2025-04-02 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/02 Report--
I. User management
There are three types of users:
1. Users who log in to jumpserver
Create a user under user management in jumpserver, and update the password after submitting the new user. You can also set the message in the system settings and have the password set by sending the message. Once this is set up, the user can log in, both to the web interface and to the command line interface.
2. Administrative users
Jumpserver can run commands in batches automatically on remote machines, and the user that executes those commands can also create system users on the remote machine, so it is called the administrative user. Create an administrative user named jumpserver, preferably with a private key.
    # cd ~/.ssh
    # ssh-keygen -f jumpserver
    // -f specifies the name of the key
    [root@CLAY .ssh]# ls
    authorized_keys  id_rsa  id_rsa.pub  jumpserver  jumpserver.pub  known_hosts
    [root@CLAY .ssh]# sz jumpserver
    // download the private key
Then select the private key file. If the private key has no password, leave the password of the jumpserver user blank. If a password is set, enter the password of the private key.
3. System users
System users are the accounts used to log in to each managed machine. They are usually kept consistent with the users in the user management list, which makes them easy to manage. The users in the user list log in to jumpserver; the system users are the accounts those users then use, after logging in to jumpserver, to jump to a system and log in there, for example a user who logs in through the command line interface and jumps to a system. Create a system user: define the name and user name, and select automatic login.
II. Asset management
Web interface, asset management → asset list
The tree on the left can be thought of as the host groups. Create a new node in it. A node corresponds to one of the N businesses in the company. Name the node Business 1 and create assets in Business 1.
Define the hostname, IP, and administrative user. The administrative user must be created on the managed machine before you submit:
    # useradd jumpserver
    [root@wbs ~]# ls -l /home/jumpserver/
    total 0
// this jumpserver user has to be added on every machine you add. Since adding the user to a managed machine by hand for every new node is tedious, find a way to create this user every time you buy a new Aliyun machine or a physical machine.
    [root@wbs jumpserver]# cd /home/jumpserver/
    # mkdir .ssh
    # vi .ssh/authorized_keys
// paste in the previously generated public key (the output of cat ~/.ssh/jumpserver.pub on the jumpserver machine), so that jumpserver can connect to the jumpserver user of the other machine with the key.
    [root@CLAY .ssh]# ssh -i jumpserver jumpserver@192.168.149.133
// test the connection. ssh -i specifies the private key. If you can log in to the other machine without entering a password, the configuration is successful.
Possible causes of failure: the permissions of the public key and private key on the other machine, or SELinux.
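The permission causes named above can be checked mechanically. This is an added example, not part of the original article; the function names are hypothetical, the demo directory is constructed, and ownership and SELinux labels are not examined.

```shell
#!/bin/sh
# Added example, not from the original article. Checks the file modes that
# commonly break the key login tested above.

# mode_matches PATH PATTERN: true when the `ls -ld` mode string matches PATTERN.
mode_matches() {
    case $(ls -ld "$1" | cut -c1-10) in
        $2) return 0 ;;
    esac
    return 1
}

# Managed machine: with StrictModes (the sshd default) authorized_keys is ignored
# when the home directory, ~/.ssh or the file is group- or world-writable.
check_server_side() {
    home=$1; bad=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "missing: $p"; bad=1
        elif mode_matches "$p" '?????w*' || mode_matches "$p" '????????w*'; then
            echo "group/world-writable: $p"; bad=1
        fi
    done
    return "$bad"
}

# jumpserver machine: the ssh client refuses a private key that group or
# others can access.
check_private_key() {
    if [ ! -f "$1" ]; then echo "missing: $1"; return 1; fi
    if ! mode_matches "$1" '????------*'; then
        echo "private key accessible by group/other: $1"; return 1
    fi
    return 0
}

# Constructed demo: a throwaway home directory with a world-writable key file.
demo() {
    d=$(mktemp -d) && mkdir -p "$d/home/.ssh"
    : > "$d/home/.ssh/authorized_keys"
    chmod 755 "$d/home"; chmod 700 "$d/home/.ssh"
    chmod 666 "$d/home/.ssh/authorized_keys"
    check_server_side "$d/home" || true
    rm -rf "$d"
}
demo
```

On a real host, run check_server_side /home/jumpserver on the managed machine and check_private_key ~/.ssh/jumpserver on the jumpserver machine.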
The administrative user must have root privileges, which is achieved with sudo.
Two methods:
1. The UID of jumpserver is set to 0, which is not a good method.
2. Set sudo permissions for it.
    [root@wbs jumpserver]# visudo
    ...
    ## Allow root to run any commands anywhere
    jumpserver ALL=(ALL) NOPASSWD: ALL
    root ALL=(ALL) ALL
    user1 ALL=(ALL) /bin/ls,/bin/chown,/bin/chmod,/bin/tail,/bin/cat
    user2 ALL=(ALL) ALL
    ...
// the jumpserver line is the line to add
    [root@wbs jumpserver]# su - jumpserver
    Last login: Sat Oct 12 17:29:34 CST 2019 from 192.168.149.131 on pts/1
    [jumpserver@wbs ~]$ sudo ls /root
    001  123.fifo  20shell  anaconda-ks.cfg  login  test.fifo
    [jumpserver@wbs ~]$ sudo tail -5 /etc/shadow
// su - jumpserver logs in as jumpserver; the last command prints the last five entries of /etc/shadow
sudo succeeds, which means there is no problem. Log out.
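Because both methods above give an account unrestricted root access, it helps to be able to list which accounts hold it. This is an added example, not part of the original article; the function names, the passwd sample and the ops user are constructed, and the sudoers parser is deliberately simplified.

```shell
# Added example, not from the original article: list the accounts that hold
# unrestricted root access through either method described above.
# uid0_accounts: passwd-format lines on stdin -> names other than root with UID 0.
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# nopasswd_all: sudoers lines on stdin -> users/groups allowed to run ALL
# commands without a password. Simplified parser: one rule per line, no
# aliases, no line continuations, no commas inside command arguments.
nopasswd_all() {
    awk '
    /^[[:space:]]*#/ || NF == 0 || $1 ~ /^Defaults/ || $1 ~ /_Alias$/ { next }
    {
        spec = $0
        sub(/^[^=]*=/, "", spec)          # keep what follows "host ="
        gsub(/[[:space:]]/, "", spec)
        sub(/^\([^)]*\)/, "", spec)       # drop the Runas part, e.g. (ALL)
        n = split(spec, cmd, ","); nopw = 0
        for (i = 1; i <= n; i++) {
            # A tag applies to its command and to the ones after it.
            if (sub(/^NOPASSWD:/, "", cmd[i])) nopw = 1
            else if (sub(/^PASSWD:/, "", cmd[i])) nopw = 0
            if (nopw && cmd[i] == "ALL") { print $1; break }
        }
    }'
}

# Constructed samples; most sudoers lines mirror the visudo excerpt above.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
jumpserver:x:0:0::/home/jumpserver:/bin/bash
zhangsan:x:1001:1001::/home/zhangsan:/bin/bash
EOF
}
sample_sudoers() {
    cat <<'EOF'
## Allow root to run any commands anywhere
jumpserver ALL=(ALL) NOPASSWD: ALL
root ALL=(ALL) ALL
user1 ALL=(ALL) /bin/ls,/bin/chown,/bin/chmod,/bin/tail,/bin/cat
user2 ALL=(ALL) ALL
ops ALL=(ALL) NOPASSWD: /bin/cat, ALL
EOF
}
echo "UID 0 besides root: $(sample_passwd | uid0_accounts)"
echo "NOPASSWD ALL:       $(sample_sudoers | nopasswd_all | tr '\n' ' ')"
```

On a managed machine, feed the functions real data with uid0_accounts < /etc/passwd and sudo cat /etc/sudoers | nopasswd_all.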
When you update the hardware information for the host in asset management, you will see that the update is reported as successful. In fact, the task is handed over to the job center; go back to the host in the asset list afterwards to see whether the hardware information has been updated.
Pushing a system user to the asset:
Web interface, rights management → asset authorization → create an authorization rule: define a name, select the user, asset, and system user, and submit.
Turn on the automatic push function in the system user and refresh. Then check on the host with # id zhangsan, and you can see that the user has been pushed to the system.
III. Client login to jumpserver
Log in to the jumpserver machine from an ssh terminal, type p, and you will see your machines. Enter the corresponding ID number to log in directly.
    # cd /home/zhangsan
    # ls -la
    total 12
    drwx------.  3 yaowei yaowei  74 October 13 11:46 .
    drwxr-xr-x. 13 root   root   164 October 13 11:43 ..
    -rw-r--r--.  1 yaowei yaowei  18 August 3 2017 .bash_logout
    -rw-r--r--.  1 yaowei yaowei 193 August 3 2017 .bash_profile
    -rw-r--r--.  1 yaowei yaowei 231 August 3 2017 .bashrc
    drwx------.  2 yaowei yaowei  29 October 13 11:46 .ssh
// you can see the .ssh directory. If you enter it, you can see that there is a key, indicating that you logged in through the key.
Then go to the web interface and create an asset for the jumpserver machine itself, with the local IP and local name.
Then go back to the ssh terminal and create a jumpserver user:
    # useradd jumpserver
    # su - jumpserver
    [jumpserver@CLAY ~]$ mkdir .ssh
    $ chmod 700 .ssh
    $ vi .ssh/authorized_keys
    $ chmod 600 .ssh/authorized_keys
    $ logout
    [root@CLAY ~]# visudo
    ...
    ## Allow root to run any commands anywhere
    root ALL=(ALL) ALL
    jumpserver ALL=(ALL) NOPASSWD: ALL
    ...
// the jumpserver line is the line to add
    [root@CLAY .ssh]# ssh -i jumpserver jumpserver@127.0.0.1
// test the login
In the web interface, under authorization rules, either add the local asset to the original rule or create a new authorization rule; both work.
Go back to the ssh terminal of jumpserver, reconnect, and type p. You can see the local asset and the previous asset; enter the number to connect directly.
Other features:
Session Management:
Command records: you can see the history of commands executed by each user.
Historical sessions: the recording of a user's actions can be played back as video.
Online sessions: you can see the terminals that are currently connected. If a session is terminated from here, the content being written in it will not be saved.
Open a new browser and log in as your own user. You can see that there is a web terminal; click to enter it, and select the corresponding business on the left to log in.
File management: the directory shown for a machine is its /tmp directory, and uploaded files are placed in /tmp.