The winners of the international SSH and sudo competitions are back on stage. Conducted by the Distinguished Active Directory Conductor

Historically, sudo permissions were managed through the contents of the files in /etc/sudoers.d and visudo, and key-based authorization was done with ~/.ssh/authorized_keys. As an infrastructure grows, however, the need arises to manage these rights centrally. Today there are several possible solutions:

  • Configuration management systems - Chef, Puppet, Ansible, Salt
  • Active Directory + sssd
  • Assorted home-grown hacks in the form of scripts and configuration files

In my humble opinion, the best option for centralized management is the Active Directory + sssd combination. The advantages of this approach are:

  • A truly single, centralized user directory.
  • Granting sudo rights comes down to adding a user to a specific security group.
  • With a mix of different Linux systems, a configuration management system would need extra checks to determine the OS; here that is not required.

Today's setup is devoted to the Active Directory + sssd combination: managing sudo rights and storing ssh keys in a single repository.
So, the hall has fallen into a tense silence, the conductor has raised his baton, and the orchestra is ready.
Let's go.

Given:
- Active Directory domain testopf.local on Windows Server 2012 R2.
- A Linux host running CentOS 7.
- Authorization already configured through sssd.
Both solutions modify the Active Directory schema, so we test everything in a lab environment first and only then apply the changes to the production infrastructure. I want to note that all changes are targeted: they add only the necessary attributes and classes.

Act 1: managing sudo roles through Active Directory.

To extend the Active Directory schema you need to download the latest sudo release, 1.8.27 as of today. Unpack it and copy the schema.ActiveDirectory file from the ./doc directory to the domain controller. From a command prompt with administrator rights, in the directory the file was copied to, run:
ldifde -i -f schema.ActiveDirectory -c dc=X dc=testopf,dc=local
(Don't forget to substitute your own values.)
Open adsiedit.msc and connect to the default naming context:
Create an organizational unit named sudoers at the root of the domain. (Bourgeois sources stubbornly claim that the sssd daemon looks for sudoRole objects only inside this unit. After enabling detailed debugging and studying the logs, however, it turned out that the search covers the entire directory tree.)
In the sudoers unit we create the first object of the sudoRole class. The name can be chosen freely, as it serves only for convenient identification.
Of the attributes that the schema extension makes available, the main ones are:

  • sudoCommand - defines which commands may be executed on the host.
  • sudoHost - defines which hosts this role applies to. It can be given as ALL or as the name of an individual host. A mask can also be used.
  • sudoUser - defines which users are allowed to run sudo.
    If you specify a security group, prefix its name with a "%" sign. Spaces in the group name are nothing to worry about: judging by the logs, the sssd machinery takes care of escaping them.

Figure 1. A sudoRole object in the sudoers unit at the root of the directory

Figure 2. Security group membership specified in sudoRole objects.
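The same two sudoRole objects built from PowerShell instead of adsiedit, as an added example that is not part of the original article. It assumes the unit is OU=sudoers at the root of testopf.local, that the groups are admins_ and sudo_root (the names visible in the id output later in the article), and that the ActiveDirectory module is installed.

```powershell
# Added example, not from the original article: creates the sudoRole objects
# shown in Figures 1 and 2 and reads them back for verification.
# Assumed names: OU=sudoers at the domain root, groups admins_ and sudo_root.
Import-Module ActiveDirectory

$sudoersOU = 'OU=sudoers,DC=testopf,DC=local'

# Role 1: members of admins_ may run only ls and cat (as root) on every host.
New-ADObject -Name 'role_admins_ls_cat' -Type 'sudoRole' -Path $sudoersOU -OtherAttributes @{
    sudoHost    = 'ALL'
    sudoUser    = '%admins_'                          # "%" prefix = security group
    sudoCommand = @('/usr/bin/ls', '/usr/bin/cat')    # multi-valued attribute
}

# Role 2: members of sudo_root may run anything (as root) on every host.
New-ADObject -Name 'role_sudo_root' -Type 'sudoRole' -Path $sudoersOU -OtherAttributes @{
    sudoHost    = 'ALL'
    sudoUser    = '%sudo_root'
    sudoCommand = 'ALL'
}

# Read back every sudoRole in the whole tree: sssd searches the entire directory,
# not just the sudoers unit, so this is the set a host will actually evaluate.
Get-ADObject -SearchBase 'DC=testopf,DC=local' -LDAPFilter '(objectClass=sudoRole)' `
    -Properties sudoHost, sudoUser, sudoCommand |
    Select-Object Name, sudoHost, sudoUser, @{ n = 'sudoCommand'; e = { $_.sudoCommand -join ', ' } }
```

The read-back listing is the quickest way to spot a stray sudoRole created outside the sudoers unit, which the host would still honour.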

Now the setup on the Linux side.
In /etc/nsswitch.conf, add the following line at the end of the file:

sudoers: files sss

In /etc/sssd/sssd.conf, in the [sssd] section, add sudo to the list of services:

cat /etc/sssd/sssd.conf | grep services
services = nss, pam, sudo

After all these steps you need to clear the sssd daemon cache. It refreshes automatically every 6 hours, but why wait that long when we want it now?

sss_cache -E

It often happens that clearing the cache does not help. In that case we stop the service, wipe its database, and start the service again.

service sssd stop
rm -rf /var/lib/sss/db/*
service sssd start

We log in as the first user and check what is available to him under sudo:

su user1
[user1@testsshad log]$ id
uid=1109801141(user1) gid=1109800513(domain users) groups=1109800513(domain users),1109801132(admins_)
[user1@testsshad log]$ sudo -l
[sudo] password for user1:
Matching Defaults entries for user1 on testsshad:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin:/bin:/usr/sbin:/usr/bin

User user1 may run the following commands on testsshad:
    (root) /usr/bin/ls, /usr/bin/cat

We do the same with our second user:

su user2
[user2@testsshad log]$ id
uid=1109801142(user2) gid=1109800513(domain users) groups=1109800513(domain users),1109801138(sudo_root)
[user2@testsshad log]$ sudo -l
Matching Defaults entries for user2 on testsshad:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin:/bin:/usr/sbin:/usr/bin

User user2 may run the following commands on testsshad:
    (root) ALL

This approach lets you flexibly define sudo roles for different user groups.

Storing and using ssh keys in Active Directory

With a small schema extension, ssh keys can be stored in Active Directory user attributes and used for authorization on Linux hosts.

Authorization through sssd must already be configured.
Add the required attribute with the following PowerShell script (run it on the schema master as a member of Schema Admins).
AddsshPublicKeyAttribute.ps1:
Function New-AttributeID {
    # Build a unique OID under the Microsoft private-enterprise prefix from a fresh GUID
    $Prefix="1.2.840.113556.1.8000.2554"
    $GUID=[System.Guid]::NewGuid().ToString()
    $Parts=@()
    $Parts+=[UInt64]::Parse($guid.SubString(0,4), "AllowHexSpecifier")
    $Parts+=[UInt64]::Parse($guid.SubString(4,4), "AllowHexSpecifier")
    $Parts+=[UInt64]::Parse($guid.SubString(9,4), "AllowHexSpecifier")
    $Parts+=[UInt64]::Parse($guid.SubString(14,4), "AllowHexSpecifier")
    $Parts+=[UInt64]::Parse($guid.SubString(19,4), "AllowHexSpecifier")
    $Parts+=[UInt64]::Parse($guid.SubString(24,6), "AllowHexSpecifier")
    $Parts+=[UInt64]::Parse($guid.SubString(30,6), "AllowHexSpecifier")
    $oid=[String]::Format("{0}.{1}.{2}.{3}.{4}.{5}.{6}.{7}",$prefix,$Parts[0],
        $Parts[1],$Parts[2],$Parts[3],$Parts[4],$Parts[5],$Parts[6])
    $oid
}
$schemaPath = (Get-ADRootDSE).schemaNamingContext
$oid = New-AttributeID
# Single-valued Unicode string attribute (oMSyntax 22 / attributeSyntax 2.5.5.5 = IA5 string)
$attributes = @{
    lDAPDisplayName = 'sshPublicKey';
    attributeId = $oid;
    oMSyntax = 22;
    attributeSyntax = "2.5.5.5";
    isSingleValued = $true;
    adminDescription = 'User Public key for SSH login';
}

# Create the attribute, then allow the user class to carry it
New-ADObject -Name sshPublicKey -Type attributeSchema -Path $schemapath -OtherAttributes $attributes
$userSchema = get-adobject -SearchBase $schemapath -Filter 'name -eq "user"'
$userSchema | Set-ADObject -Add @{mayContain = 'sshPublicKey'}

After the attribute has been added, Active Directory Domain Services must be restarted.
Now on to the Active Directory users. We create a key pair for the ssh connection using whatever method is convenient for you.
We launch PuTTYgen, press the "Generate" button and wiggle the mouse frantically over the blank area.
When the process is complete, we can save the public and private keys, put the public key into the Active Directory user attribute and enjoy the result. Note, however, that the public key must be taken from the "Public key for pasting into OpenSSH authorized_keys file:" field.
Add the key to the user attribute.
Option 1 - GUI:
Option 2 - PowerShell:
get-aduser user1 | set-aduser -add @{sshPublicKey = 'AAAAB...XAVnX9ZRJJ0p/Q=='}
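Because sshd will hand the attribute value straight to its authorized_keys parser, it is worth checking the pasted line really is in OpenSSH format before storing it. The check below is an added example, not part of the original article; it assumes the sshPublicKey attribute and user1 from the article, and the sample key it builds is a constructed all-zero ed25519 blob, not a real key.

```powershell
# Added example, not from the original article. Verifies that a key line is in the
# OpenSSH authorized_keys format ("<type> <base64> [comment]") and that the base64
# blob really encodes that same key type, before it is written to sshPublicKey.
# A key saved in PuTTY's own "---- BEGIN SSH2 PUBLIC KEY ----" format is rejected.
function Test-OpenSshPublicKey {
    param([Parameter(Mandatory)][string]$KeyLine)
    $parts = $KeyLine.Trim() -split '\s+', 3
    if ($parts.Count -lt 2) { return $false }
    $type  = $parts[0]
    $known = @('ssh-rsa', 'ssh-ed25519', 'ecdsa-sha2-nistp256', 'ecdsa-sha2-nistp384', 'ecdsa-sha2-nistp521')
    if ($type -notin $known) { return $false }
    try { $blob = [Convert]::FromBase64String($parts[1]) } catch { return $false }
    # The blob starts with a big-endian uint32 length followed by the key-type string.
    # Key-type names are short, so the two high bytes of that length must be zero.
    if ($blob.Length -lt 4 -or $blob[0] -ne 0 -or $blob[1] -ne 0) { return $false }
    $len = [int]$blob[2] * 256 + [int]$blob[3]
    if ($len -eq 0 -or $blob.Length -lt 4 + $len) { return $false }
    $embedded = [Text.Encoding]::ASCII.GetString($blob, 4, $len)
    return ($embedded -eq $type)
}

# Constructed sample (demonstration only): a well-formed ed25519 blob whose 32-byte key is all zeros.
$sample = [byte[]]([byte[]](0, 0, 0, 11) +
                   [Text.Encoding]::ASCII.GetBytes('ssh-ed25519') +
                   [byte[]](0, 0, 0, 32) +
                   (New-Object byte[] 32))
$goodLine  = 'ssh-ed25519 ' + [Convert]::ToBase64String($sample) + ' user1@testopf.local'
$puttyLine = '---- BEGIN SSH2 PUBLIC KEY ----'   # what PuTTYgen's "Save public key" produces

foreach ($line in @($goodLine, $puttyLine)) {
    if (Test-OpenSshPublicKey $line) {
        # Same attribute and user as in the article; only a validated line is stored.
        Get-ADUser user1 | Set-ADUser -Add @{ sshPublicKey = $line }
    } else {
        Write-Warning "Rejected: not an OpenSSH-format public key line: $line"
    }
}
```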
So, we now have a user with a populated sshPublicKey attribute and a PuTTY client configured for key authorization. One small thing remains: how to make the sshd daemon pull the public key we need out of the user's attributes. A small script found on the bourgeois Internet handles this nicely.

cat /usr/local/bin/fetchSSHKeysFromLDAP
#!/bin/sh
# $1 is the login name passed in by sshd; ${1%@*} strips any @REALM suffix.
# The sed joins LDIF continuation lines (which start with a space) back onto the
# sshPublicKey line and prints only the key value.
ldapsearch -h testmdt.testopf.local -xb "dc=testopf,dc=local" '(sAMAccountName='"${1%@*}"')' -D [email protected] -w superSecretPassword 'sshPublicKey' | sed -n '/^ /{H;d};/sshPublicKey:/x;$g;s/\n *//g;s/sshPublicKey: //gp'

We set its permissions to 0500 for root:

chmod 0500  /usr/local/bin/fetchSSHKeysFromLDAP

This example uses a domain account to bind to the directory. In production there should be a separate account with a minimal set of rights.
Personally, I was very uncomfortable with the password sitting in clear text inside the script, despite the permissions set on it.
A possible solution:

  • Save the password in a separate file:
    echo -n Supersecretpassword > /usr/local/etc/secretpass

  • Set the file permissions to 0500 for root:
    chmod 0500 /usr/local/etc/secretpass

  • Change the ldapsearch invocation: replace the -w superSecretPassword parameter with -y /usr/local/etc/secretpass

The final chord of today's setup is editing sshd_config:

cat /etc/ssh/sshd_config | egrep -v -E "#|^$" | grep -E "AuthorizedKeysCommand|PubkeyAuthe"
PubkeyAuthentication yes
AuthorizedKeysCommand /usr/local/bin/fetchSSHKeysFromLDAP
AuthorizedKeysCommandUser root

As a result, with key authorization configured in the ssh client, we get the following sequence:

  1. The user connects to the server, presenting his login.
  2. The sshd daemon, through the script, extracts the public key from the user's attribute in Active Directory and performs key-based authorization.
  3. The sssd daemon additionally authorizes the user based on group membership. Attention! If this is not configured, any domain user will get access to the host.
  4. When the user tries sudo, the sssd daemon searches Active Directory for roles. If roles exist, the user's attributes and group membership are checked (when the sudoRoles are configured to use user groups).

Conclusion.

Thus, keys are stored in Active Directory user attributes, sudo permissions are stored there too, and access to Linux hosts with domain accounts is granted by checking membership in an Active Directory group.
A final wave of the conductor's baton, and the hall bursts into respectful applause.


Source: www.habr.com
