GateOne's installation and remote SSH connection were covered in detail in the previous post: Installing GateOne on a fresh CentOS 7.
Today's notes cover, step by step, adding API authentication to GateOne inside a web application, removing the need for users to type the SSH target address, port, account and password at login, and finally how to embed GateOne into the web application.
Configuring API authentication
Enabling API authentication
First, an important point: GateOne's configuration files live in two places:
- when the service is started with `service`, GateOne uses the configuration files in /etc/gateone/conf.d/ by default;
- when it is started from the command line, it uses the configuration in GateOne/conf.d.
To avoid a mismatch between the way the service is started and the configuration it reads, keep the configuration files in both paths in sync.
Edit 20authentication.conf:
```
// change to api
"auth": "api",
```
To create a key/secret pair for the API, run:
```shell
gateone --new_api_key
```
Output:
```
[root@bhgyy-gateone GateOne]# gateone --new_api_key
[W 180913 09:45:12 locale:61] No translation found for locale: zh_CN
[W 180913 09:45:12 locale:61] No translation found for locale: zh_CN
[W 180913 09:45:12 locale:61] No translation found for locale: zh_CN
[W 180913 09:45:12 locale:61] No translation found for locale: zh_CN
[W 180913 09:45:12 locale:61] No translation found for locale: zh_CN
[W 180913 09:45:12 locale:61] No translation found for locale: zh_CN
[W 180913 09:45:12 locale:61] No translation found for locale: zh_CN
[W 180913 09:45:12 app_terminal:2806] dtach command not found. dtach support has been disabled.
[W 180913 09:45:12 locale:61] No translation found for locale: zh_CN
[W 180913 09:45:12 locale:61] No translation found for locale: zh_CN
[W 180913 09:45:12 locale:61] No translation found for locale: zh_CN
[W 180913 09:45:12 locale:61] No translation found for locale: zh_CN
[I 180913 09:45:12 server:4182] Gate One License: AGPLv3 (http://www.gnu.org/licenses/agpl-3.0.html)
[I 180913 09:45:12 server:4191] Imported applications: Terminal
[I 180913 09:45:12 server:4326] A new API key has been generated: NDEzNTkwMTRlMBIYihgjGiGlukYzdlMmU0OTYyNmUzOTM
[I 180913 09:45:12 server:4328] This key can now be used to embed Gate One into other applications.
```
A file named 30api_keys.conf is then generated under /etc/gateone/conf.d/, holding the generated key/secret pairs; every run of the command inserts one more entry. The key/secret pairs in this file are what the application uses:
```
// This file contains the key and secret pairs used by Gate One's API authentication method.
{
    "*": {
        "gateone": {
            "api_keys": {
                "YTMwNzExYWY3YjRmNDE4NDg3ODZmOGE3NDJlMzQ3NTZjO": "Y2M2OTMyMjU3YTA0NDE3NmFkYzhmMDUxNGQzNWQ1MDMwM",
                "ZWRlOWNlMGUzNjQ1NDE5Mzk0MTc2ZWJjOTM2MzRmMzU1Y": "ZWVhYTVkYTliYWZiNGFlNDgzYWVjYTFmOGVhNjllYzIwZ",
                "OGQ0YjczMGE3YWJhNDQ3OWFmNGY0ZmM4Y2IxYjdmNjIyY": "OGQ1YTQyNjg2YjUyNGUzYmJhOTAyNmQ1YmYwMmY2ZjI5Y",
                "MjgwMmI1MWNlZDdlNGM2YTkwZTFmOGJjOTc1Mzg3MTNlY": "MTU1OGViZjJiZTU5NDY4NWI2MTMyZDI5NWI1MDYzOWVkO",
                "NDEzNTkwMTRlMBIYihgjGiGlukYzdlMmU0OTYyNmUzOTM": "YWY3OGE2OGRiYjdmNDdkM2E5ZTJjODMxNTEyYWViNTExN",
                "YTExYjhlODUwMzllNGUwMjk1ZmFhZDI5ZjBkOTY4ZDdhN": "NzVlN2ViMDdhYjcwNDYzZDg3OTM0YTU3M2I5ZDZhNTE4N"
            }
        }
    }
}
```
Once authentication is enabled, an application without an api_key can no longer use the GateOne service.
Authenticating the application and simplifying the login flow
Create a Django project. Configuring the routes in urls.py is not covered here. In views.py, add the key/secret pair from 30api_keys.conf, sign the request with HMAC (hashlib.sha1), set the jump host IP and the target server IP, and add the user name that will log in without a password. (For confidentiality, the keys, SSH addresses and other sensitive values in the code have been altered; the same applies to everything below.)
```python
# -*- coding: utf-8 -*-
from __future__ import unicode_literals
from django.shortcuts import render
import hmac
import hashlib
import time


def create_signature(secret, *parts):
    # GateOne API auth: HMAC-SHA1 keyed with the API secret over api_key + upn + timestamp
    mac = hmac.new(key=secret.encode('utf-8'), digestmod=hashlib.sha1)
    for part in parts:
        mac.update(str(part).encode('utf-8'))
    return mac.hexdigest()


# Create your views here.
def index(request):
    # key/secret pair taken from 30api_keys.conf (values altered for this post)
    api_key = "ZWRlOWNlMGUzNjQ1hFiLtdGKYc2ZWJjOTM2MzRmMzU1Y"
    api_secret = "ZWVhYTVkYTliYWZiNGFlNDgzYWVjYTFmOGVhNjllYzIwZ"
    gateone_owner = "Joe"                      # upn: the GateOne user this session runs as
    timestamp = str(int(time.time() * 1000))  # milliseconds; GateOne checks it against its time window
    signature = create_signature(api_secret, api_key, gateone_owner, timestamp)
    login_user = "geletet1"
    gateone_url = "https://172.16.6.166:66"
    # The target host was obscured in the original post; TARGET_HOST is a placeholder
    # (the ssh-copy-id step below uses 192.166.1.66).
    ssh_url = "ssh://%s@TARGET_HOST" % login_user
    # Only the key, timestamp and signature reach the browser; api_secret stays on the server.
    return render(request, "main/index.html", {
        "api_key": api_key,
        "timestamp": timestamp,
        "signature": signature,
        "gateone_url": gateone_url,
        "ssh_url": ssh_url,
        "upn": gateone_owner,
    })
```
The code above already sets the SSH address for automatic login. To log in over SSH without a password, generate a key pair with ssh-keygen and copy the generated id_rsa.pub to the other machine (192.166.1.66):
```shell
ssh-keygen
ssh-copy-id -i ~/.ssh/id_rsa.pub root@192.166.1.66
```
At this point the current machine should be able to reach that machine directly.
But for passwordless login from inside GateOne, the following configuration is also needed:
- Under /var/lib/gateone/users there is one directory per user. Since the Django project above set gateone_owner = "Joe", GateOne creates a user directory named "Joe" for it.
- Copy id_rsa into that user's .ssh directory and list it in .default_ids so GateOne offers it automatically; the private key must stay readable only by the account GateOne runs as:
```shell
cd /var/lib/gateone/users/feng/.ssh
cp /home/feng/.ssh/id* .
echo id_rsa > ./.default_ids
```
Embedding the GateOne service in a web application
In the HTML page that will embed GateOne, include gateone.js and pass the authentication data into the page:
```html
<script src="https://172.16.6.166:66/static/gateone.js"></script>
<div id="gateone_container" style="width: 60em; height: 30em;">
    <div id="testdiv"></div>
</div>
<script type="text/javascript">
window.onload = function() {
    // Initialize Gate One. The values are rendered server-side by the Django view;
    // the API secret itself never appears in the page.
    var auth2 = {
        'api_key': '{{api_key}}',
        'timestamp': '{{timestamp}}',
        'api_version': '1.0',
        'upn': '{{upn}}',
        'signature': '{{signature}}',
        'signature_method': 'HMAC-SHA1',
    };
    GateOne.init({
        auth: auth2,
        url: 'https://172.16.6.166:66',
        autoConnectURL: '{{ssh_url}}',  // ssh://user@host, so no address or credentials are typed
        goDiv: '#testdiv',
        showToolbar: true,
    });
    GateOne.Net.autoConnect();
}
</script>
```
With that, the authenticated, auto-login GateOne service is embedded in the web application.
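The auth object built in the Django view and consumed by GateOne.init() is a signed, time-limited token. As an added example (not the post's code, nor GateOne's own implementation), the block below builds that object on the server side and then applies the checks a receiving side should perform on it: known api_key, supported signature_method, a timestamp inside an acceptance window, and a constant-time comparison of the HMAC-SHA1 signature. The key/secret pair and the 30-second window are constructed values; GateOne's real window is governed by its own settings.

```python
import hmac
import hashlib
import time

# Constructed sample pair; not the values from the post's 30api_keys.conf.
API_KEYS = {"EXAMPLE_API_KEY": "EXAMPLE_API_SECRET"}
# Assumed acceptance window; GateOne's actual value is a server setting.
TIMESTAMP_WINDOW_MS = 30 * 1000


def create_signature(secret, *parts):
    # HMAC-SHA1 keyed with the API secret over api_key + upn + timestamp
    mac = hmac.new(secret.encode("utf-8"), digestmod=hashlib.sha1)
    for part in parts:
        mac.update(str(part).encode("utf-8"))
    return mac.hexdigest()


def build_auth_object(api_key, api_secret, upn, now_ms):
    # Server side (the Django view): the secret is used here and never sent to the browser.
    timestamp = str(now_ms)
    return {
        "api_key": api_key,
        "upn": upn,
        "timestamp": timestamp,
        "signature": create_signature(api_secret, api_key, upn, timestamp),
        "signature_method": "HMAC-SHA1",
        "api_version": "1.0",
    }


def verify_auth_object(auth, api_keys, now_ms, window_ms=TIMESTAMP_WINDOW_MS):
    # Receiving side: known key, supported method, fresh timestamp, then constant-time signature compare.
    secret = api_keys.get(auth.get("api_key"))
    if secret is None:
        return False, "unknown api_key"
    if auth.get("signature_method") != "HMAC-SHA1":
        return False, "unsupported signature_method"
    try:
        ts = int(auth.get("timestamp", ""))
    except ValueError:
        return False, "bad timestamp"
    if abs(now_ms - ts) > window_ms:
        return False, "timestamp outside window"  # stale or replayed auth object
    expected = create_signature(secret, auth["api_key"], auth.get("upn", ""), auth["timestamp"])
    if not hmac.compare_digest(expected, str(auth.get("signature", ""))):
        return False, "signature mismatch"
    return True, "ok"
```

Changing the upn after signing, reusing an old timestamp, or presenting a key that is not in 30api_keys.conf each fails a different check, which is why the secret must stay on the server and the timestamp must be generated fresh per page load.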