ProHoster > Блог > Gudanarwa > Wadanda suka yi nasara a gasar kasa da kasa SSH da sudo sun sake kan mataki. Jagoran Jagoran Distinguished Active Directory

Wadanda suka yi nasara a gasar kasa da kasa SSH da sudo sun sake kan mataki. Jagoran Jagoran Distinguished Active Directory

A tarihi, izinin sudo ana sarrafa su ta hanyar abubuwan da ke cikin fayiloli daga /etc/sudoers.d и amintacce, kuma an aiwatar da mahimmin izini ta amfani da ~/.ssh/maɓallai masu izini. Koyaya, yayin da abubuwan more rayuwa ke haɓaka, akwai sha'awar sarrafa waɗannan hakkoki a tsakiya. A yau ana iya samun zaɓuɓɓukan mafita da yawa:

  • Tsarin Gudanarwar Kanfigareshan - kai, 'Yar tsana, Mai yiwuwa, Salt
  • Active Directory + ssd
  • Daban-daban ɓarna ta hanyar rubutun rubutu da gyaran fayil ɗin hannu

A cikin ra'ayi na ra'ayi na, mafi kyawun zaɓi don gudanarwa na tsakiya shine har yanzu haɗuwa Active Directory + ssd. Fa'idodin wannan hanya sune:

  • Lallai jagorar mai amfani guda ɗaya ce ta tsakiya.
  • Rarraba hakkoki sudo ya sauko don ƙara mai amfani zuwa takamaiman ƙungiyar tsaro.
  • A cikin yanayin tsarin Linux daban-daban, ya zama dole a gabatar da ƙarin bincike don tantance OS yayin amfani da tsarin daidaitawa.

Za a keɓe babban ɗakin yau musamman ga haɗin gwiwa Active Directory + ssd don kula da haƙƙin haƙƙin mallaka sudo da ajiya ssh maɓallai a cikin ma'aji guda ɗaya.
Don haka zauren ya daskare cikin tashin hankali, madugu ya daga sandarsa, kungiyar makada ta shirya.
Mu tafi.

An ba:
- yankin Directory Active testopf.local a kan Windows Server 2012 R2.
- Linux mai masaukin baki yana gudana Centos 7
- Ingantaccen izini ta amfani da ssd
Dukansu mafita suna yin canje-canje ga tsarin Active Directory, don haka muna duba komai a cikin yanayin gwaji sannan kawai mu canza canje-canje ga kayan aikin aiki. Ina so in lura cewa duk canje-canjen an yi niyya ne kuma, a zahiri, ƙara kawai halaye da azuzuwan da ake buƙata.

Aiki 1: sarrafawa sudo rawar ta hanyar Active Directory.

Don fadada kewaye Active Directory kuna buƙatar zazzage sabon saki sudo - 1.8.27 a yau. Cire kaya kuma kwafi fayil ɗin schema.ActiveDirectory daga ./doc directory zuwa mai sarrafa yanki. Daga layin umarni tare da haƙƙin mai gudanarwa daga kundin adireshi inda aka kwafi fayil ɗin, gudanar:
ldifde -i -f schema.ActiveDirectory -c dc=X dc=testopf,dc=local
(Kada ku manta da canza dabi'un ku)
Bude adireshi.msc kuma haɗa zuwa mahallin tsoho:
Ƙirƙiri rarrabuwa a tushen yankin zufa. (Burgeoisie yayi taurin kai cewa a cikin wannan rukunin ne aljanin ssd neman abu sudoRole abubuwa. Duk da haka, bayan kunna cikakkun bayanai da kuma nazarin rajistan ayyukan, an bayyana cewa an gudanar da binciken a cikin dukan bishiyar directory.)
Muna ƙirƙirar abu na farko na cikin aji a cikin rabo sudoRole. Za a iya zaɓar sunan gaba ɗaya ba bisa ƙa'ida ba, saboda yana aiki kawai don ganewa mai dacewa.
Daga cikin abubuwan da za a iya samu daga tsawaita tsarin, manyan su ne kamar haka:

  • sudoCommand - ƙayyade waɗanne umarni ne aka yarda a aiwatar da su akan mai watsa shiri.
  • sudoHost - yana ƙayyade ko wane runduna wannan rawar ta shafi. Za a iya bayyana kamar ALL, kuma ga mai masaukin baki da suna. Hakanan yana yiwuwa a yi amfani da abin rufe fuska.
  • sudoUser - nuna abin da aka yarda masu amfani su aiwatar sudo.
    Idan ka saka ƙungiyar tsaro, ƙara alamar "%" a farkon sunan. Idan akwai sarari a cikin sunan rukuni, babu wani abin damuwa. Yin la'akari da rajistan ayyukan, aikin tserewa sararin samaniya yana ɗaukar nauyin tsarin ssd.

Wadanda suka yi nasara a gasar kasa da kasa SSH da sudo sun sake kan mataki. Jagoran Jagoran Distinguished Active Directory
Hoto 1. Abubuwan sudoRole a cikin sashin sudoers a cikin tushen directory

Wadanda suka yi nasara a gasar kasa da kasa SSH da sudo sun sake kan mataki. Jagoran Jagoran Distinguished Active Directory
Hoto 2. Kasancewa cikin ƙungiyoyin tsaro da aka ƙayyade a cikin abubuwan sudoRole.

Ana yin saitin mai zuwa a gefen Linux.
A cikin fayil /etc/nsswitch.conf ƙara layin zuwa ƙarshen fayil ɗin:

sudoers: files sss

A cikin fayil /etc/sssd/sssd.conf a sashe [ssd] ƙara zuwa ayyuka sudo

cat /etc/sssd/sssd.conf | grep services
services = nss, pam, sudo

Bayan duk ayyukan, kuna buƙatar share cache sssd daemon. Sabuntawa ta atomatik yana faruwa kowane sa'o'i 6, amma me yasa zamu jira tsawon lokaci lokacin da muke so yanzu?

sss_cache -E

Yakan faru sau da yawa cewa share cache baya taimaka. Sannan mu dakatar da sabis ɗin, tsaftace ma'ajin bayanai, sannan mu fara sabis ɗin.

service sssd stop
rm -rf /var/lib/sss/db/*
service sssd start

Muna haɗi azaman mai amfani na farko kuma muna bincika abin da yake samuwa gare shi ƙarƙashin sudo:

su user1
[user1@testsshad log]$ id
uid=1109801141(user1) gid=1109800513(domain users) groups=1109800513(domain users),1109801132(admins_)
[user1@testsshad log]$ sudo -l
[sudo] password for user1:
Matching Defaults entries for user1 on testsshad:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin:/bin:/usr/sbin:/usr/bin

User user1 may run the following commands on testsshad:
    (root) /usr/bin/ls, /usr/bin/cat

Muna yin haka tare da mai amfani na biyu:

su user2
[user2@testsshad log]$ id
uid=1109801142(user2) gid=1109800513(domain users) groups=1109800513(domain users),1109801138(sudo_root)
[user2@testsshad log]$ sudo -l
Matching Defaults entries for user2 on testsshad:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin:/bin:/usr/sbin:/usr/bin

User user2 may run the following commands on testsshad:
    (root) ALL

Wannan hanyar tana ba ku damar ayyana matsayin sudo a tsakiya don ƙungiyoyin masu amfani daban-daban.

Ajiye da amfani da maɓallan ssh a cikin Active Directory

Tare da ɗan fadada tsarin, yana yiwuwa a adana maɓallan ssh a cikin halayen mai amfani na Active Directory kuma a yi amfani da su lokacin ba da izini akan rundunonin Linux.

Dole ne a saita izini ta hanyar sssd.
Ƙara sifa da ake buƙata ta amfani da rubutun PowerShell.
AddsshPublicKeyAttribute.ps1Sabbin Halayen Aiki {
$ Prefix = "1.2.840.113556.1.8000.2554"
$GUID=[System.Guid]::NewGuid().ToString()
$ Parts=@()
$Parts+=[UInt64]::Parse($guid.SubString(0,4),“AllowHexSpecifier”)
$Parts+=[UInt64]::Parse($guid.SubString(4,4),“AllowHexSpecifier”)
$Parts+=[UInt64]::Parse($guid.SubString(9,4),“AllowHexSpecifier”)
$Parts+=[UInt64]::Parse($guid.SubString(14,4),“AllowHexSpecifier”)
$Parts+=[UInt64]::Parse($guid.SubString(19,4),“AllowHexSpecifier”)
$Parts+=[UInt64]::Parse($guid.SubString(24,6),“AllowHexSpecifier”)
$Parts+=[UInt64]::Parse($guid.SubString(30,6),“AllowHexSpecifier”)
$oid=[String]::Format(«{0}.{1}.{2}.{3}.{4}.{5}.{6}.{7}»,$prefix,$Parts[0],
$Parts[1],$Parts[2],$Parts[3],$Parts[4],$Parts[5],$Parts[6])
$oid
}
$schemaPath = (Samu-ADRootDSE).schemaNamingContext
$oid = Sabon-Hanyoyin ID
$halaye = @{
lDAPDisplayName = 'sshPublicKey';
attributeId = $oid;
oMSyntax = 22;
sifaSyntax = "2.5.5.5";
isSingleValued = $ gaskiya;
adminDescription = 'Maɓallin Jama'a na Mai amfani don shiga SSH';
}

Sabon-ADObject -Sunan sshPublicKey -Nau'in sifaSchema -Path $schemapath -Sauran Halayen halayen $
$userSchema = samun-adobject -SearchBase $schemapath -Tace 'suna -eq "mai amfani"'
$userSchema | Saita-ADObject -Add @{mayContain = 'sshPublicKey'}

Bayan ƙara sifa, dole ne ku sake farawa Active Directory Domain Services.
Bari mu matsa zuwa masu amfani da Directory Active. Za mu samar da maɓalli na biyu don haɗin ssh ta amfani da kowace hanya da ta dace da ku.
Mun kaddamar da PuttyGen, danna maɓallin "Generate" kuma mu matsar da linzamin kwamfuta a cikin fanko.
Bayan kammala aikin, za mu iya ajiye maɓallan jama'a da masu zaman kansu, loda maɓallin jama'a zuwa sifa mai amfani na Directory Active kuma mu ji daɗin tsarin. Koyaya, dole ne a yi amfani da maɓallin jama'a daga "Maɓallin jama'a don liƙa cikin fayil ɗin izini_keys na OpenSSH:".
Wadanda suka yi nasara a gasar kasa da kasa SSH da sudo sun sake kan mataki. Jagoran Jagoran Distinguished Active Directory
Ƙara maɓallin zuwa sifa mai amfani.
Zabin 1 - GUI:
Wadanda suka yi nasara a gasar kasa da kasa SSH da sudo sun sake kan mataki. Jagoran Jagoran Distinguished Active Directory
Zabin 2 - PowerShell:
get-aduser user1 | set-aduser -add @{sshPublicKey = 'AAAAB...XAVnX9ZRJJ0p/Q=='}
Don haka, a halin yanzu muna da: mai amfani tare da sifa ta sshPublicKey da aka cika, abokin ciniki na Putty da aka tsara don izini ta amfani da maɓalli. Akwai ƙaramin batu guda ɗaya: yadda ake tilasta sshd daemon don cire maɓallin jama'a da muke buƙata daga halayen mai amfani. Ƙananan rubutun da aka samo akan Intanet na bourgeois na iya samun nasarar jimre wa wannan.

cat /usr/local/bin/fetchSSHKeysFromLDAP
#!/bin/sh
ldapsearch -h testmdt.testopf.local -xb "dc=testopf,dc=local" '(sAMAccountName='"${1%@*}"')' -D [email protected] -w superSecretPassword 'sshPublicKey' | sed -n '/^ /{H;d};/sshPublicKey:/x;$g;s/n *//g;s/sshPublicKey: //gp'

Mun saita izini akan shi zuwa 0500 don tushen.

chmod 0500  /usr/local/bin/fetchSSHKeysFromLDAP

A cikin wannan misalin, ana amfani da asusun mai gudanarwa don ɗaure ga kundin adireshi. A cikin yanayin yaƙi dole ne a sami keɓantaccen asusu tare da mafi ƙarancin saiti na haƙƙoƙi.
Ni da kaina na rikice da lokacin da kalmar sirri ta kasance cikin tsaftataccen tsari a cikin rubutun, duk da haƙƙoƙin da aka saita.
Magani zaɓi:

  • Ina ajiye kalmar sirri a cikin wani fayil daban: 
    echo -n Supersecretpassword > /usr/local/etc/secretpass

  • Na saita izinin fayil zuwa 0500 don tushen 
    chmod 0500 /usr/local/etc/secretpass

  • Canza sigogin ƙaddamar da ldapsearch: siga -w kalmar sirrin sirri Na canza shi zuwa -y /usr/local/etc/secretpass

Ƙarshen ƙarshe a cikin babban ɗakin yau yana gyara sshd_config

cat /etc/ssh/sshd_config | egrep -v -E "#|^$" | grep -E "AuthorizedKeysCommand|PubkeyAuthe"
PubkeyAuthentication yes
AuthorizedKeysCommand /usr/local/bin/fetchSSHKeysFromLDAP
AuthorizedKeysCommandUser root

Sakamakon haka, muna samun jeri mai zuwa tare da saita maɓalli mai izini a cikin abokin ciniki ssh:

  1. Mai amfani yana haɗi zuwa uwar garken ta hanyar nuna shigarsa.
  2. Sshd daemon, ta hanyar rubutun, yana fitar da ƙimar maɓalli na jama'a daga sifa mai amfani a cikin Active Directory kuma yana aiwatar da izini ta amfani da maɓallan.
  3. sssd daemon yana ƙara tabbatar da mai amfani bisa ga membobin rukuni. Hankali! Idan ba a saita wannan ba, to kowane mai amfani da yanki zai sami damar shiga mai masaukin baki.
  4. Lokacin da kuke ƙoƙarin sudo, sssd daemon yana bincika Active Directory don ayyuka. Idan ayyuka suna nan, ana duba halayen mai amfani da membobin ƙungiyar (idan an saita sudoRoles don amfani da ƙungiyoyin masu amfani)

Sakamakon.

Don haka, ana adana maɓallan a cikin halayen mai amfani na Active Directory, izini sudo - haka ma, samun damar shiga Linux runduna ta asusun yanki ana aiwatar da shi ta hanyar duba membobin ƙungiyar Active Directory.
Tashin karshe na sandar madugu - kuma zauren ya daskare cikin girmamawa.

Abubuwan da aka yi amfani da su a rubuce:

Sudo ta hanyar Active Directory
Maɓallan Ssh ta Active Directory
Rubutun Powershell, ƙara sifa zuwa Tsarin Jagora Mai Aiki
sudo barga saki

source: www.habr.com

Add a comment