your identification has been saved in /root/.ssh/id_dsa.
Your public key has been saved in /root/.ssh/id_dsa.pub.
The key fingerprint is:
SHA256:fTz8Wmp4M6GjXc21g71eDTfUmPNDMl1MKKSK1xnwa+o root@k8s-master-01
The key's randomart image is:
+---[DSA 1024]----+
| . .. +o|
| o .. oo+|
| + +++.|
| . + * =o |
| . S * = .o+|
| . o ..=o+=|
| . o.o=+o|
| . .+.=+ +|
| E..+oo.o |
+----[SHA256]-----+
[root@k8s-master-01 ~]# ssh-copy-id -i .ssh/id_dsa.pub root@192.168.43.36
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: ".ssh/id_dsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.43.36's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'root@192.168.43.36'"
and check to make sure that only the key(s) you wanted were added.
[root@k8s-master-01 ~]# ssh root@192.168.43.36
Last login: Thu Aug 15 22:17:04 2019 from 192.168.43.1
[root@k8s-master-02 ~]# exit
logout
Connection to 192.168.43.36 closed.
The full session is shown in the figure:
Next, let's configure passwordless user switching, i.e. using sudo to switch to root, which by default prompts for a password.
First create a group tigergaotest and a user tigergaotest, then try switching with sudo su - root or sudo su -; at this point a password prompt appears.
Passwordless sudo is configured through /etc/sudoers. Its last line is #includedir /etc/sudoers.d, which means that file includes everything under the sudoers.d directory. So we only need to create a tigergaotest file under sudoers.d, set its permissions, and put the rule in it.
[root@k8s-master-01 ~]# groupadd tigergaotest
[root@k8s-master-01 ~]# useradd -m -s /bin/bash -d /home/tigergaotest -g tigergaotest tigergaotest
[root@k8s-master-01 ~]# id tigergaotest
uid=1001(tigergaotest) gid=1001(tigergaotest) groups=1001(tigergaotest)
[root@k8s-master-01 ~]# su - tigergaotest
[tigergaotest@k8s-master-01 ~]$ su - root
Password:
[root@k8s-master-01 ~]# sed -n '$p' /etc/sudoers
#includedir /etc/sudoers.d
[root@k8s-master-01 ~]# cd /etc/sudo
sudo.conf sudoers sudoers.d/ sudo-ldap.conf
[root@k8s-master-01 ~]# cd /etc/sudoers
sudoers sudoers.d/
[root@k8s-master-01 ~]# cd /etc/sudoers.d/
[root@k8s-master-01 sudoers.d]# ls
sudo-tigergao
[root@k8s-master-01 sudoers.d]# touch sudo-tigergaotest
[root@k8s-master-01 sudoers.d]# ls -lrt
total 4
-rwxr-xr-x. 1 root root 32 Aug 5 04:02 sudo-tigergao
-rw-r--r-- 1 root root 0 Aug 16 02:38 sudo-tigergaotest
[root@k8s-master-01 sudoers.d]# vim sudo-tigergaotest
[root@k8s-master-01 sudoers.d]# chmod +x sudo-tigergaotest
[root@k8s-master-01 sudoers.d]# ls -lrt
total 8
-rwxr-xr-x. 1 root root 32 Aug 5 04:02 sudo-tigergao
-rwxr-xr-x 1 root root 36 Aug 16 02:38 sudo-tigergaotest
[root@k8s-master-01 sudoers.d]# su - tigergaotest
Last login: Fri Aug 16 02:35:03 EDT 2019 on pts/0
[tigergaotest@k8s-master-01 ~]$ sudo su - root
Last login: Fri Aug 16 02:36:30 EDT 2019 on pts/0
Now let's look at what the sudo-tigergaotest file contains. The line means user tigergaotest may run any command as any user, and no password is asked when switching.
[root@k8s-master-01 ~]# cat /etc/sudoers.d/sudo-tigergaotest
tigergaotest ALL=(ALL) NOPASSWD:ALL
[root@k8s-master-01 ~]#
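The drop-in above was created with touch, vim and chmod +x. As an added example (not from the original post), the script below builds the same rule for tigergaotest, but checks it with visudo before it goes live, installs it with the 0440 mode sudo expects, and rejects file names sudo would silently skip. The drop-in name sudo-tigergaotest and the helper names are assumptions for the example.

```shell
#!/bin/sh
# Added example: install a /etc/sudoers.d drop-in safely (not the post's own commands).

# sudo ignores drop-ins whose name contains a '.' or ends with '~', so refuse those up front.
sudoers_name_ok() {
    case "$1" in
        ''|*.*|*~) return 1 ;;
    esac
    return 0
}

# Build the rule line. $3 is the command list; prefer a narrow list over ALL where possible.
# sudoers_rule tigergaotest yes  ->  "tigergaotest ALL=(ALL) NOPASSWD:ALL" (the post's rule)
sudoers_rule() {
    user="$1"; nopasswd="$2"; cmds="${3:-ALL}"
    if [ "$nopasswd" = yes ]; then
        printf '%s ALL=(ALL) NOPASSWD:%s\n' "$user" "$cmds"
    else
        printf '%s ALL=(ALL) %s\n' "$user" "$cmds"
    fi
}

# Write the rule to a temp file, let visudo parse it, then install it root:root 0440.
# A syntax error in a live sudoers.d file can lock everyone out of sudo, hence the check.
install_sudoers_dropin() {
    name="$1"; user="$2"; nopasswd="$3"; cmds="$4"
    sudoers_name_ok "$name" || { echo "refusing drop-in name: $name" >&2; return 1; }
    tmp=$(mktemp) || return 1
    sudoers_rule "$user" "$nopasswd" "$cmds" > "$tmp"
    if ! visudo -cf "$tmp" >/dev/null; then
        rm -f "$tmp"
        echo "visudo rejected the rule, nothing installed" >&2
        return 1
    fi
    install -o root -g root -m 0440 "$tmp" "/etc/sudoers.d/$name"
    rc=$?
    rm -f "$tmp"
    # Show what the user can now run, so the grant can be reviewed immediately.
    [ "$rc" -eq 0 ] && sudo -l -U "$user"
    return "$rc"
}

# Usage (as root): install_sudoers_dropin sudo-tigergaotest tigergaotest yes ALL
```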