SSH keys and sudo together on stage again. Conducted by the Honorable Active Directory

Historically, sudo permissions were managed through the contents of the files in /etc/sudoers.d and visudo, and key-based authorization was done with ~/.ssh/authorized_keys. However, as an infrastructure grows, the wish to manage these rights centrally appears. Today there are several options for solving this:

  • Configuration management systems - Chef, Puppet, Ansible, Salt
  • Active Directory + sssd
  • Various contortions in the form of scripts and manual editing of files

In my humble opinion, the best option for centralized management is still the Active Directory + sssd combination. The advantages of this approach are:

  • A truly single, centralized directory of users.
  • Granting sudo rights comes down to adding the user to a specific security group.
  • With different Linux systems, configuration management systems would need additional checks to detect the OS.

Today's suite is dedicated specifically to the Active Directory + sssd combination, for managing sudo rights and keeping ssh keys in a single repository.
So, the hall fell into a tense silence, the conductor raised his baton, and the orchestra got ready.
Let's go.

Given:
- Active Directory domain testopf.local on Windows Server 2012 R2.
- A Linux host running CentOS 7
- Authorization configured using sssd

Both solutions make changes to the Active Directory schema, so we test everything in a test environment first and only then make the changes in the production infrastructure. Please note that all changes are targeted and, in fact, only add the necessary attributes and classes.

Act 1: managing sudo roles via Active Directory.

To extend the Active Directory schema you need to download the latest sudo release - 1.8.27 as of today. Unpack it and copy the schema.ActiveDirectory file from the ./doc directory to the domain controller. From a command prompt with administrator rights, in the directory the file was copied to, run:

ldifde -i -f schema.ActiveDirectory -c dc=X dc=testopf,dc=local

(Don't forget to substitute your own values.)
Open adsiedit.msc and connect to the default naming context:
Create the sudoers OU in the root of the domain. (Western sources stubbornly claim that this is the OU where the sssd daemon looks for sudoRole objects. However, after enabling verbose debug logging and studying the logs, it turned out that the search is performed across the whole directory tree.)
We create the first object of the sudoRole class in the OU. The name can be chosen arbitrarily, since it serves only for convenient identification.
Among the attributes that the schema extension provides, the main ones are the following:

  • sudoCommand - determines which commands may be executed on the host.
  • sudoHost - determines which hosts this role applies to. It can be set to ALL, or to an individual host by name. A mask can also be used.
  • sudoUser - specifies which users are allowed to run sudo.
    If you specify a security group, add a "%" sign at the beginning of the name. If the group name contains spaces, there is nothing to worry about. Judging by the logs, the job of escaping spaces is taken over by the sssd machinery.
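As an added example (not from the original article), here is the LDIF for the kind of sudoRole objects described above, so they can be loaded with ldifde or ldapmodify instead of being clicked together in adsiedit.msc. The OU, domain and group names follow the article; the role names are made up for this example.

```shell
#!/bin/sh
# sudo_role_ldif NAME GROUP HOST CMD... -> LDIF for one sudoRole object under
# ou=sudoers in the domain root, as the article describes.
sudo_role_ldif() {
    name=$1; group=$2; host=$3; shift 3
    printf 'dn: cn=%s,ou=sudoers,dc=testopf,dc=local\n' "$name"
    printf 'objectClass: top\nobjectClass: sudoRole\n'
    printf 'cn: %s\n' "$name"
    # A security group gets a leading "%". Spaces in the group name are written
    # as-is; sssd handles the escaping when it queries the directory.
    printf 'sudoUser: %%%s\n' "$group"
    # ALL, a single host name, or a mask.
    printf 'sudoHost: %s\n' "$host"
    # One sudoCommand value per allowed command (or ALL). sudoRunAsUser is
    # left out, so commands run as sudo's default target user, root.
    for cmd in "$@"; do
        printf 'sudoCommand: %s\n' "$cmd"
    done
    printf '\n'
}

# The two roles that match the "sudo -l" output later in the article:
# members of admins_ may run ls and cat as root, members of sudo_root anything.
sudo_role_ldif ops_ls_cat 'admins_' ALL /usr/bin/ls /usr/bin/cat
sudo_role_ldif full_root 'sudo_root' ALL ALL
```

Pipe the output into ldapmodify -a (or save it and import it with ldifde -i) against a test domain before touching production.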

Figure 1. sudoRole objects in the sudoers OU of the directory root

Figure 2. Membership of the security groups specified in the sudoRole objects.

The following setup is done on the Linux side.
In the /etc/nsswitch.conf file, add a line at the end of the file:

sudoers: files sss

In the /etc/sssd/sssd.conf file, in the [sssd] section, add the sudo service:

cat /etc/sssd/sssd.conf | grep services
services = nss, pam, sudo

After all these operations, you need to clear the sssd daemon's cache. Automatic refreshes happen every 6 hours, but why should we wait that long when we want it now?

sss_cache -E

It often happens that clearing the cache does not help. Then we stop the service, wipe the database, and start the service again.

service sssd stop
rm -rf /var/lib/sss/db/*
service sssd start

We log in as the first user and check what is available to them under sudo:

su user1
[user1@testsshad log]$ id
uid=1109801141(user1) gid=1109800513(domain users) groups=1109800513(domain users),1109801132(admins_)
[user1@testsshad log]$ sudo -l
[sudo] password for user1:
Matching Defaults entries for user1 on testsshad:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin:/bin:/usr/sbin:/usr/bin

User user1 may run the following commands on testsshad:
    (root) /usr/bin/ls, /usr/bin/cat

We do the same with our second user:

su user2
[user2@testsshad log]$ id
uid=1109801142(user2) gid=1109800513(domain users) groups=1109800513(domain users),1109801138(sudo_root)
[user2@testsshad log]$ sudo -l
Matching Defaults entries for user2 on testsshad:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin:/bin:/usr/sbin:/usr/bin

User user2 may run the following commands on testsshad:
    (root) ALL

This approach allows sudo roles for different groups of users to be defined centrally.

Storing and using ssh keys in Active Directory

With a small schema extension, it is possible to store ssh keys in the attributes of an Active Directory user and use them for authorization on Linux hosts.

Authorization via sssd must already be configured.
Add the required attribute using a PowerShell script.
AddsshPublicKeyAttribute.ps1:

function New-AttributeID {
    # Build a unique OID under Microsoft's prefix for locally generated schema
    # OIDs: a fresh GUID is cut into seven hex chunks, each appended as a decimal.
    $Prefix="1.2.840.113556.1.8000.2554"
    $GUID=[System.Guid]::NewGuid().ToString()
    $Parts=@()
    $Parts+=[UInt64]::Parse($GUID.SubString(0,4),"AllowHexSpecifier")
    $Parts+=[UInt64]::Parse($GUID.SubString(4,4),"AllowHexSpecifier")
    $Parts+=[UInt64]::Parse($GUID.SubString(9,4),"AllowHexSpecifier")
    $Parts+=[UInt64]::Parse($GUID.SubString(14,4),"AllowHexSpecifier")
    $Parts+=[UInt64]::Parse($GUID.SubString(19,4),"AllowHexSpecifier")
    $Parts+=[UInt64]::Parse($GUID.SubString(24,6),"AllowHexSpecifier")
    $Parts+=[UInt64]::Parse($GUID.SubString(30,6),"AllowHexSpecifier")
    $oid=[String]::Format("{0}.{1}.{2}.{3}.{4}.{5}.{6}.{7}",$Prefix,$Parts[0],
        $Parts[1],$Parts[2],$Parts[3],$Parts[4],$Parts[5],$Parts[6])
    $oid
}

$schemaPath = (Get-ADRootDSE).schemaNamingContext
$oid = New-AttributeID
# A single-valued IA5 string attribute (attributeSyntax 2.5.5.5, oMSyntax 22)
$attributes = @{
    lDAPDisplayName = 'sshPublicKey';
    attributeId = $oid;
    oMSyntax = 22;
    attributeSyntax = "2.5.5.5";
    isSingleValued = $true;
    adminDescription = 'User Public key for SSH login';
}

# Create the attribute in the schema partition and allow the user class to carry it
New-ADObject -Name sshPublicKey -Type attributeSchema -Path $schemaPath -OtherAttributes $attributes
$userSchema = Get-ADObject -SearchBase $schemaPath -Filter 'name -eq "user"'
$userSchema | Set-ADObject -Add @{mayContain = 'sshPublicKey'}

After adding the attribute, you must restart Active Directory Domain Services.
Let's move on to the Active Directory users. We generate a key pair for the ssh connection using whatever method is convenient for you.
We launch PuTTYgen, press the "Generate" button and move the mouse around the empty area.
When the process is complete, we can save the public and private keys, put the public key into the Active Directory user's attribute and enjoy the result. However, the public key must be taken from the field "Public key for pasting into OpenSSH authorized_keys file:".
Add the key to the user's attribute.
Option 1 - GUI:
Option 2 - PowerShell:
get-aduser user1 | set-aduser -add @{sshPublicKey = 'AAAAB...XAVnX9ZRJJ0p/Q=='}
So, at this point we have: a user with a populated sshPublicKey attribute, and a PuTTY client configured for key authorization. One small matter remains: how to make the sshd daemon pull the public key we need out of the user's attributes. A small script found on the Western Internet handles this successfully.

cat /usr/local/bin/fetchSSHKeysFromLDAP
#!/bin/sh
# sshd passes the login name as $1; the part before any "@" is used as sAMAccountName.
# BIND_ACCOUNT is a placeholder for the directory account used to bind.
# The sed part joins the LDIF continuation lines and prints the bare attribute value.
ldapsearch -h testmdt.testopf.local -xb "dc=testopf,dc=local" '(sAMAccountName='"${1%@*}"')' -D BIND_ACCOUNT@testopf.local -w superSecretPassword 'sshPublicKey' | sed -n '/^ /{H;d};/sshPublicKey:/x;$g;s/\n *//g;s/sshPublicKey: //gp'

We set its permissions to 0500 for root.

chmod 0500  /usr/local/bin/fetchSSHKeysFromLDAP

In this example, an administrator account is used to bind to the directory. In production there must be a separate account with a minimal set of rights.
I was greatly bothered by the password sitting in cleartext inside the script, despite the permissions set.
A solution option:

  • Store the password in a separate file:
    echo -n superSecretPassword > /usr/local/etc/secretpass

  • Set the file's permissions to 0500 for root
    chmod 0500 /usr/local/etc/secretpass

  • Change the ldapsearch parameters: the -w superSecretPassword parameter I replace with -y /usr/local/etc/secretpass
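As an added example (not the article's script), the work of the sed one-liner in fetchSSHKeysFromLDAP written as a function over ldapsearch's LDIF output, so it can be tested offline. It unfolds wrapped values exactly (one leading space per continuation line, so spaces inside a folded key comment survive), decodes the "sshPublicKey::" base64 form that ldapsearch uses for values it will not print raw, and goes slightly beyond the article by printing one authorized_keys line per value, which also covers a multi-valued variant of the attribute. BIND_USER is a placeholder for your own bind account; the sample keys are constructed, not real.

```shell
#!/bin/sh
# unwrap_ssh_keys < ldif  -> authorized_keys lines, one per sshPublicKey value
unwrap_ssh_keys() {
    awk '
        /^ / { buf = buf substr($0, 2); next }   # continuation: append, minus its leading space
        { if (buf != "") print buf; buf = $0 }
        END { if (buf != "") print buf }
    ' | while IFS= read -r line; do
        case $line in
            "sshPublicKey:: "*) printf '%s' "${line#sshPublicKey:: }" | base64 -d; echo ;;
            "sshPublicKey: "*)  printf '%s\n' "${line#sshPublicKey: }" ;;
        esac
    done
}

# The AuthorizedKeysCommand wrapper as the article configures it, with the password
# read from the file via -y instead of -w. Not run here; needs the domain controller.
fetch_ssh_keys_from_ldap() {
    ldapsearch -h testmdt.testopf.local -xb "dc=testopf,dc=local" \
        '(sAMAccountName='"${1%@*}"')' -D BIND_USER@testopf.local \
        -y /usr/local/etc/secretpass sshPublicKey | unwrap_ssh_keys
}

# Constructed sample (not real keys) of ldapsearch output for a user with two
# values: the first folded onto a continuation line, the second base64-encoded.
KEY1='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyOneExampleKey user1@laptop'
KEY2='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyTwo user1@desktop'
SAMPLE_LDIF="dn: CN=user1,CN=Users,DC=testopf,DC=local
sshPublicKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyOneExam
 pleKey user1@laptop
sshPublicKey:: $(printf '%s' "$KEY2" | base64 | tr -d '\n')

search: 2
result: 0 Success
"

# fetch_sample_keys -> the two keys above, reassembled, one per line
fetch_sample_keys() { printf '%s' "$SAMPLE_LDIF" | unwrap_ssh_keys; }
```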

The last item on today's agenda is to configure sshd_config:

cat /etc/ssh/sshd_config | egrep -v -E "#|^$" | grep -E "AuthorizedKeysCommand|PubkeyAuthe"
PubkeyAuthentication yes
AuthorizedKeysCommand /usr/local/bin/fetchSSHKeysFromLDAP
AuthorizedKeysCommandUser root
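As an added example (not from the article), a check that the Linux-side settings required above are actually in place: the sudoers source in nsswitch.conf, the sudo responder in sssd.conf, and the three sshd_config directives. It serves both the sssd setup earlier and the sshd_config step here; it reads the files by path so it runs against the constructed copies below as well as the real files on a host.

```shell
#!/bin/sh
# check_sudo_ad_config NSSWITCH SSSD_CONF SSHD_CONFIG -> 0 if every setting is present,
# otherwise 1 with one line per missing setting.
check_sudo_ad_config() {
    nss=$1; sssd=$2; sshd=$3; rc=0
    # sudoers lookups must include the sss source
    grep -Eq '^[[:space:]]*sudoers:.*[[:space:]]sss([[:space:]]|$)' "$nss" \
        || { echo "nsswitch.conf: no 'sudoers: ... sss' line"; rc=1; }
    # the sudo responder must be listed in services of the [sssd] section
    awk '/^\[/ { s = $0 }
         s == "[sssd]" && /^[[:space:]]*services[[:space:]]*=/ && /sudo/ { f = 1 }
         END { exit f ? 0 : 1 }' "$sssd" \
        || { echo "sssd.conf: 'sudo' missing from services in [sssd]"; rc=1; }
    # sshd must accept keys and ask the directory for them via the script, as root
    grep -Eiq '^[[:space:]]*PubkeyAuthentication[[:space:]]+yes' "$sshd" \
        || { echo "sshd_config: PubkeyAuthentication is not yes"; rc=1; }
    grep -Eq '^[[:space:]]*AuthorizedKeysCommand[[:space:]]+/' "$sshd" \
        || { echo "sshd_config: AuthorizedKeysCommand not set"; rc=1; }
    grep -Eq '^[[:space:]]*AuthorizedKeysCommandUser[[:space:]]+[^[:space:]]' "$sshd" \
        || { echo "sshd_config: AuthorizedKeysCommandUser not set"; rc=1; }
    return $rc
}

# Constructed copies of the three files with the article's settings applied,
# plus an sssd.conf where the sudo responder was forgotten (the check must flag it).
tmp=$(mktemp -d)
printf 'passwd: files sss\nsudoers: files sss\n' > "$tmp/nsswitch.conf"
printf '[sssd]\nservices = nss, pam, sudo\ndomains = testopf.local\n' > "$tmp/sssd.conf"
printf '[sssd]\nservices = nss, pam\n' > "$tmp/sssd-nosudo.conf"
printf 'PubkeyAuthentication yes\nAuthorizedKeysCommand /usr/local/bin/fetchSSHKeysFromLDAP\nAuthorizedKeysCommandUser root\n' > "$tmp/sshd_config"

good_config() { check_sudo_ad_config "$tmp/nsswitch.conf" "$tmp/sssd.conf" "$tmp/sshd_config"; }
bad_config()  { check_sudo_ad_config "$tmp/nsswitch.conf" "$tmp/sssd-nosudo.conf" "$tmp/sshd_config"; }
```

On a real host call it as check_sudo_ad_config /etc/nsswitch.conf /etc/sssd/sssd.conf /etc/ssh/sshd_config.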

As a result, with key authorization set up on the ssh client, we get the following sequence:

  1. The user connects to the server, specifying their login.
  2. The sshd daemon, via the script, pulls the public key value from the user in Active Directory and performs key authorization.
  3. The sssd daemon authorizes the user based on group membership. Attention! If this is not configured, any domain user will have access to the host.
  4. On an attempt to use sudo, the sssd daemon searches Active Directory for roles. If roles are present, the user's attributes and group membership are checked (if the sudoRoles are configured to use user groups).

Result.

So, the keys are stored in Active Directory user attributes, sudo permissions likewise, and access to Linux hosts with domain accounts is granted by checking Active Directory group membership.
The final wave of the conductor's baton, and the hall freezes in reverent silence.

Materials used in writing:

Sudo via Active Directory
Ssh keys via Active Directory
PowerShell script that adds an attribute to the Active Directory schema
Stable sudo release

Source: www.habr.com
