You are probably familiar with the bastion host (jump server): to protect the servers, a bastion host is placed in front of them and all SSH connections go through it. The bastion host also needs identity authentication, authorization, access control, auditing and similar functions. The author has implemented the basics of these functions in Python.
Architecture:
The main back-end technology is LDAP. A centralized LDAP authentication server is configured, and all server authentication is done through LDAP. My practice is one password per user, stored encrypted in the database. When a user enters an IP on the jump server to log in to a server, the jump server system retrieves the password, decrypts it, and sends it through the pexpect module to complete the login.
Login interface and methods
The user logs in to the jump server with key authentication; on login, the jump server system is executed automatically.
Entering a full or partial IP completes the login. If a partial IP matches more than one host, a hint is shown; if the user has no permission for the host, a no-permission message is shown.
Enter P/p to see the server IPs you have permissions for.
Enter E/e to execute the same command on several servers, with the IPs separated by commas.
Log records
Logging uses pexpect's own log facility. The log saves both the commands and the output of the commands, and it also accidentally records the password that is sent (I am not satisfied with this). Some things are hard to handle with the pexpect module; my idea is to process the logs every day and remove things such as the password. Logs are saved under the logs directory, and the file name is IP_date_username.

PS: With the Chinaren login, the prompt window is baidutest; this is due to my personal reasons.
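One way to keep the password out of the session log at write time instead of cleaning the files afterwards, as an added example (not code from the jumpserver repository): a file-like wrapper that masks known secrets, including one split across two writes. The class name, sample password and session bytes are constructed; it assumes the wrapper is passed as pexpect's `logfile`, which only needs `write()` and `flush()` and receives bytes.

```python
import io


class RedactingLog:
    """File-like log wrapper that masks known secrets before they are written."""

    MASK = b"********"

    def __init__(self, sink, secrets):
        self.sink = sink
        self.secrets = [s for s in secrets if s]
        # Hold back this many bytes so a secret split across writes is caught.
        self.keep = max((len(s) for s in self.secrets), default=1) - 1
        self.pending = b""

    def _scrub(self, data):
        for secret in self.secrets:
            data = data.replace(secret, self.MASK)
        return data

    def write(self, data):
        buf = self._scrub(self.pending + data)
        cut = max(len(buf) - self.keep, 0)
        self.sink.write(buf[:cut])
        self.pending = buf[cut:]

    def flush(self):
        self.sink.flush()  # the held-back tail stays pending until close()

    def close(self):
        # The tail was scrubbed in write(); a partial secret in it never completed.
        self.sink.write(self.pending)
        self.pending = b""
        self.sink.flush()


def demo():
    """Replay a constructed session: password sent whole, then echoed in two chunks."""
    sink = io.BytesIO()
    log = RedactingLog(sink, [b"S3cr3t-Pw!"])  # constructed sample password
    for chunk in (b"user@10.0.0.5's password: ", b"S3cr3t-Pw!\r\n",
                  b"echo S3cr", b"3t-Pw!\r\n", b"$ uptime\r\n"):
        log.write(chunk)
        log.flush()
    log.close()
    return sink.getvalue()


if __name__ == "__main__":
    print(demo())
```

The wrapper delays the last few bytes of the log until `close()`, so it must be closed when the session ends.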
Access Control and authorization
Access control and authorization are implemented through a web interface.
Administrator interface
Home:
View Users:
Add Users:
Host list:
To add a host:
Permissions List:
Add Permissions:
The PPTP and OpenVPN options below are additions I made as needed and can be removed.
User Login Interface:
To change your login password:
To change the key password:
I put the code on GitHub. Friends who need it can take a look, and we can also improve it together. I will write the deployment document when I have time.
https://github.com/ibuler/jumpserver
Blog Link: http://laoguang.blog.51cto.com/6013350/1540080