You are probably already familiar with the bastion host (jump server): to keep servers secure, a bastion host is placed in front of them and every SSH connection is made through it. The bastion host itself also needs identity authentication, authorization, access control, auditing and similar functions. I have implemented the basics of these functions in Python.
Architecture:
[Image: Bastion Machine Architecture]
The main back-end technology is LDAP: a centralized LDAP authentication server is configured and all server authentication goes through LDAP. My approach is that each user has one password, which is stored encrypted in the database. When the user enters an IP on the jump server to log in to a target server, the jump server system fetches the password, decrypts it, and sends it through the pexpect module to complete the login.
Login interface and methods
The user logs in to the jump server with key authentication; on login, the jump server system is started automatically.
[Image: Interface 1]
Entering the full IP or part of an IP completes the login. If the partial IP matches more than one host, a hint is shown; if the user has no permission for the host, a no-permission prompt is shown.
[Image: Interface 3]
[Image: Interface 4]
Enter p/p to see the server IPs you have permission for.
[Image: Interface 5]
Enter e/e to run the same command on several servers, with the IPs separated by commas.
[Image: Interface 6]
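The prompt behaviour described above (full IP, partial IP with a uniqueness hint, no-permission prompt, and the comma-separated target list of the e/e mode) as an added example; this is not code from the jumpserver project, the `PERMISSIONS` table is constructed sample data, and treating a partial IP as a substring match is an assumption.

```python
import re

# Constructed sample data standing in for the permission table of the web
# console: which server IPs each jump-server user may log in to.
PERMISSIONS = {
    "alice": ["192.168.1.10", "192.168.1.11", "10.0.0.5"],
    "bob": ["10.0.0.5"],
}
ALL_HOSTS = sorted({ip for ips in PERMISSIONS.values() for ip in ips})


def resolve_host(user, text):
    """Resolve what the user typed at the prompt against the hosts they may use.

    Returns one of:
      ("ok", ip)             exactly one permitted host matched, log in to it
      ("ambiguous", [ips])   a partial IP matched several permitted hosts, show a hint
      ("denied", [])         the host exists but this user has no permission for it
      ("unknown", [])        nothing in the host list matches
    A partial IP is treated as a substring of the address (assumption).
    """
    text = text.strip()
    if not re.fullmatch(r"[0-9.]+", text):
        return ("unknown", [])
    allowed = PERMISSIONS.get(user, [])
    if text in allowed:                      # full IP the user may use
        return ("ok", text)
    if text in ALL_HOSTS:                    # full IP that is not granted to this user
        return ("denied", [])
    candidates = [ip for ip in allowed if text in ip]
    if len(candidates) == 1:
        return ("ok", candidates[0])
    if len(candidates) > 1:
        return ("ambiguous", candidates)
    if any(text in ip for ip in ALL_HOSTS):  # matches hosts, none of them permitted
        return ("denied", [])
    return ("unknown", [])


def parse_batch(user, text):
    """Targets for the e/e mode: comma-separated IPs, each resolved independently
    so that an unauthorised or ambiguous entry cannot slip into the batch."""
    return {item.strip(): resolve_host(user, item.strip())
            for item in text.split(",") if item.strip()}
```

The permission check is done per target before anything is executed, so a batch containing one denied host can be rejected as a whole rather than partially run.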
Log records
Logging uses pexpect's log recording, which saves both the command and the command's output, but it also inadvertently records the password that is sent (which is not satisfactory). This is hard to handle inside the pexpect module, so my idea is to process the logs every day and strip out the passwords and the like. The logs are saved under the logs directory with the file name IP_date_username. PS: I logged in with the chinaren account and the prompt window shows baidutest; this is for personal reasons.
[Image: Log 1]
[Image: Log 2]
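The daily log clean-up described above as an added example (not the project's own code): it masks the password that follows any password prompt in a pexpect session log, optionally masks the known password wherever it appears, and builds the ip_date_user archive name. The prompt regex and `SAMPLE_LOG` are assumptions and constructed data.

```python
import re
from datetime import date

# Whatever follows a password prompt up to the end of the line is the secret
# that pexpect's logfile recorded when sendline() transmitted it.
PASSWORD_AFTER_PROMPT = re.compile(r"([Pp]assword[^:\r\n]*:[ \t]*)([^\r\n]*)")
MASK = "********"


def scrub_password(log_text, known_password=None):
    """Mask the password following any password prompt in a pexpect session log.
    The jump server decrypts the real password from its database before login,
    so when it is passed in, every literal occurrence is masked as well (this
    also covers prompts the regex does not recognise)."""
    cleaned = PASSWORD_AFTER_PROMPT.sub(lambda m: m.group(1) + MASK, log_text)
    if known_password:
        cleaned = cleaned.replace(known_password, MASK)
    return cleaned


def log_filename(ip, user, day=None, logdir="logs"):
    """Archive path in the ip_date_user form used for the session logs."""
    day = day or date.today().strftime("%Y%m%d")
    return "%s/%s_%s_%s" % (logdir, ip, day, user)


# Constructed sample session, in the shape pexpect's logfile records it:
# the prompt is read from the server, then the sent password follows it.
SAMPLE_LOG = (
    "ssh alice@192.168.1.10\r\n"
    "alice@192.168.1.10's password: s3cr3t!\r\n"
    "Last login: Thu Aug 14 10:00:00 2014\r\n"
    "[alice@web1 ~]$ sudo uptime\r\n"
    "[sudo] password for alice: s3cr3t!\r\n"
    " 10:00:05 up 12 days\r\n"
)

if __name__ == "__main__":
    print(scrub_password(SAMPLE_LOG, known_password="s3cr3t!"))
    print(log_filename("192.168.1.10", "alice"))
```

Commands and their output survive the clean-up, so the audit value of the log is kept while the credential is not stored on disk in clear text any longer than a day.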
Access Control and authorization
Access control and authorization are implemented through a web interface.
Administrator interface
Home: [Image: web1]
View users: [Image: web2]
Add users: [Image: web3]
Host list: [Image: Host 1]
Add a host: [Image: Host 2]
Permissions list: [Image: Rights 1] [Image: Rights 2]
Add permissions: [Image: Permissions Add] [Image: Add permission]
The PPTP and OpenVPN items below were added because I needed them; they can be removed.
User login interface: [Image: User Interface]
Change your login password: [Image: Change Password]
Change the key password: [Image: Modify Keypass]
I have put the code on GitHub; anyone who needs it can take a look, and we can improve it together. I will write a deployment document when I have time.
https://github.com/ibuler/jumpserver
This article is from the "Free Linux, Share Linux" blog; please keep this source: http://laoguang.blog.51cto.com/6013350/1540080