Week 15 Study Report
1. SSH two-factor authentication with PAM and the Google Authenticator module.
```bash
1. Install the software
Install google-authenticator on the phone; on Linux, enable the EPEL repository, then download and install google-authenticator
2. Run google-authenticator
[root@localhost ~]# google-authenticator
Do you want authentication tokens to be time-based (y/n) y
Warning: pasting the following URL into your browser exposes the OTP secret to Google:
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/root@localhost.localdomain%3Fsecret%3DLSPNX2A64IZYEBKO5JFRQ24ZXQ%26issuer%3Dlocalhost.localdomain
3. Modify the sshd and PAM configuration
[root@localhost ~]# sed -i '1a\auth required pam_google_authenticator.so' /etc/pam.d/sshd
Edit the /etc/ssh/sshd_config file
ChallengeResponseAuthentication yes
Restart sshd
[root@localhost ~]# systemctl restart sshd
4. View the QR code and bind the phone
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/root@localhost.localdomain%3Fsecret%3DJPHB34W3MSQ6WQRSSTR7GY3AMM%26issuer%3Dlocalhost.localdomain
5. Verification test
[root@localhost ~]# ssh 192.168.1.48
Verification code:
Password:
Verification code:
Password:
Last failed login: Sun Jun 27 11:46:17 CST 2021 from 192.168.1.47 on ssh:notty
There was 1 failed login attempt since the last successful login.
Last login: Sun Jun 27 11:44:19 2021 from 192.168.1.156
[root@localhost ~]# hostname -I
192.168.1.48
```
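How the time-based verification code behind the `otpauth://totp/` link above is derived and checked, as an added example that is not part of the original report. It uses the published RFC 6238 test key in a constructed URI rather than a real secret, and the acceptance window of one 30-second step either side of the server clock is an assumed policy.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse

STEP = 30  # seconds per time step (RFC 6238 default)


def secret_from_uri(uri):
    """Return the raw key bytes carried in an otpauth://totp/ URI."""
    parsed = urlparse(unquote(uri))  # the QR link percent-encodes '?', '=', '&'
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    b32 = parse_qs(parsed.query)["secret"][0].upper()
    b32 += "=" * (-len(b32) % 8)  # secrets are usually printed without padding
    return base64.b32decode(b32)


def hotp(key, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(key, unix_time):
    """RFC 6238: HOTP with the counter set to the current 30-second step."""
    return hotp(key, int(unix_time) // STEP)


def verify(key, candidate, server_time, window=1):
    """Accept the current step plus `window` steps either side (assumed policy)."""
    now = int(server_time) // STEP
    return any(
        hmac.compare_digest(hotp(key, c), candidate)
        for c in range(max(0, now - window), now + window + 1)
    )


if __name__ == "__main__":
    # Constructed URI using the published RFC 6238 test key, not a real secret.
    uri = "otpauth://totp/user@example%3Fsecret%3DGEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    key = secret_from_uri(uri)
    phone_code = totp(key, 59)  # code shown by a phone whose clock reads t=59
    for server_clock in (59, 89, 149):  # server in step, 30 s ahead, 90 s ahead
        print(server_clock, verify(key, phone_code, server_clock))
```

A server whose clock drifts beyond the window rejects valid codes, so the sshd host needs an accurate time source.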
2. Intranet time synchronization with chrony (one machine, node1, synchronizes from the internet; the other machines synchronize from node1).
```bash
1. Install chrony
[root@localhost ~]# yum install -y chrony
2. Edit the configuration and start the service
On the server
[root@localhost ~]# vim /etc/chrony.conf
server ntp.aliyun.com iburst
On the client
[root@localhost ~]# vim /etc/chrony.conf
server 192.168.1.48 iburst
Start the chrony service
[root@localhost ~]# systemctl start chronyd
3. Verify
Server
chronyc> sources -v
210 Number of sources = 1
  .-- Source mode  '^' = server, '=' = peer, '#' = local clock.
 / .- Source state '*' = current synced, '+' = combined , '-' = not combined,
| /   '?' = unreachable, 'x' = time may be in error, '~' = time too variable.
||                                                 .- xxxx [ yyyy ] +/- zzzz
||      Reachability register (octal) -.           |  xxxx = adjusted offset,
||      Log2(Polling interval) --.      |          |  yyyy = measured offset,
||                                \     |          |  zzzz = estimated error.
||                                 |    |           \
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* 203.107.6.88                  2   6    33    21   +277us[+2154us] +/-   17ms
chronyc> clients
Hostname                      NTP   Drop Int IntL Last     Cmd   Drop Int  Last
===============================================================================
192.168.1.47                    4      0   1   -    56       0      0   -     -
Client
chronyc> sources -v
210 Number of sources = 1
  .-- Source mode  '^' = server, '=' = peer, '#' = local clock.
 / .- Source state '*' = current synced, '+' = combined , '-' = not combined,
| /   '?' = unreachable, 'x' = time may be in error, '~' = time too variable.
||                                                 .- xxxx [ yyyy ] +/- zzzz
||      Reachability register (octal) -.           |  xxxx = adjusted offset,
||      Log2(Polling interval) --.      |          |  yyyy = measured offset,
||                                \     |          |  zzzz = estimated error.
||                                 |    |           \
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* 192.168.1.48                  3   6    17    27  -1109ns[  -22us] +/-   23ms
```
3. Automated system installation with Cobbler.
```bash
1. Install the software
[root@oracle ~]# yum install dhcp cobbler
[root@oracle ~]# systemctl enable --now cobblerd httpd tftp dhcpd
2. Configure the software
[root@oracle ~]# cobbler check
Adjust the configuration according to the check output
[root@oracle ~]# vim /etc/xinetd.d/tftp
Change disable = yes to no
[root@oracle ~]# systemctl restart tftp
[root@oracle ~]# vim /etc/cobbler/settings
Set server to this host
server: 10.0.0.5
next_server: 10.0.0.5
Change the password
[root@oracle ~]# openssl passwd -1 'test'
$1$9VKoblnh$V.S5IRzTy1WxU1p5EaKbQ0
[root@oracle ~]# vim /etc/cobbler/settings
default_password_crypted: "$1$9VKoblnh$V.S5IRzTy1WxU1p5EaKbQ0"
manage_dhcp: 1    # modify the DHCP configuration
[root@oracle ~]# systemctl restart cobblerd    # restart the service
3. Modify the DHCP configuration
[root@oracle ~]# vim /etc/cobbler/dhcp.template
subnet 10.0.0.0 netmask 255.255.255.0 {
option routers 10.0.0.5;
option domain-name-servers 10.0.0.5;
option subnet-mask 255.255.255.0;
range dynamic-bootp 10.0.0.100 10.0.0.200;
[root@oracle ~]# cobbler sync
[root@oracle ~]# systemctl start dhcpd
4. Download the missing files
[root@oracle ~]# cobbler get-loaders
5. Import the installation files
[root@oracle ~]# cobbler import --name=redhat-7 --path=/mnt/iso --arch=x86_64
[root@oracle ~]# cobbler distro list
redhat-7-x86_64
6. Installation test
[root@10 ~]# hostname -I
10.0.0.100
[root@10 ~]# ls
anaconda-ks.cfg ks-post.log ks-pre.log
cobbler.ks ks-post-nochroot.log original-ks.cfg
```