mirror of
https://github.com/ryan4yin/nixos-and-flakes-book.git
synced 2024-11-21 23:53:12 +01:00
fix(security): sudo password in remote deployment
This commit is contained in:
parent
df0a7055f1
commit
652c174d7d
@ -17,6 +17,7 @@ Before embarking on remote deployment, a few preparatory steps are necessary:
|
|||||||
1. To prevent remote host's sudo password verification failure, choose one of the following methods:
|
1. To prevent remote host's sudo password verification failure, choose one of the following methods:
|
||||||
1. Deploy as the remote host's `root` user.
|
1. Deploy as the remote host's `root` user.
|
||||||
2. Add `security.sudo.wheelNeedsPassword = false;` to the remote host's configuration and manually deploy once in advance to grant the user passwordless sudo permissions..
|
2. Add `security.sudo.wheelNeedsPassword = false;` to the remote host's configuration and manually deploy once in advance to grant the user passwordless sudo permissions..
|
||||||
|
1. **This will allow user-level programs to silently obtain sudo permissions, posing a security risk**! Therefore, if you choose this method, it's advisable to create a dedicated user for remote deployment, rather than using your regular user account!
|
||||||
2. Configure SSH public key authentication for the remote hosts.
|
2. Configure SSH public key authentication for the remote hosts.
|
||||||
|
|
||||||
|
|
||||||
|
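Review bot: the added warning is numbered `1.` under option 2, so it renders as a nested list item rather than a caution attached to that option, and with the surrounding `1.`/`2.` items left unchanged the outer numbering is easy to misread (the SSH public-key step is also a `2.`); a plain indented paragraph or a `> ` note would read better. While touching this region, the stray `..` in "passwordless sudo permissions.." on the unchanged line above could be fixed. The suggested mitigation is also weaker than it sounds: `security.sudo.wheelNeedsPassword = false;` exempts every member of `wheel`, so a dedicated deployment user only reduces exposure if the regular account is not in `wheel` on that host; a per-user `security.sudo.extraRules` entry with `NOPASSWD` for the deployment user scopes the exemption more tightly and would be worth mentioning alongside the warning.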
@ -14,8 +14,9 @@ Nix 本身的设计就很适合远程部署,Nix 社区也有许多专门用于
|
|||||||
在进行远程部署之前,需要做一些准备工作:
|
在进行远程部署之前,需要做一些准备工作:
|
||||||
|
|
||||||
1. 为了防止远程主机的 sudo 密码验证失败,有两种方法,二选一:
|
1. 为了防止远程主机的 sudo 密码验证失败,有两种方法,二选一:
|
||||||
1. 以远程主机的 `root` 用户身份部署
|
1. 以远程主机的 `root` 用户身份部署,这是推荐使用的方法。
|
||||||
2. 在远程主机的配置中添加 `security.sudo.wheelNeedsPassword = false;` 并提前手动部署一次,从而为用户授予免密码验证的 sudo 权限。
|
2. 在远程主机的配置中添加 `security.sudo.wheelNeedsPassword = false;` 并提前手动部署一次,从而为用户授予免密码验证的 sudo 权限。
|
||||||
|
1. **这会导致用户级别的程序能静默获取 sudo 权限,存在安全风险**!因此如果选用这种方法,建议远程部署创建一个专门的用户,不应该使用自己的常用用户!
|
||||||
2. 为远程主机配置 SSH 公钥身份验证。
|
2. 为远程主机配置 SSH 公钥身份验证。
|
||||||
|
|
||||||
建议使用 `root` 用户进行部署,因为这更方便且不需要额外的配置,没有令人头疼的 sudo 权限问题。
|
建议使用 `root` 用户进行部署,因为这更方便且不需要额外的配置,没有令人头疼的 sudo 权限问题。
|
||||||
|
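Review bot: the English and Chinese versions of this change diverge: here option 1 gains ",这是推荐使用的方法。" (this is the recommended method), but the English hunk in the same commit adds nothing equivalent to "Deploy as the remote host's `root` user."; either add the same sentence to the English text or drop it here, since the unchanged closing paragraph ("建议使用 `root` 用户进行部署...") already states the recommendation. The same numbering concern as in the English file applies: the new warning is a nested `1.` under option 2 rather than a note attached to it.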