
搭建IPA用户管理服务器&安装ssh远程访问服务

1.搭建IPA用户管理服务器

搭建准备前工作

workstation:

#先停掉dhcp服务

systemctl stop dhcpd;systemctl disable dhcpd

#分别在workstation,server1,server2,database上安装ntp服务(IPA依赖Kerberos,各主机之间的时间必须保持同步)

yum -y install ntp

#打开ntp配置文件,做如下修改

workstation:

 vim /etc/ntp.conf

 17 restrict 192.168.40.0 mask 255.255.255.0 nomodify notrap

 21 #server 0.centos.pool.ntp.org iburst

 22 #server 1.centos.pool.ntp.org iburst

 23 #server 2.centos.pool.ntp.org iburst

 24 #server 3.centos.pool.ntp.org iburst

 25 server asia.pool.ntp.org iburst   # 以亚洲公共NTP池作为上游时间源

systemctl restart ntpd;systemctl enable ntpd

server1

vim /etc/ntp.conf

#server 0.centos.pool.ntp.org iburst

#server 1.centos.pool.ntp.org iburst

#server 2.centos.pool.ntp.org iburst

#server 3.centos.pool.ntp.org iburst

server 192.168.40.100 iburst   # 指向workstation(192.168.40.100)同步时间

systemctl restart ntpd;systemctl enable ntpd

server2

vim /etc/ntp.conf

#server 0.centos.pool.ntp.org iburst

#server 1.centos.pool.ntp.org iburst

#server 2.centos.pool.ntp.org iburst

#server 3.centos.pool.ntp.org iburst

server 192.168.40.100 iburst

systemctl restart ntpd;systemctl enable ntpd

database

vim /etc/ntp.conf

#server 0.centos.pool.ntp.org iburst

#server 1.centos.pool.ntp.org iburst

#server 2.centos.pool.ntp.org iburst

#server 3.centos.pool.ntp.org iburst

server 192.168.40.100 iburst

systemctl restart ntpd;systemctl enable ntpd

#在workstation上安装ipa相关包

yum -y install ipa-server ipa-server-dns bind bind-dyndb-ldap

#在hosts文件中写入本机主机名与静态ip的对应关系

vim /etc/hosts

192.168.40.100 workstation.example.com

#安装时一并架设DNS:作为example.com的权威dns,不属于自己管理的域名则转发请求给外部DNS

ipa-server-install --setup-dns

#获取并查看Kerberos票据,输入刚才安装时设置的admin密码即可

kinit admin

klist


#添加一个51tide的用户,并在该用户首次登录时强制要求更改密码

ipa user-add 51tide --first=tide --last=51 --password

#确认刚添加的用户51tide

ipa user-find 51tide

#为server1,server2,database添加DNS A记录,客户端会根据DNS找到ipa服务器,输入管理员密码即可


# One A record per client host, run in sequence; a failure of one
# command does not stop the following ones (same as the original ';' chain).
ipa dnsrecord-add example.com server1 --a-rec 192.168.40.201
ipa dnsrecord-add example.com server2 --a-rec 192.168.40.202
ipa dnsrecord-add example.com database --a-rec 192.168.40.203

#分别在server1,server2,database上安装ipa客户端服务

yum -y install ipa-client

#分别在三台机子上配置dns

vim /etc/sysconfig/network-scripts/ifcfg-eno16777736

NAME="system eno16777736"修改为NAME=eno16777736

nmcli c modify eno16777736 ipv4.dns 192.168.40.100

systemctl restart network

#配置IPA客户端,输入管理员用户名以及密码

ipa-client-install

#自动创建家目录

authconfig --enablemkhomedir --update

#在server1,server2,database上分别验证:

[root@server1 ~]# su 51tide 

sh-4.2$ exit

[root@server1 ~]# su admin

[admin@server1 root]$ exit


2.安装ssh远程访问服务

#在workstation上用ssh-keygen生成密钥对(会出现下面的提示),并把公钥传给server1,server2,database以及各自的admin账户

Enter passphrase (empty for no passphrase): 建议可以直接回车,后续远程直接登录,无需输密码(注意:无口令的私钥一旦泄露即可直接登录各主机,请保护好workstation上的私钥文件)

# Copy the workstation's public key to the three client hosts: first to the
# default (root) account, then to the admin account. For ssh-copy-id the file
# name after -i is optional; with none given the default public key is used.
for target in server1.example.com server2.example.com database.example.com; do
  ssh-copy-id -i "$target"
done

for target in server1.example.com server2.example.com database.example.com; do
  ssh-copy-id -i "admin@$target"
done

#在server1,server2,database上分别做如下修改(注意:先保持当前会话不断开,并另开一个会话确认admin的密钥登录正常后再关闭密码登录,以免把自己锁在外面;若主机启用了SELinux或firewalld,改端口后还需相应放行40086端口):

vim /etc/ssh/sshd_config

17 Port 40086   # 监听端口改为40086

49 PermitRootLogin no   # 不允许root用户远程登录

79 PasswordAuthentication no   # 不允许密码登录,只接受公钥/GSSAPI等非密码方式

systemctl restart sshd   # 重启服务使配置生效

#在workstation上修改ssh客户端的默认远程端口(写入/etc/ssh/ssh_config或~/.ssh/config),这样ssh不必每次加-p 40086

Port 40086

#验证结果:

  1. 用xshell root/admin远程登录22端口,无法连接(sshd已改为只监听40086)

  2. 用xshell root/admin远程登录40086端口,连接被拒绝(root被PermitRootLogin no拒绝;admin未配置密钥,而密码登录已被PasswordAuthentication no关闭)

  3. 在workstation上使用ssh root远程登录,显示如下信息(root已被PermitRootLogin no拒绝,属预期结果):

[root@workstation ~]# ssh root@192.168.40.201

Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

4.  在workstation使用ssh远程登录admin用户,直接免密码登录,如下: 

[root@workstation ~]# ssh admin@192.168.40.201

Last login: Wed Oct 12 17:48:44 2016

[admin@server1 ~]$


Over


