Manage SSH access for domain accounts in Azure HDInsight

On secure clusters (clusters joined to Azure AD DS), by default every domain user in Azure AD DS is allowed to SSH into the head and edge nodes. These domain users are not members of the sudoers group and do not get root access. The local SSH user created during cluster creation does have root access (through sudo).

Manage access

To restrict SSH access to specific users or groups, update /etc/ssh/sshd_config on each of the nodes.

  1. Use the ssh command to connect to your cluster. Edit the command below by replacing CLUSTERNAME with the name of your cluster, and then enter the command:

    ssh sshuser@CLUSTERNAME-ssh.azurehdinsight.cn
    
  2. Open the sshd_config file (the server configuration; /etc/ssh/ssh_config is the client configuration and is not involved here).

    sudo nano /etc/ssh/sshd_config
    
  3. Modify the sshd_config file as desired. AllowUsers and AllowGroups are allow-lists: once either directive is present, sshd refuses every login it does not match, and a login must satisfy both directives when both are set. So if you restrict users to certain groups, the local accounts (including the SSH user created with the cluster) can no longer SSH into that node unless you list them, and one of their groups, explicitly. The following is only an example of the syntax:

    AllowUsers useralias1 useralias2
    
    AllowGroups groupname1 groupname2
    

    Then save the changes: Ctrl + X, Y, Enter.

  4. Restart sshd. Check the file with `sudo sshd -t` first: it prints nothing when the configuration is valid, and restarting with a broken sshd_config leaves the node unreachable over SSH.

    sudo systemctl restart sshd
    
  5. Repeat the steps above on each node.
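The procedure above, carried out as a script rather than by hand, as an added example that is not part of the HDInsight documentation. It writes the AllowUsers/AllowGroups policy into one node's sshd_config without dropping the local admin account, places the directives before any Match block, and validates the file before sshd is restarted. It assumes the local admin account is named sshuser with a primary group also named sshuser, and that the file is the standard /etc/ssh/sshd_config; none of that is stated on the page.

```shell
#!/usr/bin/env bash
# Added example (not the HDInsight documentation's own code): apply an
# AllowUsers/AllowGroups policy to a node's sshd_config safely.
# Assumptions: local admin account "sshuser" with primary group "sshuser";
# config file /etc/ssh/sshd_config.
set -euo pipefail

# Replace every uncommented occurrence of a directive with one new line placed
# before the first "Match" block: a directive appended after "Match" applies
# only to that block, not globally.
# $1 = path to sshd_config, $2 = directive name, $3 = value
set_sshd_directive() {
    local cfg="$1" key="$2" value="$3" tmp
    tmp="$(mktemp)"
    awk -v key="$key" -v line="$key $value" '
        tolower($1) == tolower(key) { next }
        !done && tolower($1) == "match" { print line; done = 1 }
        { print }
        END { if (!done) print line }
    ' "$cfg" > "$tmp"
    cat "$tmp" > "$cfg"   # overwrite in place, keeping owner and mode
    rm -f "$tmp"
}

# Compose the policy. sshd evaluates DenyUsers, AllowUsers, DenyGroups and
# AllowGroups in that order and a login must pass all of them, so whenever
# AllowGroups is set the admin's own group must be listed as well; otherwise
# the admin is locked out even though AllowUsers names it.
# $1 = cfg, $2 = admin user, $3 = admin primary group,
# $4 = space-separated domain users (may be empty),
# $5 = space-separated domain groups (may be empty)
apply_ssh_policy() {
    local cfg="$1" admin="$2" admin_group="$3" users="$4" groups="$5"
    set_sshd_directive "$cfg" AllowUsers "${admin}${users:+ $users}"
    if [ -n "$groups" ]; then
        set_sshd_directive "$cfg" AllowGroups "${admin_group} ${groups}"
    fi
}

# Read back the effective value of a directive, for verification.
# $1 = directive name, $2 = path to sshd_config
get_sshd_directive() {
    awk -v key="$1" 'tolower($1) == tolower(key) { $1 = ""; sub(/^ /, ""); print; exit }' "$2"
}

# Let sshd parse the edited file before restarting; a syntax error would
# otherwise leave the node unreachable over SSH. sshd -t is silent on success.
validate_and_restart() {
    local cfg="$1"
    sudo sshd -t -f "$cfg"
    sudo systemctl restart sshd
}

if [ "${1:-}" = "--apply" ]; then
    # Example invocation; run this on every head and edge node.
    apply_ssh_policy /etc/ssh/sshd_config sshuser sshuser "useralias1 useralias2" "groupname1"
    validate_and_restart /etc/ssh/sshd_config
fi
```

Run it as `sudo bash restrict-ssh.sh --apply` on each node (the file name is a placeholder). Without `--apply` it only defines the functions, so it can be sourced and tried against a copy of sshd_config first.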

SSH authentication log

The SSH authentication log is written to /var/log/auth.log. If you see SSH login failures for local or domain accounts, go through that log to find the cause; sshd records why it refused a login, which separates a policy rejection (an account not matched by AllowUsers or AllowGroups) from a wrong password or key. The problem is often specific to one user account, so it is good practice to try other user accounts, or to SSH in as the default SSH user (the local account) and then attempt a kinit to check the domain side independently of sshd.
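To triage the log described above, here is an added example (not from the HDInsight documentation) that tallies sshd outcomes in an auth.log per user and reason, so a lockout caused by an AllowUsers/AllowGroups restriction stands out from ordinary bad-password noise. It assumes the syslog-style line format of Ubuntu's /var/log/auth.log; the message wording matched follows sshd's own log messages, and the sample lines in the usage note are constructed.

```shell
#!/usr/bin/env bash
# Added example (not the HDInsight documentation's own code): summarise sshd
# login outcomes from an auth.log. Assumes syslog-style lines of the form
# "<date> <host> sshd[<pid>]: <message>".
set -euo pipefail

# Print "count<TAB>user<TAB>reason" for every user/reason pair seen, sorted.
# $1 = path to the log (default /var/log/auth.log)
ssh_auth_summary() {
    local log="${1:-/var/log/auth.log}"
    awk '
        # Policy rejections from AllowUsers/AllowGroups/DenyUsers/DenyGroups
        /sshd\[[0-9]+\]: User .* not allowed because / {
            user = $0
            sub(/.*sshd\[[0-9]+\]: User /, "", user); sub(/ .*/, "", user)
            reason = "policy"
            if ($0 ~ /AllowUsers/)  reason = "not-in-AllowUsers"
            if ($0 ~ /AllowGroups/) reason = "not-in-AllowGroups"
            if ($0 ~ /DenyUsers/)   reason = "in-DenyUsers"
            if ($0 ~ /DenyGroups/)  reason = "in-DenyGroups"
            count[user "\t" reason]++
            next
        }
        # Credential failures, including attempts for unknown accounts
        /sshd\[[0-9]+\]: Failed (password|publickey) for / {
            user = $0
            sub(/.*sshd\[[0-9]+\]: Failed (password|publickey) for (invalid user )?/, "", user)
            sub(/ .*/, "", user)
            count[user "\tauth-failed"]++
            next
        }
        # Successful logins, for comparison
        /sshd\[[0-9]+\]: Accepted / {
            user = $0
            sub(/.*sshd\[[0-9]+\]: Accepted [a-z]+ for /, "", user); sub(/ .*/, "", user)
            count[user "\taccepted"]++
        }
        END { for (k in count) printf "%d\t%s\n", count[k], k }
    ' "$log" | sort -k2,2 -k3,3
}

if [ "${1:-}" = "--run" ]; then
    ssh_auth_summary "${2:-/var/log/auth.log}"
fi
```

Run as `sudo bash auth-summary.sh --run` (placeholder file name) on a node; a user whose only rows are `not-in-AllowUsers` or `not-in-AllowGroups` was rejected by the sshd_config policy and not by a bad credential, so the fix is in the allow-lists rather than in the account.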

SSH debug log

To get verbose server-side logging, run sshd with the -d option, for example /usr/sbin/sshd -d. In this mode sshd stays in the foreground, writes debug output to standard error and handles a single connection, so rather than stopping the main SSH daemon you can start a second instance on a custom port (for example 2222, chosen with -p) and connect to that port for the test. You can also use the -v option with the SSH client to get more logs (the client-side view of the failure).

Next steps