Shell Implementation Board machine, why use a springboard machine

Organized from: http://blog.chinaunix.net/uid-22101889-id-3167454.html

Note: Please use it carefully, so far, I haven't found a way to change it back.

1. Questions

First, many large companies of the server are not allowed to log in directly, but through a springboard machine to log in the past. In a springboard, there are usually only a few commands (such as SSH) that can be executed, and other commands are not allowed, so how do you implement this function?

The second to first small companies, because the server is less, do not need any board, such as the statement, the company's development and operation of the personnel add up also so more than 10 20 people, usually we all know the root password, everyone is direct root login up, but sometimes someone due to mistakes, what services to hang up, At this point is certainly not able to catch people, because everyone knows the password, then how to know who has executed what command? Or simply let them execute a few permissible commands?

2. Solutions

These two requirements, seemingly different, in fact, the principle is the same, as long as the user and the shell to add a detection mechanism can be, you can go online to find some open source software, but if you suspect that the software is too complex, and can not fully meet your needs, then it can be like me, Use your shell to write a simple analog terminal.

In the analog terminal, what you need to do is to provide the user with a virtual terminal that looks like it is true but is not real. What you need to do is to read the user input commands and record them before executing them, thus realizing the recording function in the second requirement above. If you don't want users to execute any of the commands, just echo "Permission denied" can block the user out of the real shell door.

If the user is going to execute a command that you allow, then log a log before executing it. If you set this virtual terminal to execute SSH only, do not implement the function of the springboard in the first question.

so the above two needs, can be summed up as a requirement, that is: to intercept the user's input, between the user and the shell to add a door , and the function of the script is based on the user's different input to take different actions, the length of the script is related to the number of commands required, the more commands required, The more scripts need to judge, the longer the script, but actually do not need to write an action for each command, as long as each kind of write an action on the line, such as: The simplest case, without any parameters of the command, such as: PWD, etc., slightly more complex, such as touch, LS and other commands, At this time need to deal with parameters, and more complex, such as RM, MV and other commands, not only need to deal with parameters, but also to avoid the user mistakenly delete data, and all the above commands, you need to determine whether the user has permissions and so on, the complexity of the script, completely depends on your needs, the following virtual terminal, the implementation of the RM mv Download upload pwd passwd Wait a few commands, if you only implement SSH commands, that is the springboard machine.

3. Implementing the Script

Script Main techniques:

1.echo Color Rendering

2.trap processing Signal

3.stty,dd Turn off Echo and read one character

4. Read the password

5.<<eof in-line input

6. Command Usage logging

7. Pinning the user to a directory

8. Execute a fixed command

# ~/virtual Terminal # Place this file in the/etc/profile.d/directory and add executable permissions. # example:-rwxr-xr-x 1 root root 7340 Oct 18:12/etc/profile.d/vt.sh ############################################################################ # The code at the end of the file, used to implement the virtual terminal used by the user login # do not delete or change # If you have any questions, please contact the Maintenance Manager: xiaoxi227 (QQ451914397) ############################################################################ # The file holds user name and password file format for ==> username: password (one user per line) Passwd_file=/etc/user.password function Red () { # shown in red Echo-e "\033[31;40m$*\033[0m\n" } function Green () { # shown in green Echo-e "\033[32;40m$*\033[0m\n" } # Ignore all signals to prevent users from using CTRL + C or CTRL + Z to exit virtual Terminal (VT) For signal in ' SEQ 1 64 ' Do Trap: $signal &>/dev/null Done Clear function GetChar () # Turn off echo to enter a password { Stty Cbreak-echo DD If=/dev/tty Bs=1 count=1 2>/dev/null Stty-cbreak Echo } ############################################################################### Green "Login is successful. "# User Displays" login success "after UNIX Pam authentication, followed by authentication While: Do Read-p "Please enter user name:" username Echo-n "Please enter your password:" While: Do ret=$ (GetChar) If [x "$ret" = X ""];then Echo Break Fi passwd= "$PASSWD $ret" Echo-n ' * ' Done correct_passwd=$ (gawk-f: "/$username/{print \$2}" $passwd _file) If [-z] $username "-o-z" $passwd "];then Clear Red "User name or password cannot be empty" Continue Fi input_password=$ (echo $passwd | md5sum | gawk ' {print $} ') If [x ' $input _password "! = X" $correct _passwd "];then Clear Red "User name or password is wrong, please re-enter" Else Break Fi Done Title= " ################################################################################## ############################## Virtual Terminal ################################## ################################################################################## " Cat | More <<eof $title Instructions for use: Welcome to Virtual Terminal (Vsan Terminal, hereinafter referred to as VT). In this mode, the user can only execute a small number of commands that are allowed to execute, and the other commands will be denied execution. The commands and functions supported by this mode are as follows: CD <DIR> Enter <DIR> directory, provided that the user has permission to enter the directory. The LS function is the same as the LS command in the system, but only the files in the directory with Read permissions can be displayed. This command supports parameters that can be used by the LS command in the system in VT mode. MV <SRC> <DST> Move file <SRC> to <dst> If the path is the same, it means renaming. Users must have read and write access to both <SRC> and <DST>. RM <FILE> Remove <FILE> from the system. When <FILE> is a directory, it will recursively delete all subdirectories and files under subdirectories. The PWD displays the current working path. Download <FILELIST> Download <FILELIST> to this machine When you run this command, the terminal that the user uses must support the Zmodem protocol, such as SECURECRT. To download multiple files, separate each file with a space. If the downloaded file is a directory, the system will automatically pack it and download it. Upload upload files to the system, after running this command, the terminal will pop up a dialog box, press the prompt to select the file upload. Note: When you run this command, the terminal that the user uses must support the Zmodem protocol, such as SECURECRT. passwd to modify your login password For additional features, contact your administrator, VT Maintenance Manager: xiaoxi227 (qq:451914397) $title Eof ECHO-E "Currently logged on User: \033[32;40m$username\033[0m" Logfile=/var/log/vt.log function run () # This is used to execute commands for the user and log log { Local command= "[email protected]" { Echo-n-E "\033[32;40m$username\033[0m\033[7g--" Echo-n-E "\033[31;40m ' Date ' +%y-%m-%d%h:%m:%s '--\033[0m$command" Echo } | Sed ' s/sz/download/g;s/rz/upload/g ' >> $logfile $command } # usually developers need to deploy a program that is in the same directory, so specify the root directory for it, and limit the permissions to that directory only. ROOT_DIR=/USR # In this example using the/USR directory test CD $ROOT _dir # Enter the user's "root directory" While: # dead loop Read user input Do # The hostname is written as "localhost" and you can write $hostname, so the hostname will be displayed. READ-E-P "[${username}localhost ${pwd##*/}]$" REPLY # as the above statement simulates the creation of a shell prompt (actually fake) # Separating commands and parameters command=$ (echo $REPLY | gawk ' {print $} ') option=$ (echo $REPLY | sed-r "s/^ $COMMAND//g;s/^[[:space:]]+//g") # Determine what commands to execute, and set different actions based on different commands. Here are a few of the commands implemented in this example: Case $COMMAND in CD|LS) # when the CD command is executed and the parameter is empty, the default CD is to the root directory, and the behavior is consistent with the CD command in the system. If [x "$OPTION" = X ""-A X "$COMMAND" = x "CD"];then CD $ROOT _dir Continue Fi # determine if the first character of the parameter is not "/", if not, the description wants the CD or LS to be relative to the path. # This is the current directory of the file live directory, at this time the user is authorized. First_char=${option:0:1} If [x ' $first _char "! = X"/"];then Run $REPLY Else # if it is an absolute path, then determine if the path starts with $root_dir, or if the user is not prompted. echo $OPTION | grep-q ^ $ROOT _dir If [$?-eq 0];then Run $REPLY Else echo "$COMMAND: Permission denied." >&2 Fi Fi ;; # Other supported parameters: RM, MV, PWD, passwd and so on, do not write comments, understand it. RM|MV) If [x "$COMMAND" = X "rm"];then rm= '-rf '; else rm= '; fi Run= ' OK ' For _file in $OPTION Do echo $_file | Grep-q '-' [$?-eq 0] && { Red "This command does not support parameters in VT mode"; Continue } echo $_file | grep-q ^ $ROOT _dir Ret=$? First_char=${_file:0:1} If [x "$first _char" = x "/"];then If [$ret-ne 0];then run= ' Not OK ' Fi Fi Done If [x "$run" = x "OK"];then Run $COMMAND $RM $OPTION Else echo "$COMMAND: Permission denied." >&2 Fi ;; Pwd Run $REPLY ;; Upload Run RZ ;; Download For _file in $OPTION Do if [!-D $_file];then echo "Start download file: $_file" Run SZ $_file [$?-eq 0] && green "Download Complete" | | Red "Download Failed" Else echo "${_file} is a directory that is being packaged as a ${_file}.tar" TAR-CF ${_file}.tar $_file [$?-eq 0] && Green "package complete, start download ${_file}.tar" \ || {Red "package failed to download"; continue;} Run SZ ${_file}.tar [$?-eq 0] && { Green "Download Complete" echo "Deleting packaged Files" RM-RF ${_file}.tar [$?-eq 0] && Green "Delete succeeded" \ || Red "Delete Failed" } || Red "Download Failed" Fi Done ;; passwd READ-E-s-p "Please enter your old password:" old_passwd echo ' ****** ' old_passwd=$ (echo $old _passwd | md5sum | gawk ' {print $} ') If [x ' $old _passwd "! = X" $correct _passwd "];then Red "Password input error" Continue Else READ-E-s-p "Please enter a new password:" New_passwd1 echo ' ****** ' READ-E-s-p "Please repeat the new password:" New_passwd2 echo ' ****** ' If [x ' $new _passwd1 "! = X" $new _passwd2 "];then Red "Two input passwords are inconsistent" Continue Else new_passwd=$ (echo $new _passwd1 | md5sum | gawk ' {print $} ') Sed-i "/$username/s/.*/$username: $new _passwd/g" $passwd _file Fi Fi ;; "") Continue ;; *) echo "-bash: $COMMAND: COMMAND not Found" >&2 ;; Esac Done

Shell Implementation Board machine, why use a springboard machine