GateOne: configuring API authentication, SSH auto-login, passwordless user login, and embedding in a web application

Installing GateOne and connecting to SSH remotely was covered in detail in the previous post: Installing GateOne on a fresh CentOS 7.
This post records how API authentication was added step by step to GateOne inside a web application, how the login prompt for SSH target address, port and username/password was removed, and finally how GateOne was embedded into the web application.

Configuring API authentication

Enabling API authentication

First, a point worth stressing: GateOne's configuration files live in two places.
When started with service, it uses the configuration in /etc/gateone/conf.d/ by default;
when started from the command line, it runs with the configuration in GateOne/conf.d.
To avoid a mismatch between how the service is started and which configuration it reads, keep the files in both paths in sync.
Edit 20authentication.conf:

# change to api
"auth": "api",

Command to create a key/secret pair for the API:

gateone --new_api_key

Output:

[root@bhgyy-gateone GateOne]# gateone --new_api_key
[W 180913 09:45:12 locale:61] No translation found for locale: zh_CN
[W 180913 09:45:12 locale:61] No translation found for locale: zh_CN
[W 180913 09:45:12 locale:61] No translation found for locale: zh_CN
[W 180913 09:45:12 locale:61] No translation found for locale: zh_CN
[W 180913 09:45:12 locale:61] No translation found for locale: zh_CN
[W 180913 09:45:12 locale:61] No translation found for locale: zh_CN
[W 180913 09:45:12 locale:61] No translation found for locale: zh_CN
[W 180913 09:45:12 app_terminal:2806] dtach command not found.  dtach support has been disabled.
[W 180913 09:45:12 locale:61] No translation found for locale: zh_CN
[W 180913 09:45:12 locale:61] No translation found for locale: zh_CN
[W 180913 09:45:12 locale:61] No translation found for locale: zh_CN
[W 180913 09:45:12 locale:61] No translation found for locale: zh_CN
[I 180913 09:45:12 server:4182] Gate One License: AGPLv3 (http://www.gnu.org/licenses/agpl-3.0.html)
[I 180913 09:45:12 server:4191] Imported applications: Terminal
[I 180913 09:45:12 server:4326] A new API key has been generated: NDEzNTkwMTRlMBIYihgjGiGlukYzdlMmU0OTYyNmUzOTM
[I 180913 09:45:12 server:4328] This key can now be used to embed Gate One into other applications.

At this point a 30api_keys.conf file is created in /etc/gateone/conf.d/ holding the generated key/secret pairs; every run of the command appends a new entry. The key/secret pair from this file is what the application uses. Note that the secret is the credential that lets its holder mint a valid GateOne session for any upn, so keep this file readable only by the account the gateone service runs as, and never send the secret to the browser (only the key, upn, timestamp and signature go to the client):

// This file contains the key and secret pairs used by Gate One's API authentication method.
{
    "*": {
        "gateone": {
            "api_keys": {
                "YTMwNzExYWY3YjRmNDE4NDg3ODZmOGE3NDJlMzQ3NTZjO": "Y2M2OTMyMjU3YTA0NDE3NmFkYzhmMDUxNGQzNWQ1MDMwM",
                "ZWRlOWNlMGUzNjQ1NDE5Mzk0MTc2ZWJjOTM2MzRmMzU1Y": "ZWVhYTVkYTliYWZiNGFlNDgzYWVjYTFmOGVhNjllYzIwZ",
                "OGQ0YjczMGE3YWJhNDQ3OWFmNGY0ZmM4Y2IxYjdmNjIyY": "OGQ1YTQyNjg2YjUyNGUzYmJhOTAyNmQ1YmYwMmY2ZjI5Y",
                "MjgwMmI1MWNlZDdlNGM2YTkwZTFmOGJjOTc1Mzg3MTNlY": "MTU1OGViZjJiZTU5NDY4NWI2MTMyZDI5NWI1MDYzOWVkO",
                "NDEzNTkwMTRlMBIYihgjGiGlukYzdlMmU0OTYyNmUzOTM": "YWY3OGE2OGRiYjdmNDdkM2E5ZTJjODMxNTEyYWViNTExN",
                "YTExYjhlODUwMzllNGUwMjk1ZmFhZDI5ZjBkOTY4ZDdhN": "NzVlN2ViMDdhYjcwNDYzZDg3OTM0YTU3M2I5ZDZhNTE4N"
            }
        }
    }
}

Once authentication is enabled, an application without an api_key can no longer use the GateOne service:
[Screenshot: authentication enabled successfully]

Authenticating the application and simplifying the login flow

Create a Django project; wiring up the routes in urls.py is not covered here. In views.py, add the key/secret pair from 30api_keys.conf, sign with HMAC-SHA1 (the secret is the HMAC key and the signed message is api_key + upn + timestamp, in that order; this is a signature, not encryption), set the jump-host IP (the GateOne server) and the target server IP, and add the username for passwordless login. Because the signature is computed in the view, the secret stays on the Django server and only api_key, upn, timestamp and signature are rendered into the page. (For confidentiality, the keys, SSH addresses and other sensitive values in the code have been altered; the same applies to everything below.)

# -*- coding: utf-8 -*-
from __future__ import unicode_literals

from django.shortcuts import render
import hmac
import hashlib
import time

# Create your views here.
def index(request):
    # key/secret pair taken from 30api_keys.conf (values altered for this post)
    api_key = "ZWRlOWNlMGUzNjQ1hFiLtdGKYc2ZWJjOTM2MzRmMzU1Y"
    api_secret = "ZWVhYTVkYTliYWZiNGFlNDgzYWVjYTFmOGVhNjllYzIwZ"
    # upn: the GateOne user this session is created for; GateOne keeps the
    # user's files (including .ssh) under /var/lib/gateone/users/<upn>/
    gateone_owner = "Joe"

    # GateOne expects the timestamp in milliseconds and rejects stale ones
    timestamp = str(int(time.time() * 1000))
    # signed message is api_key + upn + timestamp, in that order
    signature = create_signature(api_secret, api_key, gateone_owner, timestamp)

    # account to log in as on the target server; it must be the account whose
    # authorized_keys receives the public key in the passwordless-login step
    login_user = "geletet1"

    gateone_url = "https://172.16.6.166:66"          # the GateOne (jump host) server
    ssh_url = "ssh://%s@192.166.1.66" % login_user   # the target server

    return render(request, "main/index.html", {
        "api_key": api_key,
        "timestamp": timestamp,
        "signature": signature,
        "gateone_url": gateone_url,
        "ssh_url": ssh_url,
        "upn": gateone_owner,
    })


def create_signature(secret, *parts):
    # HMAC-SHA1 keyed with the API secret over the concatenated parts;
    # encoding to bytes keeps this working on both Python 2 and Python 3
    mac = hmac.new(key=secret.encode("utf-8"), digestmod=hashlib.sha1)
    for part in parts:
        mac.update(str(part).encode("utf-8"))
    return mac.hexdigest()
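
To make the signing scheme concrete, here is an added stand-alone example (not code from the original post and not GateOne's own implementation). It reproduces the HMAC-SHA1 signature over api_key + upn + timestamp that the view computes, builds the auth object the browser receives, and adds a hypothetical `verify_auth_object` helper that models what the receiving side has to check: secret lookup by api_key, timestamp freshness, and a constant-time signature comparison. The 30-second window is GateOne's default `api_timestamp_window` as far as I know, but treat that value as an assumption and check your own 20authentication.conf; the key/secret pair is constructed and not a real credential.

```python
import hmac
import hashlib
import time

# Assumed default for GateOne's api_timestamp_window (30 seconds); verify on your install.
API_TIMESTAMP_WINDOW_MS = 30 * 1000


def create_signature(secret, *parts):
    """HMAC-SHA1 keyed with the API secret over the concatenation of parts.
    GateOne signs (api_key, upn, timestamp), in that order."""
    mac = hmac.new(secret.encode("utf-8"), digestmod=hashlib.sha1)
    for part in parts:
        mac.update(str(part).encode("utf-8"))
    return mac.hexdigest()


def build_auth_object(api_key, api_secret, upn, now_ms=None):
    """Server side: build the object the browser hands to GateOne.init().
    The secret is consumed here and is deliberately absent from the result."""
    if now_ms is None:
        now_ms = int(time.time() * 1000)
    timestamp = str(int(now_ms))
    return {
        "api_key": api_key,
        "upn": upn,
        "timestamp": timestamp,
        "signature": create_signature(api_secret, api_key, upn, timestamp),
        "signature_method": "HMAC-SHA1",
        "api_version": "1.0",
    }


def verify_auth_object(auth, api_keys, now_ms, window_ms=API_TIMESTAMP_WINDOW_MS):
    """Hypothetical model of the receiving side's check (not GateOne's code):
    look up the secret by api_key, reject stale timestamps, then recompute the
    signature and compare it in constant time. Returns (ok, reason)."""
    secret = api_keys.get(auth.get("api_key"))
    if secret is None:
        return False, "unknown api_key"
    if auth.get("signature_method") != "HMAC-SHA1":
        return False, "unsupported signature_method"
    try:
        ts = int(auth["timestamp"])
    except (KeyError, ValueError):
        return False, "bad timestamp"
    if abs(int(now_ms) - ts) > window_ms:
        return False, "timestamp outside window (replayed or clock skew)"
    expected = create_signature(secret, auth["api_key"], auth.get("upn", ""), auth["timestamp"])
    if not hmac.compare_digest(expected, str(auth.get("signature", ""))):
        return False, "signature mismatch"
    return True, "ok"


# Constructed sample pair in the shape 30api_keys.conf stores them (not real credentials).
SAMPLE_API_KEYS = {
    "EXAMPLEKEYxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx": "EXAMPLESECRETxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
}


def demo(now_ms=1600000000000):
    """Mint an auth object for upn 'Joe', then show what each check rejects."""
    key, secret = next(iter(SAMPLE_API_KEYS.items()))
    auth = build_auth_object(key, secret, "Joe", now_ms=now_ms)
    results = {
        "valid": verify_auth_object(auth, SAMPLE_API_KEYS, now_ms),
        # someone who only sees the rendered page cannot swap in another upn...
        "tampered_upn": verify_auth_object(dict(auth, upn="root"), SAMPLE_API_KEYS, now_ms),
        # ...and a captured auth object stops working once the window has passed
        "replayed_later": verify_auth_object(auth, SAMPLE_API_KEYS, now_ms + 60 * 1000),
        # a signature made with a different secret is rejected
        "wrong_secret": verify_auth_object(auth, {key: "other"}, now_ms),
    }
    return auth, results


if __name__ == "__main__":
    auth, results = demo()
    print(auth)
    for name, (ok, reason) in results.items():
        print("%-15s %s %s" % (name, ok, reason))
```

The point the demo makes is that the upn is whatever the signing side asserts: anyone holding the secret can sign for any user, which is why the secret belongs in the Django view (or better, in settings loaded from the environment) and never in the template.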

The view has already configured the SSH address for automatic login. For that SSH login to work without a password, generate a key pair with ssh-keygen on the GateOne host (it is GateOne's ssh process that makes the connection) and install the public key id_rsa.pub on the target machine (192.166.1.66):

ssh-keygen
ssh-copy-id -i ~/.ssh/id_rsa.pub root@192.166.1.66

At this point the current machine should be able to reach the target directly without a password. ssh-copy-id appends the key to the authorized_keys of the account named on the command line, so that account must be the one the ssh:// URL logs in as (geletet1 in the view); otherwise GateOne will still prompt for a password.
For passwordless login inside GateOne, however, the following configuration is still needed:

  1. GateOne keeps a per-user directory under /var/lib/gateone/users. Since the Django project above sets gateone_owner = "Joe", GateOne creates a directory named "Joe" for that upn. (The commands below use a different user name, feng, because identifiers were altered for this post; use your own upn.)
  2. Copy id_rsa into that user's .ssh directory and list it in .default_ids so GateOne's SSH plugin offers it by default:
cd /var/lib/gateone/users/feng/.ssh

cp /home/feng/.ssh/id* .

echo id_rsa > ./.default_ids

The copied private key must be readable by the account the gateone service runs as and keep private-key permissions (mode 600); ssh refuses to use a key that is readable by other users.
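
As an added example (not from the original post, and not part of GateOne), the steps above written as a small Python installer plus the preflight check you want when GateOne still prompts for a password: it copies the key pair into `<users_root>/<upn>/.ssh/`, fixes the permissions, writes `.default_ids`, and then reports layout problems such as a wrong upn, a missing `.default_ids`, or a private key that is too permissive. The `demo()` function runs it against a constructed fake key pair in a temporary directory standing in for /home/feng/.ssh and /var/lib/gateone/users; on a real host you would call `install_default_identity("/var/lib/gateone/users", "Joe", "/home/feng/.ssh/id_rsa")` as the gateone service account.

```python
import os
import shutil
import stat
import tempfile


def install_default_identity(users_root, upn, src_private_key):
    """Copy an SSH key pair into GateOne's per-user .ssh directory and make it
    the default identity via .default_ids. users_root is normally
    /var/lib/gateone/users; upn is the 'upn' value from the auth object.
    Returns the path of the installed private key."""
    ssh_dir = os.path.join(users_root, upn, ".ssh")
    os.makedirs(ssh_dir, exist_ok=True)
    os.chmod(ssh_dir, 0o700)
    dst_private = os.path.join(ssh_dir, os.path.basename(src_private_key))
    shutil.copyfile(src_private_key, dst_private)
    os.chmod(dst_private, 0o600)  # ssh refuses group/world-readable private keys
    src_public = src_private_key + ".pub"
    if os.path.exists(src_public):
        shutil.copyfile(src_public, dst_private + ".pub")
        os.chmod(dst_private + ".pub", 0o644)
    # .default_ids lists identity file names, one per line, relative to .ssh/
    with open(os.path.join(ssh_dir, ".default_ids"), "w") as f:
        f.write(os.path.basename(dst_private) + "\n")
    return dst_private


def check_identity_setup(users_root, upn):
    """Preflight: return the problems that would make GateOne fall back to a
    password prompt. An empty list means the layout looks right."""
    problems = []
    ssh_dir = os.path.join(users_root, upn, ".ssh")
    if not os.path.isdir(ssh_dir):
        return ["missing %s (wrong upn, or the user has never logged in)" % ssh_dir]
    default_ids = os.path.join(ssh_dir, ".default_ids")
    if not os.path.isfile(default_ids):
        return ["no .default_ids; GateOne will not offer a key automatically"]
    with open(default_ids) as f:
        names = [line.strip() for line in f if line.strip()]
    if not names:
        problems.append(".default_ids is empty")
    for name in names:
        key_path = os.path.join(ssh_dir, name)
        if not os.path.isfile(key_path):
            problems.append("%s listed in .default_ids but not present" % name)
            continue
        mode = stat.S_IMODE(os.stat(key_path).st_mode)
        if mode & 0o077:
            problems.append("%s has mode %o; must be 0600" % (name, mode))
    return problems


def demo():
    """Run the installer against a constructed fake key pair in a temp dir."""
    tmp = tempfile.mkdtemp()
    try:
        home_ssh = os.path.join(tmp, "home", "feng", ".ssh")
        os.makedirs(home_ssh)
        src = os.path.join(home_ssh, "id_rsa")
        # constructed placeholder contents, not a real key
        with open(src, "w") as f:
            f.write("-----BEGIN OPENSSH PRIVATE KEY-----\nFAKE\n-----END OPENSSH PRIVATE KEY-----\n")
        with open(src + ".pub", "w") as f:
            f.write("ssh-rsa FAKE feng@gateone\n")
        os.chmod(src, 0o644)  # deliberately too open; the installer fixes it

        users_root = os.path.join(tmp, "var", "lib", "gateone", "users")
        before = check_identity_setup(users_root, "Joe")
        installed = install_default_identity(users_root, "Joe", src)
        after = check_identity_setup(users_root, "Joe")
        wrong_upn = check_identity_setup(users_root, "feng")  # upn/user-name mismatch
        mode = stat.S_IMODE(os.stat(installed).st_mode)
        with open(os.path.join(users_root, "Joe", ".ssh", ".default_ids")) as f:
            default_ids = f.read()
        return {"before": before, "after": after, "wrong_upn": wrong_upn,
                "mode": mode, "default_ids": default_ids}
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    print(demo())
```

The `wrong_upn` result is the trap this setup invites: the directory name comes from the upn the view signs for ("Joe"), not from the Unix user who generated the key, so a key installed under the wrong name is simply never offered.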

Configuration reference: see the references at the end of this post.

Embedding the GateOne service in a web application

In the HTML page that should embed the GateOne service, include gateone.js and pass the authentication data into the page. Only api_key, upn, timestamp and signature are rendered here; the secret never leaves the server:

<script src="https://172.16.6.166:66/static/gateone.js"></script>
<div id="gateone_container" style="width: 60em; height: 30em;">
    <div id="testdiv"></div>
</div>
<script type="text/javascript">
window.onload = function() {
    // Initialize Gate One. These values come from the Django view; the
    // signature was computed server-side, so the API secret is not in the page.
    var auth2 = {
        'api_key':'{{api_key}}',
        'timestamp':'{{timestamp}}',
        'api_version':'1.0',
        'upn':'{{upn}}',
        'signature':'{{signature}}',
        'signature_method':'HMAC-SHA1',
    };
    GateOne.init({
        auth: auth2,
        url: '{{gateone_url}}',          // the GateOne server passed by the view
        autoConnectURL:'{{ssh_url}}',    // the ssh:// URL built in the view
        goDiv:'#testdiv',
        showToolbar:true,
    });

    GateOne.Net.autoConnect();
}
</script>

With that, the GateOne service, now with authentication and automatic login in place, is embedded in the web application.


[1]. https://github.com/liftoff/GateOne/issues/239
[2]. https://www.jianshu.com/p/b8123a8178de
