In most organizations, sudo permissions are managed through files in /etc/sudoers.d, and key-based login through ~/.ssh/authorized_keys. As the infrastructure grows, however, one wants to manage these permissions centrally. Today there are several possible solutions:
- Configuration management systems: Chef, Puppet, Ansible, Salt
- Active Directory + sssd
- Various contrivances in the form of scripts and manual editing of files
In my subjective opinion, the most convenient option for centralized management is still the Active Directory + sssd combination. The advantages of this approach:
- A truly single user directory.
- Granting sudo rights comes down to adding the user to a specific security group.
- With a mix of different Linux systems, configuration management systems need additional checks to detect the OS before applying configuration.
This article is devoted to the Active Directory + sssd combination for managing sudo rights and storing ssh keys in a single repository.
So, the hall froze in tense silence, the conductor raised the baton, and the orchestra is ready.
Let's go.
The setup:
- Active Directory domain testopf.local on Windows Server 2012 R2.
- A Linux host running CentOS 7
- Domain login already configured via sssd
Both solutions change the Active Directory schema, so we test everything in a lab environment first and only then apply the changes to the production infrastructure. Note that all the changes are targeted and add only the required attributes and classes.
Step 1: Managing sudo roles through Active Directory.
To extend the Active Directory schema, download the latest sudo release (it ships the schema.ActiveDirectory file) and import the schema:
ldifde -i -f schema.ActiveDirectory -c dc=X dc=testopf,dc=local
(Don't forget to replace the values with your own.)
Open adsiedit.msc and connect to the default naming context:
Create an organizational unit at the root of the domain. (I later spent a long time looking for the container in which sssd searches for sudoRole objects. After capturing the network traffic it turned out that the search covers the entire directory tree.)
Now, in the newly created OU, create the first object of class sudoRole. The name can be chosen arbitrarily, since it only serves to identify the role conveniently.
The object has many available attributes; the main ones are:
- sudoCommand - which commands may be run on the host.
- sudoHost - which hosts the role applies to. You can specify ALL or a single host by name. A mask can also be used.
- sudoUser - which users are allowed to run sudo.
To specify a security group, prefix its name with the "%" symbol. A space in the group name is not a problem; sssd takes care of the mapping.
Figure 1. sudoRole objects in the sudoers OU at the root of the directory
Figure 2. Membership in the security groups referenced by the sudoRole objects.
The remaining configuration is done on the Linux side.
In /etc/nsswitch.conf, add the following line at the end of the file:
sudoers: files sss
In /etc/sssd/sssd.conf, in the [sssd] section, add the sudo service:
cat /etc/sssd/sssd.conf | grep services
services = nss, pam, sudo
After these steps the sssd daemon's cache must be cleared. By default, automatic refreshes happen every 6 hours, but why wait that long when we want the change now?
sss_cache -E
It often happens that clearing the cache does not help. In that case stop the service, wipe its database and start the service again:
service sssd stop
rm -rf /var/lib/sss/db/*
service sssd start
Now log in as the first user and check what is available under sudo:
su user1
[user1@testsshad log]$ id
uid=1109801141(user1) gid=1109800513(domain users) groups=1109800513(domain users),1109801132(admins_)
[user1@testsshad log]$ sudo -l
[sudo] password for user1:
Matching Defaults entries for user1 on testsshad:
!visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/sbin:/bin:/usr/sbin:/usr/bin
User user1 may run the following commands on testsshad:
(root) /usr/bin/ls, /usr/bin/cat
Now do the same with our second user:
su user2
[user2@testsshad log]$ id
uid=1109801142(user2) gid=1109800513(domain users) groups=1109800513(domain users),1109801138(sudo_root)
[user2@testsshad log]$ sudo -l
Matching Defaults entries for user2 on testsshad:
!visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/sbin:/bin:/usr/sbin:/usr/bin
User user2 may run the following commands on testsshad:
(root) ALL
This approach allows centralized management of sudo roles for different user groups.
Storing and using ssh keys in Active Directory
With a small schema extension, ssh keys can be stored in the attributes of an Active Directory user and used when logging in to Linux hosts.
Login via sssd must already be configured.
Add the required attribute with a PowerShell script.
AddsshPublicKeyAttribute.ps1
Function New-AttributeID {
$Prefix="1.2.840.113556.1.8000.2554"
$GUID=[System.Guid]::NewGuid().ToString()
$Parts=@()
$Parts+=[UInt64]::Parse($guid.SubString(0,4),"AllowHexSpecifier")
$Parts+=[UInt64]::Parse($guid.SubString(4,4),"AllowHexSpecifier")
$Parts+=[UInt64]::Parse($guid.SubString(9,4),"AllowHexSpecifier")
$Parts+=[UInt64]::Parse($guid.SubString(14,4),"AllowHexSpecifier")
$Parts+=[UInt64]::Parse($guid.SubString(19,4),"AllowHexSpecifier")
$Parts+=[UInt64]::Parse($guid.SubString(24,6),"AllowHexSpecifier")
$Parts+=[UInt64]::Parse($guid.SubString(30,6),"AllowHexSpecifier")
$oid=[String]::Format("{0}.{1}.{2}.{3}.{4}.{5}.{6}.{7}",$prefix,$Parts[0],
$Parts[1],$Parts[2],$Parts[3],$Parts[4],$Parts[5],$Parts[6])
$oid
}
$schemaPath = (Get-ADRootDSE).schemaNamingContext
$oid = New-AttributeID
$attributes = @{
lDAPDisplayName = 'sshPublicKey';
attributeId = $oid;
oMSyntax = 22;
attributeSyntax = "2.5.5.5";
isSingleValued = $true;
adminDescription = 'User public key for SSH logon';
}
New-ADObject -Name sshPublicKey -Type attributeSchema -Path $schemapath -OtherAttributes $attributes
$userSchema = get-adobject -SearchBase $schemapath -Filter 'name -eq "user"'
$userSchema | Set-ADObject -Add @{mayContain = 'sshPublicKey'}
After adding the attribute, restart Active Directory Domain Services.
Now to the Active Directory users. Create an ssh key pair for the connection in any convenient way.
Launch PuTTYgen, press the "Generate" button and move the mouse randomly over the empty area.
When it is done, save the public and private keys, upload the public key to the Active Directory user attribute and enjoy the process. The public key must, however, be taken from the field "Public key for pasting into OpenSSH authorized_keys file:".
Add the key to the user attribute.
Option 1 - GUI:
Option 2 - PowerShell:
get-aduser user1 | set-aduser -add @{sshPublicKey = 'AAAAB...XAVnX9ZRJJ0p/Q=='}
So, at this point we have a user with the sshPublicKey attribute filled in and a PuTTY client configured for key authentication. One small detail remains: how to make the sshd daemon fetch the public key we need from the user's attribute. A small script found on the Internet handles this.
cat /usr/local/bin/fetchSSHKeysFromLDAP
#!/bin/sh
ldapsearch -h testmdt.testopf.local -xb "dc=testopf,dc=local" '(sAMAccountName='"${1%@*}"')' -D [email protected] -w superSecretPassword 'sshPublicKey' | sed -n '/^ /{H;d};/sshPublicKey:/x;$g;s/\n *//g;s/sshPublicKey: //gp'
Set its permissions to 0500 for root:
chmod 0500 /usr/local/bin/fetchSSHKeysFromLDAP
In this example the Administrator account is used to bind to the directory. In production a separate account with a minimal set of rights should be used.
Personally, the password in clear text in the script bothered me, despite the permissions set.
A possible solution:
- Store the password in a separate file:
echo -n Supersecretpassword > /usr/local/etc/secretpass
- Set the file permissions to 0500 for root:
chmod 0500 /usr/local/etc/secretpass
- Change the ldapsearch parameters: replace -w superSecretPassword with -y /usr/local/etc/secretpass
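As an added example (not the article's script), the following hardened version of the fetch script does what the sed one-liner and the password-file fix above aim at: it parses the LDIF that ldapsearch prints, including folded continuation lines and base64-encoded ("::") values, keeps only values that look like OpenSSH public keys, reads the bind password from the root-only file, and escapes the login name before it is placed in the LDAP filter. Domain and attribute names follow the article; BIND_DN is a placeholder for the low-privilege bind account, and ldapsearch is only invoked from the last function.

```bash
#!/bin/sh
# Added example, not the article's script: a hardened AuthorizedKeysCommand
# pipeline for the sshPublicKey attribute. BIND_DN is a placeholder to be set
# to the low-privilege bind account; ldapsearch is only called in the last
# function, so the parsing functions can be exercised offline.

# Escape a login name for use inside an LDAP filter (RFC 4515), so that
# '\', '*', '(' or ')' in the name cannot change the filter's meaning.
ldap_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Read LDIF from stdin (ldapsearch output): unfold continuation lines (they
# start with one space), select sshPublicKey values, base64-decode values
# written as "sshPublicKey::", and keep only lines that start with an
# OpenSSH key type followed by base64 key material.
extract_ssh_keys() {
    awk '/^ / { buf = buf substr($0, 2); next }
         { if (buf != "") print buf; buf = $0 }
         END { if (buf != "") print buf }' |
    while IFS= read -r line; do
        case "$line" in
            "sshPublicKey:: "*)
                printf '%s' "${line#"sshPublicKey:: "}" | base64 -d 2>/dev/null
                echo ;;
            "sshPublicKey: "*)
                printf '%s\n' "${line#"sshPublicKey: "}" ;;
        esac
    done | grep -E '^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( |$)' || :
}

# What sshd runs as AuthorizedKeysCommand (login name as the argument): the
# bind password comes from the root-only file, never from the command line.
fetch_ssh_keys_from_ad() {
    user=$(ldap_escape "${1%@*}")
    ldapsearch -LLL -x -H ldap://testmdt.testopf.local -b 'dc=testopf,dc=local' \
        -D "${BIND_DN:?set to the bind account}" -y /usr/local/etc/secretpass \
        "(sAMAccountName=$user)" sshPublicKey | extract_ssh_keys
}
```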
The final chord of this setup is editing sshd_config:
cat /etc/ssh/sshd_config | egrep -v -E "#|^$" | grep -E "AuthorizedKeysCommand|PubkeyAuthe"
PubkeyAuthentication yes
AuthorizedKeysCommand /usr/local/bin/fetchSSHKeysFromLDAP
AuthorizedKeysCommandUser root
As a result, we get the following sequence for key authentication from the ssh client:
- The user connects to the server, specifying their login.
- The sshd daemon, via the script, fetches the public key value from the user attribute in Active Directory and performs key authentication.
- The sssd daemon additionally authenticates the user based on group membership. Attention! If this is not configured, any domain user will have access to the host.
- When the user tries to run sudo, the sssd daemon looks up roles in Active Directory. If roles exist, the user's attributes and group membership are checked (if the sudoRoles are defined for user groups).
Summary.
Thus, keys are stored in Active Directory user attributes, sudo permissions likewise, and access to Linux hosts by domain accounts is controlled by checking Active Directory group membership.
The final wave of the conductor's baton, and the hall freezes in reverent silence.
Source: www.habr.com