http://liftoff.github.io/GateOne/Developer/embedding_api_auth.html
https://github.com/liftoff/GateOne/issues/239
接上篇GateOne Web SSH环境搭建,使用GateOne 1.2配置
配置API验证
修改20authentication.conf:
# 修改为api
"auth": "api",
创建API Key/Secret(官方文档是./gateone.py --new_api_key,死活找不到gateone.py,这个是1.1版本中的,如果你使用这里的rpm安装,应该是有的):
feng@ubuntu:~/Desktop$ sudo gateone --new_api_key
[sudo] password for feng:
[W 170427 20:34:57 app_terminal:2806] dtach command not found. dtach support has been disabled.
[I 170427 20:34:58 server:4179] Gate One License: AGPLv3 (http://www.gnu.org/licenses/agpl-3.0.html)
[I 170427 20:34:58 server:4188] Imported applications: Terminal
[I 170427 20:34:58 server:4323] A new API key has been generated: YTRjMzBkMzNjMTkxNGExMWFmYmRkZDI0Yjg1OWM3YWMyM
[I 170427 20:34:58 server:4325] This key can now be used to embed Gate One into other applications.
此时配置文件目录下,会生成**30api_keys.conf **文件,该文件中的key-secret会在应用中使用:
{
"*": {
"gateone": {
"api_keys": {
"YTRjMzBkMzNjMTkxNGExMWFmYmRkZDI0Yjg1OWM3YWMyM": "MTEzYjQ3MTM5NDk4NDkyNmEwMjc4NjAwODViNjNlN2E0N"
}
}
}
}
开启API验证后,不能再直接访问GateOne
创建应用,嵌入GateOne
应用嵌入GateOne,Controller代码(这里使用JFinal,使用SpringMVC的简单修改即可):
package com.demo.sso.controller;
import java.util.Calendar;
import org.apache.commons.codec.digest.HmacUtils;
import com.jfinal.core.Controller;
public class GateOneController extends Controller {
private static final String key = "YTRjMzBkMzNjMTkxNGExMWFmYmRkZDI0Yjg1OWM3YWMyM";
private static final String secret = "MTEzYjQ3MTM5NDk4NDkyNmEwMjc4NjAwODViNjNlN2E0N";
private static final String GATE_ONE_OWNER = "feng";
public void index() {
Calendar c = Calendar.getInstance();
String timestamp = c.getTimeInMillis() + "";
String signature = generate(key, GATE_ONE_OWNER, timestamp);
setAttr("timestamp", timestamp);
setAttr("signature", signature);
setAttr("api_key", key);
setAttr("upn", GATE_ONE_OWNER);
setAttr("gateoneUrl", "http://localhost");
setAttr("sshUrl", "ssh://[email protected]");
render("/WEB-INF/pages/sso.jsp");
}
private static String generate(String apiKey, String username, String timestamp) {
String body = apiKey + username + timestamp;
return HmacUtils.hmacSha1Hex(secret, body);
}
}
JSP页面:
<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%>
SSO
hello gate one
自动登陆的配置
http://blog.chinaunix.net/uid-26284395-id-2949145.html
上面代码中,已经配置了自动登陆的SSH地址,要做到不输密码直接SSH登陆,需要用ssh-keygen来生成公私钥,将生成的id_rsa.pub上传到另外一台机(192.168.1.97)。
ssh-keygen
ssh-copy-id -i ~/.ssh/id_rsa.pub [email protected]
此时在终端ssh应该能够直接访问另外一台,无需输入密码:
ssh [email protected]
但是在要GateOne中免密码直接登陆,还需要做以下配置:
找到user目录,10server.conf配置文件中有
将id_rsa复制到用户的.ssh目录下(这里为什么是feng这个用户,是和上面JAVA代码中GATE_ONE_OWNER = "feng"; 相呼应的)
cd /var/lib/gateone/users/feng/.ssh
cp /home/feng/.ssh/id* .
echo id_rsa > ./.default_ids
这里的配置可以参考 issues#239
至此,当访问应用后,出现以下画面,点击图标,即可自动登陆
PS:
作者多次提到的以下两种方式自动登陆,我始终没有配置成功:
https://your-gateone-server/?ssh=ssh://user@somehost/
https://your-gateone-server/?terminal_cmd=somecmd
简单提一下terminal_cmd这种方式,修改50terminal.conf加入shell命令,这个shell的内容就是直接ssh登陆另外一台机。
然后访问http://localhost:80/?terminal_cmd=loginrt, 页面总是提示如下信息:
An SSL certificate must be accepted by your browser to continue. Please click here to be redirected.
应该是需要接受证书,具体如何用这种方式自动登陆,如果有人知道,烦请赐教。
