Many people think that the fortress machine is a springboard machine, which is not comprehensive. The springboard function is only one of the features that the fortress machine has. The fortress machine also has the following two critical functions:
There is no good open source project, because the underlying SSH is still implemented through the long-linked ssh of the Paramiko module. But this and the original SSH ratio is still not very stable, not very useful. Not suitable for production environments. To be useful or to change the native SSH, but we will not, we will only change Python. In short this chapter is to achieve a fortress machine function, really want to do a good thing to say later.
The more famous is probably this: jumpserver-open-source Springboard machine
Although the above said, with this module is not stable, but we have no way, after all, only this.
Paramiko had studied before, but it used to be a short connection. That is: Connect once, execute a command, return the result, disconnect. We're going to use a long connection here.
Long connected code in the Demos folder under the demo.py this file, in addition to the use of interactive.py this file. The Demos folder is not installed when installing the module, so we go down to GitHub:
Https://github.com/paramiko/paramiko/tree/master/demos
With the demo.py program, we can make long ssh connections. The following development is based on this program, on the basis of this program, modify the program's source code to record user input, and write to the database. So the audit management was realized.
Anyone can only log on to a device through a bastion machine, and a bastion machine may be linked to manage all devices:
You also need to make sure that users enter your program as soon as they log on to the fortress machine and cannot exit (exit the entire bastion machine at the exit), which can only be run under your shell and not into the native shell. Can be implemented by setting environment variables:
Environment variables are saved here: ~/.bashrc , modify the file at the end add this sentence: python3 /etc/myJunpServer.py run your program directly. If you want it to take effect immediately after the first setup is complete, you can execute this command: source .bashrc load the latest configuration.
Host table:
| ID | Host name | IP | Port number |
|---|---|---|---|
| Self-Increment ID | Comment Name | String type | numeric type, default 22 |
Host authentication table (and host table many-to-many associations):
| ID | name | User name | Password |
|---|---|---|---|
| Self-Increment ID | Comment Name | User name | A string of clear text |
Host group table (and host table + host authentication table Many-to-many association):
The previous combination tables are combined with 2 tables, which are combined with 3 tables.
Because different groups may contain the same machine, the permissions for the same machine in different groups may be different.
| ID | Group name | Notes |
|---|---|---|
| Self-Increment ID | Only | Notes Information |
Fortress Machine Account table (and host table many-to-many association, and host Group table many-to-many association):
| ID | User name | Password |
|---|---|---|
| Self-Increment ID | Unique constraint | Encrypted storage |
Audit Log Record table:
| ID | Time | User ID | Host ID | Action Messages |
|---|---|---|---|---|
| Self-Increment ID | Operating time | ID of the associated account table | ID of the associated host table | Action Content |
It's probably a table structure.
Python Automation Development Learning 12-Bastion Machine development
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
