How to configure sudo elevation and SSH keys

Important

This version of Operations Manager has reached the end of support; we recommend that you upgrade to Operations Manager 2019.

With System Center - Operations Manager, you can provide credentials for an unprivileged account to be elevated on a UNIX or Linux computer by using the sudo program, which allows users to run programs with the security privileges of another user account. You can also use Secure Shell (SSH) keys instead of a password for secure communication between Operations Manager and the targeted computer.

This topic provides examples for creating an account for a low-privileged user, implementing sudo, and creating an SSH key on a computer that is running Red Hat Enterprise Linux Server 6. These are examples only, and might not reflect your environment. The following examples provide a user with access to a full set of privileges.

To obtain and configure the SSH key from the UNIX or Linux computer, you have to install the following software on your Windows-based computer:

  • A file transfer tool, such as WinSCP, to transfer files from the UNIX or Linux computer to the Windows-based computer.

  • The PuTTY program, or a similar program, to run commands on the UNIX or Linux computer.

  • The PuTTYgen program, to save the private SSH key in OpenSSH format on the Windows-based computer.

Note

The sudo program exists at different locations on UNIX and Linux operating systems. To provide uniform access to sudo, the UNIX and Linux agent installation script creates the symbolic link /etc/opt/microsoft/scx/conf/sudodir, which points to the directory expected to contain the sudo program. The agent uses this symbolic link to invoke sudo. The installation script creates the symbolic link automatically, so you do not need to take any action on standard UNIX and Linux configurations; however, if sudo is installed at a non-standard location, you should change the symbolic link to point to the directory where sudo is installed. If you change the symbolic link, its value is preserved across uninstall, reinstall, and upgrade operations of the agent.

Configure a low-privileged account for sudo elevation

The following procedures create a low-privileged account and configure sudo elevation for it, using opsuser as the user name.

To create a low-privileged user

  1. Log on to the UNIX or Linux computer as root.

  2. Add the user:

    useradd opsuser

  3. Add a password and confirm the password:

    passwd opsuser

You can now configure sudo elevation and create an SSH key for opsuser, as described in the following procedures.

To configure sudo elevation for the low-privileged user

  1. Log on to the UNIX or Linux computer as root.

  2. Use the visudo program to edit the sudo configuration in a vi text editor. Run the following command:

    visudo

  3. Find the following line:

    root ALL=(ALL) ALL

  4. Insert the following line after it:

    opsuser ALL=(ALL) NOPASSWD: ALL

  5. TTY allocation is not supported. Ensure that the following line is commented out:

    # Defaults requiretty

    Important

    This step is required for sudo to work.

  6. Save the file and exit visudo:

    Press ESC, then : (colon) followed by wq!, and then press Enter.

  7. Test the configuration by entering the following two commands. The result should be a listing of the directory, without a prompt for a password:

    su - opsuser

    sudo ls /etc

You can now use the opsuser account, with its password and sudo elevation, to specify credentials in Operations Manager wizards and to configure Run As accounts.

Create an SSH key for authentication

The following procedures create an SSH key for the opsuser account that was created in the previous examples.

To generate the SSH key

  1. Log on as opsuser.

  2. Generate the key by using the Digital Signature Algorithm (DSA):

    ssh-keygen -t dsa

    If you provide the optional passphrase, make a note of it.

ssh-keygen creates the /home/opsuser/.ssh directory containing the private key file (id_dsa) and the public key file (id_dsa.pub). You can now configure the opsuser account to accept the key, as described in the next procedure.

To configure a user account to support the SSH key

  1. At the command prompt, type the following commands. First, navigate to the user account directory:

    cd /home/opsuser

  2. Restrict access to the .ssh directory to its owner:

    chmod 700 .ssh

  3. Navigate to the .ssh directory:

    cd .ssh

  4. Create an authorized keys file containing the public key:

    cat id_dsa.pub >> authorized_keys

  5. Give only the user read and write permissions on the authorized keys file:

    chmod 600 authorized_keys

You can now copy the private SSH key to the Windows-based computer, as described in the next procedure.
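The following shell script is an added example, not part of the original article: it checks that a host matches what the sudo procedure (a NOPASSWD entry for opsuser, Defaults requiretty commented out) and the SSH key procedure (.ssh mode 700, authorized_keys mode 600) leave behind. The user name opsuser and the file paths come from the article; the sudoers and home-directory fixtures it builds under a temporary directory are constructed so the checks run offline.

```shell
#!/bin/sh
# Added example (not from the original article): verify the state the two
# procedures above leave behind. "opsuser" and the paths are the article's;
# the fixture under $WORK is constructed so the checks run offline.

# Steps 4 and 5 of the sudo procedure: opsuser has a "NOPASSWD: ALL" entry and
# "Defaults requiretty" is not active. A commented-out line begins with '#',
# so the second pattern does not match it.
check_sudoers() {            # $1 = sudoers file, $2 = user name
  if ! grep -Eq "^[[:space:]]*$2"'[[:space:]]+ALL=\(ALL\)[[:space:]]+NOPASSWD:[[:space:]]+ALL' "$1"; then
    echo "FAIL: no 'NOPASSWD: ALL' entry for $2 in $1"; return 1
  fi
  if grep -Eq '^[[:space:]]*Defaults[[:space:]]+requiretty' "$1"; then
    echo "FAIL: 'Defaults requiretty' is active (the agent does not allocate a TTY)"; return 1
  fi
  return 0
}

# Steps 2 and 5 of the SSH key procedure: .ssh is mode 700 and authorized_keys
# is mode 600. stat -c is GNU coreutils syntax, as on the Red Hat host targeted.
check_ssh_perms() {          # $1 = home directory
  dir_mode=$(stat -c %a "$1/.ssh" 2>/dev/null)
  key_mode=$(stat -c %a "$1/.ssh/authorized_keys" 2>/dev/null)
  [ "$dir_mode" = 700 ] || { echo "FAIL: $1/.ssh is mode '$dir_mode', expected 700"; return 1; }
  [ "$key_mode" = 600 ] || { echo "FAIL: authorized_keys is mode '$key_mode', expected 600"; return 1; }
  return 0
}

# Constructed fixture: a compliant and a non-compliant sudoers, plus a home
# directory laid out as the procedure leaves it. On a real host pass
# /etc/sudoers (readable only by root) and /home/opsuser instead.
WORK=$(mktemp -d)
printf 'root ALL=(ALL) ALL\nopsuser ALL=(ALL) NOPASSWD: ALL\n# Defaults requiretty\n' > "$WORK/sudoers.good"
printf 'root ALL=(ALL) ALL\nopsuser ALL=(ALL) NOPASSWD: ALL\nDefaults requiretty\n' > "$WORK/sudoers.bad"
mkdir -p "$WORK/home/.ssh" && chmod 700 "$WORK/home/.ssh"
: > "$WORK/home/.ssh/authorized_keys" && chmod 600 "$WORK/home/.ssh/authorized_keys"

check_sudoers "$WORK/sudoers.good" opsuser && echo "sudoers.good: ok"
check_sudoers "$WORK/sudoers.bad" opsuser || echo "sudoers.bad: rejected as expected"
check_ssh_perms "$WORK/home" && echo "ssh permissions: ok"
```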

To copy the private SSH key to the Windows-based computer and save it in OpenSSH format

  1. Use a tool such as WinSCP to transfer the private key file (id_dsa, with no extension) from the UNIX or Linux computer to a directory on your Windows-based computer.

  2. Run PuTTYgen.

  3. In the PuTTY Key Generator dialog box, click the Load button, and then select the private key (id_dsa) that you transferred from the UNIX or Linux computer.

  4. Click Save private key, then name the file and save it to the desired directory.

You can now use the opsuser account, with the SSH key and sudo elevation, to specify credentials in Operations Manager wizards and to configure Run As accounts.

Next steps