Jephe Wu - http://linuxtechres.blogspot.com
Environment: CentOS 6.4 64bit
Objective: understanding the sudo command and its common usages.
<username1> <ALL hosts>=(username2) [NOPASSWD:] commands
The syntax above grants username1 the right to run the listed commands as username2 on all hosts; the NOPASSWD: tag is optional.
1. sudo -l after you ssh into the server
sudo -l lists the commands you are allowed to run.
2. sudo -i to become root (similar to su -, using root's environment configuration including $HOME and $PATH)
Other similar commands are sudo -s, sudo su and sudo bash.
3. sudo -k to clear the password cache
You can also configure the password cache time (in minutes) in /etc/sudoers; by default the password is cached for 5 minutes, and setting it to 0 will always ask for a password.
[root@server1 ~]# grep -i timestamp_timeout /etc/sudoers
Defaults timestamp_timeout=1
To disable the password prompt entirely, put NOPASSWD: between (ALL) and the right-most ALL:
<username> ALL=(ALL) NOPASSWD: ALL
4. always use visudo to edit /etc/sudoers instead of vi /etc/sudoers
visudo checks the file for syntax errors.
Note:
You can remember the sudo options above as LIK(e): -l, -i, -k, and e for edit, which uses visudo.
Refer to https://help.ubuntu.com/community/RootSudo
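As an added example (not from the original post), the following shell script renders a rule in the syntax described above, audits a sudoers file for active NOPASSWD: rules and the timestamp_timeout value, and installs a fragment only after visudo -c accepts it. The function names and the sample sudoers content are constructed for this demonstration.

```shell
#!/bin/sh
# Added example, not from the original post. The helper names and the sample
# sudoers content below are constructed for this demonstration.

# render_rule USER RUNAS COMMANDS [nopasswd]
# Emits one sudoers line in the form <user> ALL=(<runas>) [NOPASSWD:] <commands>
render_rule() {
    tag=""
    [ "${4:-}" = "nopasswd" ] && tag="NOPASSWD: "
    printf '%s ALL=(%s) %s%s\n' "$1" "$2" "$tag" "$3"
}

# count_nopasswd FILE: number of active (non-comment) lines granting NOPASSWD:
# (password-less rules are the first thing to review in a sudoers audit)
count_nopasswd() {
    grep -v '^[[:space:]]*#' "$1" | grep -c 'NOPASSWD:' || true
}

# timeout_value FILE: the configured timestamp_timeout in minutes, falling
# back to sudo's default of 5 when the file does not set it
# (0 asks for the password every time, a negative value never expires)
timeout_value() {
    v=$(sed -n 's/^Defaults[[:space:]]*timestamp_timeout=\([0-9.-]*\).*/\1/p' "$1" | tail -n 1)
    printf '%s\n' "${v:-5}"
}

# install_fragment SRC DEST: check SRC with visudo -c -f (a read-only syntax
# check, the same one visudo runs before saving) when visudo is available, and
# only then copy it into place with the 0440 mode sudo requires. Returns 1
# instead of installing a fragment that would break sudo for everyone.
install_fragment() {
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$1" >/dev/null 2>&1 || return 1
    fi
    cp "$1" "$2" && chmod 0440 "$2"
}

# write_sample FILE: constructed sudoers content used for the demonstration
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample, not a real server's sudoers
Defaults timestamp_timeout=1
root ALL=(ALL) ALL
%wheel ALL=(ALL) ALL
jephe ALL=(ALL) NOPASSWD: ALL
# backup ALL=(ALL) NOPASSWD: /usr/bin/rsync
EOF
}

sample=$(mktemp)
write_sample "$sample"
echo "active NOPASSWD rules: $(count_nopasswd "$sample")"   # 1 (the commented rule is ignored)
echo "timestamp_timeout:     $(timeout_value "$sample") minute(s)"
echo "new rule: $(render_rule jephe ALL '/sbin/service httpd restart' nopasswd)"
rm -f "$sample"
```

Run it as a normal user; the demonstration only touches temporary files. When /etc/sudoers contains #includedir /etc/sudoers.d, install_fragment can place visudo-checked rules there as separate files instead of editing the main file.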
Things you should know about the sudo command
Use Linux Jumphost as Transparent Proxy
Jephe Wu - http://linuxtechres.blogspot.com
Environment: an office and a data center. There are only one or two Linux jump hosts in the data center; from the office you can only ssh into the jump hosts, and from the jump hosts you can ssh into the other servers. Your client Linux PC and the jump hosts are running CentOS 6.4.
Objective: make this a one-step ssh instead of two steps by configuring the jump hosts as a transparent ssh proxy.
Steps:
1. add the jump hosts to your /etc/hosts
[root@jephe .ssh]# grep jump /etc/hosts
172.16.50.1 jump01
172.16.50.2 jump02
2. put the following into /etc/ssh/ssh_config on your client Linux PC
host jump01
ServerAliveInterval 60
ServerAliveCountMax 30
proxycommand none
host jump02
ServerAliveInterval 60
ServerAliveCountMax 30
proxycommand none
host *
ServerAliveInterval 60
ServerAliveCountMax 30
proxycommand ssh jephe@jump01 -W %h:%p
#proxycommand ssh jephe@jump01 nc %h %p
Note:
a. put host jump01 and host jump02 before host *
b. if your ssh version is older and doesn't support -W, you can use nc instead, as in the commented line above; note that the syntax differs for -W and nc: %h:%p vs %h %p
3. set up passwordless login from your Linux PC to the jump hosts
ssh-keygen -d
ssh-copy-id -i /root/.ssh/id_dsa.pub jephe@jump01
ssh-copy-id -i /root/.ssh/id_dsa.pub jephe@jump02
Note: you can also use the command below to set up passwordless login:
cat /root/.ssh/id_dsa.pub | ssh jephe@jump01 'cat >> /home/jephe/.ssh/authorized_keys'
4. testing
Now, from your Linux client PC, run 'ssh jephe@jump01' and 'ssh jephe@jump02'; you should be able to ssh in without a password.
Also, from your client PC, run 'ssh user@allotherserver'; it should prompt you for a password.
After you ssh into another server directly, the 'w' command will show the connection coming from the jump host, not from your Linux PC: ssh actually connects to the jump host first in the background, then from the jump host to the other server.
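Added example, not from the original post, covering step 2 and the two notes: it builds the ssh_config stanzas with the per-jump-host blocks ahead of host *, and picks the -W or nc form of ProxyCommand from the client's OpenSSH version (-W appeared in OpenSSH 5.4). The function names are constructed for this example; the version string is read from ssh -V, which prints on stderr.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumed helper names:
# supports_w, proxy_command, render_ssh_config.

# supports_w "OpenSSH_X.Yp1 ...": succeed when this client has ssh -W
# (added in OpenSSH 5.4); older clients need the nc form instead.
supports_w() {
    set -- $(printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9]*\)\.\([0-9]*\).*/\1 \2/p')
    [ -n "${1:-}" ] || return 1
    [ "$1" -gt 5 ] || { [ "$1" -eq 5 ] && [ "$2" -ge 4 ]; }
}

# proxy_command VERSION USER JUMP: the ProxyCommand line for the wildcard
# stanza, using %h:%p with -W and %h %p with nc (the two syntaxes differ).
proxy_command() {
    if supports_w "$1"; then
        printf 'ProxyCommand ssh %s@%s -W %%h:%%p\n' "$2" "$3"
    else
        printf 'ProxyCommand ssh %s@%s nc %%h %%p\n' "$2" "$3"
    fi
}

# render_ssh_config VERSION USER JUMP...: emit the ssh_config stanzas, one
# "Host <jump>" block (ProxyCommand none) per jump host before the "Host *"
# block, because ssh uses the first value it finds for each option; the first
# jump host given is the one the wildcard stanza proxies through.
render_ssh_config() {
    ver=$1; user=$2; first=$3; shift 2
    for j in "$@"; do
        printf 'Host %s\n    ServerAliveInterval 60\n    ServerAliveCountMax 30\n    ProxyCommand none\n\n' "$j"
    done
    printf 'Host *\n    ServerAliveInterval 60\n    ServerAliveCountMax 30\n    %s' "$(proxy_command "$ver" "$user" "$first")"
}

# Demonstration with the client's real version string; if ssh is not
# installed here, fall back to a version that selects the nc form.
ver=""
command -v ssh >/dev/null 2>&1 && ver=$(ssh -V 2>&1)
render_ssh_config "${ver:-OpenSSH_0.0}" jephe jump01 jump02
```

Write the output to ~/.ssh/config (or /etc/ssh/ssh_config, as in the post). The ordering matters for more than style: if host * came first, its ProxyCommand would also apply to connections to jump01 itself, and the proxy ssh would try to proxy through itself.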
Posted 12/05/2013 09:38:00 PM