The world-championship laureates SSH and sudo are on stage again. Conducted by the Distinguished Active Directory Conductor

Historically, sudo permissions were managed through the contents of the files in /etc/sudoers.d and visudo, and key-based authentication was done through ~/.ssh/authorized_keys. However, as the infrastructure grows, there is a need to manage these rights centrally. Today there are several options for doing so:

  • A configuration management system - Chef, Puppet, Ansible, Salt
  • Active Directory + sssd
  • Various contortions in the form of scripts and file-editing tools

In my subjective opinion, the best option for centralized management is still the Active Directory + sssd combination. The advantages of this approach are:

  • A single central user directory.
  • Granting sudo rights boils down to adding the user to a security group.
  • With a mix of different Linux systems there is no need for the additional OS-detection checks that configuration management systems require.

Today's suite is devoted specifically to the Active Directory + sssd combination for managing sudo rights and keeping ssh keys in a single repository.
So, the hall has fallen silent, the conductor has raised his baton, and the musicians are ready.
Let's go.

Given:
- Active Directory domain testopf.local on Windows Server 2012 R2.
- A Linux host running CentOS 7.
- Authentication already configured through sssd.
Both solutions make changes to the Active Directory schema, so we test everything in a lab environment and only then touch the production infrastructure. I want to note that all changes are targeted and, in fact, add only the required attributes and classes.

Act one: managing sudo roles through Active Directory.

To extend the Active Directory schema, download the latest sudo release - 1.8.27 as of this writing. Unpack it and copy the schema.ActiveDirectory file from the ./doc directory to a domain controller. From a command prompt with administrator rights (schema changes require membership in Schema Admins), in the directory holding the copied file, run:
ldifde -i -f schema.ActiveDirectory -c dc=X dc=testopf,dc=local
(Do not forget to substitute your own domain.)
Open adsiedit.msc and connect to the default naming context:
Create a sudoers OU at the domain root. (Foreign sources stubbornly claim that the sssd daemon looks for sudoRole objects only in this OU. However, after enabling detailed debugging and reading the logs, it turned out that the search runs across the whole directory tree; the OU simply keeps the roles in one tidy place.)
We create the first object of class sudoRole in this OU. Its name can be anything, since it serves only for convenient identification.
Among the attributes the schema extension provides, the main ones are:

  • sudoCommand - determines which commands may be executed on the host.
  • sudoHost - determines which hosts the role applies to. It can be ALL, or a single host by name; a wildcard mask is also possible.
  • sudoUser - specifies which users are allowed to run sudo.
    To refer to a security group, prefix its name with "%". A space in the group name is nothing to worry about: judging by the logs, escaping the space is handled by the sssd machinery.
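Clicking the roles together in adsiedit.msc does not scale and leaves no record of what was created. The following shell snippet is an added example, not code from the original article: it writes the same sudoRole objects as LDIF, which can be imported with ldapadd from Linux or copied to the domain controller and fed to ldifde -i. It assumes the sudo schema above has been imported and that the sudoers OU exists at the domain root; the role, group and host names are constructed for illustration. It also applies the two LDIF rules that bite in practice: every sudoUser and sudoCommand value becomes its own attribute line (both attributes are multi-valued), and a value that starts with a space, ':' or '<', ends with a space, or contains non-ASCII must be base64-encoded with '::'.

```shell
#!/bin/sh
# Added example: generate LDIF for sudoRole objects (not from the original article).
# Assumes the sudo schema is imported and OU=sudoers exists under the domain root.

# ldif_attr NAME VALUE -> one LDIF attribute line.
# RFC 2849: a value that starts with space, ':' or '<', ends with a space or
# contains bytes outside printable ASCII must be written base64 as "NAME:: ...".
ldif_attr() {
    if printf '%s' "$2" | LC_ALL=C grep -qE '^[ :<]|[^ -~]| $'; then
        printf '%s:: %s\n' "$1" "$(printf '%s' "$2" | base64 | tr -d '\n')"
    else
        printf '%s: %s\n' "$1" "$2"
    fi
}

# sudo_role_ldif CN BASE_DN HOST USERS COMMANDS
#   USERS and COMMANDS are '|'-separated lists, so commands may contain spaces.
#   Security groups in USERS need the leading '%' exactly as in sudoers(5);
#   spaces inside a group name are fine, sssd escapes them for sudo.
sudo_role_ldif() {
    cn=$1 base=$2 host=$3 users=$4 cmds=$5
    # The CN goes into the DN unescaped, so refuse RFC 4514 special characters.
    if printf '%s' "$cn" | grep -q '[,+"\\<>;=#]'; then
        echo "sudo_role_ldif: CN '$cn' needs DN escaping, pick a plainer name" >&2
        return 1
    fi
    printf 'dn: CN=%s,OU=sudoers,%s\n' "$cn" "$base"
    printf 'objectClass: top\nobjectClass: sudoRole\n'
    ldif_attr cn "$cn"
    ldif_attr sudoHost "$host"
    printf '%s\n' "$users" | tr '|' '\n' | while IFS= read -r u; do
        if [ -n "$u" ]; then ldif_attr sudoUser "$u"; fi
    done
    printf '%s\n' "$cmds" | tr '|' '\n' | while IFS= read -r c; do
        if [ -n "$c" ]; then ldif_attr sudoCommand "$c"; fi
    done
    printf '\n'   # a blank line separates LDIF records
}

# Constructed demo: the two roles visible in the sudo -l output later in the
# article, written for import into DC=testopf,DC=local.
BASE_DN='DC=testopf,DC=local'
sudo_role_ldif admins_readonly "$BASE_DN" ALL '%admins_'   '/usr/bin/ls|/usr/bin/cat'
sudo_role_ldif sudo_root       "$BASE_DN" ALL '%sudo_root' ALL
```

Redirect the output to a file and import it with ldapadd -x -H ldap://dc -D binddn -W -f roles.ldif, or with ldifde -i -f roles.ldif on the controller; because the roles are now text, they can live in version control alongside the rest of the host configuration.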

Fig. 1. sudoRole objects in the sudoers OU at the directory root

Fig. 2. Membership in the security groups specified in the sudoRole objects.

The following setup is done on the Linux side.
In /etc/nsswitch.conf, add this line at the end of the file:

sudoers: files sss

In /etc/sssd/sssd.conf, in the [sssd] section, add sudo to services:

cat /etc/sssd/sssd.conf | grep services
services = nss, pam, sudo

After all this, flush the sssd daemon cache. A full automatic refresh of the sudo rules happens every six hours by default (ldap_sudo_full_refresh_interval), with a smart refresh of changed rules every 15 minutes, but why wait that long when we want it now?

sss_cache -E

It often happens that flushing the cache does not help. Then we stop the service, wipe the database and start the service again:

service sssd stop
rm -rf /var/lib/sss/db/*
service sssd start

We log in as the first user and check what is available to him under sudo:

su user1
[user1@testsshad log]$ id
uid=1109801141(user1) gid=1109800513(domain users) groups=1109800513(domain users),1109801132(admins_)
[user1@testsshad log]$ sudo -l
[sudo] password for user1:
Matching Defaults entries for user1 on testsshad:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin:/bin:/usr/sbin:/usr/bin

User user1 may run the following commands on testsshad:
    (root) /usr/bin/ls, /usr/bin/cat

We do the same with our second user:

su user2
[user2@testsshad log]$ id
uid=1109801142(user2) gid=1109800513(domain users) groups=1109800513(domain users),1109801138(sudo_root)
[user2@testsshad log]$ sudo -l
Matching Defaults entries for user2 on testsshad:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin:/bin:/usr/sbin:/usr/bin

User user2 may run the following commands on testsshad:
    (root) ALL

This approach lets us define sudo roles centrally for different groups of users.

Storing and using ssh keys in Active Directory

With a small extension of the schema, ssh keys can be stored in Active Directory user attributes and used for authorization on Linux hosts.

Authentication via sssd must already be configured.
Add the required attribute with a PowerShell script (run on a domain controller by a member of Schema Admins):
AddsshPublicKeyAttribute.ps1
# Generate a unique OID under Microsoft's private prefix from a fresh GUID
Function New-AttributeID {
    $Prefix="1.2.840.113556.1.8000.2554"
    $GUID=[System.Guid]::NewGuid().ToString()
    $Parts=@()
    $Parts+=[UInt64]::Parse($guid.SubString(0,4),"AllowHexSpecifier")
    $Parts+=[UInt64]::Parse($guid.SubString(4,4),"AllowHexSpecifier")
    $Parts+=[UInt64]::Parse($guid.SubString(9,4),"AllowHexSpecifier")
    $Parts+=[UInt64]::Parse($guid.SubString(14,4),"AllowHexSpecifier")
    $Parts+=[UInt64]::Parse($guid.SubString(19,4),"AllowHexSpecifier")
    $Parts+=[UInt64]::Parse($guid.SubString(24,6),"AllowHexSpecifier")
    $Parts+=[UInt64]::Parse($guid.SubString(30,6),"AllowHexSpecifier")
    $oid=[String]::Format("{0}.{1}.{2}.{3}.{4}.{5}.{6}.{7}",$prefix,$Parts[0],
        $Parts[1],$Parts[2],$Parts[3],$Parts[4],$Parts[5],$Parts[6])
    $oid
}
$schemaPath = (Get-ADRootDSE).schemaNamingContext
$oid = New-AttributeID
# attributeSyntax 2.5.5.5 with oMSyntax 22 is an IA5 (ASCII) string;
# isSingleValued means one key per user.
$attributes = @{
    lDAPDisplayName = 'sshPublicKey';
    attributeId = $oid;
    oMSyntax = 22;
    attributeSyntax = "2.5.5.5";
    isSingleValued = $true;
    adminDescription = 'User public key for SSH login';
}

# Create the attribute and allow it on the user class
New-ADObject -Name sshPublicKey -Type attributeSchema -Path $schemaPath -OtherAttributes $attributes
$userSchema = Get-ADObject -SearchBase $schemaPath -Filter 'name -eq "user"'
$userSchema | Set-ADObject -Add @{mayContain = 'sshPublicKey'}

After adding the attribute, restart Active Directory Domain Services (or reload the schema cache by writing schemaUpdateNow: 1 to the rootDSE) so the new attribute becomes usable.
Now to the Active Directory users. We generate a key pair for the ssh connection in whatever way is convenient.
We start PuTTYgen, click Generate and frantically move the mouse over the empty area.
When it finishes, we can save the public and private keys, load the public key into the Active Directory user's attribute and enjoy the process. Note that the public key must be taken from the field "Public key for pasting into OpenSSH authorized_keys file:", i.e. as a single authorized_keys line that begins with the key type.
Add the key to the user's attribute.
Option 1 - GUI: edit the sshPublicKey attribute of the user object in the attribute editor.
Option 2 - PowerShell:
get-aduser user1 | set-aduser -add @{sshPublicKey = 'AAAAB...XAVnX9ZRJJ0p/Q=='}
So, we now have a user whose sshPublicKey attribute is populated and a PuTTY client configured for key authentication. One small thing remains: making the sshd daemon pull the public key we need out of the user's attribute. A small script found on the foreign Internet copes with this successfully.

cat /usr/local/bin/fetchSSHKeysFromLDAP
#!/bin/sh
# $1 is the login name sshd passes in; ${1%@*} strips a user@REALM suffix.
# The sed joins LDIF continuation lines (leading space) and prints the bare value.
ldapsearch -h testmdt.testopf.local -xb "dc=testopf,dc=local" '(sAMAccountName='"${1%@*}"')' -D [email protected] -w superSecretPassword 'sshPublicKey' | sed -n '/^ /{H;d};/sshPublicKey:/x;$g;s/\n *//g;s/sshPublicKey: //gp'

We set its permissions to 0500 for root.

chmod 0500  /usr/local/bin/fetchSSHKeysFromLDAP

In this example the administrator account is used to bind to the directory. In production there must be a separate account with a minimal set of rights; read access to the sshPublicKey attribute is all it needs.
Personally, I was very bothered by the password sitting in plain text in the script, even with the permissions set.
Solution option:

  • Keep the password in a separate file:
    echo -n superSecretPassword > /usr/local/etc/secretpass

  • Set the file permissions to 0500 for root (0400 would do, the file is only ever read):
    chmod 0500 /usr/local/etc/secretpass

  • Change the ldapsearch parameters: replace -w superSecretPassword with -y /usr/local/etc/secretpass. Note that -y uses the whole file content as the password, which is why the file is written with echo -n and must not end with a newline.
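The one-liner above works, but it interpolates the login name straight into the LDAP filter, trusts whatever is stored in the attribute, and throws away the base64 ("::") form that ldapsearch uses for values with a leading space or non-ASCII comment. The script below is an added example, not the article's script: a hardened replacement that escapes the filter per RFC 4515, reads the bind password with -y from the root-only file just described, unfolds and decodes the LDIF properly, and hands sshd only lines that look like a bare authorized_keys entry. The LDAPS URI, the bind account CN=svc_sshkeys and the sample LDIF records are assumptions constructed for testopf.local; the key blobs are not real keys.

```shell
#!/bin/sh
# Added example (not from the original article): a hardened replacement for
# fetchSSHKeysFromLDAP. Assumptions: a low-privilege bind account, the password
# in a root-only file read with -y, and LDAPS available on the DC; host and DN
# values are placeholders for testopf.local.
LDAP_URI=${LDAP_URI:-ldaps://testmdt.testopf.local}   # simple bind sends the password in clear without TLS
LDAP_BASE=${LDAP_BASE:-DC=testopf,DC=local}
LDAP_BIND_DN=${LDAP_BIND_DN:-CN=svc_sshkeys,OU=Service,DC=testopf,DC=local}   # assumed read-only account
LDAP_PW_FILE=${LDAP_PW_FILE:-/usr/local/etc/secretpass}   # whole file content is the password, hence echo -n

# ldap_filter_escape VALUE -> VALUE with RFC 4515 metacharacters escaped, so a
# login name can never change the shape of the search filter. Backslash first.
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# ldif_values ATTR < LDIF -> every value of ATTR, one per line.
# Unfolds the continuation lines ldapsearch emits (leading space) and decodes
# values written as "ATTR:: base64" (used when the value has a leading space,
# ':', '<' or non-ASCII, e.g. a key comment with an accented name).
ldif_values() {
    awk '
        /^ / { buf = buf substr($0, 2); next }
        { if (buf != "") print buf; buf = $0 }
        END { if (buf != "") print buf }
    ' | while IFS= read -r line; do
        case $line in
            "$1:: "*) printf '%s\n' "${line#"$1:: "}" | base64 -d; echo ;;
            "$1: "*)  printf '%s\n' "${line#"$1: "}" ;;
        esac
    done
}

# keyline_ok LINE -> true only for a bare authorized_keys entry
# "<keytype> <base64> [comment]". Option prefixes such as command= or from=,
# and any garbage written into the attribute, are dropped, not handed to sshd.
keyline_ok() {
    printf '%s\n' "$1" | grep -qE \
      '^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521)|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com) [A-Za-z0-9+/]+={0,2}( [^[:cntrl:]]*)?$'
}

# filter_keys < LDIF -> only well-formed sshPublicKey values
filter_keys() {
    ldif_values sshPublicKey | while IFS= read -r k; do
        if keyline_ok "$k"; then printf '%s\n' "$k"; fi
    done
}

# fetch_keys LOGIN: what sshd runs via AuthorizedKeysCommand (with no %-tokens
# configured, OpenSSH passes the target user name as the single argument).
fetch_keys() {
    user=${1%@*}                  # drop a realm suffix if the login came as user@REALM
    case $user in                 # sshd already resolved the account; still refuse odd names
        ''|*[!A-Za-z0-9._-]*) echo "fetch_keys: refusing login name" >&2; return 1 ;;
    esac
    ldapsearch -LLL -x -H "$LDAP_URI" -b "$LDAP_BASE" -D "$LDAP_BIND_DN" -y "$LDAP_PW_FILE" \
        "(&(objectClass=user)(sAMAccountName=$(ldap_filter_escape "$user")))" sshPublicKey \
        | filter_keys
}

# Constructed ldapsearch -LLL output for offline demonstration (not real keys):
# a folded plain value, a base64 value, and an attribute that is not a bare key.
SAMPLE_LDIF="dn: CN=user1,CN=Users,DC=testopf,DC=local
sAMAccountName: user1
sshPublicKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMpleSampleOnlyNotARealKey0
 123456789abcdef user1@testopf.local

dn: CN=user2,CN=Users,DC=testopf,DC=local
sAMAccountName: user2
sshPublicKey:: $(printf '%s' 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQConstructed== user2' | base64 | tr -d '\n')

dn: CN=user3,CN=Users,DC=testopf,DC=local
sshPublicKey: command=\"/bin/true\" ssh-rsa AAAA not-a-bare-key
"
printf '%s\n' "$SAMPLE_LDIF" | filter_keys
```

Installed as /usr/local/bin/fetchSSHKeysFromLDAP it is a drop-in for the AuthorizedKeysCommand setting that follows; run stand-alone it prints the two acceptable keys from the constructed sample and silently drops the third record. Rejecting option prefixes is a deliberate choice: whoever can write the attribute should get a key installed, not the ability to attach command= or environment= directives to it.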

The final chord of today's suite is configuring sshd_config. Here the command runs as root; a dedicated unprivileged AuthorizedKeysCommandUser is the safer choice, with the script and the password file readable only by that user.

cat /etc/ssh/sshd_config | egrep -v -E "#|^$" | grep -E "AuthorizedKeysCommand|PubkeyAuthe"
PubkeyAuthentication yes
AuthorizedKeysCommand /usr/local/bin/fetchSSHKeysFromLDAP
AuthorizedKeysCommandUser root

As a result, with key authentication configured in the ssh client, we get the following sequence:

  1. The user connects to the server, presenting his login name.
  2. The sshd daemon, via the script, pulls the public key value from the user's attribute in Active Directory and performs key authentication against it.
  3. The sssd daemon authorizes the user based on group membership (the access_provider). Attention! If this is not configured, any domain user gets access to the host.
  4. When the user tries to run sudo, the sssd daemon looks up the roles in Active Directory. If roles exist, the user's attributes and group membership are checked (when the sudoRoles are built on user groups).
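Two of the steps above silently fall apart when a single line is missing: without sudoers: files sss in nsswitch.conf and sudo in the sssd services list, sudo never asks sssd for roles, and without an access_provider in the domain section sssd's default of permit lets every domain user log in, exactly the failure the Attention above warns about. The shell check below is an added example, not part of the original article: it audits those settings in nsswitch.conf and sssd.conf, taking the file paths as parameters so it runs against the constructed weak and corrected samples here and against /etc on a real host. The group names in the samples are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): audit the Linux-side settings
# that the login/sudo sequence depends on. Paths are parameters so it can be
# run against the constructed samples below or against /etc on a real host.

# ini_get FILE SECTION KEY -> value of KEY in [SECTION], empty if unset
ini_get() {
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*\[/ { cur = $0; gsub(/^[ \t]+|[ \t]+$/, "", cur); next }
        cur == sec && index($0, "=") {
            k = $0; sub(/=.*/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k == key) { v = $0; sub(/^[^=]*=/, "", v); gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit }
        }' "$1"
}

# ini_sections FILE PREFIX -> section names beginning with PREFIX (e.g. domain/)
ini_sections() {
    awk -v pfx="$2" '
        /^[ \t]*\[/ { s = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", s); if (index(s, pfx) == 1) print s }' "$1"
}

# has_word LIST WORD -> true if WORD is an item of the comma/space separated LIST
has_word() {
    printf '%s\n' "$1" | tr ', ' '\n\n' | grep -qx "$2"
}

# check_sssd_sudo NSSWITCH_CONF SSSD_CONF -> prints findings, returns 1 on any FAIL
check_sssd_sudo() {
    nss=$1 conf=$2 bad=0
    if ! awk '$1 == "sudoers:" { for (i = 2; i <= NF; i++) if ($i == "sss") ok = 1 } END { exit !ok }' "$nss"; then
        echo "FAIL: $nss lacks 'sudoers: files sss'; sudo will never ask sssd for roles"; bad=1
    fi
    if ! has_word "$(ini_get "$conf" sssd services)" sudo; then
        echo "FAIL: [sssd] services does not list sudo; the sudo responder is not started"; bad=1
    fi
    for d in $(ini_sections "$conf" domain/); do
        ap=$(ini_get "$conf" "$d" access_provider)
        case $ap in
            ''|permit)
                echo "FAIL: [$d] access_provider is ${ap:-unset (sssd defaults to permit)}: every domain user can log in"; bad=1 ;;
            simple)
                if [ -z "$(ini_get "$conf" "$d" simple_allow_groups)$(ini_get "$conf" "$d" simple_allow_users)" ]; then
                    echo "FAIL: [$d] access_provider=simple with no simple_allow_* list allows everyone"; bad=1
                fi ;;
            ad)
                if [ -z "$(ini_get "$conf" "$d" ad_access_filter)" ]; then
                    echo "WARN: [$d] access_provider=ad without ad_access_filter enforces account state only, not group membership"
                fi ;;
        esac
    done
    return $bad
}

# Constructed samples: the weak configuration beside the corrected one.
DEMO_DIR=$(mktemp -d)
printf 'passwd:  files sss\nsudoers: files sss\n' > "$DEMO_DIR/nsswitch.good"
printf 'passwd:  files sss\n' > "$DEMO_DIR/nsswitch.bad"
cat > "$DEMO_DIR/sssd.weak.conf" <<'EOF'
[sssd]
services = nss, pam
domains = testopf.local

[domain/testopf.local]
id_provider = ad
EOF
cat > "$DEMO_DIR/sssd.good.conf" <<'EOF'
[sssd]
services = nss, pam, sudo
domains = testopf.local

[domain/testopf.local]
id_provider = ad
sudo_provider = ad
access_provider = simple
simple_allow_groups = linux_logon, sudo_root
EOF
echo "== weak:"; check_sssd_sudo "$DEMO_DIR/nsswitch.bad" "$DEMO_DIR/sssd.weak.conf" || true
echo "== good:"; check_sssd_sudo "$DEMO_DIR/nsswitch.good" "$DEMO_DIR/sssd.good.conf" && echo OK || echo "unexpected findings"
```

On a real host call check_sssd_sudo /etc/nsswitch.conf /etc/sssd/sssd.conf; a non-zero exit makes it usable as a post-provisioning gate. The group names linux_logon and sudo_root in the corrected sample are assumptions; the point is that the login gate (access_provider) and the sudo roles are two separate controls and both have to be present.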

Summary.

So: the keys are kept in Active Directory user attributes, the sudo permissions likewise, and access to Linux hosts with domain accounts is granted by checking membership in an Active Directory group.
A final wave of the conductor's baton, and the hall freezes in respectful silence.

Resources used when writing:

Sudo via Active Directory
SSH keys via Active Directory
PowerShell script that adds an attribute to the Active Directory schema
sudo stable release

Source: www.habr.com
