GateOne配置API认证、SSH自动登录、用户免密登录及Web应用嵌入

GateOne的安装与远程连接SSH在上一篇博客中已经有详细过程，传送门：全新CentOS7上GateOne的安装。
今天记录的是GateOne在Web应用中逐步添加API认证、取消掉用户登录需要输入SSH目标地址、端口以及账号密码的过程，最后将记录如何将GateOne嵌入Web应用。

配置API认证

开启API认证

首先需要强调的是，GateOne配置文件位于两个位置：
使用service启动服务情况下默认使用/etc/gateone/conf.d/目录中的配置文件，
使用命令行启动服务跑的是GateOne/conf.d目录中的配置，
为了不会出现启动服务方式与配置文件不匹配的问题，建议同步配置两个路径下的配置文件。
修改20authentication.conf：

# 修改为api
"auth": "api",

为API创建key-secret对命令：

gateone --new_api_key

生成结果：

[root@bhgyy-gateone GateOne]# gateone --new_api_key
[W 180913 09:45:12 locale:61] No translation found for locale: zh_CN
[W 180913 09:45:12 locale:61] No translation found for locale: zh_CN
[W 180913 09:45:12 locale:61] No translation found for locale: zh_CN
[W 180913 09:45:12 locale:61] No translation found for locale: zh_CN
[W 180913 09:45:12 locale:61] No translation found for locale: zh_CN
[W 180913 09:45:12 locale:61] No translation found for locale: zh_CN
[W 180913 09:45:12 locale:61] No translation found for locale: zh_CN
[W 180913 09:45:12 app_terminal:2806] dtach command not found.  dtach support has been disabled.
[W 180913 09:45:12 locale:61] No translation found for locale: zh_CN
[W 180913 09:45:12 locale:61] No translation found for locale: zh_CN
[W 180913 09:45:12 locale:61] No translation found for locale: zh_CN
[W 180913 09:45:12 locale:61] No translation found for locale: zh_CN
[I 180913 09:45:12 server:4182] Gate One License: AGPLv3 (http://www.gnu.org/licenses/agpl-3.0.html)
[I 180913 09:45:12 server:4191] Imported applications: Terminal
[I 180913 09:45:12 server:4326] A new API key has been generated: NDEzNTkwMTRlMBIYihgjGiGlukYzdlMmU0OTYyNmUzOTM
[I 180913 09:45:12 server:4328] This key can now be used to embed Gate One into other applications.

此时/etc/gateone/conf.d/目录下会生成30api_keys.conf文件，记录有生成的key-secret对，每执行一次就会插入一条新纪录，该文件中的key-secret会在应用中使用：

// This file contains the key and secret pairs used by Gate One's API authentication method.
{
    "*": {
        "gateone": {
            "api_keys": {
                "YTMwNzExYWY3YjRmNDE4NDg3ODZmOGE3NDJlMzQ3NTZjO": "Y2M2OTMyMjU3YTA0NDE3NmFkYzhmMDUxNGQzNWQ1MDMwM",
                "ZWRlOWNlMGUzNjQ1NDE5Mzk0MTc2ZWJjOTM2MzRmMzU1Y": "ZWVhYTVkYTliYWZiNGFlNDgzYWVjYTFmOGVhNjllYzIwZ",
                "OGQ0YjczMGE3YWJhNDQ3OWFmNGY0ZmM4Y2IxYjdmNjIyY": "OGQ1YTQyNjg2YjUyNGUzYmJhOTAyNmQ1YmYwMmY2ZjI5Y",
                "MjgwMmI1MWNlZDdlNGM2YTkwZTFmOGJjOTc1Mzg3MTNlY": "MTU1OGViZjJiZTU5NDY4NWI2MTMyZDI5NWI1MDYzOWVkO",
                "NDEzNTkwMTRlMBIYihgjGiGlukYzdlMmU0OTYyNmUzOTM": "YWY3OGE2OGRiYjdmNDdkM2E5ZTJjODMxNTEyYWViNTExN",
                "YTExYjhlODUwMzllNGUwMjk1ZmFhZDI5ZjBkOTY4ZDdhN": "NzVlN2ViMDdhYjcwNDYzZDg3OTM0YTU3M2I5ZDZhNTE4N"
            }
        }
    }
}

开启认证后没有api_key的应用将不能再使用GateOne服务：

认证应用+简化登录流程

创建django项目，在urls.py中配置路由就不提了，在views.py中加入30api_keys.conf文件中的key-secret对，用hashlib.sha1算法加密，设定了跳板机IP和目标服务器IP，加入免密登录的用户名：（为保密，代码中密钥和SSH地址等关键信息做了改动处理，以下皆同）

# -*- coding: utf-8 -*-
from __future__ import unicode_literals

from django.shortcuts import render
import hmac,hashlib
import base64
import time
# Create your views here.
def index(request):
    api_key = "ZWRlOWNlMGUzNjQ1hFiLtdGKYc2ZWJjOTM2MzRmMzU1Y"
    api_secret = "ZWVhYTVkYTliYWZiNGFlNDgzYWVjYTFmOGVhNjllYzIwZ"
    gateone_owner = "Joe"

    timestamp = str(int(time.time()*1000))
    signature = create_signature(api_secret,api_key,gateone_owner,timestamp)

    login_user = "geletet1"

    gateone_url = "https://172.16.6.166:66"
    ssh_url = "ssh://%[email protected]" % login_user

    return render(request,"main/index.html",{
                                "api_key":api_key,
                                "timestamp":timestamp,
                                "signature":signature,
                                "gateone_url":gateone_url,
                                "ssh_url":ssh_url,
                                "upn":gateone_owner,
                        })
def create_signature(secret, *parts):
    hash = hmac.new(key=bytearray(secret,'utf-8'), digestmod=hashlib.sha1)
    for part in parts:
        hash.update(str(part))
    return hash.hexdigest()

上面代码中，已经配置了自动登陆的SSH地址，要做到免密码直接SSH登陆，需要用ssh-keygen来生成公私钥，将生成的id_rsa.pub上传到另外一台机器(192.166.1.66)：

ssh-keygen
ssh-copy-id -i ~/.ssh/id_rsa.pub root@192.166.1.66

此时在当前机器应该可以直接访问这台机器。
但要在GateOne中免密登陆，还需要做以下配置：

1. 在目录/var/lib/gateone/users下有用户目录，上文django项目中写了gateone_owner = "Joe"，GateOne就会为其创建一个以“Joe”命名的用户目录。
2. 将id_rsa复制到用户的.ssh目录下

cd /var/lib/gateone/users/feng/.ssh

cp /home/feng/.ssh/id* .

echo id_rsa > ./.default_ids

配置参考

Web应用嵌入GateOne服务

在需要嵌入GateOne服务的HTML页面引入gateone.js，将认证数据传入页面：

<script src="https://172.16.6.166:66/static/gateone.js">script>
<div id="gateone_container" style="width: 60em; height: 30em;">
    <div id="testdiv">div>
div>
<script type="text/javascript">
window.onload = function() {
    // Initialize Gate One:
    var auth2 = {
        'api_key':'{{api_key}}',
        'timestamp':'{{timestamp}}',
        'api_version':'1.0',
        'upn':'{{upn}}',
        'signature':'{{signature}}',
        'signature_method':'HMAC-SHA1',
    }
    GateOne.init({
        auth: auth2,
        url: 'https://172.16.6.166:66',
        autoConnectURL:'{{ssh_url}}',
        goDiv:'#testdiv',
        showToolbar:true,
    });

    GateOne.Net.autoConnect();
}
script>

这样就顺利把实现了认证、自动登录的GateOne服务顺利嵌入了Web应用。

---

[1]. https://github.com/liftoff/GateOne/issues/239
[2]. https://www.jianshu.com/p/b8123a8178de