1. Add a regular user account

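As is well known, root on Linux has the highest privileges and can run any command. When working as root, a single moment of carelessness can delete something very important (the most frightening case being rm -rf /), and Linux, unlike Windows, has no recycle bin from which a deletion can be undone. It is therefore recommended to create a regular user account and log in as that user for everyday work. Only when root privileges are needed, raise the regular user's privileges temporarily with sudo, or switch to the root user with su - and exit immediately after the task is done.

Create a regular user, using example_user as the user name: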

useradd example_user && passwd example_user
# Add the user to the wheel group; the wheel group is used for sudo privileges
usermod -aG wheel example_user

 

2. Create the key pair used for authentication at ssh login

Assume the following scenario with three hosts:

  • node3    ip: 192.168.35.120
  • node4    ip: 192.168.35.130
  • node5    ip: 192.168.35.140

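The root user on node3 wants to log in with private keys: to node4 using a key protected by a passphrase, and to node5 using a key with no passphrase.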

# Configure login to node4 with a passphrase-protected key
# Generate a 4096-bit RSA key pair
[root@node3 .ssh]# ssh-keygen -b 4096
Generating public/private rsa key pair.
# Specify where to store the key
Enter file in which to save the key (/root/.ssh/id_rsa): /root/.ssh/node4_id_rsa
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/node4_id_rsa.
Your public key has been saved in /root/.ssh/node4_id_rsa.pub.

# Send the public key to host node4; it is appended to the end of the root user's ~/.ssh/authorized_keys file
[root@node3 .ssh]# ssh-copy-id -i /root/.ssh/node4_id_rsa.pub root@node4
The authenticity of host 'node4 (192.168.35.130)' can't be established.
ECDSA key fingerprint is a7:13:be:25:f5:b5:28:1f:ce:42:ea:6d:df:e2:1a:83.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@node4's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'root@node4'"
and check to make sure that only the key(s) you wanted were added.

# Log in remotely
[root@node3 .ssh]# ssh -i ~/.ssh/node4_id_rsa root@node4
Enter passphrase for key '/root/.ssh/node4_id_rsa': 
Last login: Fri Sep 14 23:21:48 2017 from 192.168.35.1

# Configure login to node5 without a passphrase
[root@node3 .ssh]# ssh-keygen -b 4096
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): /root/.ssh/node5_id_rsa
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/node5_id_rsa.
Your public key has been saved in /root/.ssh/node5_id_rsa.pub.
The key fingerprint is:
05:ef:46:a2:21:f1:26:28:af:bf:81:36:a7:7d:ed:2b root@node3

[root@node3 .ssh]# ssh-copy-id -i ~/.ssh/node5_id_rsa.pub root@node5
The authenticity of host 'node5 (192.168.35.140)' can't be established.
ECDSA key fingerprint is a7:13:be:25:f5:b5:28:1f:ce:42:ea:6d:df:e2:1a:83.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@node5's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'root@node5'"
and check to make sure that only the key(s) you wanted were added.

[root@node3 .ssh]# ssh -i ~/.ssh/node5_id_rsa root@node5
Last login: Fri Sep 14 22:45:22 2017 from 192.168.35.1
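
The ssh-copy-id output above asks you to check that only the keys you wanted were added. The script below is an added example, not part of the original post: it compares an authorized_keys file against the public keys you expect and reports every other entry. The function names and the sample key blobs are constructed for illustration.

```sh
#!/bin/sh
# Added example: list authorized_keys entries that match none of the expected
# public keys (the check ssh-copy-id asks for after installing a key).

# Print "tag<TAB>type<TAB>blob<TAB>comment" for every key line in the files.
# Leading options (from=..., command=...) are skipped by scanning for the
# first "keytype AAAA..." pair on the line.
extract_keys() {
    tag=$1; shift
    awk -v tag="$tag" '
        NF == 0 || $1 ~ /^#/ { next }
        {
            for (i = 1; i < NF; i++)
                if ($i ~ /^(ssh-|ecdsa-|sk-)/ && $(i + 1) ~ /^AAAA/) {
                    c = ""
                    for (j = i + 2; j <= NF; j++) c = (c == "" ? $j : c " " $j)
                    printf "%s\t%s\t%s\t%s\n", tag, $i, $(i + 1), (c == "" ? "(no comment)" : c)
                    next
                }
        }' "$@"
}

# audit_authorized_keys AUTH_FILE EXPECTED.pub...
# Prints one "UNEXPECTED type comment" line per unknown key; returns 1 if any.
audit_authorized_keys() {
    auth_file=$1; shift
    { extract_keys A "$@"; extract_keys K "$auth_file"; } |
    awk -F '\t' '
        $1 == "A"   { ok[$3] = 1; next }
        !($3 in ok) { printf "UNEXPECTED %s %s\n", $2, $4; bad = 1 }
        END         { exit bad + 0 }'
}

# Write constructed sample files (fake key blobs, not real keys) into DIR.
make_sample() {
    printf '%s\n' 'ssh-rsa AAAAB3NzaCONSTRUCTEDnode4 root@node3' > "$1/node4_id_rsa.pub"
    {
        echo '# constructed authorized_keys for root on node4'
        echo 'ssh-rsa AAAAB3NzaCONSTRUCTEDnode4 root@node3'
        echo 'from="192.168.35.1" ssh-ed25519 AAAAC3NzaCONSTRUCTEDother old laptop'
    } > "$1/authorized_keys"
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir"
audit_authorized_keys "$demo_dir/authorized_keys" "$demo_dir/node4_id_rsa.pub" ||
    echo "review the entries listed above"
rm -rf "$demo_dir"
```

On a real host, pass the target account's ~/.ssh/authorized_keys as the first argument and every public key file you installed on purpose as the remaining arguments.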