In the usual setup, sudo rights are granted through files in /etc/sudoers.d and SSH public keys live in each user's ~/.ssh/authorized_keys. Once there are more than a handful of servers this is hard to keep consistent and hard to audit: every grant and every revocation has to be replayed on every host. The common ways to centralize it are:
- a configuration management system (Puppet, Ansible and the like)
- Active Directory + sssd
- home-grown scripts, or some combination of the above
This article covers the Active Directory + sssd option. Its advantages:
- no extra work on the hosts beyond joining them to the domain, which is needed anyway
- sudo rights are granted to a user or group in Active Directory itself, not by editing files on each server
- when an employee leaves, disabling the account in Active Directory revokes both the SSH access and the sudo rights on every server at once
The disadvantages are discussed at the end.
Below, Active Directory + sssd is set up first for sudo rights and then for SSH keys.
Test environment:
- domain testopf.local, domain controller on Windows Server 2012 R2
- Linux test host running CentOS 7
- users are authenticated through sssd
The Linux host is already joined to the Active Directory domain; joining it is outside the scope of this article and is assumed to be done.
Part 1. Managing sudo rights through Active Directory
First the Active Directory schema has to be extended with the sudo classes and attributes. The sudo project ships the schema file schema.ActiveDirectory (on CentOS 7 it is under the sudo package's documentation directory in /usr/share/doc). Copy it to a domain controller and import it with ldifde, running as a member of Schema Admins:
ldifde -i -f schema.ActiveDirectory -c dc=X dc=testopf,dc=local
(the -c option replaces the dc=X placeholder in the file with the DN of your own domain).
Then open adsiedit.msc and create a container named sudoers in the root of the domain; the sudoRole objects will live there. By default sssd searches the whole domain base for sudo rules, so objects in this container are found without extra configuration; if you place them elsewhere or want to narrow the search, set ldap_sudo_search_base in the [domain/...] section of sssd.conf.
Inside the container create sudoRole objects, one per rule. The attributes that matter here:
- sudoCommand: the commands the rule allows, one value per command; ALL allows everything
- sudoHost: the hosts the rule applies to; ALL, a specific hostname, or a wildcard pattern
- sudoUser: the users the rule applies to
To grant a rule to a group, prefix the group name with "%", e.g. %admins_; the group must exist in Active Directory, since sssd resolves membership from there. All three attributes are multi-valued, so one rule can list several users, hosts and commands.
Fig. 1. A sudoRole object in the sudoers container: sudoUser %sudo_root, sudoHost ALL, sudoCommand ALL.
Fig. 2. A sudoRole object for %admins_ that allows only /usr/bin/ls and /usr/bin/cat.
Now configure the Linux host. In /etc/nsswitch.conf add a sudoers database line so that sudo consults sssd after the local files:
sudoers: files sss
Then in /etc/sssd/sssd.conf, in the [sssd] section, add sudo to the list of services:
cat /etc/sssd/sssd.conf | grep services
services = nss, pam, sudo
sssd caches what it fetches from Active Directory. The sudo rules are downloaded by periodic refreshes (a full refresh every 6 hours by default, a smart refresh every 15 minutes in between), so a rule you have just created may not be visible yet. To pick it up right away, flush the cache:
sss_cache -E
If that is not enough, stop sssd, delete its on-disk database and start it again:
service sssd stop
rm -rf /var/lib/sss/db/*
service sssd start
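As an added check (this script is not from the article), the two edits above can be verified before restarting sssd. It also shows that only the [sssd] section counts for services: the same key under a [domain/...] header does not start the sudo responder. The file paths are parameters so it can be run against copies; the defaults are the live files.

```shell
#!/bin/sh
# Added example, not from the article: verify that a host is wired up
# for sudo rules from sssd, i.e. that /etc/nsswitch.conf routes the
# sudoers database to sss and that the [sssd] section of sssd.conf
# lists the sudo responder. Paths are parameters so the functions can
# be tested against copies.

# nsswitch_has_sss_sudoers FILE: succeed if the "sudoers:" database in an
# nsswitch.conf lists the sss source (comment lines are ignored).
nsswitch_has_sss_sudoers() {
    awk '
        /^[[:space:]]*#/ { next }
        $1 == "sudoers:" { for (i = 2; i <= NF; i++) if ($i == "sss") found = 1 }
        END { if (found) exit 0; exit 1 }
    ' "$1"
}

# sssd_services_include FILE SERVICE: succeed if "services" in the [sssd]
# section of an sssd.conf lists SERVICE. Section headers switch the
# in_sssd flag, so a "services" key under [domain/...] is not counted.
sssd_services_include() {
    awk -v want="$2" '
        /^[[:space:]]*[#;]/ { next }
        /^\[/ { in_sssd = ($0 ~ /^\[sssd\][[:space:]]*$/); next }
        in_sssd && /^[[:space:]]*services[[:space:]]*=/ {
            sub(/^[^=]*=/, "")            # keep only the value part
            n = split($0, parts, ",")
            for (i = 1; i <= n; i++) {
                gsub(/[[:space:]]/, "", parts[i])
                if (parts[i] == want) found = 1
            }
        }
        END { if (found) exit 0; exit 1 }
    ' "$1"
}

# check_sudo_via_sssd NSSWITCH SSSDCONF: report both checks and succeed
# only if both pass; on failure it names the line the article adds.
check_sudo_via_sssd() {
    ok=0
    if nsswitch_has_sss_sudoers "$1"; then
        echo "ok:   $1 routes sudoers lookups to sss"
    else
        echo "FAIL: $1 lacks 'sudoers: files sss'"; ok=1
    fi
    if sssd_services_include "$2" sudo; then
        echo "ok:   $2 starts the sudo responder"
    else
        echo "FAIL: $2 [sssd] services does not include sudo"; ok=1
    fi
    return $ok
}

# Usage: check_sudo_via_sssd.sh --check [NSSWITCH SSSDCONF]
if [ "${1:-}" = "--check" ]; then
    check_sudo_via_sssd "${2:-/etc/nsswitch.conf}" "${3:-/etc/sssd/sssd.conf}"
fi
```

Run it with --check after editing the two files; a non-zero exit means one of them still lacks the required setting.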
Now check as domain users. user1 is a member of the admins_ group:
su user1
[user1@testsshad log]$ id
uid=1109801141(user1) gid=1109800513(domain users) groups=1109800513(domain users),1109801132(admins_)
[user1@testsshad log]$ sudo -l
[sudo] password for user1:
Matching Defaults entries for user1 on testsshad:
!visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/sbin:/bin:/usr/sbin:/usr/bin
User user1 may run the following commands on testsshad:
(root) /usr/bin/ls, /usr/bin/cat
And user2, a member of sudo_root:
su user2
[user2@testsshad log]$ id
uid=1109801142(user2) gid=1109800513(domain users) groups=1109800513(domain users),1109801138(sudo_root)
[user2@testsshad log]$ sudo -l
Matching Defaults entries for user2 on testsshad:
!visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/sbin:/bin:/usr/sbin:/usr/bin
User user2 may run the following commands on testsshad:
(root) ALL
This way sudo rights are granted through Active Directory group membership and sudoRole objects; nothing rule-specific has to be written on the hosts.
Part 2. Storing SSH keys in Active Directory
The idea is to keep each user's SSH public key in an attribute of their Active Directory account and to make sshd on every Linux host fetch it from there at login instead of reading ~/.ssh/authorized_keys. sssd already identifies the domain user on the host; the key lookup below is done by sshd itself through an AuthorizedKeysCommand script (sssd also offers an ssh responder for the same purpose, not covered here).
Active Directory has no attribute for SSH keys out of the box, so the schema is extended again with a new attribute, sshPublicKey. Run the following PowerShell script on the schema master as a member of Schema Admins:
AddsshPublicKeyAttribute.ps1:
# Generate a unique OID under the Microsoft-assigned prefix for schema
# extensions (the same scheme as Microsoft's oidgen script).
Function New-AttributeID {
    $Prefix="1.2.840.113556.1.8000.2554"
    $GUID=[System.Guid]::NewGuid().ToString()
    $Parts=@()
    $Parts+=[UInt64]::Parse($GUID.SubString(0,4),"AllowHexSpecifier")
    $Parts+=[UInt64]::Parse($GUID.SubString(4,4),"AllowHexSpecifier")
    $Parts+=[UInt64]::Parse($GUID.SubString(9,4),"AllowHexSpecifier")
    $Parts+=[UInt64]::Parse($GUID.SubString(14,4),"AllowHexSpecifier")
    $Parts+=[UInt64]::Parse($GUID.SubString(19,4),"AllowHexSpecifier")
    $Parts+=[UInt64]::Parse($GUID.SubString(24,6),"AllowHexSpecifier")
    $Parts+=[UInt64]::Parse($GUID.SubString(30,6),"AllowHexSpecifier")
    $oid=[String]::Format("{0}.{1}.{2}.{3}.{4}.{5}.{6}.{7}",$Prefix,$Parts[0],
        $Parts[1],$Parts[2],$Parts[3],$Parts[4],$Parts[5],$Parts[6])
    $oid
}
$schemaPath = (Get-ADRootDSE).schemaNamingContext
$oid = New-AttributeID
$attributes = @{
    lDAPDisplayName = 'sshPublicKey';
    attributeId = $oid;
    oMSyntax = 22;                  # IA5 string
    attributeSyntax = "2.5.5.5";    # String(IA5)
    isSingleValued = $true;         # one key per user; use $false to allow several
    adminDescription = 'User public key for SSH authentication';
}
# Create the attribute and allow it on user objects
New-ADObject -Name sshPublicKey -Type attributeSchema -Path $schemaPath -OtherAttributes $attributes
$userSchema = Get-ADObject -SearchBase $schemaPath -Filter 'name -eq "user"'
$userSchema | Set-ADObject -Add @{mayContain = 'sshPublicKey'}
When the script finishes, restart the Active Directory Domain Services service (or wait for the schema cache to be reloaded) so that the new attribute becomes visible.
Now put a key into a user's account. Generate a key pair for the user; here this is done with PuTTYgen: click Generate, save the private key for the user, and copy the public key from the text field "Public key for pasting into OpenSSH authorized_keys file". That field holds the one-line OpenSSH format sshd expects; the "Save public key" button writes a different (RFC 4716) format that will not work here.
Then store the copied line in the user's sshPublicKey attribute.
Option 1: GUI, through the Attribute Editor tab in Active Directory Users and Computers (with Advanced Features enabled) or through adsiedit.msc.
Option 2: PowerShell:
get-aduser user1 | set-aduser -add @{sshPublicKey = 'AAAAB...XAVnX9ZRJJ0p/Q=='}
Fig. 3. The sshPublicKey attribute of user1 filled with the public key copied from PuTTYgen.
Next, make sshd fetch the key from Active Directory. sshd has an AuthorizedKeysCommand option: a program that receives the login name and must print authorized_keys lines on stdout; sshd then checks the client's key against those lines exactly as it would against ~/.ssh/authorized_keys. Create a script that queries Active Directory with ldapsearch and extracts the attribute value:
cat /usr/local/bin/fetchSSHKeysFromLDAP
#!/bin/sh
# $1 is the login name passed by sshd; a "@domain" suffix is stripped so the
# sAMAccountName is looked up. The sed unfolds ldapsearch's continuation
# lines (which start with a space) and prints the value of sshPublicKey.
ldapsearch -h testmdt.testopf.local -xb "dc=testopf,dc=local" '(sAMAccountName='"${1%@*}"')' -D [email protected] -w superSecretPassword 'sshPublicKey' | sed -n '/^ /{H;d};/sshPublicKey:/x;$g;s/\n *//g;s/sshPublicKey: //gp'
Make it executable, owned by root and readable by root only (sshd refuses to run an AuthorizedKeysCommand that is not owned by root or is writable by group or others):
chmod 0500 /usr/local/bin/fetchSSHKeysFromLDAP
One weakness here: the password of the account that binds to Active Directory is written into the script in plain text, so anyone who can read the script gets it. The 0500 root-only mode helps, but it is cleaner to keep the password out of the script:
- put it into a separate file (no trailing newline: ldapsearch -y uses the file contents verbatim as the password):
printf '%s' 'Supersecretpassword' > /usr/local/etc/secretpass
- restrict the file to root:
chmod 0500 /usr/local/etc/secretpass
- change the ldapsearch call in the script: replace -w superSecretPassword with -y /usr/local/etc/secretpass
Use a dedicated domain account with read-only rights for this bind, and connect over LDAPS (-H ldaps://...) or StartTLS (-ZZ) rather than plain ldap: -x performs a simple bind, which otherwise sends that password across the network in the clear.
Now enable the command in /etc/ssh/sshd_config; the effective lines should look like this:
grep -v -E '^\s*#|^$' /etc/ssh/sshd_config | grep -E 'AuthorizedKeysCommand|PubkeyAuthe'
PubkeyAuthentication yes
AuthorizedKeysCommand /usr/local/bin/fetchSSHKeysFromLDAP
AuthorizedKeysCommandUser root
Restart sshd (systemctl restart sshd) to apply the change. From then on, when a user connects, sshd runs the script, gets the public key from Active Directory and verifies the client against it; nothing needs to exist in the user's home directory on the host. AuthorizedKeysCommandUser root is what is used here; sshd can run the command as a dedicated unprivileged account instead, in which case the script and the password file must be readable by that account rather than by root. Note also that local ~/.ssh/authorized_keys files keep working alongside the command unless AuthorizedKeysFile is set to none.
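An added example of the fetch script (this is not the article's script, nor a tool from the sssd or OpenSSH projects): the same ldapsearch lookup with the bind password taken from a file, the login name escaped before it goes into the LDAP filter as RFC 4515 requires, and a parser that also copes with values ldapsearch base64-encodes. The host and base DN are the article's test values; the bind account CN=svc-sshkeys, the password file path and the LDAPS URI are assumptions, and the sample LDIF at the bottom is constructed (the keys are not real) so the parser can be tried without a domain controller.

```shell
#!/bin/sh
# Added example, not the article's own script: an AuthorizedKeysCommand
# that queries AD like fetchSSHKeysFromLDAP above, with the bind password
# read from a file (-y) and the login name escaped before it is placed in
# the LDAP filter. Parsing is a separate function so it can be exercised
# offline on constructed LDIF.

LDAP_URI="ldaps://testmdt.testopf.local"                    # assumed: LDAPS, not plain ldap
LDAP_BASE="dc=testopf,dc=local"                              # article's test domain
LDAP_BIND_DN="CN=svc-sshkeys,CN=Users,DC=testopf,DC=local"   # hypothetical read-only bind account
LDAP_PASS_FILE="/usr/local/etc/secretpass"                   # as in the article's -y suggestion

# ldap_filter_escape VALUE: escape the RFC 4515 filter metacharacters
# ( ) * \ so the value cannot change the structure of the search filter.
# The backslash is handled first so the escapes it introduces stay intact.
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# extract_keys_from_ldif: read LDIF on stdin, print one authorized_keys
# line per sshPublicKey value. ldapsearch folds long values onto
# continuation lines that begin with a single space, and writes values it
# considers unsafe (e.g. a non-ASCII comment) as base64 after a double
# colon ("sshPublicKey:: ..."); the article's one-line sed only unfolds.
extract_keys_from_ldif() {
    awk '
        /^ /  { buf = buf substr($0, 2); next }      # continuation: append without the marker
              { if (buf != "") print buf; buf = $0 }  # flush the previous logical line
        END   { if (buf != "") print buf }
    ' | while IFS= read -r line; do
        case "$line" in
            "sshPublicKey:: "*) printf '%s' "${line#sshPublicKey:: }" | base64 -d; printf '\n' ;;
            "sshPublicKey: "*)  printf '%s\n' "${line#sshPublicKey: }" ;;
        esac
    done
}

# fetch_keys LOGIN: query AD for the account's sshPublicKey values. sshd
# passes the login name as $1; "user@domain" logins are reduced to the
# sAMAccountName part, as in the article's script.
fetch_keys() {
    sam=$(ldap_filter_escape "${1%@*}")
    ldapsearch -LLL -x -H "$LDAP_URI" -b "$LDAP_BASE" \
        -D "$LDAP_BIND_DN" -y "$LDAP_PASS_FILE" \
        "(&(objectClass=user)(sAMAccountName=$sam))" sshPublicKey
}

# Constructed sample of what ldapsearch returns for a user with two keys:
# the first folded across two lines, the second base64-encoded. Neither
# key is real key material.
SAMPLE_KEY1="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKeyMaterialNotARealKey user1@laptop"
SAMPLE_KEY2="ssh-rsa AAAAB3NzaC1yc2EPlaceholderNotARealKey user1@desktop"
sample_ldif() {
    printf 'dn: CN=user1,CN=Users,DC=testopf,DC=local\n'
    # fold before the comment: the continuation line keeps the real space after its marker
    printf 'sshPublicKey: %s\n  %s\n' "${SAMPLE_KEY1% *}" "${SAMPLE_KEY1##* }"
    printf 'sshPublicKey:: %s\n\n' "$(printf '%s' "$SAMPLE_KEY2" | base64 | tr -d '\n')"
}

case "${1:-}" in
    "")      ;;                                         # no login name: define functions only
    --demo)  sample_ldif | extract_keys_from_ldif ;;    # parse the constructed sample offline
    *)       fetch_keys "$1" | extract_keys_from_ldif ;; # invoked by sshd with the login name
esac
```

Run it with --demo to see the two sample keys come out as authorized_keys lines; installed as AuthorizedKeysCommand, sshd invokes it with the login name as the single argument, and the same 0500 root ownership rules as for the article's script apply.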
Disadvantages of the approach:
- users' public keys have to be entered into Active Directory by an administrator; users cannot add or rotate a key themselves the way they can with ~/.ssh/authorized_keys, unless they are given write access to their own sshPublicKey attribute.
- sshd queries Active Directory on every login and trusts only what it gets back; if the domain controller is unreachable, key-based logins fail on every host at the same time, since nothing is cached locally.
- sssd caches users and group membership, so removing a user from a group does not take effect immediately! Flush the cache (sss_cache -E) when a change has to apply right away, otherwise the user keeps the old rights for a while.
- sudo rule lookups also go through sssd, which resolves the user's sudoRole entries and group membership from Active Directory; the rules are cached and refreshed periodically, so a changed or deleted rule likewise stays in force until the next refresh or a cache flush.
In summary: sudo rights and SSH keys are kept in Active Directory, as sudoRole objects and as an attribute of the user accounts; a Linux host joined to the domain picks them up automatically, and granting or revoking access on every server comes down to group membership and the state of the account in Active Directory. Hopefully this is useful to someone.
Source: www.habr.com