Installing GateOne and connecting to SSH through it were covered in detail in the previous post: Installing GateOne on a fresh CentOS 7.
This post records how to add API authentication to GateOne step by step inside a web application, so that users no longer have to enter the SSH target address, port, username and password when logging in, and finally how to embed GateOne into the web application.
First, it must be stressed that GateOne reads its configuration from two locations: when the service is started with service it uses the files in /etc/gateone/conf.d/, while when it is started from the command line it uses the files in GateOne/conf.d. To avoid a mismatch between the way the service was started and the configuration it picks up, keep the configuration files in both paths in sync.
Edit 20authentication.conf:
# switch to api
"auth": "api",
Command to create a key/secret pair for the API:
gateone --new_api_key
Output:
[root@bhgyy-gateone GateOne]# gateone --new_api_key
[W 180913 09:45:12 locale:61] No translation found for locale: zh_CN
[W 180913 09:45:12 locale:61] No translation found for locale: zh_CN
[W 180913 09:45:12 locale:61] No translation found for locale: zh_CN
[W 180913 09:45:12 locale:61] No translation found for locale: zh_CN
[W 180913 09:45:12 locale:61] No translation found for locale: zh_CN
[W 180913 09:45:12 locale:61] No translation found for locale: zh_CN
[W 180913 09:45:12 locale:61] No translation found for locale: zh_CN
[W 180913 09:45:12 app_terminal:2806] dtach command not found. dtach support has been disabled.
[W 180913 09:45:12 locale:61] No translation found for locale: zh_CN
[W 180913 09:45:12 locale:61] No translation found for locale: zh_CN
[W 180913 09:45:12 locale:61] No translation found for locale: zh_CN
[W 180913 09:45:12 locale:61] No translation found for locale: zh_CN
[I 180913 09:45:12 server:4182] Gate One License: AGPLv3 (http://www.gnu.org/licenses/agpl-3.0.html)
[I 180913 09:45:12 server:4191] Imported applications: Terminal
[I 180913 09:45:12 server:4326] A new API key has been generated: NDEzNTkwMTRlMBIYihgjGiGlukYzdlMmU0OTYyNmUzOTM
[I 180913 09:45:12 server:4328] This key can now be used to embed Gate One into other applications.
A file 30api_keys.conf is then created in /etc/gateone/conf.d/ holding the generated key/secret pairs; every run of the command inserts a new record. The key and secret in this file are what the application uses:
// This file contains the key and secret pairs used by Gate One's API authentication method.
{
    "*": {
        "gateone": {
            "api_keys": {
                "YTMwNzExYWY3YjRmNDE4NDg3ODZmOGE3NDJlMzQ3NTZjO": "Y2M2OTMyMjU3YTA0NDE3NmFkYzhmMDUxNGQzNWQ1MDMwM",
                "ZWRlOWNlMGUzNjQ1NDE5Mzk0MTc2ZWJjOTM2MzRmMzU1Y": "ZWVhYTVkYTliYWZiNGFlNDgzYWVjYTFmOGVhNjllYzIwZ",
                "OGQ0YjczMGE3YWJhNDQ3OWFmNGY0ZmM4Y2IxYjdmNjIyY": "OGQ1YTQyNjg2YjUyNGUzYmJhOTAyNmQ1YmYwMmY2ZjI5Y",
                "MjgwMmI1MWNlZDdlNGM2YTkwZTFmOGJjOTc1Mzg3MTNlY": "MTU1OGViZjJiZTU5NDY4NWI2MTMyZDI5NWI1MDYzOWVkO",
                "NDEzNTkwMTRlMBIYihgjGiGlukYzdlMmU0OTYyNmUzOTM": "YWY3OGE2OGRiYjdmNDdkM2E5ZTJjODMxNTEyYWViNTExN",
                "YTExYjhlODUwMzllNGUwMjk1ZmFhZDI5ZjBkOTY4ZDdhN": "NzVlN2ViMDdhYjcwNDYzZDg3OTM0YTU3M2I5ZDZhNTE4N"
            }
        }
    }
}
Once authentication is enabled, an application without an api_key can no longer use the GateOne service.
Creating the Django project and configuring the routes in urls.py is skipped here. In views.py, add a key/secret pair from 30api_keys.conf, sign the request with HMAC-SHA1 (hashlib.sha1), set the jump host IP and the target server IP, and add the username used for passwordless login. (For confidentiality, the secrets, SSH addresses and other sensitive values in the code have been altered; the same applies below.)
# -*- coding: utf-8 -*-
from __future__ import unicode_literals
from django.shortcuts import render
import hmac
import hashlib
import time


def create_signature(secret, *parts):
    # HMAC-SHA1 over api_key + upn + timestamp, hex encoded, as GateOne's API auth expects
    mac = hmac.new(key=secret.encode('utf-8'), digestmod=hashlib.sha1)
    for part in parts:
        mac.update(str(part).encode('utf-8'))
    return mac.hexdigest()


# Create your views here.
def index(request):
    api_key = "ZWRlOWNlMGUzNjQ1hFiLtdGKYc2ZWJjOTM2MzRmMzU1Y"
    api_secret = "ZWVhYTVkYTliYWZiNGFlNDgzYWVjYTFmOGVhNjllYzIwZ"
    gateone_owner = "Joe"
    # millisecond timestamp; GateOne rejects signatures whose timestamp is stale
    timestamp = str(int(time.time() * 1000))
    signature = create_signature(api_secret, api_key, gateone_owner, timestamp)
    login_user = "geletet1"
    gateone_url = "https://172.16.6.166:66"
    # SSH target; the host is assumed to be the 192.166.1.66 machine set up with ssh-copy-id below
    ssh_url = "ssh://%s@192.166.1.66" % login_user
    return render(request, "main/index.html", {
        "api_key": api_key,
        "timestamp": timestamp,
        "signature": signature,
        "gateone_url": gateone_url,
        "ssh_url": ssh_url,
        "upn": gateone_owner,
    })
The code above already configures the SSH address to log into automatically. For passwordless SSH login, generate a key pair with ssh-keygen and upload the resulting id_rsa.pub to the other machine (192.166.1.66):
ssh-keygen
ssh-copy-id -i ~/.ssh/id_rsa.pub root@192.166.1.66
The current machine should now be able to log into that machine directly.
To log in without a password from within GateOne, however, the following configuration is also needed. Each user has a directory under /var/lib/gateone/users; since the Django project above set gateone_owner = "Joe", GateOne creates a user directory named "Joe" for it. Copy the key pair into that user's .ssh directory and list id_rsa in .default_ids as the identity to use by default:
cd /var/lib/gateone/users/feng/.ssh
cp /home/feng/.ssh/id* .
echo id_rsa > ./.default_ids
Configuration reference
In the HTML page that needs to embed the GateOne service, include gateone.js and pass the authentication data into the page:
<script src="https://172.16.6.166:66/static/gateone.js"></script>
<div id="gateone_container" style="width: 60em; height: 30em;">
    <div id="testdiv"></div>
</div>
<script type="text/javascript">
window.onload = function() {
    // Initialize Gate One with the auth object rendered by the Django view:
    var auth2 = {
        'api_key': '{{api_key}}',
        'timestamp': '{{timestamp}}',
        'api_version': '1.0',
        'upn': '{{upn}}',
        'signature': '{{signature}}',
        'signature_method': 'HMAC-SHA1'
    };
    GateOne.init({
        auth: auth2,
        url: 'https://172.16.6.166:66',
        autoConnectURL: '{{ssh_url}}',
        goDiv: '#testdiv',
        showToolbar: true
    });
    GateOne.Net.autoConnect();
};
</script>
With that, the GateOne service with API authentication and automatic login is embedded in the web application.