Winners of the world SSH and sudo competitions back on stage. Conducted by the Distinguished Active Directory Conductor

Historically, sudo rights were managed through the contents of /etc/sudoers and the files under /etc/sudoers.d, and SSH key authentication was handled by ~/.ssh/authorized_keys on each host. As the infrastructure grows, though, you want to manage these rights centrally. Today there are several options:

  • Configuration management systems: Chef, Puppet, Ansible, Salt
  • Active Directory + SSSD
  • Assorted hacks: scripts and manual editing of files

In my humble opinion, the best option for centralized management is still the Active Directory + SSSD combination. The advantages of this approach:

  • A genuinely single central directory.
  • Granting sudo rights comes down to adding the user to a particular security group.
  • With a mix of Linux distributions, a configuration management system needs extra checks to detect the OS before it can apply its configuration; the directory-based approach does not.

Today's suite is devoted to the Active Directory + SSSD combination: managing sudo rights and keeping SSH keys in a single repository.
So the hall has gone quiet, the conductor has raised the baton, and the orchestra is ready.
Let's begin.

Given:
- Active Directory domain testopf.local on Windows Server 2012 R2.
- A Linux host running CentOS 7.
- Domain authentication already configured through SSSD.
Both solutions modify the Active Directory schema, so everything is tried in a test environment first and only then rolled out to the production infrastructure. Note that all the changes are targeted: they only add the required attributes and classes.

Task 1: managing sudo roles through Active Directory.

To extend the Active Directory schema, download the latest sudo release (1.8.27 at the time of writing). Unpack it and copy the file schema.ActiveDirectory from the ./doc directory to a domain controller. From an elevated command prompt, in the directory the file was copied to, run:
ldifde -i -f schema.ActiveDirectory -c dc=X dc=testopf,dc=local
(Don't forget to substitute your own values.)
Open adsiedit.msc and connect to the default naming context:
Create a container named sudoers at the root of the domain. (Western sources insist that this is the container in which the SSSD daemon looks for sudoRole objects. After turning on verbose debugging and reading the logs, however, it turned out that the search covered the whole directory tree. That matches the SSSD defaults: the sudo search base, ldap_sudo_search_base, falls back to ldap_search_base, i.e. the domain root, unless it is set explicitly.)
We create the first object of class sudoRole in the container. Its name can be anything, since it serves only to identify the object.
Of the attributes the schema extension makes available, the main ones are:

  • sudoCommand - which commands the role allows to be run on the host.
  • sudoHost - which hosts the role applies to. It can be ALL, an individual host by name, or a wildcard pattern.
  • sudoUser - the users allowed to run sudo.
    To specify a security group, prefix its name with "%". Spaces in the group name are not a problem: judging by the logs, escaping them is handled by SSSD itself.
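As an added example (not from the original article), here is the same thing done from the Linux side: a small shell script that builds sudoRole entries as LDIF, so the two roles used later in this article (ls and cat for %admins_, everything for %sudo_root) can be created with ldapadd instead of being clicked together in ADSI Edit, and that renders sudoRole LDIF (including what ldapsearch returns) back into sudoers syntax so you can review what SSSD will hand to sudo. The container CN=sudoers,DC=testopf,DC=local is the one created above; the service account svc-sudo@testopf.local, its password file and the LDAPS URI are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original article.
# Builds sudoRole objects as LDIF (to create them with ldapadd from a Linux host)
# and renders sudoRole LDIF back into sudoers syntax for review.
# Assumptions: the sudoers container below exists; the bind account, password
# file and DC name are hypothetical. Requires openldap-clients (ldapadd/ldapsearch).

SUDO_BASE='CN=sudoers,DC=testopf,DC=local'
LDAP_URI='ldaps://testmdt.testopf.local'   # LDAPS, so the simple bind is not sent in clear
BIND_DN='svc-sudo@testopf.local'           # hypothetical low-privilege service account
PASS_FILE='/usr/local/etc/secretpass'      # password only, no trailing newline

# sudorole_ldif NAME USER HOST CMD... : print one sudoRole entry as LDIF.
# USER is written exactly as sudo expects it, e.g. %admins_ for a security group.
# Every extra argument becomes one sudoCommand value; sudoRunAsUser is fixed to root.
sudorole_ldif() {
    name=$1; user=$2; host=$3; shift 3
    printf 'dn: CN=%s,%s\n' "$name" "$SUDO_BASE"
    printf 'objectClass: top\nobjectClass: sudoRole\n'
    printf 'cn: %s\n' "$name"
    printf 'sudoUser: %s\n' "$user"
    printf 'sudoHost: %s\n' "$host"
    printf 'sudoRunAsUser: root\n'
    for cmd in "$@"; do
        printf 'sudoCommand: %s\n' "$cmd"
    done
    printf '\n'                            # blank line ends the entry
}

# sudorole_render : read sudoRole LDIF on stdin, print each rule in sudoers
# syntax: "<users> <hosts>=(<runas>) <commands>". Attributes may repeat; a blank
# line ends an entry, as in ldapadd input and ldapsearch output.
sudorole_render() {
    awk '
        function flush() {
            if (cn == "") return
            if (runas == "") runas = "root"   # sudo default when sudoRunAsUser is absent
            printf "%s %s=(%s) %s\n", users, hosts, runas, cmds
            cn = users = hosts = runas = cmds = ""
        }
        /^cn: /            { cn = substr($0, 5) }
        /^sudoUser: /      { users = (users == "" ? "" : users ",") substr($0, 11) }
        /^sudoHost: /      { hosts = (hosts == "" ? "" : hosts ",") substr($0, 11) }
        /^sudoRunAsUser: / { runas = substr($0, 16) }
        /^sudoCommand: /   { cmds = (cmds == "" ? "" : cmds ", ") substr($0, 14) }
        /^$/               { flush() }
        END                { flush() }
    '
}

# sudorole_apply : pipe LDIF on stdin into the directory.
sudorole_apply() {
    ldapadd -H "$LDAP_URI" -x -D "$BIND_DN" -y "$PASS_FILE"
}

# sudorole_dump : fetch every sudoRole visible from the domain root (the same
# search SSSD performs by default) and render it; -LLL suppresses LDIF comments.
sudorole_dump() {
    ldapsearch -LLL -H "$LDAP_URI" -x -D "$BIND_DN" -y "$PASS_FILE" \
        -b 'DC=testopf,DC=local' '(objectClass=sudoRole)' \
        cn sudoUser sudoHost sudoRunAsUser sudoCommand | sudorole_render
}

# The two roles from the article: a limited role for %admins_, full root for %sudo_root.
example_roles() {
    sudorole_ldif admins_ls_cat '%admins_' ALL /usr/bin/ls /usr/bin/cat
    sudorole_ldif sudo_root_all '%sudo_root' ALL ALL
}

case "${1:-}" in
    --apply) example_roles | sudorole_apply ;;    # create the roles in AD
    --dump)  sudorole_dump ;;                     # review what is in the directory
    *)       example_roles | sudorole_render ;;   # offline preview of the rules
esac
```

Run it without arguments to see the rules as sudo will interpret them, with --apply to create them, and with --dump after the sss_cache step below to confirm the directory really contains what you expect before blaming the SSSD cache. Long attribute values in ldapsearch output are folded onto continuation lines starting with a space; the renderer does not unwrap them, which is fine for command paths but worth knowing if you store very long values.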

Figure 1. sudoRole objects in the sudoers container at the root of the directory.

Figure 2. Membership in the security groups referenced from the sudoRole objects.

The next part of the setup is done on the Linux side.
Add the following line to the end of /etc/nsswitch.conf:

sudoers: files sss

In /etc/sssd/sssd.conf, in the [sssd] section, add sudo to the list of services (with id_provider = ad the sudo provider defaults to ad as well, so nothing else is required; ldap_sudo_search_base can be set in the domain section if you want to limit the search to the sudoers container):

cat /etc/sssd/sssd.conf | grep services
services = nss, pam, sudo

Once all this is done, the SSSD cache has to be invalidated. SSSD refreshes the rules on its own (a full refresh every 6 hours by default, ldap_sudo_full_refresh_interval, plus an incremental refresh every 15 minutes), but why wait when we need them now?

sss_cache -E

Quite often clearing the cache is not enough. Then we stop the service, wipe its database, and start it again.

service sssd stop
rm -rf /var/lib/sss/db/*
service sssd start

Log in as the first user and see what sudo allows them:

su user1
[user1@testsshad log]$ id
uid=1109801141(user1) gid=1109800513(domain users) groups=1109800513(domain users),1109801132(admins_)
[user1@testsshad log]$ sudo -l
[sudo] password for user1:
Matching Defaults entries for user1 on testsshad:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin:/bin:/usr/sbin:/usr/bin

User user1 may run the following commands on testsshad:
    (root) /usr/bin/ls, /usr/bin/cat

Do the same for the second user:

su user2
[user2@testsshad log]$ id
uid=1109801142(user2) gid=1109800513(domain users) groups=1109800513(domain users),1109801138(sudo_root)
[user2@testsshad log]$ sudo -l
Matching Defaults entries for user2 on testsshad:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin:/bin:/usr/sbin:/usr/bin

User user2 may run the following commands on testsshad:
    (root) ALL

This approach lets you define sudo roles centrally for different groups of users.

Storing and using SSH keys in Active Directory

With a small schema extension it is possible to store SSH keys in a user attribute in Active Directory and use them for authentication on Linux hosts.

Authentication through SSSD must already be configured.
Add the required attribute with the following PowerShell script (run it as a member of Schema Admins against the schema master).
AddsshPublicKeyAttribute.ps1

Import-Module ActiveDirectory   # provides Get-ADRootDSE, New-ADObject, Get-ADObject, Set-ADObject

Function New-AttributeID {
    # Generate a unique OID for the new attribute under the Microsoft-reserved
    # prefix for locally defined schema extensions, derived from a fresh GUID.
    $Prefix = "1.2.840.113556.1.8000.2554"
    $GUID = [System.Guid]::NewGuid().ToString()
    $Parts = @()
    $Parts += [UInt64]::Parse($GUID.SubString(0, 4), "AllowHexSpecifier")
    $Parts += [UInt64]::Parse($GUID.SubString(4, 4), "AllowHexSpecifier")
    $Parts += [UInt64]::Parse($GUID.SubString(9, 4), "AllowHexSpecifier")
    $Parts += [UInt64]::Parse($GUID.SubString(14, 4), "AllowHexSpecifier")
    $Parts += [UInt64]::Parse($GUID.SubString(19, 4), "AllowHexSpecifier")
    $Parts += [UInt64]::Parse($GUID.SubString(24, 6), "AllowHexSpecifier")
    $Parts += [UInt64]::Parse($GUID.SubString(30, 6), "AllowHexSpecifier")
    $oid = [String]::Format("{0}.{1}.{2}.{3}.{4}.{5}.{6}.{7}", $Prefix, $Parts[0],
        $Parts[1], $Parts[2], $Parts[3], $Parts[4], $Parts[5], $Parts[6])
    $oid
}

$schemaPath = (Get-ADRootDSE).schemaNamingContext
$oid = New-AttributeID
$attributes = @{
    lDAPDisplayName  = 'sshPublicKey';
    attributeId      = $oid;
    oMSyntax         = 22;            # IA5 string
    attributeSyntax  = "2.5.5.5";     # String(IA5)
    isSingleValued   = $true;         # one key per user; set $false if a user needs several
    adminDescription = 'User Public key for SSH login';
}

# Create the attribute in the schema and allow it on the user class.
New-ADObject -Name sshPublicKey -Type attributeSchema -Path $schemaPath -OtherAttributes $attributes
$userSchema = Get-ADObject -SearchBase $schemaPath -Filter 'name -eq "user"'
$userSchema | Set-ADObject -Add @{mayContain = 'sshPublicKey'}

After adding the attribute, restart Active Directory Domain Services (or trigger a schema cache reload by writing schemaUpdateNow to the rootDSE).
Open Active Directory Users and Computers. Generate an SSH key pair in whatever way suits you.
Open PuTTYgen, click "Generate" and move the mouse randomly.
When it finishes, save the public and private keys, put the public key into the Active Directory attribute and enjoy life. The public key must be taken from the field "Public key for pasting into OpenSSH authorized_keys file:": the attribute value has to be that complete one-line form (key type, base64 blob, optional comment), because that is exactly what sshd will receive from the script below.
Add the key to the user's attribute.
Method 1 - GUI (screenshot in the original; the Attribute Editor tab in Active Directory Users and Computers is the usual place):
Method 2 - PowerShell:
get-aduser user1 | set-aduser -add @{sshPublicKey = 'AAAAB...XAVnX9ZRJJ0p/Q=='}
So now we have: a populated sshPublicKey attribute on the user and a PuTTY client set up for key authentication. One small thing remains: making the sshd daemon pull the public key we need from the user's attribute. A small script found on the Western internet handles that.

cat /usr/local/bin/fetchSSHKeysFromLDAP
#!/bin/sh
# Look the login name up by sAMAccountName (any @domain suffix is stripped) and print the
# sshPublicKey value; the sed collects ldapsearch's wrapped continuation lines (which start
# with a space) in the hold space and joins them back into one line before printing.
ldapsearch -h testmdt.testopf.local -xb "dc=testopf,dc=local" '(sAMAccountName='"${1%@*}"')' -D administrator@testopf.local -w superSecretPassword 'sshPublicKey' | sed -n '/^ /{H;d};/sshPublicKey:/x;$g;s/\n *//g;s/sshPublicKey: //gp'

Set its permissions to 0500, owned by root.

chmod 0500  /usr/local/bin/fetchSSHKeysFromLDAP

In this example the administrator account is used to bind to the directory. In production there should be a separate account with minimal rights (read access to the user objects is all it needs).
Personally, I was quite bothered by the password sitting in plaintext in the script, even with the permissions set.
Solution:

  • I keep the password in a separate file (without a trailing newline: ldapsearch -y uses the complete contents of the file as the password):
    echo -n superSecretPassword > /usr/local/etc/secretpass

  • I set the file's permissions to 0500, owned by root
    chmod 0500 /usr/local/etc/secretpass

  • Change the ldapsearch arguments: replace -w superSecretPassword with -y /usr/local/etc/secretpass

The final chord of today's suite is the change to sshd_config

cat /etc/ssh/sshd_config | egrep -v -E "#|^$" | grep -E "AuthorizedKeysCommand|PubkeyAuthe"
PubkeyAuthentication yes
AuthorizedKeysCommand /usr/local/bin/fetchSSHKeysFromLDAP
AuthorizedKeysCommandUser root
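As an added example that is not the article's script, here is a hardened version of fetchSSHKeysFromLDAP that keeps the behaviour above (login name in, authorized_keys lines out) but closes the gaps a reviewer would flag: the bind password comes from a file via -y, the connection uses LDAPS so neither the password nor the key data crosses the network in clear, the login name is escaped before being placed in the LDAP filter, folded ldapsearch output is reassembled without the cryptic sed, and only values that look like an OpenSSH public key line are passed on to sshd. The domain controller testmdt.testopf.local and the base DN come from the article; the service account svc-sshkeys@testopf.local and the password file path are assumptions, and the sample LDIF in the script is constructed, not real directory data.

```shell
#!/bin/sh
# Added example: hardened AuthorizedKeysCommand for sshd, not the article's script.
# Usage: fetchSSHKeysFromLDAP <login>   (sshd passes %u). Prints authorized_keys lines.
# Assumptions: LDAPS is reachable and the DC certificate is trusted (TLS_CACERT in
# /etc/openldap/ldap.conf); svc-sshkeys@testopf.local is a hypothetical read-only
# account; the password file holds only the password, no trailing newline, because
# ldapsearch -y uses the file contents verbatim.

LDAP_URI='ldaps://testmdt.testopf.local'
BASE_DN='dc=testopf,dc=local'
BIND_DN='svc-sshkeys@testopf.local'
PASS_FILE='/usr/local/etc/secretpass'

# ldap_filter_escape STRING : escape the RFC 4515 filter metacharacters so the
# login name cannot alter the meaning of the search filter. Backslash goes first.
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# ldif_unwrap : ldapsearch folds long values at 76 columns; a continuation line
# starts with one space. Rejoin such lines so every attribute is on one line.
ldif_unwrap() {
    awk '
        /^ / { line = line substr($0, 2); next }
             { if (started) print line; line = $0; started = 1 }
        END  { if (started) print line }
    '
}

# extract_keys : keep only sshPublicKey values that look like an OpenSSH public
# key line (key type, base64 blob, optional comment). Anything else stored in the
# attribute is dropped instead of being handed to sshd.
extract_keys() {
    awk '
        /^sshPublicKey: (ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)|ssh-dss) [A-Za-z0-9+\/]+=*/ {
            print substr($0, 15)
        }
    '
}

# fetch_keys LOGIN : look the user up by sAMAccountName and print their key(s).
# A domain suffix typed by the user (user@domain) is stripped, as in the original.
fetch_keys() {
    user=$(ldap_filter_escape "${1%@*}")
    ldapsearch -LLL -H "$LDAP_URI" -x -D "$BIND_DN" -y "$PASS_FILE" -b "$BASE_DN" \
        "(&(objectClass=user)(sAMAccountName=$user))" sshPublicKey \
        | ldif_unwrap | extract_keys
}

# Constructed ldapsearch output (not real directory data): one key folded across
# two lines, plus a junk value that must be filtered out.
SAMPLE_LDIF='dn: CN=user1,CN=Users,DC=testopf,DC=local
sshPublicKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEx4mpl3K3yD4t4N0tR34lKey
 Data1234567890abcdef user1@testopf.local
sshPublicKey: not a key at all
'

# demo : run the parsing pipeline on the constructed sample (offline).
demo() {
    printf '%s' "$SAMPLE_LDIF" | ldif_unwrap | extract_keys
}

case "${1:-}" in
    '') demo ;;             # no argument: offline demonstration on the sample above
    *)  fetch_keys "$1" ;;  # sshd passes the login name as %u
esac
```

Install it under the same sshd_config lines as above. sshd checks that an AuthorizedKeysCommand is a regular file owned by root and not writable by group or others, and refuses it otherwise; sshd_config(5) also recommends running it under a dedicated user with no other role on the host rather than root, in which case the password file must be readable only by that user. With an ldaps:// URI an untrusted or mismatched server certificate makes the bind fail rather than silently falling back to plaintext, which is the behaviour you want for a credential that gates logins.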

As a result, with key authentication set up in the SSH client, the sequence is:

  1. The user connects to the server, supplying their login name.
  2. The sshd daemon, through the script, fetches the public key from the user's attribute in Active Directory and performs key authentication.
  3. The sssd daemon additionally authorizes the user on the basis of group membership (for example access_provider = simple with simple_allow_groups, or access_provider = ad with ad_access_filter, in sssd.conf). Attention! If this is not configured, every domain user will be able to log in to the host.
  4. On a sudo attempt, the sssd daemon queries Active Directory for roles. If roles exist, the user's attributes and group membership are checked (when the sudoRoles are defined in terms of user groups).

Results.

So: keys are stored in Active Directory user attributes, sudo rights likewise, and access to Linux hosts with domain accounts is granted by checking membership in an Active Directory group.
A final sweep of the conductor's baton, and the hall freezes in reverent silence.

Sources used in writing this article:

Sudo via Active Directory
SSH keys via Active Directory
PowerShell script for adding an attribute to the Active Directory schema
sudo releases

Source: www.habr.com
