
Thursday, January 22, 2009

sudo examples

Example: using sudo to restrict which servers a user may log into over ssh (with ssh-agent handling the authentication)

1. Put the ssh authentication key under the s3op user
The private key is passphrase-protected.
On the other servers, install the matching public key in root's authorized_keys.
Start ssh-agent and load the key.
(Steps omitted.)


2. Configure sudo to restrict which servers can be logged into
User s3op1 may log into qa-app-1 and dev-app-? only.
User oracle may log into any machine.

Run visudo to edit the sudo configuration, then save and quit.
visudo
[root@MGT tmp]# visudo
[root@MGT tmp]# cat /etc/sudoers
Defaults logfile = /var/log/sudo.log
User_Alias ORACLE = oracle
User_Alias S3OP1 = s3op1
Runas_Alias S3OP = s3op
Cmnd_Alias SSH_QA_APP_1 = /usr/bin/ssh qa-app-1 *
Cmnd_Alias SSH_DEV_APP = /usr/bin/ssh dev-app-? *
Cmnd_Alias SSH_APP = SSH_QA_APP_1,SSH_DEV_APP
Cmnd_Alias SSH = /usr/bin/ssh
root ALL=(ALL) ALL
S3OP1 ALL = (S3OP) NOPASSWD: SSH_APP
ORACLE ALL = (S3OP) NOPASSWD: SSH
[root@MGT tmp]#
What the file does: Defaults logfile records every sudo invocation in /var/log/sudo.log. The User_Alias and Runas_Alias entries name the calling users and the target account (s3op, the owner of the key). SSH_QA_APP_1 and SSH_DEV_APP are command patterns: the trailing `*` matches whatever arguments follow the host name, and `?` matches exactly one character of the host name. SSH, written with no arguments, matches /usr/bin/ssh with any arguments at all. The last two rules let S3OP1 run only SSH_APP and ORACLE run SSH, both as s3op, from any host (ALL) and without a password (NOPASSWD).


3.
Set SSH_AUTH_SOCK in the s3op1 user's environment
The socket belongs to the agent started under s3op, so it only becomes usable after sudo has switched to that account. If env_reset is enabled in sudo (the default in later releases), SSH_AUTH_SOCK is stripped from the environment unless it is listed in env_keep.
[s3op1@MGT ~]$ SSH_AUTH_SOCK=/tmp/ssh-KGbqxg6150/agent.6150; export SSH_AUTH_SOCK;
[s3op1@MGT ~]$

Run sudo to log into qa-app-1 as root
sudo -u s3op /usr/bin/ssh qa-app-1 -x -l root "hostname;whoami"
[s3op1@MGT ~]$ sudo -u s3op /usr/bin/ssh qa-app-1 -x -l root "hostname;whoami"
QA-app-1
root
[s3op1@MGT ~]$

The dev-app-? servers can be reached as well
sudo -u s3op ssh dev-app-1 -x -l root "hostname;whoami"
sudo -u s3op ssh dev-app-2 -x -l root "hostname;whoami"
[s3op1@MGT ~]$ sudo -u s3op ssh dev-app-1 -x -l root "hostname;whoami"
DEV-app-1
root
[s3op1@MGT ~]$ sudo -u s3op ssh dev-app-2 -x -l root "hostname;whoami"
DEV-app-2
root
[s3op1@MGT ~]$

Logging into qa-app-2 is not allowed
sudo -u s3op ssh qa-app-2 -x
[s3op1@MGT ~]$ sudo -u s3op ssh qa-app-2 -x
Password:
Enter the current user s3op1's password here; sudo then prints:
Sorry, user s3op1 is not allowed to execute '/usr/bin/ssh qa-app-2 -x' as s3op on MGT.s3lab.mot.com.
[s3op1@MGT ~]$

The ssh command is matched against a wildcard pattern. The command line must look like `/usr/bin/ssh qa-app-1 *`, that is, there has to be at least one argument after the host name; with none, the login is refused:
sudo -u s3op ssh dev-app-1
[s3op1@MGT ~]$ sudo -u s3op ssh dev-app-1
Sorry, user s3op1 is not allowed to execute '/usr/bin/ssh dev-app-1' as s3op on MGT.s3lab.mot.com.
[s3op1@MGT ~]$

Add any argument, for example:
sudo -u s3op ssh dev-app-1 --
[s3op1@MGT ~]$ sudo -u s3op ssh dev-app-1 --
Password:
Last login: Thu Jan 22 08:46:55 2009 from mgt.s3lab.mot.com
Could not chdir to home directory /data/s3op: No such file or directory
-bash-3.00$
Now it logs in. This time the login is as s3op rather than root, and s3op's public key is only in root's authorized_keys on dev-app-1, so there is no automatic authentication and a password is required.

sudo can restrict logins this way, but it is clumsy, and the restriction is weak: sudoers(5) matches `*` across word boundaries, so everything after the host name is accepted, including options that ssh acts on locally (such as -o ProxyCommand=... or -F pointing at a user-supplied config file). Pinning the host with a trailing wildcard stops honest mistakes, not a determined user; the usual fix is a wrapper script that validates the host itself and takes the place of /usr/bin/ssh in the Cmnd_Alias.


4. The oracle user runs sudo
It is allowed to run the ssh command with no restriction on the arguments, so it can log into any machine.

sudo -u s3op ssh root@dev-app-1 "date"
[oracle@MGT ~]$ sudo -u s3op ssh root@dev-app-1 "date"
Thu Jan 22 08:52:11 GMT 2009
[oracle@MGT ~]$

sudo -u s3op ssh root@dev-blur-db-1 "date"
[oracle@MGT ~]$ sudo -u s3op ssh root@dev-blur-db-1 "date"
Thu Jan 22 08:52:33 GMT 2009
[oracle@MGT ~]$
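As an added example (not from the original post), the following shell script reproduces how sudo decides the allow/deny results shown in steps 2 to 4, and then shows the wrapper-script alternative that pins the host properly. It assumes the executable path /usr/bin/ssh that appears in sudo's error messages; the wrapper path /usr/local/bin/restricted-ssh, the sudoers rule in the comment and the DRY_RUN variable are hypothetical, introduced for illustration. Nothing in it opens an ssh connection.

```shell
#!/bin/sh
# Added example (not from the original post): emulate how sudo matches the
# Cmnd_Alias entries shown above, then show a wrapper that pins the host
# properly. Everything runs offline; no ssh connection is attempted.
#
# sudoers(5) joins the command's arguments into a single string and matches the
# Cmnd_Alias pattern against it with fnmatch(3)-style globbing, so '*' and '?'
# match across word boundaries. The shell's `case` uses the same glob syntax,
# which is enough to reproduce every allow/deny result seen on this page.

# sudoers_match PATTERN CMD [ARG...]  ->  returns 0 if sudo would allow it
sudoers_match() {
    pattern=$1
    shift
    case "$pattern" in
        *' '*) cmdline=$* ;;   # pattern constrains arguments: match the joined argv
        *)     cmdline=$1 ;;   # bare command in sudoers: any arguments are allowed
    esac                       # (sudoers' cmd "" meaning "no arguments" is not modeled)
    case "$cmdline" in
        $pattern) return 0 ;;  # unquoted on purpose so glob characters stay active
        *)        return 1 ;;
    esac
}

# The three command aliases from the sudoers file above.
SSH_QA_APP_1='/usr/bin/ssh qa-app-1 *'
SSH_DEV_APP='/usr/bin/ssh dev-app-? *'
SSH='/usr/bin/ssh'

# What a sudoers rule should point at instead of '/usr/bin/ssh host *':
# a wrapper with an anchored host allowlist, so nothing the caller types
# after sudo reaches ssh as an option. Hypothetical path and rule:
#   Cmnd_Alias SSH_APP = /usr/local/bin/restricted-ssh
#   S3OP1 ALL = (S3OP) NOPASSWD: SSH_APP
# restricted_ssh HOST [REMOTE_COMMAND...]   (set DRY_RUN=1 to print instead of exec)
restricted_ssh() {
    [ $# -ge 1 ] || { echo "usage: restricted-ssh HOST [COMMAND...]" >&2; return 2; }
    host=$1
    shift
    case "$host" in
        qa-app-1|dev-app-[0-9]) ;;   # exact names only; no wildcard tail to abuse
        *) echo "restricted-ssh: host '$host' not allowed" >&2; return 1 ;;
    esac
    # '--' ends option parsing, so a host or command can never be read as a flag;
    # -x and -l root are fixed here rather than supplied by the caller.
    set -- /usr/bin/ssh -x -l root -- "$host" "$@"
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
        return 0
    fi
    exec "$@"
}

# --- demo: replay the commands run on this page -----------------------------
show() {   # show PATTERN CMD [ARG...]
    if sudoers_match "$@"; then verdict=allowed; else verdict=denied; fi
    shift
    printf '%-8s %s\n' "$verdict" "$*"
}
show "$SSH_QA_APP_1" /usr/bin/ssh qa-app-1 -x -l root 'hostname;whoami'   # allowed
show "$SSH_QA_APP_1" /usr/bin/ssh qa-app-2 -x                              # denied
show "$SSH_DEV_APP"  /usr/bin/ssh dev-app-1            # denied: '*' needs the space before it
show "$SSH_DEV_APP"  /usr/bin/ssh dev-app-1 --         # allowed
show "$SSH_DEV_APP"  /usr/bin/ssh dev-app-10 --        # denied: '?' is exactly one character
show "$SSH"          /usr/bin/ssh root@dev-blur-db-1 date   # allowed: oracle's unrestricted rule
# The weakness: the wildcard also accepts options that ssh acts on locally.
show "$SSH_QA_APP_1" /usr/bin/ssh qa-app-1 -o ProxyCommand=/bin/sh         # allowed
# The wrapper pins the host and builds the ssh command line itself.
DRY_RUN=1 restricted_ssh qa-app-1 hostname          # /usr/bin/ssh -x -l root -- qa-app-1 hostname
DRY_RUN=1 restricted_ssh qa-app-2 hostname || true  # rejected before ssh runs
```

The matcher mirrors the page's observations exactly: the missing-argument refusal comes from the literal space in front of `*`, and `dev-app-10` is refused because `?` consumes one character. The last `show` line is the part the page's configuration does not protect against: because the whole tail of the command line is one glob match, a caller can append ssh options that execute locally as s3op. The wrapper removes the problem by accepting the host name as data, checking it against an anchored list, and assembling the ssh command line itself; installed as a script at the hypothetical path above, it is what the Cmnd_Alias should name, with no arguments pattern at all.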


5.
The first time sudo is run it prints a lecture. Older and newer sudo releases print slightly different text:
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these two things:

#1) Respect the privacy of others.
#2) Think before you type.


We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.

This behaviour is controlled in the sudoers file: Defaults lecture=never turns the lecture off (the other values are once, the default, and always), and Defaults lecture_file=/path substitutes your own text.



-fin-
