Functional Questions (Authorization and Account)
1. What’s the difference between just authorized hosts and authorized host accounts?
Answer: With an authorized host account, the host’s account and password are stored in the bastion host and filled in for the user, so the user can log in directly. With an authorized host only, the user is granted access to the host but still has to enter the host’s account and password to log in.
2. Are resource groups global? What are their main functions?
Answer: Resource groups are not currently global: a resource group is visible only to the user who created it, while admins can see resource groups created by all users. Their main purpose is to let an individual user manage the machines under their own account in batches, for example to authorize them in one operation.
For grouping that must apply globally, use departments to divide the hosts.
3. How to create a new host SSH-Key account through the bastion host and log in to the host through the key in the bastion host?
Answer: Step one: log in to the target host from the bastion host and create a .ssh folder in the user’s home directory (permission mode 700).
Step two: use the command “ssh-keygen -t rsa” to generate a key pair in the .ssh folder (id_rsa.pub is the public key, id_rsa the private key).
Step three: create an authorized_keys file in the .ssh folder and use the command “cat id_rsa.pub >> authorized_keys” to append the public key to authorized_keys.
Step four: use the command “chmod 600 authorized_keys” to restrict the permissions of authorized_keys; sshd rejects the file if it is writable by others.
Step five: create an SSH-Key account for this host in the bastion host. The private key required when creating this account is the id_rsa generated above. Once it has been imported into the bastion host, the private key can be deleted from the target host so that no copy remains there.
4. Why can’t a non-root account, using SSH-Key, log in to the target host?
Answer: The most likely cause is that the permissions of authorized_keys (or of the .ssh folder or the home directory) are too open, so sshd ignores the public key and the key-based login fails.
The solution is to run “chmod 600 authorized_keys” (and “chmod 700 .ssh”) as that user
to restrict the permissions of authorized_keys.
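The following script is an added example and not code from the bastion product; it carries out the steps of question 3 and the permission check of question 4 in one place. It assumes a POSIX shell, OpenSSH’s ssh-keygen on the target host, and write access to the target account’s home directory. The key comment “bastion” and the function names are assumptions chosen for readability. Key generation is kept separate from installation so the installation and permission check can be exercised with any public key file.

```shell
#!/bin/sh
# Added example (not the bastion vendor's code): prepare an SSH-Key account on a
# target host and verify the permission modes that question 4 depends on.
set -eu

# Generate the key pair as in step two of question 3 (rsa, as the FAQ says).
# -N '' produces an unencrypted private key, which is what the bastion imports.
generate_keypair() {
    sshdir="$1/.ssh"
    mkdir -p "$sshdir" && chmod 700 "$sshdir"
    [ -f "$sshdir/id_rsa" ] || ssh-keygen -q -t rsa -b 4096 -N '' -C bastion -f "$sshdir/id_rsa"
    chmod 600 "$sshdir/id_rsa"
    echo "$sshdir/id_rsa.pub"
}

# Steps one, three and four: create ~/.ssh, append one public key to
# authorized_keys (idempotently), and set the modes sshd's StrictModes expects.
install_authorized_key() {
    home_dir="$1"   # home directory of the target account, e.g. /home/ops
    pubkey="$2"     # path to a public key file (one line)
    sshdir="$home_dir/.ssh"

    mkdir -p "$sshdir"
    chmod 700 "$sshdir"
    chmod go-w "$home_dir"   # sshd also rejects keys when the home dir is group/world-writable
    touch "$sshdir/authorized_keys"
    if ! grep -qxF -- "$(cat "$pubkey")" "$sshdir/authorized_keys"; then
        cat "$pubkey" >> "$sshdir/authorized_keys"
    fi
    chmod 600 "$sshdir/authorized_keys"
}

# Octal mode of a path; GNU and BSD stat take different flags.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# The check behind question 4: returns 0 only when .ssh is 700 and
# authorized_keys is 600, i.e. neither is writable by group or others.
check_key_perms() {
    sshdir="$1/.ssh"
    [ "$(mode_of "$sshdir")" = "700" ] && [ "$(mode_of "$sshdir/authorized_keys")" = "600" ]
}
```

Run `generate_keypair "$HOME"` on the target host, pass the printed path to `install_authorized_key "$HOME" <path>`, then import `$HOME/.ssh/id_rsa` into the bastion host’s SSH-Key account and delete it from the target host. If a key-based login still fails, `check_key_perms "$HOME"` returning non-zero points at the permission problem described in question 4.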
5. Some telnet devices only have passwords but no usernames, how can I add them to the bastion host for management?
Answer: The account name can be filled in arbitrarily (for example root). As long as the password is the correct password for the network device, the device can be added to the bastion host and managed normally.
6. Devices accessed by VNC protocol have no username but only password, how can I add them to the bastion host for management?
Answer: You can enter any username (for example root). As long as the password is the correct password for the VNC device, the device can be added to the bastion host and managed normally.
7. The user does not want the bastion host to manage the password and prefers to enter it manually. Does the bastion host support this?
Answer: Yes, it is supported. In the bastion host, save only the host name and IP and do not add an account. Users then enter their operating system username and password each time they log in to the host.
8. A new role has been created and given all permissions of the department, but it’s not possible to choose a superior department when creating
Answer: The “admin privileges” option needs to be enabled for this role.
9. Who can be set as the authorizer for dual-person authorization?
Answer: The departmental administrator and the superior leaders of the currently logged-in user can be selected as authorizers in the work order settings.
For example, if user A should be authorized by the departmental administrator of A’s department, the policy administrator of that department sets the policy and selects A’s departmental administrator and superior leaders as the authorizers.
10. What is the role of dynamic authorization and the operation process?
Answer: Dynamic authorization means that character commands are intercepted first and the user must then apply to an administrator; only after the administrator’s approval can the command be executed.
Operation process: first create the command sets that need to be intercepted for character-based protocols (SSH, Telnet) and the command control policies, as shown below:
If a controlled account enters a command that must be intercepted, the session displays the following:
To use such a command, the user must submit an application; once the leaders of their superior department have approved it, the command can be entered.
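To make the intercept-then-approve flow concrete, the script below is an added example written for this page, not the bastion product’s own code: the product’s pattern syntax, approval workflow and who may approve are not described on the page, so the command set, the approval ledger keyed by user and exact command, and the three decisions ALLOW, INTERCEPT and APPROVED are all assumptions of this model. It shows the one detail a command control policy stands or falls on: patterns must be anchored to the start of the command, otherwise “echo rm” would be intercepted while a real command with a different spelling might not be.

```shell
#!/bin/sh
# Added example (not the bastion product's code): a minimal model of a command
# control policy with a command set, an approval ledger and a gate decision.
set -eu

# Constructed command set: one anchored POSIX extended regex per line.
# Anchoring with ^ and requiring whitespace or end of line after the verb keeps
# "echo rm" and "arm-none-eabi-gcc" out while "rm -rf /" and "sudo reboot" match.
CMDSET=$(mktemp)
cat > "$CMDSET" <<'EOF'
^[[:space:]]*(sudo[[:space:]]+)?rm([[:space:]]|$)
^[[:space:]]*(sudo[[:space:]]+)?(shutdown|reboot|halt|poweroff)([[:space:]]|$)
^[[:space:]]*(sudo[[:space:]]+)?(useradd|userdel|passwd)([[:space:]]|$)
EOF

# Constructed approval ledger: one "user<TAB>command" line per approved request.
APPROVALS=$(mktemp)

# Returns 0 when the command matches any pattern in the command set.
is_intercepted() {
    printf '%s\n' "$1" | grep -Eq -f "$CMDSET"
}

# Record an approval for exactly this user and exactly this command text.
approve() {
    printf '%s\t%s\n' "$1" "$2" >> "$APPROVALS"
}

# Returns 0 when an approval record exists for (user, command).
is_approved() {
    grep -qxF -- "$(printf '%s\t%s' "$1" "$2")" "$APPROVALS"
}

# Gate decision for one command typed in a session:
#   ALLOW     not in the command set, executes immediately
#   INTERCEPT in the command set and not yet approved, user must apply
#   APPROVED  in the command set and approved for this user and command
gate() {
    user="$1"; cmd="$2"
    if ! is_intercepted "$cmd"; then
        echo ALLOW
    elif is_approved "$user" "$cmd"; then
        echo APPROVED
    else
        echo INTERCEPT
    fi
}
```

Approval is deliberately scoped to the exact command text and the requesting user, so an approval for “rm -rf /var/log/old” does not carry over to “rm -rf /” or to another user. A command set only catches what its patterns describe; every entry should be reviewed for anchoring and for the aliases and wrappers (such as sudo) that the same verb can hide behind.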