当前位置:网站首页>Realization of a springboard machine

Realization of a springboard machine

2022-06-28 10:14:00 InfoQ

vivo  Internet operation and maintenance team - Yang Lei 
This paper introduces the realization of a springboard machine , The basic principle is expounded , And explained the characteristics and comparative advantages .

One 、  Introduction to the idea of springboard machine

The springboard machine described in this paper ( Hereinafter referred to as “jmp”) Support :
  • Linux The server
  • Windows The server
  • Other terminals (MySQL terminal 、Redis terminal 、 Network equipment terminal   wait )
It is different from the common jumpserver programme , The springboard machine built in this paper will not store any Linux Server account number 、 password 、 Key and other information , Eliminate the possibility of information disclosure . The biggest feature of this article is
With the help of Linux Of PAM Mechanism , By modifying the Linux Server system layer configuration , Partially taken over Linux The identity authentication capability of the system
, On this point , The following is a detailed description of .

Two 、 Background knowledge

2.1  Linux  Of  PAM  Mechanism

PAM(Pluggable Authentication Modules) Mechanism , Is a widely used in Contemporary Unix、Linux System level authentication framework for distribution . By providing a series of dynamic link libraries and two sets of programming interfaces (Service Programming Interface  and  Application Programming Interface), Separate the service provided by the system from the authentication mode of the service , Thus, different authentication methods can be flexibly configured for different services without changing the service program .
null

2.2 PAM  The core competencies of

null

2.3 PAM  Module type

  • auth
Used to identify the user's identity , Such as : Prompt user for password , Or judge whether the user is root etc. .
  • account
Check the properties of the account , Such as : Is login allowed , Whether the maximum number of users is reached , or root Whether users are allowed to log in at this terminal, etc .
  • session
This module is used to define the , And the operation to be performed after the user exits , Such as : Login connection information 、 Opening and closing of user data 、 Mount the file system, etc .
  • password
Use user information to update , Such as : Change user password .

2.4  common  PAM  modular

  • pam_unix.so modular
【auth】 Prompt user for password , And with /etc/shadow File comparison , Match return 0(PAM_SUCCESS).【account】 Check the user's account information ( Including whether it is overdue, etc ), When account number is available , return 0.【password】 Change the user's password , Password entered by the user , New password update as user shadow file .
  • pam_cracklib.so modular
This module can be inserted into the password stack of a program , Used to check the strength of the password .
  • pam_loginuid.so modular
Used to set the process that has passed the authentication uid, So that the program can pass the normal audit .
  • pam_securetty.so modular
If the user wants to root Login time , Log in tty Must be in /etc/securetty Before .
  • pam_rootok.so modular
pam_rootok The module is used to authenticate users id Is it 0, by 0 return PAM_SUCCESS.
  • pam_console.so modular
When the user logs in to the terminal , Change the permissions of the terminal file . After the user logs out , Then change them back .
  • pam_permit.so modular
The module returns success at any time .
  • pam_env.so modular
pam_env Allows setting environment variables ; By default, if no file is specified , Will be based on /etc/security/pam_env.conf Set environment variables
  • pam_xauth.so modular
pam_xauth Used to forward... Between users xauth-key.
  • pam_stack.so modular
pam_stack You can call another service ; That is, multiple services can be included in one setting , When you need to modify, just modify one file .
  • pam_warn.so modular
pam_warn Used to record services 、 End user 、 Information about remote users and remote hosts is sent to the system log , Modules always return PAM_IGNORE、 Does not wish to affect the authentication process .

3、 ... and 、 Springboard system architecture

3.1  Microservices and high availability design

3.1.1  Microservice design

The whole springboard machine system can be divided into 5 A service , and 1 A component .
① jmp-api  service
  • monitor 8080 port , Provide http Interface capabilities
  • Verify whether an account exists and is normal
  • Verify whether an account has login permission to a server
  • Verify whether an account has a connection to a server sudo jurisdiction
  • Data pulling : account number 、 host 、 Dangerous command library, etc
  • yes jmp The only access to the database

② jmp-ssh  service
  • monitor 2200 port , Provide ssh Agency ability
  • Direct access to Linux The server 、 Other terminals

③ jmp-socket  service
  • monitor 8080 port , Provide websocket/socket.io Connection ability
  • adopt ssh Protocol forwarding socket.io Flow to jmp-ssh
  • Support the connection and access of Web terminal

④ jmp-rdp  service
  • monitor 8080 port , Provide socket.io Connection ability
  • Realization rdp agent , For ease of operation Windows The server
  • Support web based Remote Desktop Services

⑤ jmp-sftp  service
  • Provide file upload and download capabilities , Support in jmp Pass through sftp command , Support any sftp Client connection
  • visit S3, To access files

⑥ jmp-agent  Components
  • Deployed on every Linux Server
  • jmp-agent Resident process
From time to time jmp-api Pull service and permission information , Cache to local files
Detect file changes as needed , Ensure that the configuration file is not maliciously modified
  • jmp special pam modular
Provide jmp.so Dynamic library , by pam modular
Install script release profile , modify /etc/pam.d/xxx file , take effect jmp Of pam modular
Take over identification and authority authentication , call jmp-api Interface to complete authentication

3.1.2  High availability design

jmp Any service in is stateless , Therefore, it supports the deployment of multi machine rooms in different places
http Agreed services (jmp-api、jmp-socket、jmp-rdp), adopt Nginx Configure the routing , And configure the automatic load balancing policy .
Not http Service for (jmp-ssh、jmp-sftp), adopt 4 Layer load balancing (lvs、vgw) High availability .

Auto downgrade policy
The ability to identify dangerous orders may take a long time , Therefore, when the interface identifying the dangerous command is found, it times out , Then the dangerous command identification is automatically ignored .
When the authentication interface times out , Then use jmp-agent Locally cached identity information , If the local cache cannot be obtained , The default policy of the configuration item is used ( Pass all or reject all ).

jmp-agent High availability of components
because jmp-agent Deployed on the business server , The environment may change at any time , Therefore, it must have strong adaptability ( Insufficient disk space 、inode full 、 Out of memory 、 Network instability 、 Domain name resolution exception, etc ).
For disk space or inode Insufficient ,jmp-agent You may not be able to use the local file cache , Therefore, select downgrade at this time , Ignore cache .
For network instability ,jmp-agent Select Add as jmp-api、jmp-ssh Communication timeout for , At the same time, the authentication can be degraded , Ensure that the operation is not affected .
For resolving exception problems ,jmp-agent Unable to interact with the service through the domain name , In this case, use the built-in fixing ip Interact with services .

3.2  Interaction diagram of each sub service of the springboard machine


null
As you can see from the diagram , As a core service jmp-ssh Carrying ssh Proxy forwarding of traffic , Will come from the user ssh client 、jmp-socket Service ssh Traffic is forwarded to the target server , And send the returned results from the target server back to ssh client 、jmp-socket service . therefore , Can be found in jmp-ssh Identify dangerous commands from users on the service , Give an alarm or intercept directly before it is delivered to the target server , Avoid malicious or misoperation that may affect the business .
In the picture jmp-api As a service that interacts directly with the database and cache , Assume the role of data interface and management end in the whole system , Accept from the full server jmp-agent User identity authentication and permission verification request of the component , It is the control center of the whole system .
jmp-api It also provides the ability to set permissions , Through docking with process system , It is convenient for personnel / The department applies for the machine / service / Login permission of the project or root jurisdiction , Besides ,jmp-api Also for login permissions and root The authority may be restricted by the applicant , For different projects / service , Limit the effective time of permission , Strictly control the permission granularity .
Because of the same project / Services are often maintained by people in the same group , therefore jmp-api Built in default permission policy , Allowed items / The person in charge of the service is responsible for the project / The service directly has login permission , Without having to apply ; Only corresponding items are supported / The operation and maintenance principal of the service owns by default root jurisdiction , If everyone else wants to get root jurisdiction , Must be applied for , It shall be approved by the operation and maintenance principal of the corresponding service .
In the picture jmp-agent It is deployed on every Linux On the server , By means of Linux Modify the /etc/pam.d/sshd、/etc/
pam.d/remote、/etc/pam.d/sudo Wait for the papers , Give Way  
jmp.so
 ( Belong to jmp-agent.rpm or jmp-agent.deb Part of ) To take over ssh service 、sudo Program and other key system programs 、 Permission authentication . So as not to increase /etc/passwd、/etc/shadow Under the premise of content, the ability to identify all personnel on any server is realized .
In the picture jmp-rdp Just for Windows Server's rdp Agency service , And provide based on web Remote desktop capabilities .
In the picture jmp-socket Based on web Of Linux Server operating terminal , So that users do not use ssh The client can also log in to the server easily .

Four 、 Core design ideas

4.1  Log on to the skip machine

  • The user to use ssh The client logs in to jmp-ssh service , And jmp-ssh Service interaction .
  • jmp-ssh Access to services ssh Account number during session establishment 、 Password after encryption 、 Secondary authentication information .
  • jmp-ssh Service access jmp-api service , Submit account number 、 Password after encryption 、 Secondary authentication information , In order to know whether the user is logged in jmp Authority .
null

4.2  Log in to the target server

  • Only if the user has logged in to jmp-ssh Or it has passed jmp-socket You can log in to the target server only after the front-end authentication of .
  • The user is in jmp-ssh Pseudo terminal input provided ssh xxxx(xxxx Is the host name of the target server or IP Address ).
  • jmp-ssh adopt ssh Connect to target server , Automatically carry user name information , Try to establish a session .
  • Due to... On the target server jmp-agent Took over sshd Identification and authority authentication , therefore jmp.so obtain ssh User name during session establishment , The user name and the local computer IP Address information encryption , call jmp-api Interface for authority authentication .
  • jmp-api According to the built-in policy , And query authorization table , Determine whether the user has login permission to the machine .
  • jmp-agent Get the authentication result , For those who have authority , be ssh Session successfully established , Otherwise, the session establishment fails .
  • jmp-ssh Get the result and reason of session establishment , Return to the user ssh terminal .
null

4.3  Command interaction

  • Only if the user has logged in to a machine , To command interaction .
  • When the user ssh Typing characters on the client , Pass on to jmp-ssh,jmp-ssh Determine whether the statement ends .
  • When statement ends , be jmp-ssh According to the dangerous order rules of the machine , Match statements entered by the user , Decide to alarm 、 Intercept 、 adopt .
  • jmp-ssh Pass the passed statement or the statement requiring alarm to the target server , The target server executes and returns the result .
null

4.4  Switching users  /  Privileged account

  • Only if the user has logged in to a machine , It is possible to trigger the behavior of switching users .
  • When the user ssh Client execution sudo xxxx、su、id And so on ,jmp-ssh Transparently transmit commands to the target server .
  • On the target server sshd Process execution sudo xxxx、su、id And so on command , Because the target server has been jmp-agent Took over identity failure and authority authentication , Therefore, from jmp.so Get login user name 、 Current user name 、 Local address information 、 Target user name information , transfer jmp-api Interface for sudo Permission authentication .
  • jmp-api Judge whether the user has the right to switch the machine to xx Account permissions ( If there is root jurisdiction ).
  • sudo、su、id Wait for the process to pass jmp.so The authentication result is obtained , Decide whether to switch users .
null

4.5  Use web interaction

  • Only if the user has completed login through the web page ( Such as sso) The situation of .
  • Users access through web pages jmp-socket service .
  • jmp-socket Service to get user name information 、 Website login sso Information , Submit to jmp-api, Generate a temporary login credential .
  • jmp-socket visit jmp-ssh, Submit temporary login credentials .
  • jmp-ssh Initiate secondary authentication for login , Wait for the user to complete the secondary authentication .
  • jmp-socket After the user completes the second authentication , To undertake the ssh Role of client , And jmp-ssh Interaction .

null

4.6  Dangerous command interception

  • jmp-ssh After the user has logged in to the target server , In this session , Load the dangerous command rules of the corresponding service of the target machine , Initialize regular matching logic .
  • jmp-ssh At the end of the user input statement , According to the dangerous order rules of the machine , Match statements entered by the user .
  • jmp-ssh Match the post strategy according to the dangerous command rules , Decide to do the following for this input : The alarm 、 Intercept 、 adopt .
  • For passing ,jmp-ssh Pass the command to the target server .
  • For alarm ,jmp-ssh Pass the command to the target server , But to the user 、 The immediate leader of the user 、jmp The system administrator sends a danger command alarm .
  • For intercepted ,jmp-ssh Refuse to pass command , At the same time, the user 、 The immediate leader of the user 、jmp The system administrator sends a danger command alarm .
null

4.7  Not Linux The springboard of the server

  • Windows The server
about Windows The server , Use jmp-rdp service , take rdp The protocol data is transferred from socket.io Hosted application data ( rely on Apache Guacamole), And pass web Page Canvas Display real-time images and accept keyboard and mouse events .
  • MySQL Terminals and Redis terminal
Deployment is only supported on Linux On the server MySQL and Redis.
On the server through mysql.sock, send jmp-agent Connect to local MySQL service ,jmp-agent Forward standard input and standard output to jmp-ssh.
On the server through redis.sock, send jmp-agent Connect to local Redis service ,jmp-agent Forward standard input and standard output jmp-ssh.
This method theoretically supports any passable unixsocket Connected services .
  • Network device management terminal
For network terminals , be jmp-ssh Read jmp-api Interface , Obtain the connection information of the corresponding network device ( Protocol type 、 Account information, etc ), Realize connection and operation .

5、 ... and 、 Permission rules and approval link design

5.1  Default permissions

No application is required , You can have permissions .
null

5.2  Approval link of permission application

  • If you don't have default permissions , But you need to log in to the machine , Or you need to use ROOT jurisdiction , You need to apply .
  • If you apply for permission for an organization , Then the organization ( department ) All members have the permission to apply for locks .
The approval link of the application process is defined here :
null

6、 ... and 、 The advantages of this realization idea

6.1  It is easy to operate , Better experience

The springboard machine system constructed by this idea , It's easy to operate , It supports ssh、 It's compatible again rdp, At the same time, it provides the web side operation portal , Better experience . meanwhile , Because of the microservice Architecture , The coupling between services is small , It is easier to achieve high availability , As a result, there are few catons 、 Delay and other phenomena , The overall stability is reliable , Experience is guaranteed .

6.2  Safe and reliable , Easy to audit

The biggest feature of this article is that it uses on the target server pam Mechanism , adopt jmp.so Take over the identification and authority authentication of multiple services , And so it did
Without modifying the standard commands , Unified takeover authority , Unified control .
And after logging in to the target machine , It can be further ssh To other servers , All interactions are recorded throughout the process , All operation commands will be recorded .
Because the springboard machine realized by this idea
Directly use the user name as the target server ssh Login name of the session
, Therefore, the user name in the log recorded in the system is also direct , Not like jumpserver The unified account number of the scheme , In this way , It is easier to locate the real executor of the operation track , Be clear at a glance .
Dangerous command interception function , It can avoid malicious operation or destructive misoperation to a great extent , Add a layer of guarantee for business stability .

6.3  The responsibilities of the service room are clear

Thanks to the microservice Architecture , Horizontal expansion of each service can be achieved , Thus, more machines can be controlled through capacity expansion services . The responsibilities of the service room are clear , Can be cut as needed jmp-rdp、jmp-socket、jmp-sftp, You can also add new services as needed , Good adaptability .

7、 ... and 、 Summary and prospect

With the expansion of server scale , How to manage these servers has become a more and more important problem . Login access to the server , This paper introduces a realization idea of springboard machine , The advantages and uniqueness of this idea are described . Through this idea, simple 、 Easy to use and highly available springboard machine , So as to solve the server login problem . If the reader is interested in this implementation idea , Or have any questions , Welcome to communicate with us . We are also very willing to study with you , Research technology .
原网站

版权声明
本文为[InfoQ]所创,转载请带上原文链接,感谢
https://yzsam.com/2022/179/202206280954535638.html

边栏推荐

猜你喜欢

随机推荐