add auto fetch ssl certs
@@ -13,7 +13,7 @@
|
||||
"articleSection" : "post",
|
||||
"name" : "筆記- 啟用群暉NAS (Synology NAS)的SSH Server 透過Publickey 認證免密碼登入",
|
||||
"headline" : "筆記- 啟用群暉NAS (Synology NAS)的SSH Server 透過Publickey 認證免密碼登入",
|
||||
"description" : "\x3cp\x3e公司內有幾台NAS,其中有一台用來放開發人員的postgresql dump file\n之前都是主要的開發人員上傳到google drive,分享出來 ,然後其他人去抓回來\x3c\/p\x3e\n\n\x3cp\x3e這樣子有個問題是,當server要存取這些檔案時,就沒辦法了,除非透過一些 3rd party的軟體\n像是這篇\x3c\/p\x3e\n\n\x3cp\x3e\x3ca href=\x22https:\/\/www.omgubuntu.co.uk\/2017\/04\/mount-google-drive-ocamlfuse-linux\x22\x3ehttps:\/\/www.omgubuntu.co.uk\/2017\/04\/mount-google-drive-ocamlfuse-linux\x3c\/a\x3e\x3c\/p\x3e\n\n\x3cp\x3e或者是這篇\x3c\/p\x3e\n\n\x3cp\x3e\x3ca href=\x22https:\/\/www.maketecheasier.com\/mount-google-drive-ubuntu\/\x22\x3ehttps:\/\/www.maketecheasier.com\/mount-google-drive-ubuntu\/\x3c\/a\x3e\x3c\/p\x3e\n\n\x3cp\x3e但是手邊的伺服器,原則上除非有必要,不然都沒有開放internet\n所以導致明明檔案就在那邊,但是要取得就是很麻煩\x3c\/p\x3e",
|
||||
"description" : "\x3cp\x3e公司內有幾台NAS,其中有一台用來放開發人員的postgresql dump file\n之前都是主要的開發人員上傳到google drive,分享出來 ,然後其他人去抓回來\x3c\/p\x3e\n\x3cp\x3e這樣子有個問題是,當server要存取這些檔案時,就沒辦法了,除非透過一些 3rd party的軟體\n像是這篇\x3c\/p\x3e\n\x3cp\x3e\x3ca href=\x22https:\/\/www.omgubuntu.co.uk\/2017\/04\/mount-google-drive-ocamlfuse-linux\x22\x3ehttps:\/\/www.omgubuntu.co.uk\/2017\/04\/mount-google-drive-ocamlfuse-linux\x3c\/a\x3e\x3c\/p\x3e\n\x3cp\x3e或者是這篇\x3c\/p\x3e\n\x3cp\x3e\x3ca href=\x22https:\/\/www.maketecheasier.com\/mount-google-drive-ubuntu\/\x22\x3ehttps:\/\/www.maketecheasier.com\/mount-google-drive-ubuntu\/\x3c\/a\x3e\x3c\/p\x3e\n\x3cp\x3e但是手邊的伺服器,原則上除非有必要,不然都沒有開放internet\n所以導致明明檔案就在那邊,但是要取得就是很麻煩\x3c\/p\x3e",
|
||||
"inLanguage" : "en",
|
||||
"author" : "Eric Chang",
|
||||
"creator" : "Eric Chang",
|
||||
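Review bot: the commit subject "add auto fetch ssl certs" does not cover the "description" edit in this hunk, which only collapses the `\n\n` between the escaped paragraphs to `\n`. That looks like regenerated site output and is easier to review in its own commit with a subject that says so. Separately, the context line "inLanguage" : "en" does not match the Chinese "name", "headline" and "description" values next to it, so the language setting for this post is worth correcting at the source.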
@@ -45,9 +45,9 @@
|
||||
|
||||
<link rel="stylesheet" href="https://use.fontawesome.com/releases/v5.3.1/css/all.css" integrity="sha384-mzrmE5qonljUremFsqc01SB46JvROS7bZs3IO2EmfFsd15uHvIt+Y8vEf7N7fWAU" crossorigin="anonymous">
|
||||
|
||||
<link href="https://h.cowbay.org/css/style.css?v=1626744134" rel="stylesheet" id="theme-stylesheet" type='text/css' media='all'>
|
||||
<link href="https://h.cowbay.org/css/style.css?v=1629951055" rel="stylesheet" id="theme-stylesheet" type='text/css' media='all'>
|
||||
|
||||
<link href="https://h.cowbay.org/css/custom.css?v=1626744134" rel="stylesheet" type='text/css' media='all'>
|
||||
<link href="https://h.cowbay.org/css/custom.css?v=1629951055" rel="stylesheet" type='text/css' media='all'>
|
||||
<link rel="shortcut icon" href="https://h.cowbay.org/img/favicon.ico" type="image/x-icon">
|
||||
<link rel="icon" href="https://h.cowbay.org/img/favicon.ico" type="image/x-icon">
|
||||
|
||||
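Review bot: the `?v=1626744134` to `?v=1629951055` change on style.css and custom.css looks like a build timestamp rather than a content change, so every rebuild will rewrite these two lines in each generated page. Deriving the query value from a hash of the file contents would keep the diff empty when the CSS itself has not changed.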
@@ -81,10 +81,6 @@ if (!doNotTrack) {
|
||||
|
||||
<ul id="menu-secondary-items" class="menu-secondary-items">
|
||||
|
||||
<li class="menu-item menu-item-type-taxonomy menu-item-object-category">
|
||||
<a href="/categories/"></a>
|
||||
</li>
|
||||
|
||||
<li class="menu-item menu-item-type-taxonomy menu-item-object-category">
|
||||
<a href="/categories/ansible">ansible</a>
|
||||
</li>
|
||||
@@ -310,109 +306,60 @@ if (!doNotTrack) {
|
||||
<article>
|
||||
<p>公司內有幾台NAS,其中有一台用來放開發人員的postgresql dump file
|
||||
之前都是主要的開發人員上傳到google drive,分享出來 ,然後其他人去抓回來</p>
|
||||
|
||||
<p>這樣子有個問題是,當server要存取這些檔案時,就沒辦法了,除非透過一些 3rd party的軟體
|
||||
像是這篇</p>
|
||||
|
||||
<p><a href="https://www.omgubuntu.co.uk/2017/04/mount-google-drive-ocamlfuse-linux">https://www.omgubuntu.co.uk/2017/04/mount-google-drive-ocamlfuse-linux</a></p>
|
||||
|
||||
<p>或者是這篇</p>
|
||||
|
||||
<p><a href="https://www.maketecheasier.com/mount-google-drive-ubuntu/">https://www.maketecheasier.com/mount-google-drive-ubuntu/</a></p>
|
||||
|
||||
<p>但是手邊的伺服器,原則上除非有必要,不然都沒有開放internet
|
||||
所以導致明明檔案就在那邊,但是要取得就是很麻煩</p>
|
||||
|
||||
<p>Dev_A upload to google drive —> Dev_B Download from google drive —> Dev_B scp download file to me —> I upload to server.</p>
|
||||
|
||||
<p>有沒有?是不是很stupid (講話一定要烙英文)</p>
|
||||
|
||||
<p>既然有現成的NAS在那邊,幹嘛不用呢?(攤手)</p>
|
||||
|
||||
<p>聽說之前的人一直沒成功弄出來,讓Server可以直接去NAS存取檔案的方式,我記得這個不是很難啊
|
||||
就順手整理一下</p>
|
||||
|
||||
<h3 id="新增使用者帳號-確認家目錄存在">新增使用者帳號/ 確認家目錄存在</h3>
|
||||
|
||||
<p>在NAS 的管理界面上新增一個帳號,假設叫 eric 好了</p>
|
||||
|
||||
<p><del>建立時,注意一下要指定家目錄路徑</del></p>
|
||||
|
||||
<p>更正: 群暉的界面好像不能指定家目錄</p>
|
||||
|
||||
<p>預設的路徑如下</p>
|
||||
|
||||
<pre><code>eric:x:1071:100::/var/services/homes/eric:/sbin/nologin
|
||||
</code></pre>
|
||||
|
||||
<p>不過我覺得怪怪的,因為在我手邊的幾台NAS底下 /var/services/homes 都切不過去
|
||||
</code></pre><p>不過我覺得怪怪的,因為在我手邊的幾台NAS底下 /var/services/homes 都切不過去
|
||||
確認一下路徑,發現那個 <code>@fake_home_link</code> 根本就不存在啊!</p>
|
||||
|
||||
<pre><code>admin@storage:/volume1$ ls -lart /var/services/homes
|
||||
lrwxrwxrwx 1 root root 24 May 23 14:14 /var/services/homes -> /volume1/@fake_home_link
|
||||
admin@storage:/volume1$
|
||||
</code></pre>
|
||||
|
||||
<p>我在想是不是之前的人有改過什麼..
|
||||
</code></pre><p>我在想是不是之前的人有改過什麼..
|
||||
anyway ,反正先不管這邊,直接修改 /etc/passwd檔案</p>
|
||||
|
||||
<pre><code>sudo vim /etc/passwd
|
||||
</code></pre>
|
||||
|
||||
<p>修正到正確的路徑,順便把shell 也改掉,不然不能登入</p>
|
||||
|
||||
</code></pre><p>修正到正確的路徑,順便把shell 也改掉,不然不能登入</p>
|
||||
<pre><code>eric:x:1071:100::/volume1/homes/eric:/bin/sh
|
||||
</code></pre>
|
||||
|
||||
<h3 id="修改-etc-ssh-sshd-config">修改 /etc/ssh/sshd_config</h3>
|
||||
|
||||
</code></pre><h3 id="修改-etcsshsshd_config">修改 /etc/ssh/sshd_config</h3>
|
||||
<p>再來修正預設沒有啟用 Publickey 驗證的 ssh</p>
|
||||
|
||||
<pre><code>sudo vim /etc/ssh/sshd_config
|
||||
</code></pre>
|
||||
|
||||
<p>確認底下三行存在</p>
|
||||
|
||||
</code></pre><p>確認底下三行存在</p>
|
||||
<pre><code>RSAAuthentication yes
|
||||
PubkeyAuthentication yes
|
||||
AuthorizedKeysFile .ssh/authorized_keys
|
||||
</code></pre>
|
||||
|
||||
<h3 id="將key傳到-nas上">將KEY傳到 NAS上</h3>
|
||||
|
||||
</code></pre><h3 id="將key傳到-nas上">將KEY傳到 NAS上</h3>
|
||||
<p>先建立相關目錄,順便修正一下目錄權限</p>
|
||||
|
||||
<pre><code>chmod 755 /volume1/homes/eric
|
||||
mkdir -p /volume1/homes/eric/.ssh
|
||||
chmod 700 /volume1/homes/eric/.ssh
|
||||
</code></pre>
|
||||
|
||||
<p>再來把Publickey 傳到NAS,複製貼上也好,ssh-copy-id也可以,同時修正權限</p>
|
||||
|
||||
</code></pre><p>再來把Publickey 傳到NAS,複製貼上也好,ssh-copy-id也可以,同時修正權限</p>
|
||||
<pre><code>vim /volume1/homes/eric/.ssh/authorized_keys
|
||||
chmod 0600 /volume1/eric/.ssh/authorized_keys
|
||||
</code></pre>
|
||||
|
||||
<h3 id="重啟ssh">重啟SSH</h3>
|
||||
|
||||
</code></pre><h3 id="重啟ssh">重啟SSH</h3>
|
||||
<p>本來這個步驟應該可以用</p>
|
||||
|
||||
<pre><code>synoservicectl --restart sshd
|
||||
</code></pre>
|
||||
|
||||
<p>來解決
|
||||
</code></pre><p>來解決
|
||||
但是實際上這個指令只會把你踢出 SSH session ….( WTF!!! )</p>
|
||||
|
||||
<p>所以還是要去NAS的管理界面,去關閉再打開SSH (有點蠢..)
|
||||
<img src="https://i.imgur.com/jcDQmI1.png" alt="Synology WEB UI" /></p>
|
||||
|
||||
<img src="https://i.imgur.com/jcDQmI1.png" alt="Synology WEB UI"></p>
|
||||
<p>然後就可以測試用Publickey 來登入NAS了</p>
|
||||
|
||||
<pre><code>2018-11-05 14:47:12 [mini@s009 ansiblecontrol]$ ssh admin@storage
|
||||
admin@storage:~$
|
||||
</code></pre>
|
||||
|
||||
<p>確認免密碼登入無誤了!</p>
|
||||
</code></pre><p>確認免密碼登入無誤了!</p>
|
||||
</article>
|
||||
</div>
|
||||
|
||||
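Review bot: in the authorized_keys block, `chmod 0600 /volume1/eric/.ssh/authorized_keys` is missing `homes`, while the `vim` line above it edits `/volume1/homes/eric/.ssh/authorized_keys`, so the file that actually holds the key never gets its mode set; the path should be `/volume1/homes/eric/.ssh/authorized_keys`. In the sshd_config block, `RSAAuthentication` is an SSH protocol 1 option that OpenSSH 7.4 and later no longer support, so only `PubkeyAuthentication yes` and `AuthorizedKeysFile` matter there. The closing check logs in as `admin@storage` rather than the `eric` account the post configured, so it does not confirm that account's key login. On the change itself, the heading id moves from `修改-etc-ssh-sshd-config` to `修改-etcsshsshd_config`, which breaks any existing link to the old fragment.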
@@ -693,7 +640,7 @@ title="pinterest icon"></i>
|
||||
|
||||
</ul> <div class="design-credit">
|
||||
|
||||
<p>© 2018 Göran Svensson</p>
|
||||
<p>© 2018 Göran Svensson</p>
|
||||
|
||||
<p>Nederburg Hugo Theme by <a href="https://appernetic.io">Appernetic</a>.</p>
|
||||
|
||||
@@ -705,7 +652,7 @@ title="pinterest icon"></i>
|
||||
</div>
|
||||
<script src="https://h.cowbay.org/js/jquery.min.js"></script>
|
||||
<script src="https://h.cowbay.org/js/jquerymigrate.js"></script>
|
||||
<script src="https://h.cowbay.org/js/production.min.js?v=1626744134"></script>
|
||||
<script src="https://h.cowbay.org/js/production.min.js?v=1629951055"></script>
|
||||
|
||||
</body>
|
||||
</html>
|
||||
|
||||