参考Centralized authorized_keys (AuthorizedKeysFile) for sshdssh key management
需求 登录用户有3类权限,访客权限,部署权限,管理权限. 访客权限为最小权限,仅能对登录用户目录进行读写,对其他用户目录只读,系统目录无读写. 部署权限对app部署用户目录具有读写权限(程序不依赖系统服务,如java -jar 程序). 管理权限对系统目录具读写权限(程序依赖系统服务,nginx, mysql, tomcat).
不同主机对不同用户权限不同。 运维组具有管理权限,业务组管理的主机具有部署权限或者管理权限,访客权限一般不开,除非有特殊要求,如需要查看部署结果.
usergroupsudo app?sudo root?sudo su?adminadmyyywebappyyndbnyntestnnn生成服务器匙
ssh-keygen -t rsa -f /tmp/admin # /tmp/admin & /tmp/admin.pub ssh-keygen -t rsa -f /tmp/test # /tmp/test & /tmp/test.pub ssh-keygen -t rsa -f /tmp/web # /tmp/web & /tmp/web.pub ssh-keygen -t rsa -f /tmp/db # /tmp/db & /tmp/db.pub目标服务器
# /etc/ssh/sshd_config Port 60022 ListenAddress 192.168.100.100 # 绑定主机内网地址 PermitRootLogin no # without-password AuthorizedKeysFile /etc/ssh/authorized_keys/%u PasswordAuthentication no GSSAPIAuthentication no GSSAPIKeyExchange no GSSAPIStoreCredentialsOnRekey no GSSAPICleanupCredentials no GSSAPIStrictAcceptorCheck no ChallengeResponseAuthentication no UsePAM yes UseDNS no mkdir /etc/ssh/authorized_keys # 建立key目录 /etc/init.d/sshd restart # 重启ssh服务 useradd -u 500 -d /opt/app app # 建立部署用户app, 用户id 500, 用户目录/opt/app chmod 755 /opt/app # 改变用户权限为755 useradd -u 501 admin # 建立登录用户admin, 用户id 501 cp /tmp/admin.pub /etc/ssh/authorized_keys/admin # 拷贝用户公匙到key目录,文件名为用户名 chmod 644 /etc/ssh/authorized_keys/admin # 改变key权限为644 ssh -i /tmp/admin admin@192.168.100.100 # 测试key登录非wheel组成员禁用su
/etc/pam.d/su #auth required pam_wheel.so use_uid auth required pam_wheel.so use_uid usermod -G adm admin usermod -G web appsudo配置
/etc/sudoers.d/security # User alias specification User_Alias ADMIN = admin User_Alias SERVICE = db User_Alias APP = web # Cmnd alias specification Cmnd_Alias SU = /bin/su # Cmnd alias specification Cmnd_Alias SU = /bin/su # User specification ADMIN ALL=(ALL) NOPASSWD: ALL, !SU APP ALL=(ALL) NOPASSWD: !SU, /bin/chgrp, /bin/chmod, /bin/chown, (app) NOPASSWD: ALL SERVICE ALL=(ALL) NOPASSWD: !SU, /bin/chgrp, /bin/chmod, /bin/chown, (app) NOPASSWD: ALL # nginx %SERVICE ALL =(ALL) NOPASSWD: /etc/init.d/nginx start %SERVICE ALL =(ALL) NOPASSWD: /etc/init.d/nginx stop %SERVICE ALL =(ALL) NOPASSWD: /etc/init.d/nginx restart %SERVICE ALL =(ALL) NOPASSWD: /etc/init.d/nginx reload %SERVICE ALL =(ALL) NOPASSWD: /etc/init.d/nginx status # php-fpm %SERVICE ALL =(ALL) NOPASSWD: /etc/init.d/php-fpm start %SERVICE ALL =(ALL) NOPASSWD: /etc/init.d/php-fpm stop %SERVICE ALL =(ALL) NOPASSWD: /etc/init.d/php-fpm restart %SERVICE ALL =(ALL) NOPASSWD: /etc/init.d/php-fpm reload %SERVICE ALL =(ALL) NOPASSWD: /etc/init.d/php-fpm status # apache %SERVICE ALL =(ALL) NOPASSWD: /etc/init.d/httpd start %SERVICE ALL =(ALL) NOPASSWD: /etc/init.d/httpd stop %SERVICE ALL =(ALL) NOPASSWD: /etc/init.d/httpd restart %SERVICE ALL =(ALL) NOPASSWD: /etc/init.d/httpd reload %SERVICE ALL =(ALL) NOPASSWD: /etc/init.d/httpd status # mysql %SERVICE ALL =(ALL) NOPASSWD: /etc/init.d/mysqld start %SERVICE ALL =(ALL) NOPASSWD: /etc/init.d/mysqld stop %SERVICE ALL =(ALL) NOPASSWD: /etc/init.d/mysqld restart %SERVICE ALL =(ALL) NOPASSWD: /etc/init.d/mysqld reload %SERVICE ALL =(ALL) NOPASSWD: /etc/init.d/mysqld status # web sudo -u app vim /opt/app/1.txt sudo su - posted on 2014-11-18 15:04 北京涛子 阅读( ...) 评论( ...) 编辑 收藏转载于:https://www.cnblogs.com/liujitao79/p/4105834.html
