I-ProHoster > Блог > Ukuphatha > Abaphumelele emiqhudelwaneni yamazwe ngamazwe i-SSH ne-sudo basesiteji futhi. Iholwa Umdidiyeli Wohlu Lwemibhalo Ovelele

Abaphumelele emiqhudelwaneni yamazwe ngamazwe i-SSH ne-sudo basesiteji futhi. Iholwa Umdidiyeli Wohlu Lwemibhalo Ovelele

Ngokomlando, izimvume ze-sudo bezilawulwa okuqukethwe kwamafayela asuka /etc/sudoers.d и ngithanda, futhi ukugunyazwa okuyinhloko kwenziwa kusetshenziswa ~/.ssh/authorized_keys. Nokho, njengoba ingqalasizinda ikhula, kunesifiso sokuphatha la malungelo endaweni eyodwa. Namuhla kungase kube nezinketho eziningi zesixazululo:

  • Uhlelo Lokuphatha Ukucushwa - Umpheki, Ipipi, Ansible, Salt
  • I-Active Directory + ssd
  • Ukuhlanekezelwa okuhlukahlukene ngendlela yemibhalo nokuhlelwa kwefayela okwenziwa ngesandla

Ngokombono wami oqondile, inketho engcono kakhulu yokuphatha okumaphakathi kuseyinhlanganisela I-Active Directory + ssd. Izinzuzo zale ndlela yilezi:

  • Ngempela uhla lwemibhalo lomsebenzisi oluphakathi nendawo.
  • Ukusatshalaliswa kwamalungelo sudo yehlela ekungezeni umsebenzisi eqenjini elithile lokuvikela.
  • Endabeni yamasistimu ahlukahlukene e-Linux, kuba kudingekile ukwethula ukuhlola okwengeziwe ukuze kutholwe i-OS uma usebenzisa amasistimu okumisa.

I-suite yanamuhla izonikezelwa ngokuqondile ekuxhumekeni I-Active Directory + ssd zokuphatha amalungelo sudo kanye nesitoreji ssh okhiye endaweni eyodwa.
Ngakho, ihholo labanda kuthe cwaka, umbhidisi waphakamisa induku yakhe, futhi i-orchestra yazilungiselela.
Hambani.

Inikezwe:
— Active Directory domain testopf.local ku-Windows Server 2012 R2.
- Umsingathi weLinux osebenzisa i-Centos 7
- Ukugunyazwa okumisiwe kusetshenziswa ssd
Zombili izixazululo zenza izinguquko ku-schema I-Active Directory, ngakho sihlola yonke into endaweni yokuhlola bese senza izinguquko engqalasizinda yokusebenza. Ngingathanda ukuqaphela ukuthi zonke izinguquko ziqondiswe futhi, empeleni, zengeza kuphela izimfanelo ezidingekayo namakilasi.

Isenzo 1: lawula sudo izindima ngokusebenzisa I-Active Directory.

Ukwandisa isifunda I-Active Directory udinga ukulanda ukukhishwa kwakamuva sudo — 1.8.27 kusukela namuhla. Khipha futhi ukopishe ifayela i-schema.ActiveDirectory kusuka kuhla lwemibhalo lwe-./doc kuya kusilawuli sesizinda. Kusukela kulayini womyalo onamalungelo omlawuli kusuka kunkomba lapho ifayela likopishwe khona, sebenzisa:
ldifde -i -f schema.ActiveDirectory -c dc=X dc=testopf,dc=local
(Ungakhohlwa ukushintsha amanani akho)
Vula adsiedit.msc futhi uxhume kumongo wokuzenzakalelayo:
Dala ukuhlukana kumsuka wesizinda amajezi. (Onxiwankulu basho ngenkani ukuthi kukulesi sigaba lapho idemoni likhona ssd usesha into sudoRole izinto. Nokho, ngemva kokuvula ukulungisa okunemininingwane nokufunda izingodo, kwavezwa ukuthi ukusesha kwenziwa kuso sonke isihlahla somkhombandlela.)
Sakha into yokuqala engeyesigaba esigabeni sudoRole. Igama lingakhethwa ngokunganaki, njengoba lisebenzela kuphela ukuhlonza okulula.
Phakathi kwezibaluli ezitholakalayo ezivela ekwandisweni kwe-schema, eziyinhloko yilezi ezilandelayo:

  • sudoCommand - inquma ukuthi yimiphi imiyalo evunyelwe ukuthi isetshenziswe kumsingathi.
  • sudoHost - inquma ukuthi le ndima izosebenza kubaphi abasingathi. Ingacaciswa ngokuthi KONKE, kanye nosokhaya ngamunye ngegama. Kungenzeka futhi ukusebenzisa imaski.
  • sudoUser - khombisa ukuthi yibaphi abasebenzisi abavunyelwe ukuthi basebenzise sudo.
    Uma ucacisa iqembu lezokuphepha, engeza uphawu “%” ekuqaleni kwegama. Uma kunezikhala egameni leqembu, akukho okumele ukhathazeke ngakho. Uma ubheka izingodo, umsebenzi wokubalekela izikhala uthathwa ngomshini ssd.

Abaphumelele emiqhudelwaneni yamazwe ngamazwe i-SSH ne-sudo basesiteji futhi. Iholwa Umdidiyeli Wohlu Lwemibhalo Ovelele
Umdwebo 1. Izinto ze-sudoRole ekwahlukanisweni kwe-sudoers kumsuka wohla lwemibhalo

Abaphumelele emiqhudelwaneni yamazwe ngamazwe i-SSH ne-sudo basesiteji futhi. Iholwa Umdidiyeli Wohlu Lwemibhalo Ovelele
Umfanekiso 2. Ubulungu emaqenjini okuvikela acaciswe ezintweni ze-sudoRole.

Ukusetha okulandelayo kwenziwa ohlangothini lwe-Linux.
Kufayela /etc/nsswitch.conf engeza umugqa ekupheleni kwefayela:

sudoers: files sss

Kufayela /etc/sssd/sssd.conf esigabeni [ssd] engeza kumasevisi sudo

cat /etc/sssd/sssd.conf | grep services
services = nss, pam, sudo

Ngemuva kwayo yonke imisebenzi, udinga ukusula inqolobane ye-sssd daemon. Izibuyekezo ezizenzakalelayo zenzeka njalo emahoreni angu-6, kodwa kungani kufanele silinde isikhathi eside kangaka uma sikufuna manje?

sss_cache -E

Ngokuvamile kwenzeka ukuthi ukusula i-cache akusizi. Bese simisa isevisi, sihlanze i-database, futhi siqale isevisi.

service sssd stop
rm -rf /var/lib/sss/db/*
service sssd start

Sixhuma njengomsebenzisi wokuqala futhi sihlole ukuthi yini etholakala kuye ngaphansi kwe-sudo:

su user1
[user1@testsshad log]$ id
uid=1109801141(user1) gid=1109800513(domain users) groups=1109800513(domain users),1109801132(admins_)
[user1@testsshad log]$ sudo -l
[sudo] password for user1:
Matching Defaults entries for user1 on testsshad:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin:/bin:/usr/sbin:/usr/bin

User user1 may run the following commands on testsshad:
    (root) /usr/bin/ls, /usr/bin/cat

Senza okufanayo nakumsebenzisi wethu wesibili:

su user2
[user2@testsshad log]$ id
uid=1109801142(user2) gid=1109800513(domain users) groups=1109800513(domain users),1109801138(sudo_root)
[user2@testsshad log]$ sudo -l
Matching Defaults entries for user2 on testsshad:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin:/bin:/usr/sbin:/usr/bin

User user2 may run the following commands on testsshad:
    (root) ALL

Le ndlela ikuvumela ukuthi uchaze phakathi izindima ze-sudo zamaqembu ahlukene abasebenzisi.

Ukugcina nokusebenzisa okhiye be-ssh Kuhla Lwemibhalo Olusebenzayo

Ngokunwebeka kancane kohlelo, kuyenzeka ugcine okhiye be-ssh kuzibaluli zomsebenzisi woHlelo Olusebenzayo futhi uzisebenzise lapho ugunyaza kubasingathi be-Linux.

Ukugunyazwa nge-sssd kufanele kulungiselelwe.
Engeza isibaluli esidingekayo usebenzisa umbhalo we-PowerShell.
AddsshPublicKeyAttribute.ps1Umsebenzi we-New-AttributeID {
$Prefix="1.2.840.113556.1.8000.2554"
$GUID=[System.Guid]::NewGuid().ToString()
$Parts=@()
$Parts+=[UInt64]::Hlukanisa($guid.SubString(0,4),“AllowHexSpecifier”)
$Parts+=[UInt64]::Hlukanisa($guid.SubString(4,4),“AllowHexSpecifier”)
$Parts+=[UInt64]::Hlukanisa($guid.SubString(9,4),“AllowHexSpecifier”)
$Parts+=[UInt64]::Hlukanisa($guid.SubString(14,4),“AllowHexSpecifier”)
$Parts+=[UInt64]::Hlukanisa($guid.SubString(19,4),“AllowHexSpecifier”)
$Parts+=[UInt64]::Hlukanisa($guid.SubString(24,6),“AllowHexSpecifier”)
$Parts+=[UInt64]::Hlukanisa($guid.SubString(30,6),“AllowHexSpecifier”)
$oid=[String]::Format(«{0}.{1}.{2}.{3}.{4}.{5}.{6}.{7}»,$prefix,$Parts[0],
$Parts[1],$Parts[2],$Parts[3],$Parts[4],$Parts[5],$Parts[6])
$oid
}
$schemaPath = (Get-ADRootDSE).schemaNamingContext
$oid =I-New-AttributeID
$izimfanelo = @{
lDAPDisplayName = 'sshPublicKey';
attributeId = $oid;
oMSyntax = 22;
attributeSyntax = "2.5.5.5";
isSingleValued = $true;
adminDescription = 'Ukhiye Womsebenzisi Womphakathi wokungena nge-SSH';
}

I-New-ADObject -Igama elithi sshPublicKey -Thayipha isibaluliSchema -Indlela engu-$schemapath -EzinyeIzimfanelo $attributes
$userSchema = get-adobject -SearchBase $schemapath -Hlunga 'igama -eq "umsebenzisi"'
$userSchema | Setha-ADObject -Engeza @{mayContain = 'sshPublicKey'}

Ngemva kokungeza isibaluli, kufanele uqale kabusha Amasevisi Esizinda Sesizinda Semibhalo Esebenzayo.
Asidlulele kubasebenzisi bohlu lwemibhalo olusebenzayo. Sizokhiqiza ipheya yokhiye yokuxhumeka kwe-ssh sisebenzisa noma iyiphi indlela ekulungele wena.
Sethula i-PuttyGen, cindezela inkinobho ethi "Khiqiza" bese uhambisa igundane ngokukhululekile endaweni engenalutho.
Ngemva kokuqeda inqubo, singakwazi ukulondoloza okhiye basesidlangalaleni nabayimfihlo, silayishe ukhiye osesidlangalaleni kusibaluli somsebenzisi woHlelo Olusebenzayo futhi sijabulele inqubo. Nokho, ukhiye womphakathi kumele usetshenziswe ku-"Ukhiye osesidlangalaleni wokunamathisela kufayela le-OpenSSH authorized_keys:".
Abaphumelele emiqhudelwaneni yamazwe ngamazwe i-SSH ne-sudo basesiteji futhi. Iholwa Umdidiyeli Wohlu Lwemibhalo Ovelele
Engeza ukhiye kusibaluli somsebenzisi.
Inketho 1 - GUI:
Abaphumelele emiqhudelwaneni yamazwe ngamazwe i-SSH ne-sudo basesiteji futhi. Iholwa Umdidiyeli Wohlu Lwemibhalo Ovelele
Inketho 2 - PowerShell:
get-aduser user1 | set-aduser -add @{sshPublicKey = 'AAAAB...XAVnX9ZRJJ0p/Q=='}
Ngakho-ke, okwamanje sinalo: umsebenzisi onesibaluli se-sshPublicKey esigcwalisiwe, iklayenti le-Putty elimisiwe ukuze ligunyazwe kusetshenziswa okhiye. Kusele iphuzu elilodwa elincane: indlela yokuphoqa i-daemon ye-sshd ukuthi ikhiphe ukhiye womphakathi esiwudingayo kuzibaluli zomsebenzisi. Umbhalo omncane otholakala ku-inthanethi yonxiwankulu ungabhekana ngokuphumelelayo nalokhu.

cat /usr/local/bin/fetchSSHKeysFromLDAP
#!/bin/sh
ldapsearch -h testmdt.testopf.local -xb "dc=testopf,dc=local" '(sAMAccountName='"${1%@*}"')' -D [email protected] -w superSecretPassword 'sshPublicKey' | sed -n '/^ /{H;d};/sshPublicKey:/x;$g;s/n *//g;s/sshPublicKey: //gp'

Setha izimvume kuso ukuze 0500 impande.

chmod 0500  /usr/local/bin/fetchSSHKeysFromLDAP

Kulesi sibonelo, i-akhawunti yomlawuli isetshenziselwa ukuhlanganisa uhla lwemibhalo. Ezimweni zokulwa kufanele kube ne-akhawunti ehlukile enesethi encane yamalungelo.
Mina ngokwami ​​ngidideke kakhulu ngesikhathi sephasiwedi esesimweni esihlanzekile esibhalweni, naphezu kwamalungelo asethiwe.
Isixazululo senketho:

  • Ngigcina iphasiwedi efayeleni elihlukile: 
    echo -n Supersecretpassword > /usr/local/etc/secretpass

  • Ngibeka izimvume zefayela ku-0500 ze-root 
    chmod 0500 /usr/local/etc/secretpass

  • Ukushintsha amapharamitha wokuqalisa we-ldapsearch: ipharamitha -w superSecretPassword Ngiyishintshela -y /usr/local/etc/secretpass

Ichord yokugcina ku-suite yanamuhla ukuhlela sshd_config

cat /etc/ssh/sshd_config | egrep -v -E "#|^$" | grep -E "AuthorizedKeysCommand|PubkeyAuthe"
PubkeyAuthentication yes
AuthorizedKeysCommand /usr/local/bin/fetchSSHKeysFromLDAP
AuthorizedKeysCommandUser root

Njengomphumela, sithola ukulandelana okulandelayo ngokugunyazwa kokhiye okulungiselelwe kuklayenti le-ssh:

  1. Umsebenzisi uxhuma kuseva ngokubonisa ukungena kwakhe ngemvume.
  2. I-daemon ye-sshd, ngombhalo, ikhipha inani lokhiye osesidlangalaleni kusichasiso somsebenzisi ku-Active Directory futhi yenze ukugunyaza isebenzisa okhiye.
  3. I-daemon ye-sssd iphinde iqinisekise umsebenzisi ngokusekelwe ebulungwini beqembu. Qaphela! Uma lokhu kungalungiselelwe, noma yimuphi umsebenzisi wesizinda uzokwazi ukufinyelela kumsingathi.
  4. Uma uzama ukwenza i-sudo, i-sssd daemon isesha I-Active Directory ngezindima. Uma izindima zikhona, izibaluli zomsebenzisi nobulungu beqembu buyahlolwa (uma i-sudoRoles ilungiselelwe ukusebenzisa amaqembu abasebenzisi)

Ingqikithi.

Ngakho, okhiye bagcinwa kuzibaluli zomsebenzisi we-Active Directory, izimvume ze-sudo - ngokufanayo, ukufinyelela kubasingathi be-Linux ngama-akhawunti wesizinda kwenziwa ngokubheka ubulungu eqenjini le-Active Directory.
Igagasi lokugcina lenduku yomqhubi - futhi ihholo liyabanda ngokuthula okunenhlonipho.

Izinsiza ezisetshenziswe ekubhaleni:

Sudo nge-Active Directory
Okhiye be-Ssh nge-Active Directory
Iskripthi se-Powershell, sengeza isibaluli ku-Active Directory Schema
ukukhululwa okuzinzile kwe-sudo

Source: www.habr.com

Engeza amazwana