1. 生成sshkey
# One key pair per role. ssh-keygen writes <role>.pem (private key, created
# mode 0600) and <role>.pem.pub (public key, pasted into authorized_keys in
# steps 2/3). -N '' means NO passphrase — a deliberate choice for unattended
# automation, so the .pem files must stay out of shared storage and VCS.
for role in root ansible app; do
  ssh-keygen -f "${role}.pem" -N '' -C "${role}@local"
done
2. 用户ansible
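# Create the ansible login and install its public key.
# -m creates /home/ansible (from /etc/skel) owned by ansible. Without it,
# useradd only creates the home directory on distros whose login.defs sets
# CREATE_HOME, and a later mkdir -p would leave /home/ansible owned by root.
useradd -m ansible
# install -d creates the directory with mode and owner in one step.
install -d -m 700 -o ansible -g ansible /home/ansible/.ssh
# An authorized_keys entry must be ONE line ("ssh-rsa <base64> comment");
# a key wrapped across several lines is never matched by sshd.
# Paste the contents of ansible.pem.pub (from step 1) as a single line.
# The quoted delimiter keeps the heredoc literal (no $ expansion).
cat > /home/ansible/.ssh/authorized_keys <<'EOF'
ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ansible@local
EOF
# sshd (StrictModes) rejects keys that are group/world readable or not owned
# by the user or root.
chmod 600 /home/ansible/.ssh/authorized_keys
chown -R ansible:ansible /home/ansible/.ssh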
3. 用户app
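# Create the app login and install its public key.
# -m creates /home/app (from /etc/skel) owned by app. Without it, useradd
# only creates the home directory on distros whose login.defs sets
# CREATE_HOME, and a later mkdir -p would leave /home/app owned by root.
useradd -m app
# install -d creates the directory with mode and owner in one step.
install -d -m 700 -o app -g app /home/app/.ssh
# An authorized_keys entry must be ONE line ("ssh-rsa <base64> comment");
# a key wrapped across several lines is never matched by sshd.
# Paste the contents of app.pem.pub (from step 1) as a single line.
# The quoted delimiter keeps the heredoc literal (no $ expansion).
cat > /home/app/.ssh/authorized_keys <<'EOF'
ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx app@local
EOF
# sshd (StrictModes) rejects keys that are group/world readable or not owned
# by the user or root.
chmod 600 /home/app/.ssh/authorized_keys
chown -R app:app /home/app/.ssh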
4. 部署目录
# Deployment root, handed to the unprivileged app account. The chown only
# runs when the directory exists (created or pre-existing).
deploy_dir=/opt/app
if mkdir -p -- "$deploy_dir"; then
  chown -R app:app -- "$deploy_dir"
fi
5. 变更ssh端口29922 (略)
6. sudo
# Both service accounts join wheel (typically the sudo-capable group on
# RHEL-family systems); usermod -a -G appends without dropping existing
# groups.
usermod -a -G wheel ansible
usermod -a -G wheel app
# 744 drops the setuid bit and the execute bit for group/other, so only root
# can run su at all. An upgrade of the package that owns /usr/bin/su will
# normally restore 4755, so this must be re-applied after updates (or
# enforced by configuration management).
chmod 744 /usr/bin/su
# Block switching to root
# NOTE(review): the line below is /etc/sudoers syntax, not shell — add it with
# visudo (or as a file under /etc/sudoers.d/), never by running it. A Cmnd_Alias
# grants or denies nothing on its own until a rule references it, and sudoers(5)
# documents that a negated command list is not a security boundary for accounts
# that already hold ALL (as wheel members usually do). Prefer a rule listing only
# the commands ansible and app actually need.
Cmnd_Alias DISABLE_SU = /usr/bin/su, /bin/bash
7. 登录
# sshd listens on 29922 after step 5, so every login names the port.
# One private key per account, generated in step 1.
ssh -p 29922 -i root.pem    root@srv-001
ssh -p 29922 -i ansible.pem ansible@srv-001
ssh -p 29922 -i app.pem     app@srv-001