Configuring a login server on CentOS 7
Overview
This document describes how to configure a CentOS 7 host as a login server, that is, a jump host from which the other servers are administered.
In automated operations and maintenance, when Ansible manages servers over SSH, Ansible is typically deployed on the login server. Logins from the login server to the managed servers then use an SSH key rather than a password.
Configuration process
1. As root, create a new user named ops and set its password
# useradd ops
# passwd ops
2. Configure sudo so that the ops user can run sudo without a password.
# visudo
Add the line ops ALL=(ALL) NOPASSWD:ALL after the root entry, so that the section reads:
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
ops ALL=(ALL) NOPASSWD:ALL
NOPASSWD:ALL means that anyone who obtains the ops private key has root on this host without knowing any further secret. If Ansible only needs a limited set of commands, restrict the command list in this line instead of granting ALL.
3. Generate an SSH key pair for the ops user
# su - ops
$ ssh-keygen -t ed25519
Do not use -t dsa here: DSA SSH keys are fixed at 1024 bits and are disabled by default in OpenSSH 7.0 and later (CentOS 7.4 and later ship OpenSSH 7.4), so such a key is both weak and rejected by current managed hosts. Ed25519 keys are supported since OpenSSH 6.5, which covers every CentOS 7 release; if a legacy target cannot accept them, fall back to -t rsa -b 4096.
- The key pair is written to
/home/ops/.ssh/ (id_ed25519 and id_ed25519.pub)
- When prompted while generating the key, enter a passphrase for the private key
For security reasons, do not leave the passphrase empty: a copy of an unprotected private key taken from the login server gives immediate access to every managed host. With a passphrase set, the passphrase must be entered each time the private key is used; step 6 below caches it in an agent so that this happens only once per boot.
4. Create the user on the managed server
Create an ops user on the managed server and set its password
# useradd ops
# passwd ops
Configure sudo in the same way
# visudo
Add the line ops ALL=(ALL) NOPASSWD:ALL after the root entry, so that the section reads:
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
ops ALL=(ALL) NOPASSWD:ALL
On the managed server this is the line that lets Ansible escalate to root, and the same warning applies: the ops key is effectively a root credential for every host that carries it.
5. Upload the public key
On the login server, as the ops user, copy the public key generated in step 3 (id_ed25519.pub for an ed25519 key) to the managed server. Replace the IP address below with that of your managed server. ssh-copy-id asks once for the ops password on the managed server and appends the key to /home/ops/.ssh/authorized_keys there.
$ ssh-copy-id -i /home/ops/.ssh/id_ed25519.pub ops@192.168.1.200
At this point you can log in to the managed server with the private key instead of the password. Entering the passphrase at every login is inconvenient, however, so the next step configures keychain to keep the decrypted key in an ssh-agent.
6. Configure keychain
Install keychain on the login server. It is not in the base CentOS 7 repositories; the commands below enable a third-party repository. Enabling a third-party repository on the login server extends trust to its maintainer and the release package is fetched over plain HTTP, so verify the package's GPG signature before installing it, and prefer a repository you already trust if it carries the package.
# rpm -Uvh http://packages.psychotic.ninja/7/base/x86_64/RPMS/psychotic-release-1.0.0-1.el7.psychotic.noarch.rpm
Then install keychain
# yum --enablerepo=psychotic install keychain
Edit /home/ops/.bash_profile and add the following lines (the first names the private key generated in step 3):
/usr/bin/keychain ~/.ssh/id_ed25519
source ~/.keychain/$HOSTNAME-sh > /dev/null
keychain starts an ssh-agent, or reuses one that is already running, and adds the key to it; the second line imports the agent's socket and PID into the current shell. After each reboot of the login server, the first login of the ops user prompts for the private key passphrase. From then on the decrypted key stays in the agent, so later logins and later uses of the private key (including Ansible runs) do not prompt again.
The trade-off is that the key remains usable from the agent until the next reboot, or until it is removed with keychain --clear or ssh-add -D: anyone who gains control of the ops account or of root on the login server can use it without knowing the passphrase. The login server must therefore be hardened and monitored as the root credential store it has become.
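The login-server side of steps 1 to 6 as one script, added here as an example and not part of the original article. It assumes a CentOS 7 host with sudo and openssh-clients installed, reuses the article's user name ops and managed-server address 192.168.1.200 as defaults, and makes the choices discussed above: an ed25519 key instead of DSA, a sudoers drop-in under /etc/sudoers.d that is validated with visudo -cf in a staging directory before it is installed (rather than editing /etc/sudoers by hand), and a keychain snippet that is appended only once so that re-running the script is safe. The function names (render_sudoers, install_sudoers_dropin, render_bash_profile_snippet, append_once, apply) are this example's own. Run it as root with --apply to make changes; without that flag it only defines the functions.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): login-server side of steps 1-6.
# Assumes CentOS 7 with sudo and openssh-clients. "ops" and 192.168.1.200 are the
# article's values, carried over as defaults. Function names are this example's own.
set -eu

OPS_USER="${OPS_USER:-ops}"

# sudoers line for the automation account. NOPASSWD:ALL is a deliberate trade-off:
# whoever holds the ops private key gets root on every host that carries this line.
render_sudoers() {
    printf '%s ALL=(ALL) NOPASSWD:ALL\n' "$1"
}

# Write the drop-in <dir>/<user> with the 0440 mode sudo insists on and print its path.
# Free of root-only calls so it can be exercised against a scratch directory.
install_sudoers_dropin() {
    local user="$1" dir="$2" file="$2/$1"
    mkdir -p "$dir"
    render_sudoers "$user" > "$file"
    chmod 0440 "$file"
    printf '%s\n' "$file"
}

# Lines for ~/.bash_profile: keychain asks for the passphrase once per boot and
# publishes the agent's socket via ~/.keychain/$HOSTNAME-sh for later logins.
render_bash_profile_snippet() {
    cat <<EOF
# keychain: cache the passphrase of $1 in ssh-agent across logins
/usr/bin/keychain $1
source ~/.keychain/\$HOSTNAME-sh > /dev/null
EOF
}

# Append the output of "cmd args..." to <file> unless <marker> is already in it,
# so re-running the script does not stack duplicate keychain lines.
append_once() {
    local file="$1" marker="$2"
    shift 2
    if ! grep -qF -- "$marker" "$file" 2>/dev/null; then
        "$@" >> "$file"
    fi
}

# Privileged steps (run as root with --apply). The sudoers file is validated in a
# staging directory first: a syntax error under /etc/sudoers.d locks everyone out of sudo.
apply() {
    local managed_host="${1:-192.168.1.200}"
    local home="/home/$OPS_USER"
    id "$OPS_USER" >/dev/null 2>&1 || useradd "$OPS_USER"
    local staging dropin
    staging="$(mktemp -d)"
    dropin="$(install_sudoers_dropin "$OPS_USER" "$staging")"
    visudo -cf "$dropin"
    install -m 0440 -o root -g root "$dropin" "/etc/sudoers.d/$OPS_USER"
    rm -rf "$staging"
    # ed25519 instead of the deprecated DSA; ssh-keygen prompts for the passphrase.
    su - "$OPS_USER" -c 'mkdir -p -m 0700 ~/.ssh; [ -f ~/.ssh/id_ed25519 ] || ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519'
    append_once "$home/.bash_profile" "/usr/bin/keychain" render_bash_profile_snippet "$home/.ssh/id_ed25519"
    chown "$OPS_USER:$OPS_USER" "$home/.bash_profile"
    # Prompts once for the ops password on the managed host; key logins work afterwards.
    su - "$OPS_USER" -c "ssh-copy-id -i ~/.ssh/id_ed25519.pub $OPS_USER@$managed_host"
}

if [ "${1:-}" = "--apply" ]; then
    apply "${2:-}"
fi
```

The managed-server side (step 4) is the same useradd and sudoers drop-in with the key appended by ssh-copy-id, so install_sudoers_dropin can be reused there unchanged; only the key generation and keychain parts belong on the login server.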