Jumper (jump host) and remote host configuration notes

1. Jumper-server

  Login methods

  ssh user@ip    [default port 22; if user is omitted, the name of the current local account is used]

  ssh -l user ip -p port    [log in with a specified user on a specified port]

  ssh hostname    [log in by host name; requires adding the host to the hosts file on the jump host: vim /etc/hosts]

2. app1-server

  Locate the ssh binary

  [root@app1-server ~]# which ssh

  /usr/bin/ssh

  Find the package that owns sshd

  [root@app1-server ~]# rpm -qf /usr/sbin/sshd 

  openssh-server-5.3p1-123.el6_9.x86_64

  List the files installed by the package

  [root@app1-server ~]# rpm -ql openssh-server
  /etc/pam.d/ssh-keycat
  /etc/pam.d/sshd
  /etc/rc.d/init.d/sshd
  /etc/ssh/sshd_config
  /etc/sysconfig/sshd
  /usr/libexec/openssh/sftp-server
  /usr/libexec/openssh/ssh-keycat
  /usr/sbin/.sshd.hmac
  /usr/sbin/sshd
  /usr/share/doc/openssh-server-5.3p1
  /usr/share/doc/openssh-server-5.3p1/HOWTO.ssh-keycat
  /usr/share/man/man5/moduli.5.gz
  /usr/share/man/man5/sshd_config.5.gz
  /usr/share/man/man8/sftp-server.8.gz
  /usr/share/man/man8/sshd.8.gz
  /var/empty/sshd


3. Tasks

1) Disable remote login for the root account

On app1-server, look up the relevant configuration parameter with man 5 before editing

[root@app1-server ~]# man 5 sshd_config    [search for the keyword Root]


PermitRootLogin
Specifies whether root can log in using ssh(1). The argument must be “yes”, “without-password”, “forced-commands-only”, or “no”.
The default is “yes”.

If this option is set to “without-password”, password authentication is disabled for root.

If this option is set to “forced-commands-only”, root login with public key authentication will be allowed, but only if the command
option has been specified (which may be useful for taking remote backups even if root login is normally not allowed). All other
authentication methods are disabled for root.

Edit the configuration file

[root@app1-server ~]# vim /etc/ssh/sshd_config    [copy the PermitRootLogin line, change yes to no and remove the leading comment mark; keep the original line as a reference]

#PermitRootLogin yes
PermitRootLogin no

After the change, restart the sshd service

[root@app1-server ~]# /etc/init.d/sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
[root@app1-server ~]#

Verify from the jump host: the root account can no longer log in, while the pos1 account can.


Note: after logging in as a non-root account, su - root can be used to switch to the root account.


2) Log in on a specified port

First check whether the port is already in use

netstat -a|grep 10022

ss -a|grep 10022

lsof -i :10022

grep 10022 /etc/services

Edit the configuration file

vim /etc/ssh/sshd_config

#Port 22
Port 10022

Restart the service

[root@app1-server ~]# /etc/init.d/sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]


Test and verify from the jump host
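The PermitRootLogin and Port edits from tasks 1 and 2 done as a script, with a syntax check before the restart step. This is an added example, not code from the original post; the sample config file and the functions set_sshd_option, get_sshd_option and check_sshd_config are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): the two sshd_config edits from
# the tasks above (PermitRootLogin no, Port 10022) done by script instead of
# by hand in vim, keeping the old line as a comment the way the post does, plus
# a syntax check before the "/etc/init.d/sshd restart" step. The config file
# below is a constructed sample, not app1-server's real /etc/ssh/sshd_config.
set -eu

# set_sshd_option FILE KEY VALUE: comment out every active "KEY ..." line, then
# append "KEY VALUE". sshd uses the FIRST value it reads for a keyword, so an
# active "Port 22" left above an appended "Port 10022" would silently win;
# commenting the old line out is what makes the new value take effect.
set_sshd_option() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp)
    sed 's/^[[:space:]]*\('"$key"'[[:space:]][[:space:]]*.*\)$/#\1/' "$file" > "$tmp"
    printf '%s %s\n' "$key" "$value" >> "$tmp"
    mv "$tmp" "$file"
}

# get_sshd_option FILE KEY: print the value sshd would apply, i.e. the first
# active "KEY value" line (assumes "Key value" syntax and no Match blocks).
get_sshd_option() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# check_sshd_config FILE: let sshd parse the file before restarting it; a typo
# noticed only after the restart can leave no way back in over ssh.
check_sshd_config() {
    if command -v sshd >/dev/null 2>&1; then
        sshd -t -f "$1" || echo "sshd rejected $1, do not restart" >&2
    else
        echo "sshd not installed here, skipping syntax check" >&2
    fi
}

# Constructed sample config (the state of app1-server before the edits).
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
#Port 22
PermitRootLogin yes
X11Forwarding yes
EOF
set_sshd_option "$demo_conf" PermitRootLogin no
set_sshd_option "$demo_conf" Port 10022
check_sshd_config "$demo_conf"
cat "$demo_conf"
```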


3) Generate random passwords

Install pwgen-2.08-1.el6.x86_64.rpm

Of the two machines, only jumper-server can reach the internet, so configure a network yum repository there to download and install the package

[root@jumper-server yum.repos.d]# cat epel.repo
[epel]
name=xxx
baseurl=http://mirrors.aliyun.com/epel/6/x86_64/
enabled=1
gpgcheck=0

Also edit /etc/yum.conf and change keepcache from 0 to 1, so that the downloaded rpm package is kept under cachedir after installation

[root@jumper-server yum.repos.d]# cat /etc/yum.conf
[main]
cachedir=/var/cache/yum/$basearch/$releasever
keepcache=1


Use scp to copy the rpm package from jumper-server to the internal machine, app1-server


Generate passwords with the pwgen tool

[root@app1-server tmp]# pwgen -help
Usage: pwgen [ OPTIONS ] [ pw_length ] [ num_pw ]

Options supported by pwgen:
-c or --capitalize
Include at least one capital letter in the password
-A or --no-capitalize
Don't include capital letters in the password
-n or --numerals
Include at least one number in the password
-0 or --no-numerals
Don't include numbers in the password
-y or --symbols
Include at least one special symbol in the password
-r <chars> or --remove-chars=<chars>
Remove characters from the set of characters to generate passwords
-s or --secure
Generate completely random passwords
-B or --ambiguous
Don't include ambiguous characters in the password
-h or --help
Print a help message
-H or --sha1=path/to/file[#seed]
Use sha1 hash of given file as a (not so) random generator
-C
Print the generated passwords in columns
-1
Don't print the generated passwords in columns
-v or --no-vowels
Do not use any vowels so as to avoid accidental nasty words
[root@app1-server tmp]# pwgen -s1 11 10  
aT3KX2FgM7W
GnccCWfm4fQ
kUt4UY2ml3M
kMFDK3k7DS4
FymEft2Hd06
1VvwX3SPzcE
0tC36jmUZtg
w2z7mVUN07c
PFr2hQ0fZRZ
PVdAAhqR5nB
[root@app1-server tmp]#


posted @ 2019-07-18 17:08  风行者云僧