Historically, sudo permissions have been governed by the contents of the files in /etc/sudoers.d (edited with visudo), and key-based authorization has been handled through ~/.ssh/authorized_keys. As the infrastructure grows, however, there is a desire to manage these rights centrally. Today there are several options:
- Configuration management systems: Chef, Ansible, Puppet, Salt
- Active Directory + sssd
- Various perversions in the form of scripts and manual file editing
In my humble opinion, the best option for centralized management is the Active Directory + sssd combination. The advantages of this approach:
- A genuinely single, centralized user directory.
- Granting sudo rights comes down to adding a user to a security group.
- In a mixed Linux environment, configuration management systems need additional checks to determine the OS before applying rules.
Today's suite is dedicated to the Active Directory + sssd pairing for managing sudo rights and storing ssh keys in a single repository.
So, the hall has fallen silent, the conductor has raised his baton, and the orchestra is ready.
Let's go.
Given:
- An Active Directory domain, testopf.local, on Windows Server 2012 R2.
- A Linux host running CentOS 7.
- Authorization already configured through sssd.
Both solutions modify the Active Directory schema, so we check everything in a test environment first and only then change the production one. I want to stress that all changes are targeted and, in fact, only add the necessary attributes and classes.
Act 1: managing sudo rights through Active Directory.
To extend the Active Directory schema, download the latest sudo release, which ships the schema file schema.ActiveDirectory, and import it on a domain controller:
ldifde -i -f schema.ActiveDirectory -c dc=X dc=testopf,dc=local
(Don't forget to substitute your own values.)
Open adsiedit.msc and connect to the default naming context:
Create a sudoers organizational unit at the root of the domain. (Bourgeois sources claim that it is in this unit that the sssd daemon looks for sudoRole objects. After enabling detailed debugging and studying the logs, however, it turned out that the search covers the entire directory tree.)
In the sudoers unit we create the first object of class sudoRole. The name can be chosen freely, since it serves only for convenient identification.
Among the attributes that become available after the schema extension, the main ones are:
- sudoCommand - defines which commands may be executed on the host.
- sudoHost - defines which hosts this role applies to. It can be set to ALL, or to a single host by name. A mask can also be used.
- sudoUser - lists the users allowed to run sudo.
If you specify a security group, prefix its name with a "%" sign. If the group name contains spaces, there is nothing to worry about: judging by the logs, escaping the spaces is handled by the sssd machinery.
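Creating sudoRole objects by hand in adsiedit.msc works for two roles but does not scale or leave an audit trail. The helper below is an added example, not part of the original article: it emits LDIF for a sudoRole entry so the roles can be imported with ldifde (on the DC) or ldapadd (from Linux) and kept under version control. It assumes the sudoers unit lives at OU=sudoers,DC=testopf,DC=local and adds the "%" group prefix itself; the demo roles are constructed to match the sudo -l results shown for user1 and user2 later in the article.

```shell
#!/bin/sh
# Added example (not from the article): generate LDIF for sudoRole objects so that
# roles are created reproducibly instead of by hand in adsiedit.msc.
# Assumption: the sudoers unit is directly under the domain root of testopf.local.
SUDOERS_OU="OU=sudoers,DC=testopf,DC=local"

# sudorole_ldif NAME GROUP HOST COMMAND...
#   NAME    - cn of the sudoRole object (identification only)
#   GROUP   - AD security group; the "%" prefix sudo expects is added if missing
#   HOST    - ALL or a host name / mask
#   COMMAND - one or more commands, or ALL
# Names are assumed not to contain characters that need DN escaping (comma, plus, etc.).
sudorole_ldif() {
    [ $# -ge 4 ] || { echo "usage: sudorole_ldif NAME GROUP HOST COMMAND..." >&2; return 1; }
    name="$1"; group="$2"; host="$3"; shift 3
    case "$group" in
        %*) ;;                      # caller already supplied the group marker
        *)  group="%$group" ;;      # plain group name: mark it as a group for sudo
    esac
    printf 'dn: CN=%s,%s\n' "$name" "$SUDOERS_OU"
    printf 'changetype: add\n'      # accepted by both ldifde -i and ldapmodify
    printf 'objectClass: top\nobjectClass: sudoRole\n'
    printf 'cn: %s\n' "$name"
    printf 'sudoUser: %s\n' "$group"
    printf 'sudoHost: %s\n' "$host"
    for cmd in "$@"; do
        printf 'sudoCommand: %s\n' "$cmd"
    done
    printf '\n'                     # blank line separates LDIF entries
}

# Demo (constructed): the two roles whose effect the article's sudo -l output shows.
if [ "${1:-}" = "demo" ]; then
    sudorole_ldif admins_ls_cat admins_ ALL /usr/bin/ls /usr/bin/cat
    sudorole_ldif sudo_root_all sudo_root ALL ALL
fi
```

Run it as `sh sudorole.sh demo > roles.ldif`, review the file, then import with `ldifde -i -f roles.ldif` on the domain controller or `ldapadd -x -H ldaps://dc.testopf.local -D <admin> -W -f roles.ldif` from a Linux host; afterwards flush the sssd cache as described below so the new roles are picked up.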
Fig. 1. sudoRole objects in the sudoers unit at the root of the directory.
Fig. 2. Membership in the security groups referenced by the sudoRole objects.
The following configuration is done on the Linux side.
In /etc/nsswitch.conf add this line at the end of the file:
sudoers: files sss
In /etc/sssd/sssd.conf, in the [sssd] section, add the sudo service:
cat /etc/sssd/sssd.conf | grep services
services = nss, pam, sudo
After all these steps you need to flush the sssd daemon's cache. Updates arrive every 6 hours, but why wait that long when we want it now?
sss_cache -E
If flushing the cache does not help, we stop the service, wipe its database, and start the service again.
service sssd stop
rm -rf /var/lib/sss/db/*
service sssd start
We log in as the first user and check what is available to him under sudo:
su user1
[user1@testsshad log]$ id
uid=1109801141(user1) gid=1109800513(domain users) groups=1109800513(domain users),1109801132(admins_)
[user1@testsshad log]$ sudo -l
[sudo] password for user1:
Matching Defaults entries for user1 on testsshad:
!visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/sbin:/bin:/usr/sbin:/usr/bin
User user1 may run the following commands on testsshad:
(root) /usr/bin/ls, /usr/bin/cat
We do the same with our second user:
su user2
[user2@testsshad log]$ id
uid=1109801142(user2) gid=1109800513(domain users) groups=1109800513(domain users),1109801138(sudo_root)
[user2@testsshad log]$ sudo -l
Matching Defaults entries for user2 on testsshad:
!visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/sbin:/bin:/usr/sbin:/usr/bin
User user2 may run the following commands on testsshad:
(root) ALL
This approach lets you describe sudo rights centrally for different groups of users.
Storing and using ssh keys in Active Directory
With a small schema extension, ssh keys can be stored in Active Directory user attributes and used when authorizing on Linux hosts.
Authorization through sssd must already be configured.
Add the required attribute with a PowerShell script:
# AddsshPublicKeyAttribute.ps1
Function New-AttributeID {
    # Build a unique OID under the Microsoft-reserved prefix for custom schema attributes
    $Prefix = "1.2.840.113556.1.8000.2554"
    $GUID = [System.Guid]::NewGuid().ToString()
    $Parts = @()
    # Split the GUID's hex groups (skipping the hyphens) into decimal OID arcs
    $Parts += [UInt64]::Parse($GUID.SubString(0,4), "AllowHexSpecifier")
    $Parts += [UInt64]::Parse($GUID.SubString(4,4), "AllowHexSpecifier")
    $Parts += [UInt64]::Parse($GUID.SubString(9,4), "AllowHexSpecifier")
    $Parts += [UInt64]::Parse($GUID.SubString(14,4), "AllowHexSpecifier")
    $Parts += [UInt64]::Parse($GUID.SubString(19,4), "AllowHexSpecifier")
    $Parts += [UInt64]::Parse($GUID.SubString(24,6), "AllowHexSpecifier")
    $Parts += [UInt64]::Parse($GUID.SubString(30,6), "AllowHexSpecifier")
    $oid = [String]::Format("{0}.{1}.{2}.{3}.{4}.{5}.{6}.{7}", $Prefix, $Parts[0],
        $Parts[1], $Parts[2], $Parts[3], $Parts[4], $Parts[5], $Parts[6])
    $oid
}
$schemaPath = (Get-ADRootDSE).schemaNamingContext
$oid = New-AttributeID
$attributes = @{
    lDAPDisplayName = 'sshPublicKey';
    attributeId = $oid;
    oMSyntax = 22;                 # IA5 string
    attributeSyntax = "2.5.5.5";
    isSingleValued = $true;
    adminDescription = 'User public key for SSH login';
}
# Create the attribute in the schema, then allow it on the user class
New-ADObject -Name sshPublicKey -Type attributeSchema -Path $schemaPath -OtherAttributes $attributes
$userSchema = Get-ADObject -SearchBase $schemaPath -Filter 'name -eq "user"'
$userSchema | Set-ADObject -Add @{mayContain = 'sshPublicKey'}
After adding the attribute, you need to restart Active Directory Domain Services.
Let's move on to Active Directory users. We generate a key pair for the ssh connection using whatever method is convenient for you.
We launch PuTTYgen, press the "Generate" button and move the mouse around the empty area.
When the process completes, we can save the public and private keys, upload the public key into the Active Directory user attribute and enjoy the result. Note, however, that the public key must be taken from the "Public key for pasting into OpenSSH authorized_keys file:" field.
Add the key to the user attribute.
Option 1 - GUI:
Option 2 - PowerShell:
Get-ADUser user1 | Set-ADUser -Add @{sshPublicKey = 'AAAAB...XAVnX9ZRJJ0p/Q=='}
So, what we now have: a user with a populated sshPublicKey attribute, and a PuTTY client configured for key-based authorization. One small thing remains: how to make the sshd daemon fetch the public key we need from the user's attributes. A small script found on the bourgeois Internet handles this nicely.
cat /usr/local/bin/fetchSSHKeysFromLDAP
#!/bin/sh
# Look up the user's sshPublicKey attribute; the sed part joins LDIF continuation lines and strips the attribute name
ldapsearch -h testmdt.testopf.local -xb "dc=testopf,dc=local" '(sAMAccountName='"${1%@*}"')' -D [email protected] -w superSecretPassword 'sshPublicKey' | sed -n '/^ /{H;d};/sshPublicKey:/x;$g;s/\n *//g;s/sshPublicKey: //gp'
We set its permissions to 0500, owned by root.
chmod 0500 /usr/local/bin/fetchSSHKeysFromLDAP
In this example an administrator account is used to bind to the directory. In a production environment a separate account with the minimum required rights should be used.
I was very bothered by the fact that the password sits in plain text in the script, despite the permissions set on it.
A workable solution:
- I store the password in a separate file:
echo -n Supersecretpassword > /usr/local/etc/secretpass
- I set the file permissions to 0500, owned by root:
chmod 0500 /usr/local/etc/secretpass
- I change the ldapsearch invocation: the parameter -w superSecretPassword is replaced with -y /usr/local/etc/secretpass
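Two things in the one-liner above deserve attention beyond the password file: the login name sshd passes in is interpolated straight into the LDAP filter, and the sed pipeline only works because LDIF folds long values onto lines that begin with a space. The script below is an added example, not the article's script or the one from the "bourgeois Internet": it reads the bind password with -y, refuses login names containing characters that could alter the filter, and unfolds the LDIF with a small awk program that can be tested offline. The host and base DN are the article's; the service-account bind DN and the password file path are assumed placeholders.

```shell
#!/bin/sh
# Added example, not the article's script: a hardened AuthorizedKeysCommand.
# Differences from the one-liner in the article: the bind password is read from a
# file (-y), the login name is validated before it is placed in the LDAP filter, and
# folded LDIF continuation lines are unfolded by awk instead of sed.
# Assumed placeholders: LDAP_BINDDN and LDAP_PASSFILE; adjust host/base to your domain.

LDAP_HOST="testmdt.testopf.local"
LDAP_BASE="dc=testopf,dc=local"
LDAP_BINDDN="svc-sshkeys@testopf.local"        # assumed low-privilege service account
LDAP_PASSFILE="/usr/local/etc/secretpass"      # mode 0500, owned by root

# Unfold ldapsearch LDIF on stdin and print each sshPublicKey value on its own line.
# LDIF wraps long values; a continuation line starts with exactly one space.
# (Values ldapsearch base64-encodes appear as "sshPublicKey::" and are not handled
# here; an OpenSSH public key line is plain ASCII and is normally not encoded.)
extract_keys() {
    awk '
        /^ / { if (inkey) val = val substr($0, 2); next }   # continuation: append
        { if (inkey) { print val; inkey = 0 } }              # any other line ends a value
        /^sshPublicKey: / { val = substr($0, 15); inkey = 1 }
        END { if (inkey) print val }
    '
}

# Accept only characters that appear in the account names we expect; anything else
# ("*", "(", ")", "\", spaces, ...) could change the meaning of the filter.
valid_login() {
    case "$1" in
        ""|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# fetch_keys LOGIN: the entry point sshd calls through AuthorizedKeysCommand.
# Empty output means "no keys for this user", so a rejected name simply fails auth.
fetch_keys() {
    name="${1%@*}"                     # strip a UPN suffix, as the article's script does
    valid_login "$name" || return 1
    ldapsearch -LLL -x -H "ldap://$LDAP_HOST" -b "$LDAP_BASE" \
        -D "$LDAP_BINDDN" -y "$LDAP_PASSFILE" \
        "(sAMAccountName=$name)" sshPublicKey | extract_keys
}

if [ $# -gt 0 ]; then
    fetch_keys "$1"
fi
```

Install it as /usr/local/bin/fetchSSHKeysFromLDAP with mode 0500 and point AuthorizedKeysCommand at it exactly as in the article; the awk and validation parts can be exercised locally by feeding a saved ldapsearch dump into extract_keys before the script is wired into sshd.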
The final chord of today's suite is editing sshd_config:
cat /etc/ssh/sshd_config | egrep -v -E "#|^$" | grep -E "AuthorizedKeysCommand|PubkeyAuthe"
PubkeyAuthentication yes
AuthorizedKeysCommand /usr/local/bin/fetchSSHKeysFromLDAP
AuthorizedKeysCommandUser root
As a result, with key-based authorization configured in the ssh client, we get the following sequence:
- The user connects to the server, presenting his login.
- The sshd daemon, through the script, fetches the public key value from the user attribute in Active Directory and performs key-based authorization.
- The sssd daemon additionally authenticates the user based on group membership. Attention! If this is not configured, any domain user will be able to get onto the host.
- When the user tries sudo, the sssd daemon queries Active Directory for roles. If roles are found, the user's attributes and group memberships are checked (if the sudoRoles are configured to use user groups).
Conclusion.
So: keys are stored in Active Directory user attributes, sudo permissions likewise, and access to Linux hosts by domain accounts is granted by checking membership in an Active Directory group.
A final wave of the conductor's baton, and the hall falls into reverent silence.
Source: www.habr.com