1. Two-factor SSH authentication with PAM and the Google Authenticator module.
- Search your phone's app store for "Authenticator" and install the app
Official site: https://github.com/google/google-authenticator-android
# Install
[root@localhost ~]# yum -y install epel-release
[root@localhost ~]# yum -y install google-authenticator
# Configure
[root@localhost ~]# google-authenticator
Do you want authentication tokens to be time-based (y/n) y
Warning: pasting the following URL into your browser exposes the OTP secret to Google:
# Open this URL in a browser, then open the authenticator app on the phone and scan the QR code to enroll the account
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/root@localhost.localdomain%3Fsecret%3DJHMRPIYCOXPL2I3MIJI2N2MABE%26issuer%3Dlocalhost.localdomain
Failed to use libqrencode to show QR code visually for scanning.
Consider typing the OTP secret into your app manually.
Your new secret key is: JHMRPIYCOXPL2I3MIJI2N2MABE
# Enter the code shown in the phone app; answer y to all remaining prompts
Enter code from app (-1 to skip): 183942
Code confirmed
Your emergency scratch codes are:
86312869
28402767
18459417
61247087
91401033
[root@localhost ~]# vim /etc/pam.d/sshd
auth required pam_google_authenticator.so
[root@localhost ~]# vim /etc/ssh/sshd_config
ChallengeResponseAuthentication yes
[root@localhost ~]# systemctl restart sshd
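A configuration check for the setup above, added here as an example and not part of the original notes. It reads the PAM stack, sshd_config and the user's ~/.google_authenticator file (all three paths are arguments, so it can be run on copies); the checks on UsePAM, AuthenticationMethods and the secret file's mode are this example's own additions, not steps from the notes.

```shell
# Added example, not part of the original notes: sanity-check the section-1
# setup by reading the PAM sshd stack, sshd_config and the user's
# ~/.google_authenticator. Paths are arguments so it can run on copies.
#   check_ssh_2fa /etc/pam.d/sshd /etc/ssh/sshd_config /root/.google_authenticator
check_ssh_2fa() {
    pam="$1"; sshd="$2"; secret="$3"; rc=0

    # 1. The module must be 'required'; 'sufficient' would let a failure be
    #    masked by a later module in the stack.
    if grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_google_authenticator\.so' "$pam"; then
        echo "ok: pam_google_authenticator.so required in $pam"
    else
        echo "FAIL: no 'auth required pam_google_authenticator.so' in $pam"; rc=1
    fi

    # 2. sshd must route the OTP prompt through PAM: both keys yes
    #    (the last effective value in sshd_config wins).
    for key in ChallengeResponseAuthentication UsePAM; do
        val=$(awk -v k="$key" 'tolower($1)==tolower(k){v=$2} END{print v}' "$sshd")
        if [ "$val" = "yes" ]; then
            echo "ok: $key yes"
        else
            echo "FAIL: $key is '${val:-unset}', expected yes"; rc=1
        fi
    done

    # 3. Publickey-only logins never run the PAM auth stack, so the OTP is
    #    skipped unless AuthenticationMethods also demands keyboard-interactive.
    if grep -Eiq '^[[:space:]]*AuthenticationMethods[[:space:]]+.*keyboard-interactive' "$sshd"; then
        echo "ok: AuthenticationMethods requires keyboard-interactive"
    else
        echo "WARN: no AuthenticationMethods line; key-based logins bypass the OTP"
    fi

    # 4. The secret file holds the TOTP seed and scratch codes: owner-only.
    if [ -f "$secret" ]; then
        mode=$(stat -c %a "$secret" 2>/dev/null || stat -f %Lp "$secret")
        case "$mode" in
            400|600) echo "ok: $secret mode $mode" ;;
            *) echo "FAIL: $secret mode $mode, expected 400"; rc=1 ;;
        esac
    else
        echo "FAIL: $secret missing (run google-authenticator as that user)"; rc=1
    fi
    return $rc
}
```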
2. Intranet time synchronisation with chrony (node1 syncs from the Internet; all other machines sync from node1).
# server
[root@localhost ~]# timedatectl set-timezone Asia/Shanghai
[root@localhost ~]# yum -y install chrony
[root@localhost ~]# vim /etc/chrony.conf
server ntp1.aliyun.com iburst
server ntp2.aliyun.com iburst
allow 172.16.0.0/24
[root@localhost ~]# systemctl restart chronyd
# client
[root@localhost ~]# timedatectl set-timezone Asia/Shanghai
[root@localhost ~]# yum -y install chrony
[root@localhost ~]# vim /etc/chrony.conf
server 172.16.0.1 iburst
[root@localhost ~]# systemctl restart chronyd
# List the time sources
[root@localhost ~]# chronyc sources -v
# Show per-source statistics (offset and drift estimates)
[root@localhost ~]# chronyc sourcestats -v
# Show how the system clock is tracking the selected source
[root@localhost ~]# chronyc tracking
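A health check for the client side of section 2, added here as an example and not part of the original notes. It parses saved output of chronyc sources and chronyc tracking (the column positions and "Leap status" / "System time" fields are as chronyc prints them; the 0.5 s threshold is this example's own choice), and is worth running before the section-1 OTP setup, since TOTP codes are time-based.

```shell
# Added example, not part of the original notes: decide whether a client set up
# as in section 2 is really synchronised, from saved 'chronyc sources' and
# 'chronyc tracking' output. Section 1's TOTP codes are time-based, so a node
# with a drifting clock will reject valid codes; this is the check to run first.
#   chronyc sources > s.txt; chronyc tracking > t.txt; chrony_health s.txt t.txt 0.5
chrony_health() {
    src="$1"; trk="$2"; limit="${3:-0.5}"; rc=0

    # '^*' marks the source chrony follows; Reach 377 (octal) means the last
    # eight polls all got a reply. Columns: MS Name Stratum Poll Reach ...
    sel=$(awk '$1=="^*"{print $2, $5}' "$src")
    if [ -z "$sel" ]; then
        echo "FAIL: no selected (^*) source; check 'allow' on the server and 'server' here"; rc=1
    else
        set -- $sel
        if [ "$2" = "377" ]; then echo "ok: following $1, reach 377"
        else echo "WARN: following $1 but reach is $2, some polls are failing"; fi
    fi

    # 'Leap status : Normal' means the clock is disciplined; a fresh client
    # shows 'Not synchronised' until its first successful exchange.
    leap=$(awk -F': *' '/^Leap status/{print $2}' "$trk")
    if [ "$leap" = "Normal" ]; then echo "ok: leap status Normal"
    else echo "FAIL: leap status '${leap:-unset}'"; rc=1; fi

    # 'System time : 0.000123 seconds slow of NTP time' -> take the number.
    off=$(awk -F': *' '/^System time/{print $2+0}' "$trk")
    if [ -n "$off" ] && awk -v o="$off" -v l="$limit" 'BEGIN{exit !(o<=l)}'; then
        echo "ok: offset ${off}s within ${limit}s"
    else
        echo "FAIL: offset '${off:-unset}' exceeds ${limit}s"; rc=1
    fi
    return $rc
}
```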
3. Automated OS installation with Cobbler.
1. Environment
One host acts as the Cobbler, HTTP, DHCP and TFTP server
One host acts as the test machine on which Linux is installed automatically
2. Installation and configuration
[root@localhost ~]# yum -y install epel-release
[root@localhost ~]# yum -y install cobbler httpd tftp-server dhcp cobbler-web pykickstart
# Configure DHCP
[root@localhost ~]# \cp /usr/share/doc/dhcp-4.2.5/dhcpd.conf.example /etc/dhcp/dhcpd.conf
[root@localhost ~]# vim /etc/dhcp/dhcpd.conf
option domain-name "example.org";
option domain-name-servers 202.101.172.35, 202.101.172.47;
default-lease-time 600;
max-lease-time 7200;
subnet 172.16.0.0 netmask 255.255.255.0 {
range 172.16.0.100 172.16.0.200;
option routers 172.16.0.254;
next-server 172.16.0.7;
filename "pxelinux.0";
}
[root@localhost ~]# vim /etc/cobbler/dhcp.template
subnet 172.16.0.0 netmask 255.255.255.0 {
option routers 172.16.0.254;
option domain-name-servers 202.101.172.35,202.101.172.47;
option subnet-mask 255.255.255.0;
range dynamic-bootp 172.16.0.100 172.16.0.200;
[root@localhost ~]# systemctl enable --now cobblerd httpd tftp dhcpd
# Configure cobbler
[root@localhost ~]# cobbler check
The following are potential configuration items that you may want to fix:
1 : The 'server' field in /etc/cobbler/settings must be set to something other than localhost, or kickstarting features will not work. This should be a resolvable hostname or IP for the boot server as reachable by all machines that will use it.
2 : For PXE to be functional, the 'next_server' field in /etc/cobbler/settings must be set to something other than 127.0.0.1, and should match the IP of the boot server on the PXE network.
3 : SELinux is enabled. Please review the following wiki page for details on ensuring cobbler works correctly in your SELinux environment:
https://github.com/cobbler/cobbler/wiki/Selinux
4 : change 'disable' to 'no' in /etc/xinetd.d/tftp
5 : Some network boot-loaders are missing from /var/lib/cobbler/loaders, you may run 'cobbler get-loaders' to download them, or, if you only want to handle x86/x86_64 netbooting, you may ensure that you have installed a *recent* version of the syslinux package installed and can ignore this message entirely. Files in this directory, should you want to support all architectures, should include pxelinux.0, menu.c32, elilo.efi, and yaboot. The 'cobbler get-loaders' command is the easiest way to resolve these requirements.
6 : enable and start rsyncd.service with systemctl
7 : debmirror package is not installed, it will be required to manage debian deployments and repositories
8 : ksvalidator was not found, install pykickstart
9 : The default password used by the sample templates for newly installed machines (default_password_crypted in /etc/cobbler/settings) is still set to 'cobbler' and should be changed, try: "openssl passwd -1 -salt 'random-phrase-here' 'your-password-here'" to generate new one
10 : fencing tools were not found, and are required to use the (optional) power management features. install cman or fence-agents to use them
# Generate a new password hash; by default the root password of a freshly installed system is 'cobbler'
[root@localhost ~]# openssl passwd -1 '123456'
$1$UVbLtR0e$8g05R.RjO6n9nMnW6d94H.
# Of the items listed above, only 1, 2 and 8 need to be done
[root@localhost ~]# vim /etc/cobbler/settings
default_password_crypted: "$1$UVbLtR0e$8g05R.RjO6n9nMnW6d94H."
next_server: <IP address of the TFTP server>
server: <IP address of the Cobbler server>
manage_dhcp: 1 # set to 1 so that cobbler generates dhcpd.conf from its template
[root@localhost ~]# systemctl restart cobblerd
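A re-check of settings items 1, 2 and 9 from the cobbler check output above, added here as an example and not part of the original notes. It reads /etc/cobbler/settings (or any copy passed as the argument); the stock default hash it compares against is assumed to be the one shipped in the cobbler 2.x settings file, so compare it with your own copy.

```shell
# Added example, not part of the original notes: re-verify items 1, 2 and 9 of
# the 'cobbler check' output after editing /etc/cobbler/settings, so a stale
# value is caught before 'cobbler sync'. The stock hash below is assumed to be
# the one shipped in the cobbler 2.x settings file; compare with your copy.
#   check_cobbler_settings /etc/cobbler/settings
check_cobbler_settings() {
    f="$1"; rc=0
    stock_hash='$1$mF86/UHC$WvcIcX2t6crBz2onWxyac.'

    # Read a top-level 'key: value' line, dropping quotes and trailing comments.
    get() { awk -v k="$1" -F': *' '$1==k{sub(/[[:space:]]*#.*/,"",$2); gsub(/"/,"",$2); print $2; exit}' "$2"; }

    server=$(get server "$f")
    case "$server" in
        ""|localhost|127.0.0.1) echo "FAIL: server is '${server:-unset}'; set the cobbler host's reachable IP or name"; rc=1 ;;
        *) echo "ok: server $server" ;;
    esac

    next=$(get next_server "$f")
    case "$next" in
        ""|127.0.0.1) echo "FAIL: next_server is '${next:-unset}'; set the TFTP server's IP on the PXE network"; rc=1 ;;
        *) echo "ok: next_server $next" ;;
    esac

    hash=$(get default_password_crypted "$f")
    if [ -z "$hash" ] || [ "$hash" = "$stock_hash" ]; then
        echo "FAIL: default_password_crypted is still the shipped default (root password 'cobbler')"; rc=1
    else
        echo "ok: default_password_crypted changed"
        # 'openssl passwd -1' yields MD5-crypt ($1$); prefer SHA-512 ($6$) where available.
        case "$hash" in '$1$'*) echo "WARN: hash is MD5-crypt (\$1\$), weaker than SHA-512 (\$6\$)" ;; esac
    fi

    if [ "$(get manage_dhcp "$f")" = "1" ]; then echo "ok: manage_dhcp 1, cobbler will write dhcpd.conf"
    else echo "WARN: manage_dhcp is not 1; /etc/cobbler/dhcp.template will not be applied"; fi
    return $rc
}
```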
[root@localhost ~]# cobbler get-loaders
[root@localhost ~]# ls /var/lib/cobbler/loaders/
COPYING.elilo COPYING.syslinux COPYING.yaboot elilo-ia64.efi grub-x86_64.efi grub-x86.efi menu.c32 pxelinux.0 README yaboot
[root@localhost ~]# cobbler sync
[root@localhost ~]# tree /var/lib/tftpboot/
/var/lib/tftpboot/
├── boot
│ └── grub
│ └── menu.lst
├── etc
├── grub
│ ├── efidefault
│ ├── grub-x86_64.efi
│ ├── grub-x86.efi
│ └── images -> ../images
├── images
├── images2
├── memdisk
├── menu.c32
├── ppc
├── pxelinux.0
├── pxelinux.cfg
│ └── default
├── s390x
│ └── profile_list
└── yaboot
10 directories, 10 files
# The menu title can be changed
[root@localhost ~]# vim /etc/cobbler/pxe/pxedefault.template
MENU TITLE Cobbler | http://www.centos.org/
[root@localhost ~]# cobbler sync
# Mount the install media and import the distribution
[root@localhost ~]# mount /dev/sr0 /mnt/
[root@localhost ~]# cobbler import --name=CentOS-7-x86_64-Minimal-2009 --path=/mnt/ --arch=x86_64
# Prepare the kickstart file and point it at the imported install tree
[root@localhost ~]# vim /var/lib/cobbler/kickstarts/centos7.cfg
url --url=$tree # note: this line is required
# Associate the kickstart file with the imported distro and generate the menu entry
[root@localhost ~]# cobbler distro list
[root@localhost ~]# cobbler profile add --name=CentOS-7-Minimal --distro=CentOS-7-Minimal-2009-x86_64 --kickstart=/var/lib/cobbler/kickstarts/centos7.cfg
Test automated installation on the client via Cobbler