Things you should know about the sudo command

Jephe Wu - http://linuxtechres.blogspot.com

Environment: CentOS 6.4 64bit
Objective: understanding the sudo command and its common usages.



<username1> <ALL hosts>=(username2) [NOPASSWD:] commands

The line above allows username1 to run the listed commands as username2 on all hosts.

1. sudo -l after you ssh into a server

sudo -l lists the commands you are allowed to run.

2. sudo -i to become root (similar to su -, using root's environment configuration, including $HOME and $PATH)

Other similar commands are sudo -s, sudo su and sudo bash.

3. sudo -k to clear the password cache

You can also configure the password cache time (in minutes) in /etc/sudoers. By default the password is cached for 5 minutes; changing it to 0 will always ask for a password.

[root@server1 ~]# grep -i timestamp_timeout /etc/sudoers
Defaults timestamp_timeout=1

To disable the password prompt entirely, put NOPASSWD: between (ALL) and the right-most ALL:

<username> ALL=(ALL) NOPASSWD: ALL

4. always use visudo to edit /etc/sudoers instead of vi /etc/sudoers
visudo checks the file for syntax errors.


Note:
So you can remember the sudo parameters above by LIK(e): l, i, k, and e for edit, which uses visudo.

Refer to https://help.ubuntu.com/community/RootSudo

Use Linux Jumphost as Transparent Proxy

Jephe Wu - http://linuxtechres.blogspot.com

Environment: office and data center. There are only one or two Linux jump hosts in the data center; from the office you can only ssh into the jump hosts, and from the jump hosts you can ssh into the other servers. Your client Linux PC and the jump hosts are running CentOS 6.4.

Objective: make this ssh process a single step instead of two by configuring the jump hosts as a transparent ssh proxy.

Steps:
1. add the jump hosts to your /etc/hosts

[root@jephe .ssh]# grep jump /etc/hosts
172.16.50.1 jump01
172.16.50.2 jump02

2. put the following into /etc/ssh/ssh_config on your client Linux PC

host jump01
ServerAliveInterval 60
ServerAliveCountMax 30
proxycommand none

host jump02
ServerAliveInterval 60
ServerAliveCountMax 30
proxycommand none

host *
ServerAliveInterval 60
ServerAliveCountMax 30
proxycommand ssh jephe@jump01 -W %h:%p
#proxycommand ssh jephe@jump01 nc %h %p

Note:
a. put host jump01 and host jump02 before host *
b. if your ssh version is older and doesn't support -W, you can use nc instead, as in the commented line above; take note that the syntax is different for -W and nc: %h:%p vs %h %p
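Note (a) matters because ssh applies the first matching value of each option: if the jump host's own block (with ProxyCommand none) comes after host *, ssh would try to reach jump01 through jump01 itself. The script below is an added example, not part of the original post; it checks an ssh_config for that ordering, and the sample configs and the function name check_jump_order are constructed for the demonstration.

```shell
# check_jump_order FILE
# Walks FILE once with awk and prints a verdict. "ok" means the jump host named
# in the "Host *" ProxyCommand has its own Host block, that block comes before
# "Host *", and it sets its own ProxyCommand (none), so the first-match-wins
# lookup never proxies the jump host through itself. Non-zero exit otherwise.
check_jump_order() {
    awk '
        tolower($1) == "host" {
            block = $2
            if (!(block in first)) first[block] = NR   # line of the first block for this host
            if (block == "*") star = NR
        }
        tolower($1) == "proxycommand" {
            if (block == "*") {
                # take the [user@]host token that follows "ssh" and strip the user part
                for (i = 2; i <= NF; i++) if ($i == "ssh") { jump = $(i + 1); sub(/^.*@/, "", jump) }
            } else {
                haspc[block] = 1                        # this block overrides ProxyCommand itself
            }
        }
        END {
            if (!star)              { print "no Host * block"; exit 0 }
            if (jump == "")         { print "ok"; exit 0 }
            if (!(jump in first))   { print "missing: " jump; exit 1 }
            if (first[jump] > star) { print "after-star: " jump; exit 1 }
            if (!(jump in haspc))   { print "no-proxycommand: " jump; exit 1 }
            print "ok"
        }' "$1"
}

# Constructed sample configs (not from the post): one correct, one with the
# jump host block placed after "host *".
GOOD_CFG=$(mktemp)
cat > "$GOOD_CFG" <<'EOF'
host jump01
ProxyCommand none
host *
ProxyCommand ssh jephe@jump01 -W %h:%p
EOF

BAD_CFG=$(mktemp)
cat > "$BAD_CFG" <<'EOF'
host *
ProxyCommand ssh jephe@jump01 -W %h:%p
host jump01
ProxyCommand none
EOF

check_jump_order "$GOOD_CFG"                                  # prints: ok
check_jump_order "$BAD_CFG" || echo "ordering problem found"  # prints: after-star: jump01
```

Run it against /etc/ssh/ssh_config (or ~/.ssh/config) on the client after editing; a "missing" verdict means the jump host has no block of its own at all.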

3. set up passwordless login from your Linux PC to the jump hosts

ssh-keygen -d 
ssh-copy-id -i /root/.ssh/id_dsa.pub jephe@jump01
ssh-copy-id -i /root/.ssh/id_dsa.pub jephe@jump02

Note: you can also use the command below to set up passwordless login:

cat /root/.ssh/id_dsa.pub | ssh jephe@jump01 'cat >> /home/jephe/.ssh/authorized_keys'

4. testing
Now, from your Linux client PC, run 'ssh jephe@jump01' and 'ssh jephe@jump02'; you should be able to ssh in without a password.

Also, from your client PC, run 'ssh user@allotherserver'; it should prompt you for a password.

After you ssh into another server directly, the 'w' command will show the connection coming from the jump host, not from your Linux PC. ssh actually logs into the jump host first in the background, then from the jump host into the other server.