Introduction to the Bastion Host
Many people think that a bastion host (also called a jump server) is simply a springboard for reaching other machines. That view is incomplete: the springboard function is only one of the features a bastion host has. A bastion host also provides the following two critical functions:
- Rights management: users log in to the bastion host with a bastion account. They do not need to know the accounts and passwords of the other hosts; those credentials are held and managed by the bastion system. Which hosts a user may log on to, and which permissions they have on each host, are also managed by the bastion system.
- Audit management: every user operation passes through the bastion host, so a record of it can be kept. The results of operations (that is, what is printed on the screen) can also be recorded if necessary, but usually they are not, because the volume of data becomes large.
Open-Source Bastion Host Projects
There is no really good open-source project, because the underlying SSH is still implemented through a persistent (long-lived) SSH connection made with the Paramiko module. Compared with native SSH this is still not very stable or pleasant to use, and it is not suitable for production environments. To make it truly usable you would have to modify native SSH itself, but we will not do that here; we only work in Python. In short, this chapter implements the functions of a bastion host; building a genuinely good one is a topic for later.
The best-known project is probably this one: jumpserver, an open-source jump server.
Persistent Connections with the Paramiko Module
As said above, this module is not very stable, but we have no alternative: it is the only option.
Paramiko was studied earlier, but only with short connections, that is: connect once, execute a command, return the result, disconnect. Here we need a persistent connection.
The persistent-connection code is in the file demo.py under the demos folder, which in turn uses the file interactive.py. The demos folder is not installed with the module, so fetch it from GitHub:
Https://github.com/paramiko/paramiko/tree/master/demos
With the demo.py program we can hold an SSH session open. The development that follows is based on this program: we modify its source so that user input is recorded and written to the database. That is how audit management is implemented.
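As an added example (this is not the code from paramiko's demo.py or the page's own program), the following shows how the interactive loop from demos/interactive.py can be wrapped so that every keystroke sent to the remote side is also handed to an audit recorder, which reassembles the keystrokes into command lines and writes them to a SQLite table. The table name audit_log and its columns, the user and host ids, and the target host 192.0.2.10 with the user ops are assumptions made for illustration; paramiko is only imported when a session is actually opened, so the recording logic runs without it.

```python
import os
import select
import socket
import sqlite3
import sys
import termios
import time
import tty

# Assumed table name and columns (auto-increment id, time, user id, host id, action)
AUDIT_SCHEMA = """CREATE TABLE IF NOT EXISTS audit_log (
    id INTEGER PRIMARY KEY AUTOINCREMENT, time REAL NOT NULL,
    user_id INTEGER NOT NULL, host_id INTEGER NOT NULL, action TEXT NOT NULL)"""


class AuditRecorder:
    """Reassembles the keystrokes passing through the interactive shell into
    complete command lines and writes each one to the audit table."""

    def __init__(self, db_path, user_id, host_id):
        self.conn = sqlite3.connect(db_path)
        self.conn.execute(AUDIT_SCHEMA)
        self.user_id, self.host_id = user_id, host_id
        self.buf = []              # characters of the line being typed
        self.in_escape = False     # inside an ANSI escape sequence (arrow keys etc.)

    def feed(self, data):
        """Consume raw bytes read from the user's terminal."""
        for ch in data.decode("utf-8", errors="replace"):
            if self.in_escape:     # parameter bytes continue the sequence, any other ends it
                self.in_escape = ch in "[O;?" or ch.isdigit()
                continue
            if ch == "\x1b":
                self.in_escape = True
            elif ch in "\r\n":
                self._commit()
            elif ch in "\x7f\x08":             # DEL / backspace
                if self.buf:
                    self.buf.pop()
            elif ch in "\x15\x03":             # Ctrl-U clears, Ctrl-C abandons the line
                self.buf.clear()
            elif ch.isprintable():
                self.buf.append(ch)

    def _commit(self):
        cmd = "".join(self.buf).strip()
        self.buf.clear()
        if cmd:
            self.conn.execute("INSERT INTO audit_log (time, user_id, host_id, action) "
                              "VALUES (?, ?, ?, ?)",
                              (time.time(), self.user_id, self.host_id, cmd))
            self.conn.commit()

    def commands(self):
        """Recorded commands for this user/host pair, in order."""
        rows = self.conn.execute("SELECT action FROM audit_log WHERE user_id = ? "
                                 "AND host_id = ? ORDER BY id",
                                 (self.user_id, self.host_id)).fetchall()
        return [r[0] for r in rows]


def audited_shell(chan, recorder):
    """posix_shell() from demos/interactive.py, with keystrokes copied to the recorder."""
    fd = sys.stdin.fileno()
    oldtty = termios.tcgetattr(fd)
    try:
        tty.setraw(fd)
        tty.setcbreak(fd)
        chan.settimeout(0.0)
        while True:
            readable, _, _ = select.select([chan, sys.stdin], [], [])
            if chan in readable:
                try:
                    out = chan.recv(1024)
                    if not out:
                        break                  # remote side closed the channel
                    sys.stdout.write(out.decode("utf-8", errors="replace"))
                    sys.stdout.flush()
                except socket.timeout:
                    pass
            if sys.stdin in readable:
                keys = os.read(fd, 1024)
                if not keys:
                    break
                recorder.feed(keys)            # record before forwarding
                chan.send(keys)
    finally:
        termios.tcsetattr(fd, termios.TCSADRAIN, oldtty)


def open_session(host, port, username, password, term="vt100"):
    """Open an interactive shell on a target host; paramiko is imported here so the
    audit logic above runs (and is testable) without it installed."""
    import paramiko
    client = paramiko.SSHClient()
    client.load_system_host_keys()             # the bastion must verify target host keys
    client.connect(host, port=port, username=username, password=password)
    return client, client.invoke_shell(term=term)


if __name__ == "__main__":                     # assumed target host and credentials
    client, chan = open_session("192.0.2.10", 22, "ops", "ops-pw")
    try:
        audited_shell(chan, AuditRecorder("audit.db", user_id=1, host_id=1))
    finally:
        client.close()
```

Input-side recording has a known blind spot: commands recalled with the arrow keys, completed with Tab, or found with Ctrl-R are sent as control bytes, so the executed command cannot be rebuilt from keystrokes alone. That is one reason the page mentions recording the screen output as well, at the cost of much more data.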
Bastion Host Architecture
Anyone can only log on to a device through the bastion host, and the bastion host is connected to, and manages, all of the devices:
Configuring the Login Environment
You also need to make sure that users enter your program as soon as they log on to the bastion host and cannot leave it: exiting the program must end the whole bastion session, so that users only ever run inside your shell and never reach the native shell. This can be done through the shell's startup configuration:
The shell startup file is ~/.bashrc. Add this line at the end of the file: exec python3 /etc/myJunpServer.py
This runs your program directly. The `exec` prefix replaces the bash process with your program, so that when the program exits (or is interrupted) the SSH session ends instead of dropping the user into bash. If you want it to take effect immediately after the first setup is complete, you can execute this command: source .bashrc
to load the latest configuration.
Note that ~/.bashrc is writable by the user and is only read by interactive bash, so this is a convenience for the tutorial rather than a hard boundary; a user who can influence how their shell is started can skip it. For a real deployment, set the program as the bastion account's login shell, or enforce it with ForceCommand in sshd_config, so that there is no path to an ordinary shell at all.
Table Structure Design
Host table:

| Field | Notes |
|---|---|
| ID | auto-increment ID |
| Host name | display name (comment) |
| IP | string |
| Port number | numeric, default 22 |

Host authentication table (many-to-many association with the host table):

| Field | Notes |
|---|---|
| ID | auto-increment ID |
| Name | display name (comment) |
| User name | user name on the target host |
| Password | clear-text string in this design (in production, encrypt it at rest or use SSH keys instead; this table holds the keys to every managed host) |

Host group table (many-to-many association with the host table plus the host authentication table):
The previous association table links two tables; this one links three (group, host, and host authentication), because different groups may contain the same machine, and the permissions on the same machine (that is, the target account used) may differ between groups.

| Field | Notes |
|---|---|
| ID | auto-increment ID |
| Group name | unique |
| Notes | notes information |

Bastion account table (many-to-many association with the host table, and many-to-many association with the host group table):

| Field | Notes |
|---|---|
| ID | auto-increment ID |
| User name | unique constraint |
| Password | stored encrypted (hashed), never in clear text |

Audit log record table:

| Field | Notes |
|---|---|
| ID | auto-increment ID |
| Time | operation time |
| User ID | ID of the associated account table |
| Host ID | ID of the associated host table |
| Action message | action content |

That is roughly the table structure.
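As an added example that is not part of the original post, the following Python (SQLite) code turns the tables above into a concrete schema, including the junction tables that the many-to-many associations imply, hashes bastion account passwords with salted PBKDF2 as one way to meet the "stored encrypted" requirement, and answers the rights-management question "which hosts, as which target user, may this bastion account open?" from both direct grants and group membership. All table and column names, the sample hosts web1 and db1, and the account alice are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import sqlite3

# Assumed table and column names; the *_map / *_member tables are the junctions
# that realise the many-to-many associations described in the table design.
SCHEMA = """
CREATE TABLE host (id INTEGER PRIMARY KEY AUTOINCREMENT, hostname TEXT NOT NULL,
                   ip TEXT NOT NULL, port INTEGER NOT NULL DEFAULT 22);
CREATE TABLE host_auth (id INTEGER PRIMARY KEY AUTOINCREMENT, name TEXT NOT NULL,
                        username TEXT NOT NULL,
                        password TEXT NOT NULL);    -- clear text in the page's design
CREATE TABLE host_auth_map (                        -- host <-> host_auth
    host_id INTEGER NOT NULL REFERENCES host(id),
    auth_id INTEGER NOT NULL REFERENCES host_auth(id),
    PRIMARY KEY (host_id, auth_id));
CREATE TABLE host_group (id INTEGER PRIMARY KEY AUTOINCREMENT,
                         name TEXT NOT NULL UNIQUE, notes TEXT);
CREATE TABLE group_member (                         -- group <-> (host, auth): 3-way link
    group_id INTEGER NOT NULL REFERENCES host_group(id),
    host_id INTEGER NOT NULL, auth_id INTEGER NOT NULL,
    PRIMARY KEY (group_id, host_id, auth_id),
    FOREIGN KEY (host_id, auth_id) REFERENCES host_auth_map(host_id, auth_id));
CREATE TABLE account (id INTEGER PRIMARY KEY AUTOINCREMENT,
                      username TEXT NOT NULL UNIQUE,
                      password TEXT NOT NULL);      -- salted PBKDF2 hash, not the password
CREATE TABLE account_host (                         -- account <-> (host, auth) direct grant
    account_id INTEGER NOT NULL REFERENCES account(id),
    host_id INTEGER NOT NULL, auth_id INTEGER NOT NULL,
    PRIMARY KEY (account_id, host_id, auth_id),
    FOREIGN KEY (host_id, auth_id) REFERENCES host_auth_map(host_id, auth_id));
CREATE TABLE account_group (                        -- account <-> host_group
    account_id INTEGER NOT NULL REFERENCES account(id),
    group_id INTEGER NOT NULL REFERENCES host_group(id),
    PRIMARY KEY (account_id, group_id));
CREATE TABLE audit_log (id INTEGER PRIMARY KEY AUTOINCREMENT, time REAL NOT NULL,
    user_id INTEGER NOT NULL REFERENCES account(id),
    host_id INTEGER NOT NULL REFERENCES host(id), action TEXT NOT NULL);
"""


def hash_password(password, salt=None):
    """Return 'salt$hash' so the verifier can recompute with the stored salt."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + "$" + dk.hex()


def verify_password(password, stored):
    salt = bytes.fromhex(stored.split("$")[0])
    return hmac.compare_digest(hash_password(password, salt), stored)


def build_demo(path=":memory:"):
    """Create the schema and load constructed sample data; returns the connection."""
    conn = sqlite3.connect(path)
    conn.execute("PRAGMA foreign_keys = ON")      # SQLite ignores FKs unless enabled
    conn.executescript(SCHEMA)
    c = conn.cursor()
    c.executemany("INSERT INTO host (hostname, ip, port) VALUES (?, ?, ?)",
                  [("web1", "10.0.0.11", 22), ("db1", "10.0.0.21", 2222)])
    c.executemany("INSERT INTO host_auth (name, username, password) VALUES (?, ?, ?)",
                  [("ops-login", "ops", "ops-pw"), ("root-login", "root", "root-pw")])
    c.executemany("INSERT INTO host_auth_map VALUES (?, ?)", [(1, 1), (1, 2), (2, 1)])
    c.execute("INSERT INTO host_group (name, notes) VALUES ('web', 'web tier')")
    c.execute("INSERT INTO group_member VALUES (1, 1, 1)")     # group web: web1 as ops
    c.execute("INSERT INTO account (username, password) VALUES (?, ?)",
              ("alice", hash_password("alice-pw")))
    c.execute("INSERT INTO account_group VALUES (1, 1)")      # alice belongs to group web
    c.execute("INSERT INTO account_host VALUES (1, 2, 1)")    # alice: db1 as ops, directly
    conn.commit()
    return conn


def login(conn, username, password):
    """Return the account id on success, else None (same hashing cost either way)."""
    row = conn.execute("SELECT id, password FROM account WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        hash_password(password)                  # burn the same time for unknown users
        return None
    return row[0] if verify_password(password, row[1]) else None


def authorized_hosts(conn, username):
    """(hostname, ip, port, target user) reachable through direct grants or groups."""
    sql = """
    SELECT h.hostname, h.ip, h.port, a.username
      FROM account acc JOIN account_host ah ON ah.account_id = acc.id
      JOIN host h ON h.id = ah.host_id JOIN host_auth a ON a.id = ah.auth_id
     WHERE acc.username = ?
    UNION
    SELECT h.hostname, h.ip, h.port, a.username
      FROM account acc JOIN account_group ag ON ag.account_id = acc.id
      JOIN group_member gm ON gm.group_id = ag.group_id
      JOIN host h ON h.id = gm.host_id JOIN host_auth a ON a.id = gm.auth_id
     WHERE acc.username = ?
     ORDER BY 1, 4"""
    return conn.execute(sql, (username, username)).fetchall()
```

The composite foreign key from group_member and account_host to host_auth_map is what makes "same machine, different permissions per group" enforceable: a group can only grant a (host, target account) pair that has actually been bound, rather than any account on any host. The bastion program would call login() at the prompt, show the user authorized_hosts(), and only then open a session to the chosen entry with the matching host_auth row.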
Python Automation Development Learning 12-Bastion Machine development