Planning Security Credentials for Accessing Unix and Linux Computers

Important

This version of Operations Manager has reached the end of support; we recommend that you upgrade to Operations Manager 2019.

This topic describes the credentials required to install, maintain, upgrade, and uninstall agents on a UNIX or Linux computer.

In Operations Manager, the management server uses two protocols to communicate with the UNIX or Linux computer:

  • Secure Shell (SSH) and Secure Shell File Transfer Protocol (SFTP)

    • Used for installing, upgrading, and removing agents.
  • Web Services for Management (WS-Management)

    • Used for all monitoring operations, including the discovery of agents that were already installed.

The protocol that is used depends on the action or information that is requested on the management server. All actions, such as agent maintenance, monitors, rules, tasks, and recoveries, are configured to use predefined profiles according to whether they require an unprivileged or a privileged account.

In Operations Manager, the system administrator is no longer required to provide the root password of the UNIX or Linux computer to the management server. Instead, through elevation, an unprivileged account can assume the identity of a privileged account on the UNIX or Linux computer. The elevation is performed by the UNIX su (superuser) and sudo programs, using the credentials that the management server supplies. For privileged agent maintenance operations that use SSH (such as discovery, deployment, upgrades, uninstallation, and agent recovery), su elevation, sudo elevation, and SSH key authentication (with or without a passphrase) are supported. For privileged WS-Management operations (such as viewing secure log files), sudo elevation without a password is supported.
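Passwordless sudo elevation for WS-Management operations means the monitoring account needs a NOPASSWD grant on the UNIX or Linux computer. The grant should be limited to the specific commands the agent runs, not to ALL. The following POSIX shell script is an added example, not code from this page or from Operations Manager: it reviews a sudoers fragment and separates command-scoped NOPASSWD grants from unrestricted ones. The sudoers text, the account names, and the command path /opt/agent/bin/logreader are constructed placeholders.

```shell
#!/bin/sh
# Added example: review sudoers grants used for passwordless (NOPASSWD) elevation
# of an unprivileged monitoring account. Not part of Operations Manager.
# All names and paths below are constructed placeholders.

# Constructed sudoers fragment (not a real or recommended configuration).
SAMPLE_SUDOERS='# monitoring account, scoped to one command (placeholder path)
scommon ALL=(root) NOPASSWD: /opt/agent/bin/logreader -p
# service account with an unrestricted passwordless grant
svcwide ALL=(ALL) NOPASSWD: ALL
# administrator who still has to type a password
admin   ALL=(ALL) ALL'

# Print users that can run ANY command as root without a password.
# Reads sudoers-format text from stdin; comment and Defaults lines are skipped.
# Heuristic: "NOPASSWD:" followed by ALL as the only command on the line.
unrestricted_nopasswd_users() {
    awk '/^[[:space:]]*(#|Defaults)/ { next }
         /NOPASSWD:[[:space:]]*ALL[[:space:]]*$/ { print $1 }'
}

# Print users whose passwordless grant is limited to explicit commands.
scoped_nopasswd_users() {
    awk '/^[[:space:]]*(#|Defaults)/ { next }
         /NOPASSWD:/ && !/NOPASSWD:[[:space:]]*ALL[[:space:]]*$/ { print $1 }'
}

# Stand-alone run: report both classes for the constructed sample.
printf 'Unrestricted NOPASSWD grants: %s\n' \
    "$(printf '%s\n' "$SAMPLE_SUDOERS" | unrestricted_nopasswd_users | tr '\n' ' ')"
printf 'Command-scoped NOPASSWD grants: %s\n' \
    "$(printf '%s\n' "$SAMPLE_SUDOERS" | scoped_nopasswd_users | tr '\n' ' ')"
```

On a real system, feed the functions with `sudo cat /etc/sudoers /etc/sudoers.d/*`. The matching is a line-level heuristic; aliases (Cmnd_Alias) and continuation lines are not expanded, so treat the output as a starting point for review rather than a complete policy analysis.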

Credentials for installing agents

Operations Manager uses the Secure Shell (SSH) protocol to install an agent and Web Services for Management (WS-Management) to discover previously installed agents. Installation requires a privileged account on the UNIX or Linux computer. There are two ways to provide the credentials obtained by the Computer and Device Management Wizard to the targeted computer:

  • Specify a user name and password.

    The SSH protocol uses the password to install an agent, or the WS-Management protocol uses it if the agent was already installed by using a signed certificate.

  • Specify a user name and an SSH key. The key can include an optional passphrase.

If you are not using the credentials of a privileged account, you can provide additional credentials so that your account becomes a privileged account through elevation of privilege on the UNIX or Linux computer.

The installation is not complete until the agent is verified. Agent verification is performed by the WS-Management protocol, which uses credentials maintained on the management server, separate from the privileged account that is used to install the agent. You are required to provide a user name and password for agent verification if you have done one of the following:

  • Provided a privileged account by using a key.

  • Provided an unprivileged account to be elevated by using sudo with a key.

  • Ran the wizard with the Discovery Type set to Discover only computers with the UNIX/Linux agent installed.

Alternatively, you can install the agent, including its certificate, manually on the UNIX or Linux computer and then discover that computer. This method is the most secure way to install agents. For more information, see Install the Agent and Certificate on UNIX and Linux Computers Using the Command Line.

Credentials for monitoring operations and performing agent maintenance

Operations Manager contains three predefined profiles for monitoring UNIX and Linux computers and performing agent maintenance:

  • UNIX/Linux action account

    This profile is an unprivileged account profile that is required for basic health and performance monitoring.

  • UNIX/Linux privileged account

    This profile is a privileged account profile used for monitoring protected resources such as log files.

  • UNIX/Linux maintenance account

    This profile is used for privileged maintenance operations, such as updating and removing agents.

In the UNIX and Linux management packs, all the rules, monitors, tasks, recoveries, and other management pack elements are configured to use these profiles. Consequently, there is no need to define additional profiles by using the Run As Profiles Wizard unless special circumstances require it. The profiles are not cumulative in scope. For example, the UNIX/Linux maintenance account profile cannot be used in place of the other profiles simply because it is configured with a privileged account.

In Operations Manager, a profile cannot function until it is associated with at least one Run As account. The credentials for accessing the UNIX or Linux computers are configured in the Run As accounts. Because there are no predefined Run As accounts for UNIX and Linux monitoring, you must create them.

To create a Run As account, you must run the UNIX/Linux Run As Account Wizard, which is available when you select UNIX/Linux Accounts in the Administration workspace. The wizard creates a Run As account based on the Run As account type you choose. There are two Run As account types:

  • Monitoring account

    Use this account for ongoing health and performance monitoring in operations that communicate by using WS-Management.

  • Agent maintenance account

    Use this account for agent maintenance, such as updating and uninstalling, in operations that communicate by using SSH.

These Run As account types can be configured for different levels of access according to the credentials that you supply. Credentials can be unprivileged accounts, privileged accounts, or unprivileged accounts that will be elevated to privileged accounts. The following table shows the relationships between profiles, Run As accounts, and levels of access.

Profile | Run As account type | Allowable access levels
--- | --- | ---
UNIX/Linux action account | Monitoring account | Unprivileged; Privileged; Unprivileged, elevated to privileged
UNIX/Linux privileged account | Monitoring account | Privileged; Unprivileged, elevated to privileged
UNIX/Linux maintenance account | Agent maintenance account | Privileged; Unprivileged, elevated to privileged

Note that there are three profiles, but only two Run As account types.

When you specify a Monitoring Run As account type, you must specify a user name and password for use by the WS-Management protocol. When you specify an Agent Maintenance Run As account type, you must specify how the credentials are supplied to the targeted computer over the SSH protocol:

  • Specify a user name and a password.

  • Specify a user name and a key. You can include an optional passphrase.

After you have created the Run As accounts, you must edit the UNIX and Linux profiles to associate them with the Run As accounts you created. For detailed instructions, see How to Configure Run As Accounts and Profiles for UNIX and Linux Access.

Important security considerations

The Operations Manager Linux/UNIX agent uses the standard PAM (Pluggable Authentication Module) mechanism on the Linux or UNIX computer to authenticate the user name and password specified in the Action Profile and Privilege Profile. Any user name with a password that PAM authenticates can perform monitoring functions, including running command lines and scripts that collect monitoring data. Such monitoring functions are always performed in the context of that user name (unless sudo elevation is explicitly enabled for that user name), so the Operations Manager agent provides no more capability than the user name would have by logging in to the Linux/UNIX system.

However, the PAM authentication used by the Operations Manager agent does not require that the user name have an interactive shell associated with it. If your Linux/UNIX account management practices include removing the interactive shell as a way to pseudo-disable an account, that removal does not prevent the account from being used to connect to the Operations Manager agent and perform monitoring functions. In these cases, you should use additional PAM configuration to ensure that these pseudo-disabled accounts cannot authenticate to the Operations Manager agent.
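The caveat above is easy to miss because a nologin shell looks like a disabled account. The following POSIX shell script is an added example, not code from this page or from Operations Manager: it lists the accounts in a passwd file whose shell is a non-interactive sentinel and renders the pam_listfile rule that explicitly denies those users for the agent's PAM service. The passwd sample, the account names, and the deny-list path are constructed; the PAM service name scx (/etc/pam.d/scx) is an assumption to verify on your system.

```shell
#!/bin/sh
# Added example: find accounts that were "pseudo-disabled" by replacing their
# login shell, and build a PAM deny list so they cannot authenticate to the agent.
# Not part of Operations Manager; the PAM service name "scx" is an assumption.

# Constructed /etc/passwd sample (not real data).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
scommon:x:1001:1001:monitoring account:/home/scommon:/bin/bash
olduser:x:1002:1002:former employee:/home/olduser:/sbin/nologin
batch:x:1003:1003:batch job owner:/var/batch:/bin/false
daemon:x:2:2:daemon:/sbin:/usr/sbin/nologin'

# Print login names whose shell is a non-interactive sentinel (nologin or false).
# Reads passwd-format text from stdin. These users cannot log in interactively,
# but a PAM-authenticated service still accepts their password.
pseudo_disabled_users() {
    awk -F: '$7 ~ /\/(nologin|false)$/ { print $1 }'
}

# Render the pam_listfile rule that rejects every user named in FILE.
# onerr=fail: a missing or unreadable list denies instead of allowing.
pam_deny_rule() {
    printf 'auth required pam_listfile.so onerr=fail item=user sense=deny file=%s\n' "$1"
}

# Stand-alone run: show the users to deny and the rule to place at the top of
# the agent's PAM service file (assumed /etc/pam.d/scx; verify on your system).
deny_file=/etc/security/agent-denied-users   # placeholder path
printf 'Users to deny:\n'
printf '%s\n' "$SAMPLE_PASSWD" | pseudo_disabled_users
printf '\nRule for /etc/pam.d/scx (assumed service name):\n'
pam_deny_rule "$deny_file"
```

On a real host, pipe `getent passwd` into `pseudo_disabled_users`, write the result to the deny file (root-owned, mode 0600), and place the rule before the other auth lines of the agent's PAM service. `pam_shells.so` is an alternative only if your /etc/shells does not list the nologin shell, which some distributions do.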

Credentials for upgrading and uninstalling agents

The UNIX/Linux Agent Upgrade Wizard and the UNIX/Linux Agent Uninstall Wizard provide credentials to their targeted computers. The wizards first prompt you to select the targeted computers to upgrade or uninstall, followed by options for how to provide the credentials to the targeted computer:

  • Use existing associated Run As Accounts

    Select this option to use the credentials associated with the UNIX/Linux action account profile and the UNIX/Linux maintenance account profile.

    The wizard alerts you if one or more of the selected computers do not have an associated Run As account in the required profiles, in which case you must go back and clear the computers that lack an associated Run As account, or specify credentials.

  • Specify credentials

    Select this option to specify Secure Shell (SSH) credentials by using a user name and password or a user name and a key. You can optionally provide a passphrase with a key. If the credentials are not for a privileged account, you can have them elevated to a privileged account on the target computer by using the UNIX su or sudo elevation programs. The 'su' elevation requires a password. If you use sudo elevation, you are prompted for a user name and password for agent verification by using an unprivileged account.