The winners of the international SSH and sudo competition are back on stage. Conducted by the Distinguished Conductor

Historically, sudo permissions were managed through the contents of files in /etc/sudoers.d and visudo, and key-based authentication was handled through ~/.ssh/authorized_keys. As the infrastructure grows, however, there is a natural wish to manage these rights centrally. Today there are several ways to solve this:

  • A configuration management system: Chef, Puppet, Ansible, Salt
  • Active Directory + sssd
  • Assorted scripting and manual file editing

In my opinion, the best option for centralized management is still the combination Active Directory + sssd. The advantages of this approach are:

  • Genuinely one user directory for everything.
  • Granting sudo rights comes down to adding the user to a specific security group.
  • Unlike configuration management systems, which need extra checks to detect the OS when several Linux distributions are in play, nothing distribution-specific has to be maintained.

Today's suite is dedicated exclusively to the Active Directory + sssd combination for managing sudo rights and storing ssh keys in a single repository.
So, the hall fell silent, the conductor raised his baton, and the orchestra made ready.
Let's go.

Given:
- An Active Directory domain testopf.local on Windows Server 2012 R2.
- A Linux host running CentOS 7
- Authentication already configured through sssd
Both solutions change the Active Directory schema, so we test everything in a lab environment first and only then make the changes in the working infrastructure. I would like to point out that all of the changes are targeted and, in fact, add only the attributes and classes that are needed.

Act 1: managing sudo roles through Active Directory.

To extend the Active Directory schema you need to download the latest sudo release, 1.8.27 as of today. Unpack it and copy the file schema.ActiveDirectory from the ./doc directory to the domain controller. From a command prompt with administrator rights, in the directory the file was copied to, run:
ldifde -i -f schema.ActiveDirectory -c dc=X dc=testopf,dc=local
(Don't forget to substitute your own values)
Open adsiedit.msc and connect to the default naming context:
Create an organizational unit named sudoers at the root of the domain. (The developers insist that this is the unit in which the sssd daemon looks for sudoRole objects. However, after enabling verbose debugging and reading the logs, it turned out that the search is performed over the entire directory tree.)
In that unit we create the first object of class sudoRole. The name can be chosen freely, as it serves only for convenient identification.
Among the attributes provided by the schema extension, the main ones are:

  • sudoCommand - defines which commands may be executed on the host.
  • sudoHost - defines which host this role applies to. It can be set to ALL or to an individual host by name. A mask can also be used.
  • sudoUser - specifies which users are allowed to use sudo.
    If you specify a security group, prefix its name with the "%" sign. If the group name contains spaces, there is nothing to worry about: judging by the logs, the sssd machinery takes care of escaping the spaces.

Figure 1. sudoRole objects in the sudoers OU at the domain root

Figure 2. Membership in the security groups referenced by the sudoRole objects.

The following configuration is done on the Linux side.
In the file /etc/nsswitch.conf add a line at the end of the file:

sudoers: files sss

In the file /etc/sssd/sssd.conf, in the [sssd] section, add sudo to services:

cat /etc/sssd/sssd.conf | grep services
services = nss, pam, sudo

After all these operations you need to clear the sssd daemon cache. It refreshes automatically every 6 hours, but why wait that long when we want it now?

sss_cache -E

It often happens that clearing the cache does not help. Then we stop the service, wipe the database, and start the service again.

service sssd stop
rm -rf /var/lib/sss/db/*
service sssd start

We log in as the first user and check what is available to them under sudo:

su user1
[user1@testsshad log]$ id
uid=1109801141(user1) gid=1109800513(domain users) groups=1109800513(domain users),1109801132(admins_)
[user1@testsshad log]$ sudo -l
[sudo] password for user1:
Matching Defaults entries for user1 on testsshad:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin:/bin:/usr/sbin:/usr/bin

User user1 may run the following commands on testsshad:
    (root) /usr/bin/ls, /usr/bin/cat

We do the same for our second user:

su user2
[user2@testsshad log]$ id
uid=1109801142(user2) gid=1109800513(domain users) groups=1109800513(domain users),1109801138(sudo_root)
[user2@testsshad log]$ sudo -l
Matching Defaults entries for user2 on testsshad:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin:/bin:/usr/sbin:/usr/bin

User user2 may run the following commands on testsshad:
    (root) ALL

This approach lets you define sudo roles for different groups of users.

Storing and using ssh keys in Active Directory

With a small schema extension it is possible to store ssh keys in Active Directory user attributes and use them when authenticating on Linux hosts.

Authentication through sssd must already be configured.
Add the required attribute with a PowerShell script.

AddsshPublicKeyAttribute.ps1

# Builds a unique attribute OID under the Microsoft-assigned prefix for
# private schema extensions, using the hex groups of a fresh GUID as arc values.
Function New-AttributeID {
    $Prefix = "1.2.840.113556.1.8000.2554"
    $GUID = [System.Guid]::NewGuid().ToString()
    $Parts = @()
    $Parts += [UInt64]::Parse($GUID.SubString(0,4), "AllowHexSpecifier")
    $Parts += [UInt64]::Parse($GUID.SubString(4,4), "AllowHexSpecifier")
    $Parts += [UInt64]::Parse($GUID.SubString(9,4), "AllowHexSpecifier")
    $Parts += [UInt64]::Parse($GUID.SubString(14,4), "AllowHexSpecifier")
    $Parts += [UInt64]::Parse($GUID.SubString(19,4), "AllowHexSpecifier")
    $Parts += [UInt64]::Parse($GUID.SubString(24,6), "AllowHexSpecifier")
    $Parts += [UInt64]::Parse($GUID.SubString(30,6), "AllowHexSpecifier")
    $OID = [String]::Format("{0}.{1}.{2}.{3}.{4}.{5}.{6}.{7}", $Prefix, $Parts[0],
        $Parts[1], $Parts[2], $Parts[3], $Parts[4], $Parts[5], $Parts[6])
    $OID
}

$schemaPath = (Get-ADRootDSE).schemaNamingContext
$oid = New-AttributeID
# oMSyntax 22 with attributeSyntax 2.5.5.5 is an IA5 (printable ASCII) string,
# which is what an OpenSSH public key line is.
$attributes = @{
    lDAPDisplayName = 'sshPublicKey';
    attributeId = $oid;
    oMSyntax = 22;
    attributeSyntax = "2.5.5.5";
    isSingleValued = $true;
    adminDescription = 'User Public key for SSH login';
}

# Create the attribute in the schema, then allow it on the user class.
New-ADObject -Name sshPublicKey -Type attributeSchema -Path $schemaPath -OtherAttributes $attributes
$userSchema = Get-ADObject -SearchBase $schemaPath -Filter 'name -eq "user"'
$userSchema | Set-ADObject -Add @{mayContain = 'sshPublicKey'}

After adding the attribute, Active Directory Domain Services must be restarted.
Let's move on to the Active Directory users. We generate a key pair for the ssh connection by whatever method is convenient.
Launch PuTTYgen, click the "Generate" button and wiggle the mouse vigorously over the empty area.
When the process finishes we can save the public and private keys, load the public key into the Active Directory user attribute and enjoy the result. Note, however, that the public key must be taken from the field "Public key for pasting into OpenSSH authorized_keys file:".
Add the key to the user attribute.
Option 1 - GUI:
Option 2 - PowerShell:
get-aduser user1 | set-aduser -add @{sshPublicKey = 'AAAAB...XAVnX9ZRJJ0p/Q=='}
So, now we have: a user with the sshPublicKey attribute filled in, and a PuTTY client configured for key-based authentication. One small point remains: how to make the sshd daemon pull the public key we need out of the user attributes. A small script found on the Western Internet handles this nicely.

cat /usr/local/bin/fetchSSHKeysFromLDAP
#!/bin/sh
# sshd passes the login name as $1; ${1%@*} strips any @REALM suffix.
# BIND_ACCOUNT@testopf.local is a placeholder for the bind account; the
# original value did not survive extraction of this page.
# The sed program joins LDIF continuation lines (leading space) back into
# one value and strips the attribute name, leaving an authorized_keys line.
ldapsearch -h testmdt.testopf.local -xb "dc=testopf,dc=local" '(sAMAccountName='"${1%@*}"')' -D BIND_ACCOUNT@testopf.local -w superSecretPassword 'sshPublicKey' | sed -n '/^ /{H;d};/sshPublicKey:/x;$g;s/\n *//g;s/sshPublicKey: //gp'
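To see what that sed program actually does to ldapsearch output, here is an added example (not the article's script) that feeds it a constructed LDIF record with a folded sshPublicKey value and checks that the result has the shape of an authorized_keys line; the DN and key data are made up.

```shell
#!/bin/sh
# Added example: exercise the key-unfolding sed pipeline used by the
# AuthorizedKeysCommand script, offline, on a constructed ldapsearch result.
# ldapsearch emits LDIF, which folds long values onto continuation lines
# that begin with one space; the pipeline joins them back and strips the
# attribute name so sshd receives one authorized_keys line.

# Constructed LDIF shaped like an ldapsearch reply for user1. The key blob
# is placeholder text, not real key material.
SAMPLE_LDIF='# extended LDIF
dn: CN=user1,CN=Users,DC=testopf,DC=local
sAMAccountName: user1
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQ
 DUMMYKEYPART1
 DUMMYKEYPART2== user1@testopf.local

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1'

# The article's sed program, unchanged:
#   /^ /{H;d}            continuation line: append to hold space, skip it
#   /sshPublicKey:/x     attribute line: park it in the hold space
#   $g                   on the last input line, fetch the accumulated value
#   s/\n *//g            unfold the continuation lines
#   s/sshPublicKey: //gp drop the attribute name and print what is left
extract_ssh_key() {
    sed -n '/^ /{H;d};/sshPublicKey:/x;$g;s/\n *//g;s/sshPublicKey: //gp'
}

# Check a practitioner would add before pointing sshd at the script: the
# output must be an authorized_keys line (key type, blob, optional comment),
# otherwise sshd finds no usable key and public-key login fails.
looks_like_authorized_key() {
    case "$1" in
        "ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-sha2-nistp"*) return 0 ;;
        *) return 1 ;;
    esac
}

KEY_LINE=$(printf '%s\n' "$SAMPLE_LDIF" | extract_ssh_key)
echo "$KEY_LINE"
```

One caveat the pipeline does not cover: ldapsearch base64-encodes values it considers non-printable and prints them as "sshPublicKey:: <base64>", a form this sed does not decode, so a key whose comment contains non-ASCII characters would be dropped.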

We set its permissions to 0500, owned by root.

chmod 0500  /usr/local/bin/fetchSSHKeysFromLDAP

In this example the administrator account is used to bind to the directory. In production there should be a separate account with the minimum set of rights.
Personally, I was very uncomfortable with the password sitting in clear text inside the script, despite the permissions set on it.
The solution:

  • I store the password in a separate file:
    echo -n Supersecretpassword > /usr/local/etc/secretpass

  • I set the file permissions to 0500, owned by root:
    chmod 0500 /usr/local/etc/secretpass

  • I change the ldapsearch arguments: the parameter -w superSecretPassword is replaced with -y /usr/local/etc/secretpass

The final chord of today's suite is editing sshd_config:

cat /etc/ssh/sshd_config | egrep -v -E "#|^$" | grep -E "AuthorizedKeysCommand|PubkeyAuthe"
PubkeyAuthentication yes
AuthorizedKeysCommand /usr/local/bin/fetchSSHKeysFromLDAP
AuthorizedKeysCommandUser root

As a result, with key-based authentication configured on the ssh client, we get the following sequence:

  1. The user connects to the server, specifying their login name.
  2. The sshd daemon, via the script, pulls the public key value from the user's attribute in Active Directory and performs key-based authentication.
  3. The sssd daemon additionally authorizes the user based on group membership. Attention! If this is not configured, any domain user will have access to the host.
  4. When the user tries to run sudo, the sssd daemon searches Active Directory for roles. If roles exist, the user's attributes and group membership are checked (if the sudoRoles are configured to use user groups).

Results.

Thus, ssh keys are stored in Active Directory user attributes, sudo permissions likewise, and access to Linux hosts with a domain account is granted by checking membership in an Active Directory group.
The final wave of the conductor's baton, and the hall freezes in reverent silence.

Sources used in writing this:

Sudo with Active Directory
Ssh keys with Active Directory
PowerShell script for adding an attribute to the Active Directory schema
Stable sudo releases

source: www.habr.com
