缺省情况下,root 角色无法使用安全 Shell 进行远程登录。过去,root 曾使用安全 Shell 执行许多重要任务,例如将 ZFS 池数据发送到远程系统上的存储。在此过程中,root 角色创建一个可担任远程 ZFS 管理员的用户。
开始之前
您必须承担 root 角色。有关更多信息,请参见在 Oracle Solaris 11.2 中确保用户和进程的安全 中的使用所指定的管理权限。
例如,创建 zfsroot 用户,并提供口令。
source # useradd -c "Remote ZFS Administrator" -u 1201 -d /home/zfsroot zfsroot source # passwd zfsroot Enter password: Retype password: #
dest # useradd -c "Remote ZFS Administrator" -u 1201 -d /home/zfsroot zfsroot dest # passwd zfsroot ...
必须在两个系统上以完全相同的方式定义 zfsroot 用户。
密钥对是在源系统上创建的。然后,将公钥复制到目标系统上的 zfsroot 用户。
# ssh-keygen -t rsa -P "" -f ~/id_migrate Generating public/private rsa key pair. Your identification has been saved in /root/id_migrate. Your public key has been saved in /root/id_migrate.pub. The key fingerprint is: 3c:7f:40:ef:ec:63:95:b9:23:a2:72:d5:ea:d1:61:f0 root@source
# scp ~/id_migrate.pub zfsroot@dest: The authenticity of host 'dest (10.134.76.126)' can't be established. RSA key fingerprint is 44:37:ab:4e:b7:2f:2f:b8:5f:98:9d:e9:ed:6d:46:80. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added 'dest,10.134.76.126' (RSA) to the list of known hosts. Password: id_migrate.pub 100% |*****************************| 399 00:00
source # usermod -P +'ZFS File System Management' -S files zfsroot dest # usermod -P +'ZFS File System Management' -S files zfsroot
dest # profiles zfsroot zfsroot: ZFS File System Management Basic Solaris User All
root@dest # su - zfsroot Oracle Corporation SunOS 5.11 11.1 May 2012 zfsroot@dest $ mkdir -m 700 .ssh zfsroot@dest $ cat id_migrate.pub >> .ssh/authorized_keys
root@source# ssh -l zfsroot -i ~/id_migrate dest \ pfexec /usr/sbin/zfs snapshot zones@test root@source# ssh -l zfsroot -i ~/id_migrate dest \ pfexec /usr/sbin/zfs destroy zones@test
root@source# zfs snapshot -r rpool/zones@migrate-all root@source# zfs send -rc rpool/zones@migrate-all | \ ssh -l zfsroot -i ~/id_migrate dest pfexec /usr/sbin/zfs recv -F zones
root@dest# usermod -P -'ZFS File System Management' zfsroot root@dest# su - zfsroot zfsroot@dest# cp .ssh/authorized_keys .ssh/authorized_keys.bak zfsroot@dest# grep -v root@source .ssh/authorized_keys.bak> .ssh/authorized_keys