An operations bastion host (jump server) system in Python

Source: Internet
Author: User
Tags: ldap

You are probably familiar with the bastion host (jump server): to protect the servers, a bastion host is placed in front of them and every SSH connection has to go through it. The bastion host itself also needs identity authentication, authorization, access control, auditing and similar functions. I have implemented these functions in Python at a basic level.

Architecture:

[Image: Bastion Machine Architecture]

The main back-end technology is LDAP: an LDAP server is configured for centralized authentication, and every server authenticates against it. My approach is that each user has one password, which is stored encrypted in the database. When the user enters an IP on the jump server to log in to a server, the jump server system fetches the password, decrypts it, and sends it through the pexpect module to complete the login.

Login interface and methods

The user logs in to the jump server with key authentication; on login, the jump server system is started automatically.

[Image: Interface 1]

Entering a full IP or a partial IP completes the login. If the partial IP matches more than one host, a hint is shown; if the user has no permission for the host, a "no permission" prompt is shown.

[Image: Interface 3]

[Image: Interface 4]

Enter p/P to see the server IPs you have permission for.

[Image: Interface 5]

Enter e/E to execute the same command on several servers; the IPs are separated directly by commas.

[Image: Interface 6]
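The three menu behaviours just described (full or partial IP lookup with an ambiguity hint and a "no permission" prompt, p/P to list permitted hosts, e/E to fan a command out to a comma-separated list of IPs) come down to one lookup routine. The following is an added example written for this post, not code from the jumpserver project; PERMISSIONS and ALL_HOSTS are constructed sample tables standing in for what the web admin interface maintains, and the user names and addresses are hypothetical. It goes slightly beyond the post in one respect: when a prefix is ambiguous, the hint lists only the hosts the user is allowed to reach, so a prefix cannot be used to enumerate hosts the user was never granted.

```python
"""Host lookup and permission check for a jump-server menu (added example)."""

# Constructed sample data: which host IPs each user is allowed to reach.
PERMISSIONS = {
    "alice": {"10.0.1.10", "10.0.1.11", "10.0.2.20"},
    "bob": {"10.0.2.20"},
}
# Constructed sample data: every host registered on the jump server.
ALL_HOSTS = {"10.0.1.10", "10.0.1.11", "10.0.2.20", "10.0.3.30"}


def permitted_hosts(user):
    """The 'p' command: hosts this user may log in to, sorted for display."""
    return sorted(PERMISSIONS.get(user, set()))


def resolve_host(user, query):
    """Turn a full or partial IP typed by `user` into one of four outcomes.

    ("ok", ip)          exactly one reachable host matched
    ("ambiguous", list) several permitted hosts matched; list them as the hint
    ("denied", query)   a match exists but the user has no permission for it;
                        the query is echoed back, not the resolved address
    ("unknown", query)  nothing matched
    """
    query = query.strip()
    allowed = PERMISSIONS.get(user, set())
    if not query:
        return ("unknown", query)
    if query in ALL_HOSTS:                       # an exact IP wins over prefix matches
        matches = [query]
    else:
        matches = sorted(h for h in ALL_HOSTS if h.startswith(query))
    if not matches:
        return ("unknown", query)
    if len(matches) > 1:
        visible = [h for h in matches if h in allowed]
        if not visible:
            return ("denied", query)
        if len(visible) == 1:                    # unique among the user's own hosts
            return ("ok", visible[0])
        return ("ambiguous", visible)
    host = matches[0]
    if host not in allowed:
        return ("denied", query)
    return ("ok", host)


def resolve_host_list(user, csv):
    """The 'e' command: a comma-separated list of IPs. Returns (resolved, problems).

    Callers must refuse to run anything while `problems` is non-empty, so one bad
    entry cannot let a command run on a partially checked target set.
    """
    targets = [t.strip() for t in csv.split(",") if t.strip()]
    resolved, problems = [], []
    for target in targets:
        status, value = resolve_host(user, target)
        if status == "ok":
            if value not in resolved:
                resolved.append(value)
        else:
            problems.append((target, status))
    return resolved, problems


def dispatch(user, line):
    """Menu entry point: 'p'/'P' lists hosts; anything else is an IP query."""
    line = line.strip()
    if line.lower() == "p":
        return ("list", permitted_hosts(user))
    return resolve_host(user, line)


if __name__ == "__main__":
    for u, q in [("alice", "10.0.1.10"), ("alice", "10.0.1"),
                 ("bob", "10.0.1.10"), ("alice", "p")]:
        print(u, repr(q), "->", dispatch(u, q))
    print(resolve_host_list("alice", "10.0.1.10,10.0.3.30,10.0.1"))
```

The prefix match is a plain string prefix, as the post describes; a production version would match on dotted-octet boundaries so that "10.0.1" does not also match a "10.0.10.x" host. The denied path deliberately echoes the user's own input rather than the address it resolved to, for the same reason the ambiguity hint is filtered.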

Log records

Logging uses pexpect's own log recording. The log saves both the command and the command's output, but it also records the password that is sent (not ideal), and handling this inside the pexpect module is rather difficult. My idea is to process the logs every day and remove things like the password. Logs are saved under the logs directory with the file name IP_date_username. PS: the screenshots were taken with the Chinaren login and the prompt window shows baidutest; that is just due to my own setup.


[Image: Log 1]

[Image: Log 2]
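The daily clean-up described above, as an added example rather than the post's own code: a scrubber for a captured pexpect transcript that removes whatever follows a "password:" prompt and any known secret wherever it appears, plus the IP_date_username file naming. The transcript, host name and credentials below are constructed for the example. Note that pexpect's spawn also exposes a logfile_read attribute that records only what the remote side prints; sshd does not echo the password, so writing the audit log through logfile_read instead of logfile keeps the password out of the file in the first place, and a scrubber like this becomes the second line of defence rather than the only one.

```python
import re

# Any text after a "password:" prompt on the same line is what sendline() echoed into
# pexpect's logfile. Only horizontal whitespace is skipped after the colon, so a prompt
# that ends the line (as it does with logfile_read) leaves the next line untouched.
_PROMPT_TAIL = re.compile(r"(?i)(password[ \t]*:[ \t]*)(\S+)")


def session_log_name(ip, user, day_iso):
    """File name convention from the post: <ip>_<date>_<user> under the logs directory."""
    return f"logs/{ip}_{day_iso}_{user}.log"


def redact_session_log(text, secrets=()):
    """Return a copy of a pexpect session transcript with password material removed.

    Rule 1: whatever follows a password prompt on the same line is replaced.
    Rule 2: every known secret in `secrets` is replaced wherever it appears, which
            also catches a password typed on a command line (mysql -p..., etc.).
    Secrets are replaced longest-first so a short secret cannot break up a longer one.
    """
    out = _PROMPT_TAIL.sub(lambda m: m.group(1) + "[REDACTED]", text)
    for secret in sorted((s for s in secrets if s), key=len, reverse=True):
        out = out.replace(secret, "[REDACTED]")
    return out


def redact_log_file(src_path, dst_path, secrets=()):
    """Batch version for the daily job: read a raw transcript, write the redacted copy.
    Returns True when none of the known secrets survive in the output."""
    with open(src_path, encoding="utf-8", errors="replace") as f:
        clean = redact_session_log(f.read(), secrets)
    with open(dst_path, "w", encoding="utf-8") as f:
        f.write(clean)
    return all(s not in clean for s in secrets if s)


# Constructed sample transcript in the shape pexpect's logfile produces when both sent
# and received bytes are logged (CRLF line endings come from the pty). Hypothetical host.
SAMPLE_TRANSCRIPT = (
    "alice@10.0.1.10's password: Hunter2!\r\n"
    "Last login: Thu Aug 14 10:00:00 2014 from 10.0.0.5\r\n"
    "[alice@web01 ~]$ mysql -uroot -pHunter2!\r\n"
    "[alice@web01 ~]$ exit\r\n"
)

if __name__ == "__main__":
    print(session_log_name("10.0.1.10", "alice", "2014-08-14"))
    print(redact_session_log(SAMPLE_TRANSCRIPT, secrets=["Hunter2!"]))
```

The `secrets` list is what the jump server decrypted for that session, so the daily job can pass exactly the values that were sent rather than guessing from patterns; the prompt rule is there for the case where the stored password has since been rotated and the old value is no longer available.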

Access Control and authorization

Access control and authorization are implemented through a web management interface.

Administrator interface

Home:

[Image: Web1]

View Users:

[Image: Web2]

Add Users:

[Image: Web3]

Host list:

[Image: Host 1]

To add a host:

[Image: Host 2]

Permissions List:

[Image: Rights 1]

[Image: Rights 2]

Add Permissions:

[Image: Permission to add]

[Image: Add permission]

The PPTP and OpenVPN entries below were added for my own needs and can be removed.

User Login Interface:

[Image: User Interface]

To change your login password:

[Image: Change Password]

To change the key password:

[Image: Modify Keypass]

I have put the code on GitHub; anyone who needs it can take a look, and we can improve it together. I will write the deployment documentation when I have time.

Https://github.com/ibuler/jumpserver

This article is from the "Free Linux, Share Linux" blog; please keep this source: http://laoguang.blog.51cto.com/6013350/1540080
