SSH login user key information using Database unified management


The requirement came from a development department: they need to give all developers root access on their test servers, with password-free (key-based) login for each developer. Storing the public keys in the default SSH authorized_keys file makes personnel management inconvenient: for example, when someone leaves the company it is hard to find their key among a large number of keys, and the key then has to be deleted on a large number of servers.

Based on this requirement, we decided to keep everyone's key and its fingerprint in a database, with each fingerprint mapped to a real user name. Although every user logs in as root, sshd does not look the key up in the authorized_keys file at login; instead it looks up the matching public key in the database using the fingerprint of the key the client presents.

To achieve this, sshd must first run a public-key lookup script when the user logs in, and then authenticate the user against the key the script returns. This requires two sshd configuration parameters, AuthorizedKeysCommand and AuthorizedKeysCommandUser: the first specifies the script to execute at login, the second the user the script runs as. Note that the script must have permissions 700 and its owner and group must be root. These two parameters are not available in older OpenSSH versions, so OpenSSH has to be upgraded first, and during the upgrade we need to modify part of the OpenSSH source; this article upgrades to OpenSSH 6.6p1.

First, upgrade OpenSSH

Prepare the OpenSSH source package: find the 6.6 source tarball on the official site and download it:

[root@host ~]# wget http://ftp.jaist.ac.jp/pub/openbsd/openssh/portable/openssh-6.6p1.tar.gz
[root@host ~]# tar -zxf openssh-6.6p1.tar.gz -C /usr/src/
[root@host ~]# cd /usr/src/openssh-6.6p1

After unpacking, we need to modify the source: edit the file auth2-pubkey.c in the extracted directory. The changes below are all in user_key_command_allowed2(); they compute the MD5 fingerprint of the key the client offered and pass it to the AuthorizedKeysCommand as a second argument after the user name.

Around line 512 (the local variables at the start of user_key_command_allowed2()):

    struct passwd *pw;
    struct stat st;
    int status, devnull, p[2], i;
    pid_t pid;
    // char *username, errmsg[512];                  // comment out this line
    char *username, *fp, errmsg[512];                 // add this line (fp holds the fingerprint)

    if (options.authorized_keys_command == NULL ||
        options.authorized_keys_command[0] != '/')
        return 0;

Around line 552:

    if (pipe(p) != 0) {
        error("%s: pipe: %s", __func__, strerror(errno));
        goto out;
    }

    // debug3("Running AuthorizedKeysCommand: \"%s %s\" as \"%s\"",            // comment out this line
    //     options.authorized_keys_command, user_pw->pw_name, pw->pw_name);      // comment out this line
    /* MD5 fingerprint of the offered key, hex with colons; key_fingerprint() returns an allocated string */
    fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);                           // add this line
    debug3("Running AuthorizedKeysCommand: \"%s %s %s\" as \"%s\"",
        options.authorized_keys_command, user_pw->pw_name, fp, pw->pw_name);

    /*
     * Don't want to call this in the child, where it can fatal() and
     * run cleanup_exit() code.
     */
    restore_uid();

    switch ((pid = fork())) {
    case -1: /* error */

Around line 602 (inside the child branch of the switch):

        /* stdin is pointed to /dev/null at this point */
        if (dup2(STDIN_FILENO, STDERR_FILENO) == -1) {
            error("%s: dup2: %s", __func__, strerror(errno));
            _exit(1);
        }

        execl(options.authorized_keys_command,
        //  options.authorized_keys_command, user_pw->pw_name, NULL);            // comment out this line
            options.authorized_keys_command, user_pw->pw_name, fp, NULL);        // add this line

        error("AuthorizedKeysCommand %s exec failed: %s",
            options.authorized_keys_command, strerror(errno));
        _exit(127);
    default: /* parent */
        break;
    }
    free(fp);        // add this line (note: the fork-failure branch above returns without freeing fp)
    temporarily_use_uid(pw);

After changing the source as above, we build the modified source into an RPM package for the upgrade:

[root@host ~]# cd /usr/src/openssh-6.6p1/contrib/redhat    # the system in this article is CentOS 6.5
[root@host ~]# vim openssh.spec                              # edit the spec file and disable options that are not available
# Do we want to disable building of X11-askpass? (1=yes 0=no)
%define no_x11_askpass 1                                    # set to 1: do not build x11-askpass
# Do we want to disable building of Gnome-askpass? (1=yes 0=no)
%define no_gnome_askpass 1                                  # set to 1: do not build gnome-askpass
[root@host ~]# cd /usr/src/
[root@host ~]# tar -zcf openssh-6.6p1.tar.gz openssh-6.6p1/
Note: this must be done in the /usr/src/ directory, otherwise building the RPM package fails, and the file name must be exactly as shown above.
[root@host ~]# cd /usr/src/openssh-6.6p1/contrib/redhat
[root@host ~]# rpmbuild -bb openssh.spec                     # start building the RPM package
Note: when building the RPM package you may run into missing dependencies, commonly pam, pam-devel, glibc, glibc-devel, tcp_wrappers-devel, openssl098e, gcc and so on; they are not repeated here one by one.

When the build is complete, the finished RPM package is in the /usr/src/redhat/RPMS/x86_64 directory; upgrade by installing it with rpm. I ran into a version conflict when installing, and then simply forced the installation.

After the installation is complete, modify the /etc/ssh/sshd_config configuration file:

#AuthorizedKeysFile     .ssh/authorized_keys
#AuthorizedPrincipalsFile none
AuthorizedKeysCommand /bin/ssh-zhy.sh
AuthorizedKeysCommandUser root

The AuthorizedKeysFile line is commented out. The AuthorizedKeysCommand line is added and specifies the script that looks up the SSH key; the AuthorizedKeysCommandUser line is added and specifies the user that runs the script, which must be root.

With the patch above, AuthorizedKeysCommand passes two positional parameters to the key-lookup script: $1 is the login user name and $2 is the fingerprint of the key the user is logging in with, so the script can use the fingerprint directly.

Prepare the key-lookup script; it can be a shell script or any other kind, as long as it can fetch the corresponding key from the database. Here I am using a shell script. The database stores each user's key and fingerprint, and the script looks the key up by fingerprint, so even though all users log in as root, the fingerprint still identifies which person logged in, which completes the personnel record.

Once the script is ready, place it at the path given in the configuration; the script file must be owned by root with permissions 700, and both of these settings are mandatory. Then prepare the database that stores the keys and restart the sshd service. From then on, a login looks up the key information in the database; if no matching key is found there, sshd still falls back to the authorized_keys file (commenting out AuthorizedKeysFile only restores its default value, it does not disable the file).
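The key-lookup script described above, as an added example that is not the post's own ssh-zhy.sh. It also shows how to compute the fingerprint to store in the database so that it matches what the patched sshd passes. The table ssh_keys(real_name, fingerprint, pubkey), the read-only credentials file /etc/ssh/keydb.cnf and the mysql client options are assumptions:

```shell
#!/bin/sh
# Constructed example of the AuthorizedKeysCommand script (not the original
# post's ssh-zhy.sh). sshd, patched as shown above, invokes it as:
#   ssh-zhy.sh <login user> <md5 hex fingerprint>
# Assumed (not from the post): a MySQL table ssh_keys(real_name, fingerprint, pubkey)
# reachable with a read-only account whose credentials live in /etc/ssh/keydb.cnf.

DB_CNF=/etc/ssh/keydb.cnf

# sshd points the script's stderr at /dev/null, so report through syslog only.
log() { if command -v logger >/dev/null 2>&1; then logger -t sshkeydb -- "$*" 2>/dev/null || :; fi; }

# The fingerprint is client-controlled input: accept only the 16-byte MD5 hex form
# "xx:xx:...:xx" before it is interpolated into SQL.
valid_fingerprint() {
    printf '%s' "$1" | grep -Eq '^([0-9a-f]{2}:){15}[0-9a-f]{2}$'
}

# Same value sshd computes with key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX):
# MD5 over the base64-decoded key blob, hex with colons. Use it when inserting a
# key line into the table so the stored fingerprint matches what the login passes.
# Assumes GNU coreutils (base64 -d, md5sum).
md5_fingerprint() {
    printf '%s' "$1" | awk '{print $2}' | base64 -d | md5sum |
        awk '{print $1}' | sed 's/../&:/g; s/:$//'
}

# Query runner; KEYDB_QUERY_CMD may replace the mysql client (e.g. for offline tests).
run_query() {
    ${KEYDB_QUERY_CMD:-mysql --defaults-file=$DB_CNF -N -s -e} "$1"
}

# Print the matching key in authorized_keys format, suffixed with the owner's real
# name, so every root login is attributable to a person. Prints nothing (and returns
# 1) when no row matches; sshd then falls back to authorized_keys.
lookup_key() {
    user=$1 fp=$2
    valid_fingerprint "$fp" || { log "rejected malformed fingerprint from $user"; return 1; }
    row=$(run_query "SELECT real_name, pubkey FROM ssh_keys WHERE fingerprint='$fp' LIMIT 1") || return 1
    [ -n "$row" ] || { log "no key for $fp (login as $user)"; return 1; }
    real_name=$(printf '%s' "$row" | cut -f1)
    pubkey=$(printf '%s' "$row" | cut -f2-)
    log "login as $user authenticated with key of $real_name"
    printf '%s %s\n' "$pubkey" "$real_name"
}

# Only act when sshd supplies the two positional arguments.
if [ "$#" -eq 2 ]; then lookup_key "$1" "$2"; fi
```

sshd still checks the client's signature against whatever key the script prints, so a forged fingerprint can only select which stored key is checked, not bypass the check.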

Once this is configured, we only need to manage the database, which makes managing everyone's keys easy and also makes it convenient to build a management interface later.

This article is from the "Artisan" blog; please keep this source: http://8838848.blog.51cto.com/8828848/1697188
