Implementing a springboard (jump) machine in shell, and why use one

Source: Internet
Author: User
Tags: log

Organized from: http://blog.chinaunix.net/uid-22101889-id-3167454.html

Note: Please use it carefully; so far, I haven't found a way to change it back.

1. Problems

First, in many large companies the servers may not be logged into directly; you log in through a springboard machine. On the springboard only a few commands (such as ssh) may be executed, and every other command is refused. How do you implement that?

Second, small companies: because there are few servers, no springboard is used. Take my company as an example: the development and operations staff together number only ten or twenty people, everyone knows the root password, and everyone logs in directly as root. Occasionally someone makes a mistake and takes some service down, and at that point nobody can be held responsible, because everyone knows the password. So how do you find out who executed which command? Or simply restrict them to a few permitted commands?

2. Solutions

These two requirements look different but rest on the same principle: add a checking mechanism between the user and the shell. You can find open-source software for this online, but if you feel that software is too complex or does not fully meet your needs, you can do as I did and write a simple simulated terminal in shell.

In the simulated terminal, what you give the user is a virtual terminal that looks real but is not. What you have to do is read the commands the user types and record them before executing them; that realises the auditing function of the second requirement. If you do not want the user to execute a command at all, a simple echo "Permission denied" keeps the user outside the door of the real shell.

If the user is about to execute a command that you allow, write a log entry first and then execute it. And if you configure the virtual terminal to allow only ssh, you have implemented the springboard machine from the first problem.

So the two needs reduce to one requirement: intercept the user's input by placing a door between the user and the shell. The script takes different actions depending on what the user types, so its length grows with the number of commands it has to support: the more commands, the more cases the script must judge. In practice you do not need an action for every command, only one per kind of command. The simplest kind takes no parameters, such as pwd. Slightly more complex are commands such as touch and ls, where parameters have to be handled. More complex still are rm and mv, which need parameter handling and also protection against the user deleting data by mistake. For all of these commands you also have to decide whether the user has permission. How complex the script gets depends entirely on your needs. The virtual terminal below implements rm, mv, download, upload, pwd, passwd and a few other commands; if you implement only the ssh command, you have a springboard machine.

3. Implementing the Script

Main techniques used in the script:

1. echo colour output

2. trap for signal handling

3. stty and dd to turn off echo and read a single character

4. Reading the password

5. <<EOF here-document input

6. Command usage logging

7. Pinning the user to a directory

8. Executing a fixed command

# Virtual terminal
# Place this file in the /etc/profile.d/ directory and give it execute permission.
# example: -rwxr-xr-x 1 root root 7340 Oct 18:12 /etc/profile.d/vt.sh
############################################################################
# The code in this file implements the virtual terminal that users get
# after logging in. Do not delete or change it.
# If you have any questions, please contact the maintainer: xiaoxi227 (QQ 451914397)
############################################################################
# The file that holds user names and password hashes.
# Format: username:md5hash (one user per line; the hash is an unsalted md5sum of the password, as below)
passwd_file=/etc/user.password

function red()
{
    # print the arguments in red
    echo -e "\033[31;40m$*\033[0m\n"
}

function green()
{
    # print the arguments in green
    echo -e "\033[32;40m$*\033[0m\n"
}

# Ignore all signals so that the user cannot leave the virtual terminal (VT) with Ctrl+C or Ctrl+Z
for signal in `seq 1 64`
do
    trap : $signal &>/dev/null
done
clear

function getchar()   # turn off echo and read one character (used for password entry)
{
    stty cbreak -echo
    dd if=/dev/tty bs=1 count=1 2>/dev/null
    stty -cbreak echo
}

###############################################################################
green "Login is successful."   # the user has passed UNIX PAM authentication; VT authentication follows
while :
do
    read -p "Please enter user name:" username
    echo -n "Please enter your password:"
    passwd=""                  # reset so a failed attempt does not carry over into the next one
    while :
    do
        ret=$(getchar)
        if [ x"$ret" = x"" ];then    # Enter: command substitution strips the newline, so ret is empty
            echo
            break
        fi
        passwd="$passwd$ret"
        echo -n '*'
    done
    # look up the stored hash; match the whole user name field, not a substring of the file
    correct_passwd=$(gawk -F: -v u="$username" '$1==u{print $2}' $passwd_file)
    if [ -z "$username" -o -z "$passwd" ];then
        clear
        red "User name or password cannot be empty"
        continue
    fi
    input_password=$(echo $passwd | md5sum | gawk '{print $1}')
    if [ x"$input_password" != x"$correct_passwd" ];then
        clear
        red "User name or password is wrong, please re-enter"
    else
        break
    fi
done

title="
##################################################################################
############################## Virtual Terminal ##################################
##################################################################################
"

cat <<EOF | more
$title
Instructions for use:
    Welcome to the Virtual Terminal (hereinafter VT).
    In this mode the user can only execute a small number of permitted commands; all other commands are refused.
    The commands supported in this mode are:
    cd <DIR>        Enter directory <DIR>, provided the user has permission to enter it.
    ls              Same as the system ls command, but only files in directories the user can read are shown.
                    The parameters of the system ls command can be used in VT mode.
    mv <SRC> <DST>  Move file <SRC> to <DST>; if the path is the same this is a rename.
                    The user must have read and write access to both <SRC> and <DST>.
    rm <FILE>       Remove <FILE> from the system.
                    When <FILE> is a directory, all subdirectories and the files in them are deleted recursively.
    pwd             Display the current working path.
    download <FILELIST>
                    Download <FILELIST> to this machine.
                    The terminal the user is using must support the Zmodem protocol (for example SecureCRT).
                    To download several files, separate them with spaces.
                    If a file to download is a directory, the system packs it automatically before downloading.
    upload          Upload files to the system. After running this command the terminal pops up a dialog;
                    follow the prompt to select the file to upload.
                    Note: the terminal the user is using must support the Zmodem protocol (for example SecureCRT).
    passwd          Change your login password.
    For additional features contact the administrator. VT maintainer: xiaoxi227 (QQ 451914397)
$title
EOF

echo -e "Currently logged on user: \033[32;40m$username\033[0m"

logfile=/var/log/vt.log

function run()   # execute a command for the user, writing a log record first
{
    local command="$@"
    {
        echo -n -e "\033[32;40m$username\033[0m\033[7G--"
        echo -n -e "\033[31;40m`date '+%Y-%m-%d %H:%M:%S'`--\033[0m$command"
        echo
    } | sed 's/sz/download/g;s/rz/upload/g' >> $logfile
    $command
}

# Developers usually deploy into one directory, so give the user a "root directory" and confine them to it.
ROOT_DIR=/usr      # the /usr directory is used for testing in this example
cd $ROOT_DIR       # enter the user's "root directory"

while :            # endless loop reading user input
do
    # The hostname is written as "localhost"; use $HOSTNAME instead if you want the real hostname shown.
    read -e -p "[${username}@localhost ${PWD##*/}]$ " REPLY
    # The line above simulates a shell prompt (it is fake).
    # Separate the command from its parameters
    COMMAND=$(echo $REPLY | gawk '{print $1}')
    OPTION=$(echo $REPLY | sed -r "s/^$COMMAND//g;s/^[[:space:]]+//g")
    # Decide what to execute, with a different action for each command. This example implements the following:
    case $COMMAND in
    cd|ls)
        # cd with no parameter goes to the root directory, like the system cd command.
        if [ x"$OPTION" = x"" -a x"$COMMAND" = x"cd" ];then
            cd $ROOT_DIR
            continue
        fi
        # If the parameter does not start with "/", it is a path relative to the current directory,
        # where the user is already authorised.
        first_char=${OPTION:0:1}
        if [ x"$first_char" != x"/" ];then
            run $REPLY
        else
            # An absolute path must start with $ROOT_DIR, otherwise the user is refused.
            echo $OPTION | grep -q ^$ROOT_DIR
            if [ $? -eq 0 ];then
                run $REPLY
            else
                echo "$COMMAND: Permission denied." >&2
            fi
        fi
        # A relative path such as ".." can still leave the root directory; if that happened, go back.
        case "$PWD" in
            $ROOT_DIR|$ROOT_DIR/*) ;;
            *) cd $ROOT_DIR; echo "cd: Permission denied." >&2 ;;
        esac
        ;;
    # The other supported commands (rm, mv, pwd, passwd and so on) follow the same pattern.
    rm|mv)
        if [ x"$COMMAND" = x"rm" ];then RM='-rf'; else RM=''; fi
        allowed='OK'
        for _file in $OPTION
        do
            echo $_file | grep -q '-'
            [ $? -eq 0 ] && {
                red "This command does not support options in VT mode"
                allowed='Not OK'     # a rejected argument must block the whole command
                continue
            }
            echo $_file | grep -q ^$ROOT_DIR
            ret=$?
            first_char=${_file:0:1}
            if [ x"$first_char" = x"/" ];then
                if [ $ret -ne 0 ];then
                    allowed='Not OK'
                fi
            fi
        done
        if [ x"$allowed" = x"OK" ];then
            run $COMMAND $RM $OPTION
        else
            echo "$COMMAND: Permission denied." >&2
        fi
        ;;
    pwd)
        run $REPLY
        ;;
    upload)
        run rz
        ;;
    download)
        for _file in $OPTION
        do
            if [ ! -d $_file ];then
                echo "Start download file: $_file"
                run sz $_file
                [ $? -eq 0 ] && green "Download complete" || red "Download failed"
            else
                echo "${_file} is a directory; packing it as ${_file}.tar"
                tar -cf ${_file}.tar $_file
                [ $? -eq 0 ] && green "Packing complete, starting download of ${_file}.tar" \
                    || { red "Packing failed, download aborted"; continue; }
                run sz ${_file}.tar
                [ $? -eq 0 ] && {
                    green "Download complete"
                    echo "Deleting the packed file"
                    rm -rf ${_file}.tar
                    [ $? -eq 0 ] && green "Delete succeeded" || red "Delete failed"
                } || red "Download failed"
            fi
        done
        ;;
    passwd)
        read -e -s -p "Please enter your old password:" old_passwd
        echo '******'
        old_passwd=$(echo $old_passwd | md5sum | gawk '{print $1}')
        if [ x"$old_passwd" != x"$correct_passwd" ];then
            red "Password input error"
            continue
        else
            read -e -s -p "Please enter a new password:" new_passwd1
            echo '******'
            read -e -s -p "Please repeat the new password:" new_passwd2
            echo '******'
            if [ x"$new_passwd1" != x"$new_passwd2" ];then
                red "The two passwords do not match"
                continue
            else
                new_passwd=$(echo $new_passwd1 | md5sum | gawk '{print $1}')
                sed -i "/^$username:/s/.*/$username:$new_passwd/" $passwd_file
                correct_passwd=$new_passwd   # keep the in-memory hash in step with the file
            fi
        fi
        ;;
    "")
        continue
        ;;
    *)
        echo "-bash: $COMMAND: command not found" >&2
        ;;
    esac
done
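As an added example that is not part of the original script, here is a stricter version of the directory-pinning check used by the cd, ls, rm and mv branches above. The script only tests whether an absolute path begins with $ROOT_DIR, so a relative path such as ".." or a sibling directory such as /usr2 is not caught; this function first normalises the path against the current directory and then requires it to be the root itself or lie below it. The function name vt_path_allowed and the sample paths are my own.

```shell
#!/bin/sh
# Added example: path confinement check for a restricted shell like the VT above.
# vt_path_allowed ROOT TARGET CWD -> exit status 0 if TARGET (absolute, or relative
# to CWD) normalises to ROOT or to a path below ROOT, 1 otherwise.
# Symbolic links are not resolved here: a link under ROOT that points outside it
# still needs realpath-style resolution before this check.
vt_path_allowed() {
    root="$1"; target="$2"; cwd="$3"
    # make the target absolute
    case "$target" in
        /*) rest="$target" ;;
        *)  rest="$cwd/$target" ;;
    esac
    # walk the path component by component, collapsing "", "." and ".."
    norm=""
    while [ -n "$rest" ]; do
        comp="${rest%%/*}"
        if [ "$comp" = "$rest" ]; then rest=""; else rest="${rest#*/}"; fi
        case "$comp" in
            ''|'.') ;;                       # empty (double slash) or current dir: skip
            '..')   norm="${norm%/*}" ;;     # parent: drop the last component, never above "/"
            *)      norm="$norm/$comp" ;;
        esac
    done
    norm="${norm:-/}"
    # require ROOT itself or ROOT followed by a separator, so /usr2 does not pass for /usr
    case "$norm" in
        "$root"|"$root"/*) return 0 ;;
        *)                 return 1 ;;
    esac
}

# Constructed demo: the decisions the VT would make for a few inputs with ROOT_DIR=/usr
# while the user sits in /usr/local
ROOT_DIR=/usr
for req in "/usr/local" "lib/../../etc" "/usr2/bin" ".." "../../etc/passwd"; do
    if vt_path_allowed "$ROOT_DIR" "$req" /usr/local; then
        echo "allow  $req"
    else
        echo "deny   $req"
    fi
done
```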
