The winners of the international competition, SSH and sudo, are back on stage. Conducted by the Distinguished Active Directory

Historically, sudo permissions have been controlled by the contents of the files under /etc/sudoers.d and by visudo, and key-based authorization by the user's own ~/.ssh/authorized_keys. As an infrastructure grows, however, there is a desire to manage these permissions centrally. Today there are several options:

  • Configuration management systems - Chef, Puppet, Ansible, Salt
  • Active Directory + sssd
  • Assorted perversions in the form of scripts and manual editing of the files

In my opinion, the best option for centralized management is still the Active Directory + sssd combination. The advantages of this approach are:

  • A truly single, central user directory.
  • Handing out sudo permissions comes down to adding a user to a specific security group.
  • With a mix of different Linux systems, a configuration management system would need extra checks to detect the OS; here that is not required.

Today's suite is devoted specifically to the Active Directory + sssd combination for managing sudo permissions and storing ssh keys in a single repository.
So the hall falls into a tense silence, the conductor raises his baton, the orchestra is ready.
Let's go.

Given:
- a working Active Directory domain testopf.local on Windows Server 2012 R2.
- a Linux host running CentOS 7
- authentication already configured through sssd
Both solutions change the Active Directory schema, so we check everything in a test environment and only then change the production infrastructure. I want to note that all changes are targeted and, in fact, add only the necessary attributes and classes.

Act 1: managing sudo roles through Active Directory.

To extend the Active Directory schema, download the latest sudo release - 1.8.27 as of today. Unpack it and copy the file schema.ActiveDirectory from the ./doc directory to the domain controller. From a command prompt with administrator rights, in the directory where the file was copied, run:
ldifde -i -f schema.ActiveDirectory -c dc=X dc=testopf,dc=local
(Don't forget to substitute your own values)
Open adsiedit.msc and connect to the default naming context:
Create a Sudoers organizational unit at the root of the domain. (Foreign sources stubbornly claim that it is in this unit that the sssd daemon looks for sudoRole objects. However, after enabling full debugging and studying the logs, it turned out that the search is performed over the whole directory tree.)
Create the first object of class sudoRole in that unit. Its name can be chosen completely arbitrarily, since it serves only for convenient identification.
Among the attributes made available by the schema extension, the main ones are:

  • sudoCommand - determines which commands are allowed to run on the host.
  • sudoHost - determines which hosts the role applies to. It can be given as ALL or as a single host name; a mask can also be used.
  • sudoUser - lists the users allowed to run sudo.
    If you specify a security group, put a "%" sign in front of its name. A space in the group name is nothing to worry about: judging by the logs, the sssd machinery takes care of escaping it.

Fig. 1. A sudoRole object in the Sudoers unit at the root of the directory

Fig. 2. Membership of the security groups referenced by the sudoRole objects.
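The two sudoRole objects behind the sudo -l results shown further down (ls and cat for admins_, ALL for sudo_root), written out as LDIF. This is a constructed example added here, not the article's own screenshots; the unit name OU=Sudoers and the object names are assumptions.

```ldif
# Constructed example: two sudoRole objects in OU=Sudoers (name assumed)
# of the testopf.local domain. The group names carry the "%" prefix the
# article describes; a space in a group name needs no manual escaping.
dn: CN=role_admins_readonly,OU=Sudoers,DC=testopf,DC=local
changetype: add
objectClass: top
objectClass: sudoRole
cn: role_admins_readonly
sudoHost: ALL
sudoCommand: /usr/bin/ls
sudoCommand: /usr/bin/cat
sudoUser: %admins_

dn: CN=role_sudo_root,OU=Sudoers,DC=testopf,DC=local
changetype: add
objectClass: top
objectClass: sudoRole
cn: role_sudo_root
sudoHost: ALL
sudoCommand: ALL
sudoUser: %sudo_root
```

It can be imported on the domain controller with ldifde -i -f, the same way as the schema file, after the Sudoers unit exists.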

The following configuration is done on the Linux side.
In /etc/nsswitch.conf add this line at the end of the file:

sudoers: files sss

In /etc/sssd/sssd.conf, in the [sssd] section, add the sudo service:

cat /etc/sssd/sssd.conf | grep services
services = nss, pam, sudo

After all the work is done, the sssd daemon cache must be cleared. The automatic refresh runs every 6 hours, but why wait that long when we want it now?

sss_cache -E

It often happens that clearing the cache does not help. In that case stop the service, wipe the database and start the service again.

service sssd stop
rm -rf /var/lib/sss/db/*
service sssd start

We log in as the first user and check what is available to them under sudo:

su user1
[user1@testsshad log]$ id
uid=1109801141(user1) gid=1109800513(domain users) groups=1109800513(domain users),1109801132(admins_)
[user1@testsshad log]$ sudo -l
[sudo] password for user1:
Matching Defaults entries for user1 on testsshad:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin:/bin:/usr/sbin:/usr/bin

User user1 may run the following commands on testsshad:
    (root) /usr/bin/ls, /usr/bin/cat

We do the same with our second user:

su user2
[user2@testsshad log]$ id
uid=1109801142(user2) gid=1109800513(domain users) groups=1109800513(domain users),1109801138(sudo_root)
[user2@testsshad log]$ sudo -l
Matching Defaults entries for user2 on testsshad:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin:/bin:/usr/sbin:/usr/bin

User user2 may run the following commands on testsshad:
    (root) ALL

This approach lets you define sudo roles for different groups of users.

Storing and using ssh keys in Active Directory

With a small extension of the schema it is possible to store ssh keys in the attributes of Active Directory users and use them for authorization on Linux hosts.

Authentication through sssd must already be configured.
Add the required attribute with a PowerShell script.
AddsshPublicKeyAttribute.ps1
# Build a unique OID under the Microsoft-reserved prefix 1.2.840.113556.1.8000.2554 from a fresh GUID
Function New-ObjectID {
$Prefix = "1.2.840.113556.1.8000.2554"
$GUID = [System.Guid]::NewGuid().ToString()
$Parts = @()
$Parts += [UInt64]::Parse($GUID.SubString(0,4),"AllowHexSpecifier")
$Parts += [UInt64]::Parse($GUID.SubString(4,4),"AllowHexSpecifier")
$Parts += [UInt64]::Parse($GUID.SubString(9,4),"AllowHexSpecifier")
$Parts += [UInt64]::Parse($GUID.SubString(14,4),"AllowHexSpecifier")
$Parts += [UInt64]::Parse($GUID.SubString(19,4),"AllowHexSpecifier")
$Parts += [UInt64]::Parse($GUID.SubString(24,6),"AllowHexSpecifier")
$Parts += [UInt64]::Parse($GUID.SubString(30,6),"AllowHexSpecifier")
$oid = [String]::Format("{0}.{1}.{2}.{3}.{4}.{5}.{6}.{7}",$Prefix,$Parts[0],
$Parts[1],$Parts[2],$Parts[3],$Parts[4],$Parts[5],$Parts[6])
$oid
}
$schemaPath = (Get-ADRootDSE).schemaNamingContext
$oid = New-ObjectID
# Single-valued IA5 string attribute (attributeSyntax 2.5.5.5, oMSyntax 22) holding the OpenSSH public key line
$attributes = @{
lDAPDisplayName = 'sshPublicKey';
attributeId = $oid;
oMSyntax = 22;
attributeSyntax = "2.5.5.5";
isSingleValued = $true;
adminDescription = 'User public key for SSH login';
}

New-ADObject -Name sshPublicKey -Type attributeSchema -Path $schemaPath -OtherAttributes $attributes
# Allow the new attribute on objects of class user
$userSchema = Get-ADObject -SearchBase $schemaPath -Filter 'name -eq "user"'
$userSchema | Set-ADObject -Add @{mayContain = 'sshPublicKey'}

After adding the attribute, the Active Directory Domain Services service must be restarted.
Let us move on to the directory users. We generate a key pair for the ssh connection by whatever method you find convenient.
Launch PuTTYgen, press the "Generate" button and frantically move the mouse around the empty area.
When the process is complete we can save the public and private keys, upload the public key into the directory user's attribute and enjoy the process. Note, however, that the public key must be taken from the field "Public key for pasting into OpenSSH authorized_keys file:".
Adding the key to the user's attribute.
Option 1 - GUI:
Option 2 - PowerShell:
get-aduser user1 | set-aduser -add @{sshPublicKey = 'AAAAB...XAVnX9ZRJJ0p/Q=='}
So now we have: a user with a populated sshPublicKey attribute and a PuTTY client configured for key authorization. One small matter remains: how to make the sshd daemon pull the public key we need out of the user's attribute. A small script found on the foreign internet copes with this well.

cat /usr/local/bin/fetchSSHKeysFromLDAP
#!/bin/sh
# sshd passes the login as $1; strip any @realm suffix, look the user up by sAMAccountName, then unfold LDIF continuation lines and print the key value
ldapsearch -h testmdt.testopf.local -xb "dc=testopf,dc=local" '(sAMAccountName='"${1%@*}"')' -D [email protected] -w superSecretPassword 'sshPublicKey' | sed -n '/^ /{H;d};/sshPublicKey:/x;$g;s/\n *//g;s/sshPublicKey: //gp'

We set its permissions to 0500 for root.

chmod 0500  /usr/local/bin/fetchSSHKeysFromLDAP

In this example the administrator account is used to connect to the directory. In production there must be a separate account with limited permissions.
Personally, I was bothered by the password sitting in clear text in the script, despite the permissions set on it.
One solution:

  • Store the password in a separate file:
    echo -n superSecretPassword > /usr/local/etc/secretpass

  • Set the file permissions to 0500 for root:
    chmod 0500 /usr/local/etc/secretpass

  • Change the ldapsearch invocation: replace the parameter -w superSecretPassword with -y /usr/local/etc/secretpass
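A hardened variant of the fetchSSHKeysFromLDAP script above that applies the password-file change just described; this is an added example, not the article's script. It also escapes the login before it enters the LDAP filter and unfolds LDIF continuation lines with awk. The host name and base DN are the article's; the bind account DN is an assumption.

```shell
#!/bin/sh
# Added example: hardened variant of the AuthorizedKeysCommand script.
# The bind password comes from the separate file (-y) described in the
# text, the login is escaped before it goes into the LDAP filter, and
# LDIF continuation lines are unfolded with awk instead of the sed one-liner.
LDAP_HOST="testmdt.testopf.local"
LDAP_BASE="dc=testopf,dc=local"
LDAP_BIND_DN="CN=svc-sshkeys,CN=Users,DC=testopf,DC=local"  # assumed read-only account
LDAP_PASS_FILE="/usr/local/etc/secretpass"                  # mode 0500, owned by root

# Escape a value for an LDAP filter (RFC 4515) so that a login containing
# ( ) * or \ cannot change the meaning of the filter.
ldap_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Unfold LDIF on stdin (a continuation line begins with one space) and print
# the sshPublicKey value; ssh keys are plain ASCII, so ldapsearch writes them
# after a single colon and no base64 decoding is needed.
extract_ssh_key() {
    awk '
        /^ /  { buf = buf substr($0, 2); next }
        { if (buf != "") print buf; buf = $0 }
        END   { if (buf != "") print buf }
    ' | sed -n 's/^sshPublicKey: *//p'
}

# Constructed ldapsearch output with a wrapped key, for offline testing.
SAMPLE_LDIF='dn: CN=user1,CN=Users,DC=testopf,DC=local
sAMAccountName: user1
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCEXAMPLEKEYMATERIAL
 WRAPPEDBYLDAPSEARCH user1@testopf.local
'

demo_extract() { printf '%s\n' "$SAMPLE_LDIF" | extract_ssh_key; }

# Real lookup: sshd passes the login as $1; strip any @realm suffix first.
main() {
    login=$(ldap_escape "${1%@*}")
    ldapsearch -LLL -x -H "ldap://$LDAP_HOST" -b "$LDAP_BASE" \
        -D "$LDAP_BIND_DN" -y "$LDAP_PASS_FILE" \
        "(sAMAccountName=$login)" sshPublicKey | extract_ssh_key
}

if [ $# -gt 0 ]; then main "$1"; fi
```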

The final chord of today's suite is editing sshd_config:

cat /etc/ssh/sshd_config | egrep -v -E "#|^$" | grep -E "AuthorizedKeysCommand|PubkeyAuthe"
PubkeyAuthentication yes
AuthorizedKeysCommand /usr/local/bin/fetchSSHKeysFromLDAP
AuthorizedKeysCommandUser root

As a result, with key authorization configured on the ssh client, we get the following sequence:

  1. The user connects to the server, presenting their login.
  2. The sshd daemon, through the script, pulls the public key value from the user's attribute in Active Directory and performs key-based authorization.
  3. The sssd daemon additionally authenticates the user based on group membership. Attention! If this is not configured, any domain user will have access to the host.
  4. On a sudo attempt, the sssd daemon searches Active Directory for roles. If roles exist, the user's attributes and group membership are checked (when the sudoRoles are configured to use user groups).
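An audit script for the Linux side of this setup, added here as an example and not part of the article. It takes the four files as arguments so it can be run against copies, and checks each setting the text configures plus the group restriction that step 3 warns about; the sssd options simple_allow_groups and ad_access_filter are named as the usual ways to implement that restriction, not as the article's own configuration.

```shell
#!/bin/sh
# Added example (not from the article): audit the Linux-side settings the
# text configures. File paths are arguments so the checks can run against
# copies; the checks are this example's reading of the article, not sssd or
# sshd rules, and simple_allow_groups / ad_access_filter are the sssd options
# that implement the group restriction of the article's step 3.

# Value of KEY in an ini-style (key = value) or sshd_config-style (key value)
# file, comment lines ignored; the last occurrence wins.
cfg_value() {   # FILE KEY
    sed -n -e '/^[[:space:]]*#/d' \
        -e "s/^[[:space:]]*$2[[:space:]=][[:space:]=]*//p" "$1" 2>/dev/null | tail -n 1
}

finding() { echo "FINDING: $1"; }

audit_host() {   # NSSWITCH SSSD_CONF SSHD_CONFIG KEY_SCRIPT
    case " $(cfg_value "$1" 'sudoers:') " in
        *' sss '*) ;;
        *) finding "nsswitch.conf: 'sudoers:' line does not include sss" ;;
    esac
    case ",$(cfg_value "$2" services | tr -d ' ')," in
        *,sudo,*) ;;
        *) finding "sssd.conf: sudo responder missing from services" ;;
    esac
    # Without a group restriction any domain account can log in to the host.
    if [ -z "$(cfg_value "$2" simple_allow_groups)" ] &&
       [ -z "$(cfg_value "$2" ad_access_filter)" ]; then
        finding "sssd.conf: neither simple_allow_groups nor ad_access_filter is set"
    fi
    [ "$(cfg_value "$3" PubkeyAuthentication)" = yes ] ||
        finding "sshd_config: PubkeyAuthentication is not yes"
    [ -n "$(cfg_value "$3" AuthorizedKeysCommand)" ] ||
        finding "sshd_config: AuthorizedKeysCommand not set"
    [ -n "$(cfg_value "$3" AuthorizedKeysCommandUser)" ] ||
        finding "sshd_config: AuthorizedKeysCommandUser not set"
    # The key script must be mode 0500 and must not carry the bind password inline.
    [ -n "$(find "$4" -prune -perm 500 2>/dev/null)" ] ||
        finding "key script: mode is not 0500"
    if grep -q -- ' -w ' "$4" 2>/dev/null; then
        finding "key script: bind password given with -w, use -y FILE instead"
    fi
    return 0
}

# Number of findings; 0 means the host matches the article's final state.
finding_count() { audit_host "$@" | grep -c '^FINDING' || true; }
```

Run it as audit_host /etc/nsswitch.conf /etc/sssd/sssd.conf /etc/ssh/sshd_config /usr/local/bin/fetchSSHKeysFromLDAP on the host to list what still deviates.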

Conclusion.

So, the keys are stored in an Active Directory user attribute, sudo permissions likewise, and access to Linux hosts by domain accounts is granted by checking membership of an Active Directory group.
A final sweep of the conductor's baton, and the hall freezes in reverent silence.

Materials used while writing:

Sudo via Active Directory
SSH keys from Active Directory
PowerShell script that adds an attribute to the Active Directory schema
sudo stable release

Source: www.habr.com
