The winners of the worldwide SSH and sudo competition are on stage again. Conducted by the Distinguished Active Directory Conductor

Historically, sudo permissions have been managed through the contents of the files in /etc/sudoers.d via visudo, and key-based authentication has been done with ~/.ssh/authorized_keys. However, as infrastructure grows, there is a desire to manage these rights centrally. Today there are several possible solutions:

  • Configuration management systems - Puppet, Chef, Ansible, Salt
  • Active Directory + sssd
  • Assorted perversions in the form of scripts and manual editing of files

In my opinion, the best option for centralized management is still the combination Active Directory + sssd. The advantages of this approach are:

  • A truly single, centralized user directory.
  • Granting sudo rights comes down to adding a user to a specific security group.
  • With a mixed fleet of Linux systems, a configuration management system would need extra checks to detect the OS; here that is unnecessary.

Today's suite is devoted specifically to the combination Active Directory + sssd for managing sudo rights and storing SSH keys in a single repository.
So, the hall froze in tense silence, the conductor raised his baton, and the orchestra is ready.
Let's go.

Given:
- Active Directory domain testopf.local on Windows Server 2012 R2.
- A Linux host running CentOS 7
- Authentication via sssd already configured
Both solutions make changes to the Active Directory schema, so we check everything in a test environment and only then make the changes in the production infrastructure. I want to note that all the changes are targeted and, in fact, only add the necessary attributes and classes.

Task 1: managing sudo roles via Active Directory.

To extend the Active Directory schema you need to download the latest sudo release, 1.8.27 at the time of writing. Unpack it and copy the file schema.ActiveDirectory from the ./doc directory to the domain controller. From a command prompt with administrator rights, in the directory the file was copied to, run:
ldifde -i -f schema.ActiveDirectory -c dc=X dc=testopf,dc=local
(Don't forget to substitute your own values)
Open adsiedit.msc and connect to the default naming context:
Create an organizational unit named sudoers at the root of the directory. (The bourgeois documentation claims that it is in this OU that the sssd daemon looks for objects of the sudoRole class. However, after enabling detailed debugging and studying the logs, it turned out that the search runs over the whole directory tree.)
We create the first object of class sudoRole in the OU. The name can be chosen completely arbitrarily, since it serves only for convenient identification.
Of the attributes that the schema extension makes available, the key ones are the following:

  • sudoCommand - determines which commands may be executed on the host.
  • sudoHost - determines which hosts this role applies to. It can be set to ALL, or to a specific host by name. A wildcard mask can also be used.
  • sudoUser - specifies which users are allowed to run sudo.
    If you specify a security group, put a "%" sign at the beginning of the name. If the group name contains spaces, there is nothing to worry about: judging by the logs, the sssd machinery takes care of escaping the spaces.

Fig 1. sudoRole object in the sudoers OU at the root of the directory

Fig 2. Membership in a security group, specified in the sudoRole object.
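Since the screenshots of the object are not reproduced here, the same two roles used in this walkthrough (ls and cat for the admins_ group, everything for sudo_root) are shown below as LDIF that can be loaded from the Linux side. This is an added example, not the article's code; it assumes the sudoers OU name from above and uses a placeholder bind account.

```shell
#!/bin/sh
# Added example, not the article's code: the sudoRole objects from this
# walkthrough written as LDIF, so a role can be created from a Linux host
# with ldapadd instead of clicking through adsiedit.msc.
# Assumptions: the sudoers OU sits at OU=sudoers,DC=testopf,DC=local and the
# bind account below is a placeholder to replace with a least-privilege one.
SUDOERS_OU="OU=sudoers,DC=testopf,DC=local"

# sudo_role_ldif NAME GROUP CMD... : one role valid on all hosts, granted to the
# AD security group GROUP (the leading % in sudoUser marks a group, as above).
sudo_role_ldif() {
    name=$1; group=$2; shift 2
    printf 'dn: CN=%s,%s\n' "$name" "$SUDOERS_OU"
    printf 'objectClass: top\nobjectClass: sudoRole\n'
    printf 'cn: %s\nsudoHost: ALL\nsudoUser: %%%s\n' "$name" "$group"
    for cmd in "$@"; do
        printf 'sudoCommand: %s\n' "$cmd"
    done
    echo    # a blank line terminates the entry in LDIF
}

# Count the sudoCommand values in an entry read from stdin (sanity check that
# every command reached the LDIF before it is loaded).
count_commands() { grep -c '^sudoCommand: '; }

# Load the two roles from this walkthrough: ls and cat for the admins_ group,
# everything for sudo_root. Only runs when the script is called with "apply".
if [ "${1:-}" = "apply" ]; then
    {
        sudo_role_ldif admins_ admins_ /usr/bin/ls /usr/bin/cat
        sudo_role_ldif sudo_root sudo_root ALL
    } | ldapadd -x -H ldap://testmdt.testopf.local \
                -D "CHANGEME-bind-account@testopf.local" -y /usr/local/etc/secretpass
fi
```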

The following setup is done on the Linux side.
In the file /etc/nsswitch.conf add a line at the end of the file:

sudoers: files sss

In the file /etc/sssd/sssd.conf, in the [sssd] section, add the sudo service:

cat /etc/sssd/sssd.conf | grep services
services = nss, pam, sudo

After all these operations, you need to clear the sssd daemon's cache. The automatic refresh happens every 6 hours, but why wait that long when we need it now?

sss_cache -E

It often happens that clearing the cache does not help. Then we stop the service, wipe the database, and start the service again.

service sssd stop
rm -rf /var/lib/sss/db/*
service sssd start

We log in as the first user and check what sudo allows him:

su user1
[user1@testsshad log]$ id
uid=1109801141(user1) gid=1109800513(domain users) groups=1109800513(domain users),1109801132(admins_)
[user1@testsshad log]$ sudo -l
[sudo] password for user1:
Matching Defaults entries for user1 on testsshad:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin:/bin:/usr/sbin:/usr/bin

User user1 may run the following commands on testsshad:
    (root) /usr/bin/ls, /usr/bin/cat

We do the same with our second user:

su user2
[user2@testsshad log]$ id
uid=1109801142(user2) gid=1109800513(domain users) groups=1109800513(domain users),1109801138(sudo_root)
[user2@testsshad log]$ sudo -l
Matching Defaults entries for user2 on testsshad:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin:/bin:/usr/sbin:/usr/bin

User user2 may run the following commands on testsshad:
    (root) ALL

This approach lets you define sudo roles for different groups of users.

Storing and using ssh keys in Active Directory

With a slight extension of the schema, it is possible to store ssh keys in Active Directory user attributes and use them for authentication on Linux hosts.

Authentication through sssd must already be configured.
Add the required attribute with a PowerShell script.
AddsshPublicKeyAttribute.ps1
# Requires the ActiveDirectory module and Schema Admins rights
Import-Module ActiveDirectory

# Build a unique OID under the Microsoft-assigned prefix for custom attributes
Function New-AttributeID {
    $Prefix = "1.2.840.113556.1.8000.2554"
    $GUID = [System.Guid]::NewGuid().ToString()
    $Parts = @()
    $Parts += [UInt64]::Parse($GUID.SubString(0,4), "AllowHexSpecifier")
    $Parts += [UInt64]::Parse($GUID.SubString(4,4), "AllowHexSpecifier")
    $Parts += [UInt64]::Parse($GUID.SubString(9,4), "AllowHexSpecifier")
    $Parts += [UInt64]::Parse($GUID.SubString(14,4), "AllowHexSpecifier")
    $Parts += [UInt64]::Parse($GUID.SubString(19,4), "AllowHexSpecifier")
    $Parts += [UInt64]::Parse($GUID.SubString(24,6), "AllowHexSpecifier")
    $Parts += [UInt64]::Parse($GUID.SubString(30,6), "AllowHexSpecifier")
    $oid = [String]::Format("{0}.{1}.{2}.{3}.{4}.{5}.{6}.{7}", $Prefix, $Parts[0],
        $Parts[1], $Parts[2], $Parts[3], $Parts[4], $Parts[5], $Parts[6])
    $oid
}
$schemaPath = (Get-ADRootDSE).schemaNamingContext
$oid = New-AttributeID
$attributes = @{
    lDAPDisplayName  = 'sshPublicKey';
    attributeId      = $oid;
    oMSyntax         = 22;           # IA5 string
    attributeSyntax  = "2.5.5.5";
    isSingleValued   = $true;
    adminDescription = 'User Public key for SSH login';
}

# Create the attribute, then allow it on the user class
New-ADObject -Name sshPublicKey -Type attributeSchema -Path $schemaPath -OtherAttributes $attributes
$userSchema = Get-ADObject -SearchBase $schemaPath -Filter 'name -eq "user"'
$userSchema | Set-ADObject -Add @{mayContain = 'sshPublicKey'}

After adding the attribute, you need to restart Active Directory Domain Services.
Let's move on to the Active Directory users. We create a key pair for the ssh connection in whatever way is convenient for you.
Launch PuTTYgen, press the "Generate" button and move the mouse over the empty area.
When the process finishes, we can save the public and private keys, upload the public key to the Active Directory user attribute and enjoy the result. Note, however, that the public key must be taken from the field "Public key for pasting into OpenSSH authorized_keys file:".
Add the key to the user attribute.
Option 1 - GUI:
Option 2 - PowerShell:
get-aduser user1 | set-aduser -add @{sshPublicKey = 'AAAAB...XAVnX9ZRJJ0p/Q=='}
So, now we have: a user with the sshPublicKey attribute filled in, and a PuTTY client configured for key authentication. One small thing remains: how to make the sshd daemon pull the public key we need from the user attribute. A small script found on the bourgeois Internet can handle this.

cat /usr/local/bin/fetchSSHKeysFromLDAP
#!/bin/sh
# $1 is the login name sshd passes in; a trailing @domain part is stripped.
# The sed part glues LDIF continuation lines (leading space) back onto the
# sshPublicKey line and strips the attribute name before printing the key.
ldapsearch -h testmdt.testopf.local -xb "dc=testopf,dc=local" '(sAMAccountName='"${1%@*}"')' -D [email protected] -w superSecretPassword 'sshPublicKey' | sed -n '/^ /{H;d};/sshPublicKey:/x;$g;s/\n *//g;s/sshPublicKey: //gp'

We set its permissions to 0500 for root.

chmod 0500  /usr/local/bin/fetchSSHKeysFromLDAP

In this example the administrator account is used to bind to the directory. In production there should be a separate account with the minimum rights.
Personally, I was uncomfortable with the password sitting in plain text in the script, even with those permissions set.
Solution:

  • I saved the password in a separate file:
    echo -n Supersecretpassword > /usr/local/etc/secretpass

  • I set the file permissions to 0500 for root
    chmod 0500 /usr/local/etc/secretpass

  • I changed the ldapsearch invocation: the parameter -w superSecretPassword was replaced with -y /usr/local/etc/secretpass
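A hardened version of the key-fetching script, written as an added example rather than taken from the article: it escapes the login name before putting it into the LDAP filter (sshd hands the script whatever name the client sent), reads the bind password from the 0500 file introduced above, and unwraps LDIF continuation lines and base64-encoded values instead of relying on the sed one-liner. The DC name and base DN are the ones used in this walkthrough; the bind account is a placeholder.

```shell
#!/bin/sh
# Added example, not the article's script: a hardened AuthorizedKeysCommand.
# It escapes the login name before building the LDAP filter (RFC 4515), reads
# the bind password from the 0500 file the article introduces, and unwraps
# LDIF continuation lines and base64 values instead of the sed one-liner.
# Assumptions: DC and base DN as in the article; BIND_DN is a placeholder.
LDAP_URI="ldap://testmdt.testopf.local"
BASE_DN="dc=testopf,dc=local"
BIND_DN="CHANGEME-bind-account@testopf.local"
PASS_FILE="/usr/local/etc/secretpass"

# Escape \ * ( ) so a crafted login name cannot alter the (sAMAccountName=...)
# filter. The backslash must be handled first.
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# ldif_attr_values ATTR : read LDIF on stdin, print each value of ATTR.
# A line starting with a space continues the previous line; "ATTR:: ..." is
# base64 (ldapsearch uses it for values containing unsafe characters).
ldif_attr_values() {
    awk -v attr="$1" '
        function flush() {
            if (buf ~ ("^" attr ":: ")) {
                cmd = "base64 -d"
                fflush()
                print substr(buf, length(attr) + 4) | cmd
                close(cmd)
                printf "\n"
            } else if (buf ~ ("^" attr ": ")) {
                print substr(buf, length(attr) + 3)
            }
            buf = ""
        }
        /^ /  { buf = buf substr($0, 2); next }
              { flush(); buf = $0 }
        END   { flush() }'
}

# fetch_ssh_keys LOGIN : what sshd calls with %u; an @REALM suffix is dropped.
fetch_ssh_keys() {
    user=$(ldap_filter_escape "${1%@*}")
    ldapsearch -LLL -x -H "$LDAP_URI" -b "$BASE_DN" -D "$BIND_DN" -y "$PASS_FILE" \
        "(&(objectClass=user)(sAMAccountName=$user))" sshPublicKey \
        | ldif_attr_values sshPublicKey
}
if [ -n "${1:-}" ]; then fetch_ssh_keys "$1"; fi
```

Note that -y hands ldapsearch the file contents verbatim, newline included, which is why the password file above is written with echo -n.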

The final chord in today's suite is editing sshd_config:

cat /etc/ssh/sshd_config | egrep -v -E "#|^$" | grep -E "AuthorizedKeysCommand|PubkeyAuthe"
PubkeyAuthentication yes
AuthorizedKeysCommand /usr/local/bin/fetchSSHKeysFromLDAP
AuthorizedKeysCommandUser root

As a result, with key authentication configured in the ssh client, we get the following flow:

  1. The user connects to the server, supplying his login name.
  2. The sshd daemon, through the script, pulls the public key value from the user's attribute in Active Directory and performs key-based authentication.
  3. The sssd daemon additionally authorizes the user based on group membership. Attention! If this is not configured, any domain user will get access to the host.
  4. When sudo is attempted, the sssd daemon searches Active Directory for roles. If roles exist, the user's attributes and group membership are checked (if the sudoRoles are configured to use user groups).

Result.

So, the keys are stored in Active Directory user attributes, sudo rights likewise, and access to Linux hosts with domain accounts is granted by checking membership in an Active Directory group.
A final wave of the conductor's baton, and the hall freezes in reverent silence.

Materials used in writing this article:

Sudo via Active Directory
SSH keys via Active Directory
PowerShell script that adds an attribute to the Active Directory schema
sudo stable release

Tau qhov twg los: www.hab.com
