Winners of the international SSH and sudo competitions are back on stage. Conducting: the distinguished maestro, Active Directory.

Historically, sudo permissions were managed through the contents of the files in /etc/sudoers.d and visudo, and key-based authentication was handled with ~/.ssh/authorized_keys. However, as the infrastructure grows, there is a desire to manage these rights centrally. Today there are several options for a solution:

  • Configuration management systems: Chef, Puppet, Ansible, Salt
  • Active Directory + sssd
  • Various perversions in the form of scripts and manual file editing

In my personal opinion, the best option for centralized management is still the Active Directory + sssd combination. The advantages of this approach are:

  • A truly single, centralized user directory.
  • Granting sudo rights comes down to adding a user to a specific security group.
  • In the case of different Linux distributions, configuration management systems require additional checks to determine the OS.

Today's suite is devoted specifically to the Active Directory + sssd combination for managing sudo rights and storing ssh keys in a single repository.
So, the hall fell silent, the conductor raised his baton, the orchestra readied itself.
Let's begin.

Given:
- An Active Directory domain testopf.local on Windows Server 2012 R2.
- A Linux host running CentOS 7
- Authorization configured via sssd
Both solutions make changes to the Active Directory schema, so we test everything in a test environment first and only then make changes to the production infrastructure. I would like to note that all changes are targeted and, in fact, only add the necessary attributes and classes.

Step 1: managing sudo roles via Active Directory.

To extend the Active Directory schema, download the latest sudo release, 1.8.27 as of today. Unpack it and copy the schema.ActiveDirectory file from the ./doc directory to the domain controller. From a command prompt with administrator rights, in the directory the file was copied to, run:
ldifde -i -f schema.ActiveDirectory -c dc=X dc=testopf,dc=local
(Don't forget to substitute your own values)
Open adsiedit.msc and connect to the default naming context:
Create a sudoers container at the domain root. (Western documentation stubbornly claims that this is the container in which the sssd daemon looks for sudoRole objects. However, after enabling detailed debugging and studying the logs, it turned out that the search is performed over the entire directory tree.)
We create the first object of the sudoRole class. Its name can be chosen completely arbitrarily, since it serves only for convenient identification.
Among the attributes made available by the schema extension, the main ones are:

  • sudoCommand - defines the commands that may be executed on the host.
  • sudoHost - defines the hosts to which this role applies. It can be specified as ALL, or as an individual host by name. Wildcard masks can also be used.
  • sudoUser - specifies the users allowed to run sudo.
    If you specify a security group, add a "%" sign at the beginning of the name. If the group name contains spaces, there is nothing to worry about: judging by the logs, escaping the spaces is handled by sssd.
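
As an added example (not from the article), here are the sudoers container and the two sudoRole objects that would produce the sudo -l results shown further down the page, written as an LDIF file that ldifde can import on the domain controller. The role names are constructed; the group names, commands and domain are the page's own.

```ldif
dn: CN=sudoers,DC=testopf,DC=local
changetype: add
objectClass: container
cn: sudoers

# constructed role name: members of admins_ may run only ls and cat as root
dn: CN=role_admins_ls_cat,CN=sudoers,DC=testopf,DC=local
changetype: add
objectClass: sudoRole
cn: role_admins_ls_cat
sudoHost: ALL
sudoUser: %admins_
sudoCommand: /usr/bin/ls
sudoCommand: /usr/bin/cat

# constructed role name: members of sudo_root may run anything
dn: CN=role_sudo_root_all,CN=sudoers,DC=testopf,DC=local
changetype: add
objectClass: sudoRole
cn: role_sudo_root_all
sudoHost: ALL
sudoUser: %sudo_root
sudoCommand: ALL
```

Import it with ldifde -i -f sudoroles.ldf, then clear the sssd cache on the Linux side so the new roles are picked up.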

Figure 1. sudoRole objects in the sudoers container at the directory root

Figure 2. Security group membership specified in the sudoRole objects.

The following configuration is done on the Linux side.
In /etc/nsswitch.conf, add the following line at the end of the file:

sudoers: files sss

In /etc/sssd/sssd.conf, add the sudo service to the [sssd] section:

cat /etc/sssd/sssd.conf | grep services
services = nss, pam, sudo

After all these operations, you need to clear the sssd daemon cache. The automatic refresh happens every 6 hours, but why wait that long when we want it now?

sss_cache -E

It often happens that clearing the cache doesn't help. Then we stop the service, wipe the database cache and start the service again.

service sssd stop
rm -rf /var/lib/sss/db/*
service sssd start

We log in as the first user and check what is available to him under sudo:

su user1
[user1@testsshad log]$ id
uid=1109801141(user1) gid=1109800513(domain users) groups=1109800513(domain users),1109801132(admins_)
[user1@testsshad log]$ sudo -l
[sudo] password for user1:
Matching Defaults entries for user1 on testsshad:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin:/bin:/usr/sbin:/usr/bin

User user1 may run the following commands on testsshad:
    (root) /usr/bin/ls, /usr/bin/cat

We do the same for our second user:

su user2
[user2@testsshad log]$ id
uid=1109801142(user2) gid=1109800513(domain users) groups=1109800513(domain users),1109801138(sudo_root)
[user2@testsshad log]$ sudo -l
Matching Defaults entries for user2 on testsshad:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin:/bin:/usr/sbin:/usr/bin

User user2 may run the following commands on testsshad:
    (root) ALL

This approach lets you centrally define sudo roles for different groups of users.

Storing and using ssh keys in Active Directory

With a small schema extension, it is possible to store ssh keys in Active Directory user attributes and use them when authenticating on Linux hosts.

sssd authorization must already be configured.
Add the required attribute using the PowerShell script AddsshPublicKeyAttribute.ps1:

Import-Module ActiveDirectory

# Build a new attribute OID under the Microsoft-assigned prefix from a random GUID
Function New-AttributeID {
$Prefix="1.2.840.113556.1.8000.2554"
$GUID=[System.Guid]::NewGuid().ToString()
$Parts=@()
$Parts+=[UInt64]::Parse($guid.SubString(0,4),"AllowHexSpecifier")
$Parts+=[UInt64]::Parse($guid.SubString(4,4),"AllowHexSpecifier")
$Parts+=[UInt64]::Parse($guid.SubString(9,4),"AllowHexSpecifier")
$Parts+=[UInt64]::Parse($guid.SubString(14,4),"AllowHexSpecifier")
$Parts+=[UInt64]::Parse($guid.SubString(19,4),"AllowHexSpecifier")
$Parts+=[UInt64]::Parse($guid.SubString(24,6),"AllowHexSpecifier")
$Parts+=[UInt64]::Parse($guid.SubString(30,6),"AllowHexSpecifier")
$oid=[String]::Format("{0}.{1}.{2}.{3}.{4}.{5}.{6}.{7}",$prefix,$Parts[0],
$Parts[1],$Parts[2],$Parts[3],$Parts[4],$Parts[5],$Parts[6])
$oid
}
$schemaPath = (Get-ADRootDSE).schemaNamingContext
$oid = New-AttributeID
# oMSyntax 22 + attributeSyntax 2.5.5.5 = IA5 string (printable ASCII), single-valued
$attributes = @{
lDAPDisplayName = 'sshPublicKey';
attributeId = $oid;
oMSyntax = 22;
attributeSyntax = "2.5.5.5";
isSingleValued = $true;
adminDescription = 'User public key for SSH login';
}

# Create the attribute and allow it on the user class
New-ADObject -Name sshPublicKey -Type attributeSchema -Path $schemaPath -OtherAttributes $attributes
$userSchema = Get-ADObject -SearchBase $schemaPath -Filter 'name -eq "user"'
$userSchema | Set-ADObject -Add @{mayContain = 'sshPublicKey'}

After adding the attribute, you need to restart Active Directory Domain Services.
Let's move on to Active Directory users. We generate a key pair for the ssh connection in whatever way is convenient for you.
We launch PuTTYgen, press the "Generate" button and frantically move the mouse over the empty area.
When the process finishes, we can save the public and private keys, upload the public key to the Active Directory user attribute and enjoy the process. However, the public key must be taken from the "Public key for pasting into OpenSSH authorized_keys file:" field.
Add the key to the user attribute
Option 1 - GUI:
Option 2 - PowerShell:
get-aduser user1 | set-aduser -add @{sshPublicKey = 'AAAAB...XAVnX9ZRJJ0p/Q=='}
So, we now have a user with a populated sshPublicKey attribute and a PuTTY client configured for key authentication. One small point remains: how to make the sshd daemon fetch the public key we need from the user attributes. A small script found on the Western internet handles this successfully.

cat /usr/local/bin/fetchSSHKeysFromLDAP
#!/bin/sh
# $1 is the login name passed by sshd; "${1%@*}" strips any @REALM suffix.
# The sed expression joins folded LDIF continuation lines and prints only the key value.
# <bind-account> is a placeholder; the article binds with the administrator account.
ldapsearch -h testmdt.testopf.local -xb "dc=testopf,dc=local" '(sAMAccountName='"${1%@*}"')' -D <bind-account>@testopf.local -w superSecretPassword 'sshPublicKey' | sed -n '/^ /{H;d};/sshPublicKey:/x;$g;s/\n *//g;s/sshPublicKey: //gp'

We set permissions 0500, owned by root.

chmod 0500  /usr/local/bin/fetchSSHKeysFromLDAP

In this example, the administrator account is used to bind to the directory. In production there should be a separate account with minimal rights.
Personally, I was quite bothered by the password sitting in plain text inside the script, even with the permissions set.
One possible solution:

  • Save the password to a separate file:
    echo -n Supersecretpassword > /usr/local/etc/secretpass

  • Set the file permissions to 0500, owned by root
    chmod 0500 /usr/local/etc/secretpass

  • Change the ldapsearch parameters: replace -w superSecretPassword with -y /usr/local/etc/secretpass
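
Putting the fetch script and the password-file change together, here is an added example (not the article's script) of a hardened fetchSSHKeysFromLDAP: it binds with -y and the secretpass file, rejects login names that are not a plain sAMAccountName before they are placed in the LDAP filter, and joins folded LDIF lines with awk instead of sed. The bind account svc_sshkeys and the sample LDIF are constructed; the host, base DN and attribute name are the page's own.

```shell
#!/bin/sh
# Added example, not the article's script. Hardened AuthorizedKeysCommand: the bind
# password comes from the secretpass file (-y), the login is validated before it is
# placed in the LDAP filter, and LDIF continuation lines are joined as the article's
# sed expression does. BIND_DN is a placeholder for a dedicated low-privilege account.
LDAP_URI="ldap://testmdt.testopf.local"
BASE_DN="dc=testopf,dc=local"
BIND_DN="svc_sshkeys@testopf.local"        # placeholder bind account
PASS_FILE="/usr/local/etc/secretpass"      # 0500 root, created as in the article

# Accept only a plain sAMAccountName; anything else never reaches the filter.
valid_login() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Read LDIF on stdin, join folded lines (leading space), print sshPublicKey values;
# base64-encoded values ("sshPublicKey:: ...") are decoded as well.
extract_keys() {
    awk '
        function emit(line,  val, cmd) {
            if (line ~ /^sshPublicKey:: /) {
                val = substr(line, 16)
                cmd = "printf %s " val " | base64 -d"
                cmd | getline val; close(cmd)
                print val
            } else if (line ~ /^sshPublicKey: /) {
                print substr(line, 15)
            }
        }
        /^ / { buf = buf substr($0, 2); next }
             { if (buf != "") emit(buf); buf = $0 }
        END  { if (buf != "") emit(buf) }'
}

# Constructed LDIF sample, folded the way ldapsearch prints long values.
SAMPLE_LDIF='dn: CN=user1,CN=Users,dc=testopf,dc=local
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDconstructedSampleKeyMaterial
 XAVnX9ZRJJ0p/Q== user1@testopf.local'

fetch_keys() {
    login="${1%@*}"                          # sshd passes the login; strip any @REALM
    valid_login "$login" || return 1
    ldapsearch -x -LLL -H "$LDAP_URI" -b "$BASE_DN" -D "$BIND_DN" -y "$PASS_FILE" \
        "(sAMAccountName=$login)" sshPublicKey | extract_keys
}

if [ $# -gt 0 ]; then fetch_keys "$1"; fi
```

Point AuthorizedKeysCommand at this file exactly as in the sshd_config fragment below; a login that fails validation produces no keys, so sshd simply falls through to the next authentication method.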

The final chord of today's suite is editing sshd_config

cat /etc/ssh/sshd_config | egrep -v -E "#|^$" | grep -E "AuthorizedKeysCommand|PubkeyAuthe"
PubkeyAuthentication yes
AuthorizedKeysCommand /usr/local/bin/fetchSSHKeysFromLDAP
AuthorizedKeysCommandUser root

As a result, with key authentication configured on the ssh client, we get the following sequence:

  1. The user connects to the server, specifying his login.
  2. The sshd daemon, via the script, fetches the public key value from the Active Directory user attribute and performs key-based authentication.
  3. The sssd daemon then authorizes the user based on group membership. Attention! If this is not configured, any domain user will be able to access the host.
  4. When sudo is attempted, the sssd daemon searches Active Directory for roles. If roles exist, the user's attributes and group membership are checked (if the sudoRoles are configured to use user groups).

Conclusion.

So, keys are stored in Active Directory user attributes, sudo permissions likewise, and login to Linux hosts for domain accounts is performed by checking Active Directory group membership.
The final wave of the conductor's baton, and the hall freezes in respectful silence.


Source: www.habr.com
