The springboard (jump) machine is used only as an SSH relay, so that the data entering and leaving it, the commands run on it and privileged operations on it can be strictly controlled. The script provides two interface styles, described below.
Function Description:
* 屏蔽用户对跳板机系统进行任何未授权操作
* 查询用户已授权主机,具备权限用户方可连接后台服务器
* 授权命令集合(密钥生成、上传、copy,密码更改等),可根据实际需求自定义
* 此脚本依赖于LDAP用户管理,如无LDAP服务,可自行定义用户和主机组对应关系即可
Interface one: the user is authorized for no more than 20 login hosts
- Log in by selecting the list number on the left for the host shown on the right
- Select the command-list entry to enter the command interface; the commands are described below
Interface two: the user is authorized for more than 20 login hosts
- Select the "IP address" login entry to enter the interface where the IP address is typed
- Select the command-list entry to enter the command interface; the commands are described below
Command descriptions
- ssh-keygen: generate the local machine's SSH public key
- ssh-copy-id: copy the springboard machine's public key to the remote server
- upload-local-key: upload the local public key to the springboard machine so that it can be reached without a password
- passwd: change the password
- exit: at the first level closes the current session; at the second level returns to the previous menu
Note: apart from "upload-local-key", which is a custom command, the other entries run the system commands of the same name.
Full code
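#!/bin/bash
# version: v1.5
# Function: entry control for the springboard (jump) machine
# author: sly chen
# Create date: jun.13 2018
# Put the script in the /etc/profile.d/ directory and add executable permissions.
#
# NOTE(review): a /etc/profile.d hook runs only for shells that read
# /etc/profile (interactive login shells). Sessions that do not, e.g.
# `ssh host command` or sftp, never see this menu; if the jump host must
# enforce the restriction for every session, pair it with an sshd
# ForceCommand or a restricted login shell.
#
# Several `continue` statements below sit outside any loop of this file; they
# rely on the script being sourced from the `for` loop in /etc/profile, where
# `continue` skips the rest of this file (and, for the root check, hands the
# user a normal shell). Inside the menu, `continue` in a helper function
# continues the caller's `select` loop (bash resolves loop control dynamically).
#set -x

# import the system functions (provides `action`)
export LANG=en_US.UTF-8
. /etc/init.d/functions

shell_name=$(basename -- "${BASH_SOURCE[0]}")
shell_name_prefix=${shell_name%.sh}
# NOTE(review): one fixed path under /tmp is shared by every user of the jump
# host: the first user to create the file owns it, later users cannot append to
# it, and its content is readable by all. A root-owned log (e.g. via logger(1))
# would be the safer home for an audit trail.
log_file="/tmp/${shell_name_prefix}.log"

#######################################
# Print the arguments in red / green. %b keeps the `echo -e` behaviour of
# interpreting backslash escapes in the message (PS3 relies on "\n").
#######################################
red() {
  printf '\033[31;40m%b\033[0m\n' "$*"
}
green() {
  printf '\033[32;40m%b\033[0m\n' "$*"
}

#######################################
# Append a timestamped line to the log file.
# Globals:   log_file (read)
# Arguments: $1 - message
#######################################
shell_log() {
  local log_info=$1
  printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "${log_info}" >> "${log_file}"
}

#######################################
# Show the welcome banner for the logged-in user.
# Globals: login_user (read)
#######################################
login_banner() {
  action "${login_user} Login Success" /bin/true
  cat << '_EOF_'
###############################################################################
#                     Welcome use Jumpserver to Login                         #
#  Please contact the system Administrator or Send mail to [email protected]  #
###############################################################################
_EOF_
}

#######################################
# Return 0 if $1 is a dotted-quad IPv4 literal, 1 otherwise.
# Every value handed to ssh / ssh-copy-id passes through here first, so the
# argument can only ever be a host literal (never something ssh would parse
# as an option) — the jump host exists to deny such escapes.
#######################################
is_ipv4() {
  local ip=$1 octet
  local -a octets
  [[ "$ip" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]] || return 1
  IFS=. read -r -a octets <<< "$ip"
  for octet in "${octets[@]}"; do
    # 10# forces decimal so leading zeros are not read as octal
    (( 10#$octet <= 255 )) || return 1
  done
  return 0
}

#######################################
# Query the user's authorized hosts from LDAP and build the menu arrays.
# Globals: login_user, array_objects, array_commands, cmd_list_name,
#          close_bash, ip_custom_name (written)
#######################################
get_hosts_info() {
  login_user=$(whoami)
  # root is exempt from the menu (see the note on `continue` at the top)
  [[ "$login_user" == "root" ]] && continue
  # Shield Ctrl+C
  trap ':' INT
  clear
  # a different user sees a banner with their own name
  login_banner
  # Enter the LDAP API wrapper directory; the user's host list is queried there.
  # The LDAP API relies on openldap-devel python-devel (python-ldap); the GET
  # command relies on perl-libwww-perl:
  #   yum -y install openldap-devel python-devel perl-libwww-perl
  #   https://www.python-ldap.org/en/latest/installing.html#installing-from-source
  # Fail closed: if the query cannot even run, do not continue as if the
  # user had no restrictions.
  cd /data/script/ldap || { red "LDAP query directory is missing"; exit 1; }
  # Strip the Python list syntax ([ ] , ') from the output and drop wildcard /
  # negated entries (* and !), which carry no login permission; the remaining
  # whitespace-separated names become the host array.
  mapfile -t array_objects < <(python ldapadmin.py user hostinfo "${login_user}" \
    | sed "s/\[\|,\|\]\|'//g; /\*\|\!/d" | tr -s '[:space:]' '\n' | sed '/^$/d')
  # the command menu; the first word of each entry is the command to run
  array_commands=(
    "ssh-keygen        --authentication key generation, management and conversion"
    "ssh-copy-id       --locally available keys to authorise logins on a remote machine"
    "upload-local-key  --upload the public key to the jumpserver"
    "passwd            --update user's authentication tokens"
    "exit              --return"
  )
  cmd_list_name="$(green "Execute Command") on Jumpserver."
  close_bash="$(green "Exit Shell")"
  if (( ${#array_objects[@]} == 0 )); then
    # The original tested `-z "${#array[@]}"`, which is never true (the count
    # is always a non-empty string), so the message never showed; the user
    # effectively got a command-only menu. Keep that behaviour, but say so.
    red "No action object is found!"
    array_objects=("${cmd_list_name}")
  elif (( ${#array_objects[@]} > 20 )); then
    # More than 20 hosts: offer a prompt for typing the IP instead of a list.
    ip_custom_name="Type $(green 'IP ADDRESS') to Login."
    array_objects=("${ip_custom_name}" "${cmd_list_name}")
  else
    array_objects+=("${cmd_list_name}")
  fi
}

#######################################
# Validate lan_ip, check reachability, then open the ssh session.
# Globals: lan_ip (read)
#######################################
network_pint_test() {
  if ! is_ipv4 "$lan_ip"; then
    echo "$(red "$lan_ip"): Not a valid IPv4 address"
    continue
  fi
  if ! ping -c 2 "$lan_ip" &>/dev/null; then
    echo "$(red "$lan_ip"): Network is unreachable"
    continue
  fi
  ssh -- "$lan_ip"
}

#######################################
# Delete a stale LDAP host entry (host unknown to the CMDB API) and log it.
# Globals: bridge_url, login_user, object (read)
#######################################
invalid_ldap_host_del() {
  local ldap_host_del
  # An empty intranet IP may only mean the CMDB API is unreachable; check
  # that first so a reachable-but-unknown host is the only case deleted.
  if ! ping -c 2 "${bridge_url}" &>/dev/null; then
    echo "$(red "$bridge_url"): Network is unreachable"
    continue
  fi
  # "sucessfully" is spelled as the tool prints it
  ldap_host_del=$(python ldapadmin.py user hostdel "${login_user}" "${object}" \
    | grep -Eio 'sucessfully' | tr 'A-Z' 'a-z')
  if [[ "${ldap_host_del}" == "sucessfully" ]]; then
    shell_log "${login_user} LDAP delete $(green "$object") sucessfully"
  else
    shell_log "${login_user} LDAP delete $(red "$object") failure"
  fi
}

#######################################
# Look up the intranet IP of $object via the CMDB API (VM first, then
# physical host).
# Globals: bridge_url, object (read); lan_ip (written)
# Returns: 0 with lan_ip holding exactly one address, 1 otherwise (a message
#          is printed). The original called network_pint_test twice on the
#          phyhost path (one extra ssh session); this helper runs it once.
#######################################
resolve_lan_ip() {
  local api
  if ! command -v GET >/dev/null 2>&1; then
    # GET comes from the perl-libwww-perl package
    echo "-bash: $(red "GET"): command not found"
    exit 1
  fi
  for api in vm phyhost; do
    # extract the value of the "lan_ip" field; tolerate whitespace around ':'
    lan_ip=$(GET "http://${bridge_url}/api/${api}?hostname=${object}" \
      | grep -oP '"lan_ip"\s*:\s*"\K[^"]+')
    [[ -n "$lan_ip" ]] && break
  done
  if [[ -z "$lan_ip" ]]; then
    # Unknown to the CMDB: the LDAP host entry is stale, drop it.
    invalid_ldap_host_del
    echo "$(red "$object") not found"
    return 1
  fi
  if (( $(wc -w <<< "$lan_ip") > 1 )); then
    echo "$(red "${object}") Contains multiple IP: $(xargs -n 1 <<< "$lan_ip")"
    return 1
  fi
  return 0
}

#######################################
# Append a public key typed by the user to their own authorized_keys.
# Globals: login_user (read)
#######################################
upload_local_key() {
  local key auth_keys tmp
  auth_keys="/home/${login_user}/.ssh/authorized_keys"
  read -r -p "$(green "Please enter the public key content: ")" key
  if [[ -z "$key" ]]; then
    # the original appended an empty line here
    echo "The KEY is empty."
    return
  fi
  # Accept only what ssh-keygen recognises as a public key, so stray text
  # cannot end up in authorized_keys.
  tmp=$(mktemp) || return
  printf '%s\n' "$key" > "$tmp"
  if ! ssh-keygen -l -f "$tmp" >/dev/null 2>&1; then
    rm -f -- "$tmp"
    echo "The KEY is not a valid public key."
    return
  fi
  rm -f -- "$tmp"
  mkdir -p -m 700 -- "${auth_keys%/*}"
  # exact whole-line match; the original used the key as an unanchored regex
  if [[ -f "$auth_keys" ]] && grep -qxF -- "$key" "$auth_keys"; then
    echo "The KEY already exists."
    return
  fi
  printf '%s\n' "$key" >> "$auth_keys" && chmod 600 -- "$auth_keys"
  printf '\nUpload to complete.\n'
}

#######################################
# Second-level menu: run one of the authorized commands.
# Globals: array_commands (read)
#######################################
command_menu() {
  local cmd_src command ip
  select cmd_src in "${array_commands[@]}"; do
    if [[ -z "${cmd_src}" ]]; then
      red "Invalid command"
      continue
    fi
    command=${cmd_src%% *}
    case "$command" in
      ssh-keygen|passwd)
        "$command"
        ;;
      ssh-copy-id)
        read -r -p "Specify the IP:" ip
        # the value becomes an ssh-copy-id argument: validate it first
        if is_ipv4 "$ip"; then
          ssh-copy-id "$ip"
        else
          echo "$(red "$ip") is not a valid IPv4 address"
        fi
        ;;
      exit)
        break
        ;;
      upload-local-key)
        upload_local_key
        ;;
    esac
  done
}

#######################################
# First-level menu: pick a host (or type an IP) to ssh to, or enter the
# command menu.
# Globals: array_objects, close_bash, cmd_list_name, ip_custom_name (read);
#          bridge_url, lan_ip, object (written)
#######################################
main() {
  local var
  get_hosts_info
  PS3=$(green "\nAccept only list numbers: ")
  bridge_url='bridge.test.com'
  # The outer loop is deliberate: `select` returns on Ctrl+D (EOF), and
  # without it the user would drop into an unrestricted shell.
  while true; do
    select var in "${array_objects[@]}" "${close_bash}"; do
      if [[ -z "$var" ]]; then
        red "Invalid number"
        continue
      fi
      if [[ "$var" == "${ip_custom_name}" ]]; then
        read -r -p "Type $(green 'IP ADDRESS') to Login:" lan_ip
        network_pint_test
      elif [[ "$var" == "${close_bash}" ]]; then
        exit
      elif [[ "$var" == "${cmd_list_name}" ]]; then
        command_menu
      else
        # the entry is a host name: first word only
        object=${var%% *}
        # only hosts in the managed domain are looked up (anchored match;
        # the original `=~ .test.com` was unanchored)
        if [[ "$object" =~ \.test\.com$ ]]; then
          resolve_lan_ip && network_pint_test
        else
          echo "$(red "$var") Hostname does not meet the rule"
        fi
      fi
    done
  done
}
main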
Shell script implementation of enterprise-class simple Springboard machine case