SSH and sudo, winners of international competitions, are back on stage. Conducted by the distinguished Active Directory conductor

Historically, sudo permissions have been managed through the contents of the files in /etc/sudoers.d and with visudo, and key-based authentication through ~/.ssh/authorized_keys. As the infrastructure grows, however, the desire arises to manage these rights centrally. Today there are several possible solutions:

  • Configuration management systems: Chef, Puppet, Ansible, Salt
  • Active Directory + sssd
  • Assorted perversions in the form of scripts and manual file editing

In my humble opinion, the best option for centralized management is still the Active Directory + sssd combination. The advantages of this approach:

  • A genuinely single, centralized user directory.
  • Granting sudo rights boils down to adding a user to a specific security group.
  • With a mix of Linux distributions, configuration management systems need extra checks to determine the OS; this approach does not.

Today's suite is devoted specifically to the Active Directory + sssd combination for managing sudo rights and keeping SSH keys in a single store.
So, the hall has fallen into a tense silence, the conductor raises his baton, the orchestra is ready.
Let's go.

Given:
- Active Directory domain testopf.local on Windows Server 2012 R2.
- A Linux host running CentOS 7
- Authentication already configured through sssd
Both solutions change the Active Directory schema, so everything is checked in a test environment first and only then rolled out to the production infrastructure. I would like to note that all the changes are targeted and, in fact, only add the necessary attributes and classes.

Step 1: Managing sudo roles through Active Directory.

To extend the Active Directory schema you need to download the latest sudo release, 1.8.27 at the time of writing. Unpack it and copy the file schema.ActiveDirectory from the ./doc directory to the domain controller. From an elevated command prompt, in the directory the file was copied to, run:
ldifde -i -f schema.ActiveDirectory -c dc=X dc=testopf,dc=local
(Don't forget to substitute your own values.)
Open adsiedit.msc and connect to the default naming context:
Create an organizational unit named sudoers at the root of the domain. (Western write-ups stubbornly insist that this is the unit in which the sssd daemon looks for sudoRole objects. However, after turning on detailed debugging and reading the logs, it turned out that the search covers the entire directory tree.)
In this unit, create the first object of class sudoRole. The name can be chosen completely arbitrarily, since it serves only for convenient identification.
Of the attributes made available by the schema extension, the main ones are:

  • sudoCommand - determines which commands may be run on the host.
  • sudoHost - determines which hosts the role applies to. It can be set to ALL, or to individual hosts by name. Masks (wildcards) are also possible.
  • sudoUser - specifies which users are allowed to run sudo.
    To specify a security group, prefix its name with "%". If the group name contains spaces, there is nothing to worry about: judging by the logs, the sssd daemon takes care of escaping the spaces.

Figure 1. sudoRole object in the sudoers OU at the root of the domain.

Figure 2. Membership in the security groups specified in the sudoRole objects.
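The sudoRole objects can also be created from the Linux host instead of clicking through adsiedit.msc. The script below is an added example and not part of the article: it builds the LDIF for the two roles that the sudo -l output further down implies (ls and cat for members of admins_, ALL for members of sudo_root) and applies it with ldapadd from openldap-clients. The DC host name, bind DN and password file path are assumptions; set APPLY=1 to actually write to the directory.

```shell
#!/bin/sh
# Added example (not from the article): generate the LDIF for sudoRole objects
# matching the two roles shown later (ls/cat for %admins_, ALL for %sudo_root)
# and apply it from the Linux host with ldapadd. The DC host name, bind DN and
# password file are assumptions for illustration.
set -eu

BASE_DN=${BASE_DN:-dc=testopf,dc=local}
LDAP_URI=${LDAP_URI:-ldaps://testmdt.testopf.local}                 # assumed DC
BIND_DN=${BIND_DN:-CN=schema-admin,CN=Users,dc=testopf,dc=local}   # assumed account
BIND_PW_FILE=${BIND_PW_FILE:-/usr/local/etc/secretpass}           # assumed path

# sudo only matches fully qualified command paths (or the keyword ALL);
# a bare "ls" in sudoCommand silently never matches.
check_sudo_command() {
  case $1 in
    ALL|/*) return 0 ;;
    *) printf 'sudoCommand must be ALL or an absolute path: %s\n' "$1" >&2; return 1 ;;
  esac
}

# Emit one sudoRole entry in LDIF.
# $1 = cn, $2 = sudoHost, $3 = sudoUser (prefix a group with %), $4.. = sudoCommand values
sudo_role_ldif() {
  local cn=$1 host=$2 user=$3 c
  shift 3
  printf 'dn: CN=%s,OU=sudoers,%s\n' "$cn" "$BASE_DN"
  printf 'objectClass: top\nobjectClass: sudoRole\n'
  printf 'cn: %s\n' "$cn"
  printf 'sudoHost: %s\n' "$host"
  printf 'sudoUser: %s\n' "$user"
  for c in "$@"; do
    check_sudo_command "$c" || return 1
    printf 'sudoCommand: %s\n' "$c"
  done
  printf '\n'   # a blank line separates LDIF entries
}

# Apply LDIF from stdin to the DC over LDAPS (ldapadd ships in openldap-clients,
# the same package that provides ldapsearch).
apply_ldif() {
  ldapadd -H "$LDAP_URI" -x -D "$BIND_DN" -y "$BIND_PW_FILE"
}

if [ "${APPLY:-0}" = 1 ]; then
  {
    sudo_role_ldif admins_ls_cat ALL '%admins_' /usr/bin/ls /usr/bin/cat
    sudo_role_ldif sudo_root_all ALL '%sudo_root' ALL
  } | apply_ldif
fi
```

After the objects exist, the quickest check from the Linux side is sudo -l -U user1 once the sssd cache has been refreshed as described below; the roles are read from the whole tree, so the OU name is only a convention.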

The following settings are made on the Linux side.
In /etc/nsswitch.conf add this line at the end of the file:

sudoers: files sss

In /etc/sssd/sssd.conf, in the [sssd] section, add sudo to services:

cat /etc/sssd/sssd.conf | grep services
services = nss, pam, sudo

After all these operations the sssd daemon cache must be cleared. It refreshes automatically every 6 hours, but why wait that long when we want it now?

sss_cache -E

It often happens that clearing the cache does not help. In that case stop the service, wipe the database and start the service again.

service sssd stop
rm -rf /var/lib/sss/db/*
service sssd start

Log in as the first user and check what sudo allows him:

su user1
[user1@testsshad log]$ id
uid=1109801141(user1) gid=1109800513(domain users) groups=1109800513(domain users),1109801132(admins_)
[user1@testsshad log]$ sudo -l
[sudo] password for user1:
Matching Defaults entries for user1 on testsshad:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin:/bin:/usr/sbin:/usr/bin

User user1 may run the following commands on testsshad:
    (root) /usr/bin/ls, /usr/bin/cat

Do the same with our second user:

su user2
[user2@testsshad log]$ id
uid=1109801142(user2) gid=1109800513(domain users) groups=1109800513(domain users),1109801138(sudo_root)
[user2@testsshad log]$ sudo -l
Matching Defaults entries for user2 on testsshad:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin:/bin:/usr/sbin:/usr/bin

User user2 may run the following commands on testsshad:
    (root) ALL

This method lets you define sudo roles centrally for different groups of users.

Storing and using ssh keys in Active Directory

With a small extension of the schema, it is possible to store ssh public keys in Active Directory user attributes and use them for authentication on Linux hosts.

Authentication through sssd must already be configured.
Add the required attribute using a PowerShell script.
AddsshPublicKeyAttribute.ps1
# Generate a unique OID under the Microsoft-assigned private prefix from a fresh GUID.
Function New-ObjectID {
    $Prefix = "1.2.840.113556.1.8000.2554"
    $GUID = [System.Guid]::NewGuid().ToString()
    $Parts = @()
    $Parts += [UInt64]::Parse($guid.SubString(0,4), "AllowHexSpecifier")
    $Parts += [UInt64]::Parse($guid.SubString(4,4), "AllowHexSpecifier")
    $Parts += [UInt64]::Parse($guid.SubString(9,4), "AllowHexSpecifier")
    $Parts += [UInt64]::Parse($guid.SubString(14,4), "AllowHexSpecifier")
    $Parts += [UInt64]::Parse($guid.SubString(19,4), "AllowHexSpecifier")
    $Parts += [UInt64]::Parse($guid.SubString(24,6), "AllowHexSpecifier")
    $Parts += [UInt64]::Parse($guid.SubString(30,6), "AllowHexSpecifier")
    $oid = [String]::Format("{0}.{1}.{2}.{3}.{4}.{5}.{6}.{7}", $prefix, $Parts[0],
        $Parts[1], $Parts[2], $Parts[3], $Parts[4], $Parts[5], $Parts[6])
    $oid
}
$schemaPath = (Get-ADRootDSE).schemaNamingContext
$oid = New-ObjectID
# IA5 string (attributeSyntax 2.5.5.5 / oMSyntax 22); single-valued, so one key per user.
$attributes = @{
    lDAPDisplayName = 'sshPublicKey';
    attributeId = $oid;
    oMSyntax = 22;
    attributeSyntax = "2.5.5.5";
    isSingleValued = $true;
    adminDescription = 'User public key for SSH login';
}

New-ADObject -Name sshPublicKey -Type attributeSchema -Path $schemapath -OtherAttributes $attributes
# Allow the new attribute on objects of class user.
$userSchema = Get-ADObject -SearchBase $schemapath -Filter 'name -eq "user"'
$userSchema | Set-ADObject -Add @{mayContain = 'sshPublicKey'}

After adding the attribute, Active Directory Domain Services must be restarted.
Let's move on to Active Directory users. Generate a key pair for the ssh connection using whatever method is convenient for you.
Launch PuTTYgen, click "Generate" and move the mouse vigorously within the blank area.
When the process finishes, we can save the public and private keys, upload the public key to the Active Directory user attribute and enjoy the result. Note, however, that the public key must be taken from the field "Public key for pasting into OpenSSH authorized_keys file:".
Add the key to the user attribute.
Option 1 - GUI:
Option 2 - PowerShell:
get-aduser user1 | set-aduser -add @{sshPublicKey = 'AAAAB...XAVnX9ZRJJ0p/Q=='}
So, at this point we have: a user with a populated sshPublicKey attribute, and a PuTTY client configured for key authentication. One small point remains: how to make the sshd daemon pull the public key we need out of the user attributes. A small script found on the Western part of the Internet copes with that.

cat /usr/local/bin/fetchSSHKeysFromLDAP
#!/bin/sh
# $1 is the login name sshd passes in; ${1%@*} strips any @REALM suffix.
# The sed joins the wrapped continuation lines of the attribute value and prints only the key.
ldapsearch -h testmdt.testopf.local -xb "dc=testopf,dc=local" '(sAMAccountName='"${1%@*}"')' -D [email protected] -w superSecretPassword 'sshPublicKey' | sed -n '/^ /{H;d};/sshPublicKey:/x;$g;s/\n *//g;s/sshPublicKey: //gp'

Set its permissions to 0500 for root.

chmod 0500  /usr/local/bin/fetchSSHKeysFromLDAP

In this example an administrator account is used to bind to the directory. In production it must be a separate account with the minimum set of rights.
Personally, I am very uncomfortable with the password sitting in plain text in the script, regardless of the permissions set.
A possible solution:

  • I store the password in a separate file:
    echo -n Supersecretpassword > /usr/local/etc/secretpass

  • I set the file permissions to 0500 for root
    chmod 0500 /usr/local/etc/secretpass

  • Change the ldapsearch invocation: replace the parameter -w superSecretPassword with -y /usr/local/etc/secretpass

The -n in the echo matters: with -y, ldapsearch uses the file contents verbatim, so a trailing newline would become part of the password.
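Putting the script above and the password-file change together, here is a hardened version of the AuthorizedKeysCommand. It is an added example, not the script from the article or anyone's project code: the LDAP host, the bind DN and the file paths are assumptions. Beyond moving the password into a -y file, it addresses two things visible in the original one-liner: the login name sshd passes in is substituted into the LDAP filter unescaped, so it is restricted to a conservative sAMAccountName character set first; and the sed that joins folded lines strips every leading space of a continuation line, which corrupts a key that ldapsearch happened to fold right before a real space, so the joining is done with awk that keeps exactly the fold marker. The returned value is also checked to look like an OpenSSH public key before it is handed to sshd.

```shell
#!/bin/sh
# Added example (not the article's script): an AuthorizedKeysCommand that reads
# sshPublicKey from AD with the bind password in a file (-y) and validates both
# the login name and the returned key. Host, bind DN and file paths are assumptions.
set -eu

LDAP_URI=${LDAP_URI:-ldaps://testmdt.testopf.local}
BASE_DN=${BASE_DN:-dc=testopf,dc=local}
BIND_DN=${BIND_DN:-CN=svc-sshkeys,OU=service,dc=testopf,dc=local}   # assumed read-only account
PW_FILE=${PW_FILE:-/usr/local/etc/secretpass}                      # written with echo -n

# sshd passes the login name exactly as the client sent it, and the article's
# script substitutes it into the LDAP filter unescaped. Accept only a conservative
# sAMAccountName character set and strip a @REALM suffix; reject everything else.
valid_user() {
  local u
  u=${1%@*}
  case $u in
    ''|*[!A-Za-z0-9._-]*) return 1 ;;
  esac
  printf '%s\n' "$u"
}

# ldapsearch folds long values at 76 columns; continuation lines start with one
# space. Join them, keeping any real space that follows the fold marker.
unwrap_key() {
  awk '
    /^ / && key != ""   { key = key substr($0, 2); next }
    /^sshPublicKey: /   { key = substr($0, 15); next }
    key != ""           { print key; key = "" }
    END                 { if (key != "") print key }
  '
}

# Only hand sshd something that looks like an OpenSSH public key line.
valid_key() {
  printf '%s\n' "$1" | grep -Eq '^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$'
}

fetch_key() {
  local user
  user=$(valid_user "$1") || { echo "rejected login name" >&2; return 1; }
  ldapsearch -LLL -H "$LDAP_URI" -x -D "$BIND_DN" -y "$PW_FILE" -b "$BASE_DN" \
    "(&(objectClass=user)(sAMAccountName=$user))" sshPublicKey | unwrap_key
}

main() {
  local key
  key=$(fetch_key "$1") || exit 1
  [ -n "$key" ] || exit 1      # no key stored: non-zero exit, sshd falls through to AuthorizedKeysFile
  valid_key "$key" || { echo "sshPublicKey of $1 is not an OpenSSH key" >&2; exit 1; }
  printf '%s\n' "$key"
}

if [ $# -ge 1 ]; then
  main "$1"
fi
```

Install it in place of fetchSSHKeysFromLDAP with the same 0500 root-only permissions; sshd_config stays as shown below. The bind account only needs read access to sshPublicKey on user objects.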

The final chord of today's suite is editing sshd_config

cat /etc/ssh/sshd_config | egrep -v -E "#|^$" | grep -E "AuthorizedKeysCommand|PubkeyAuthe"
PubkeyAuthentication yes
AuthorizedKeysCommand /usr/local/bin/fetchSSHKeysFromLDAP
AuthorizedKeysCommandUser root

As a result, with key authentication configured in the ssh client, we get the following sequence:

  1. The user connects to the server, presenting his login name.
  2. The sshd daemon, via the script, extracts the public key value from the user object in Active Directory and performs key authentication.
  3. The sssd daemon then authorizes the user based on group membership. Attention! If this is not configured, any domain user will have access to the host.
  4. On an attempt to use sudo, the sssd daemon queries Active Directory for roles. If roles exist, the user's attributes and group membership are checked (if the sudoRoles are configured to use user groups).
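Step 3 is the easiest one to forget, and sssd's default access_provider is permit, which admits every domain user. The script below is an added example, not from the article: it reads an sssd.conf, reports which access provider and rule the domain section carries, and prints the fragment that limits logins to one AD group (the file path and group DN are assumptions). The filter uses AD's LDAP_MATCHING_RULE_IN_CHAIN OID so that nested group membership counts.

```shell
#!/bin/sh
# Added example (not from the article): report what an sssd.conf does about
# step 3 above, i.e. whether every domain user may log in or only members of a
# group, and print the fragment that restricts logins. Path and group DN are assumptions.
set -eu

# Print "<access_provider> <rule key>" for the first [domain/...] section.
# sssd's default access_provider is permit, which admits every domain user.
sssd_login_policy() {
  awk '
    /^\[/        { in_domain = ($0 ~ /^\[domain\//); next }
    !in_domain   { next }
    {
      k = $0; sub(/=.*$/, "", k); gsub(/[ \t]/, "", k)
      v = ""
      if (index($0, "=")) { v = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", v) }
    }
    k == "access_provider" { prov = v }
    (k == "ad_access_filter" || k == "ldap_access_filter" || k == "simple_allow_groups" || k == "simple_allow_users") && v != "" { rule = k }
    END { printf "%s %s\n", (prov == "" ? "permit" : prov), (rule == "" ? "none" : rule) }
  ' "$1"
}

# 0 when logins are limited by an explicit filter or allow-list, 1 otherwise
# (access_provider = ad without a filter still lets every enabled user in).
sssd_login_restricted() {
  set -- $(sssd_login_policy "$1")
  case "$1 $2" in
    "ad ad_access_filter"|"ldap ldap_access_filter"|"simple simple_allow_"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Fragment for the [domain/...] section: only members of the given group may log in.
# 1.2.840.113556.1.4.1941 is LDAP_MATCHING_RULE_IN_CHAIN, so nested groups count.
sssd_access_fragment() {
  printf 'access_provider = ad\nad_access_filter = (memberOf:1.2.840.113556.1.4.1941:=%s)\n' "$1"
}

if [ $# -ge 1 ]; then
  sssd_login_policy "$1"
fi
```

Run it as ./check.sh /etc/sssd/sssd.conf; anything reporting "permit none" means the host accepts every account in the domain, which is exactly the situation step 3 warns about. After changing the section, clear the cache with sss_cache -E as described earlier.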

Result.

So the keys are stored in Active Directory user attributes, sudo permissions likewise, and access to Linux hosts with domain accounts is granted by checking membership in an Active Directory group.
The final sweep of the conductor's baton, and the hall freezes in reverent silence.

Sources used in writing:

Sudo via Active Directory
Ssh keys via Active Directory
PowerShell script for adding an attribute to the Active Directory schema
sudo stable release

Source: www.habr.com
