对ansible主控节点做双因子认证安全加固--python实现
引言
当部署ansible的服务器为控制端时,大量的服务器可能已经做了免密,此时的服务器对被控端的服务器ssh权限过大,这时可能就需要对这个控制端的服务器做个一个安全加固进行防御。
实现
用户名+动态口令+密码方式
引用Google双因子实现
TOTP 是时间同步,基于客户端的动态口令和动态口令验证服务器的时间比对,一般每60秒产生一个新口令,要求客户端和服务器能够十分精确的保持正确的时钟,客户端和服务端基于时间计算的动态口令才能一致
代码和依赖包
#!/usr/bin/python
# -*- coding=utf-8 -*-
import pwd, syslog, time
import logging
import json
import pyotp
import threading
import os
LOCK = threading.Lock()
# 拒绝root用户, 默认调试模式,默认为False, 调试结束最好改为 True
NOT_ROOT = False
# 密钥
KEYS = "O5XSAYLLEB4WS3RANRUWC3Q="
# 设置白名单ip, * 表示所有主机都可以连接; ["10.10.0.1", "10.12.0.2"] 表示为只允许列表出现的主机连接
WHITELIST = ["*"]
# 设置重试等待时间 s
TIME_OUT = 30*60
# 设置最多允许错误次数
TRY_AGAIN = 3
# 用户白名单,可以忽略PIN验证
USER_LIST = [""]
# 管理员PIN
ADMIN_PIN = "louwenjun"
# 日志和登录历史的文件路径
PAM_FILE = "/tmp/.pam/"
if not os.path.exists(PAM_FILE):
os.system("mkdir -p {}".format(PAM_FILE))
LOGIN_HISTORY_FILE = "{}login_history.json".format(PAM_FILE)
logging.basicConfig(level=logging.DEBUG,
filename='{}pam_python_auth.log'.format(PAM_FILE),
filemode='a',
format='%(asctime)s - %(pathname)s[line:%(lineno)d] - %(levelname)s: %(message)s'
)
def auth_log(msg):
syslog.syslog("IPCPU-PAM-AUTH: " + msg)
syslog.closelog()
logging.info("PAM_PYTHON-AUTH: " + msg)
def PIN_verify(secret_key):
"""Extract user's phone number for pw entry"""
totp = pyotp.TOTP(KEYS)
return totp.verify(secret_key)
def update_login_history_file(user, host, data, is_del=None, is_error=None):
error_user_data = data
defult_data = {"num": 1, "time": -1}
if is_error is True:
if host in error_user_data and user in error_user_data[host]:
# 当用户登入错误次数超出上限则进行添加延时等待
if error_user_data[host][user]["num"] >= TRY_AGAIN and error_user_data[host][user]["time"] == -1:
error_user_data[host][user]["time"] = int(time.time())
error_user_data[host][user]["num"] += 1
elif host in error_user_data:
error_user_data[host][user] = defult_data
else:
error_user_data[host] = {user: defult_data}
if is_del is True and host in error_user_data and user in error_user_data[host]:
del error_user_data[host][user]
auth_log("==update_login_history_json:%s" % data)
with open(LOGIN_HISTORY_FILE, "w") as f:
f.write(json.dumps(data))
def get_login_history_file():
try:
with open(LOGIN_HISTORY_FILE, "r") as f:
history_json = json.loads(f.read())
except:
history_json = {}
auth_log("==login_history_json:%s" % history_json)
return history_json
def check_user_ip_is_true(user, host, data):
status, msg = -1, "Permission denied"
# 校验登入ip是否是白名单中
if "*" not in WHITELIST and WHITELIST and host not in WHITELIST:
return status, msg
# 校验用户是否被锁,如果被锁返回需要等待解锁时间,否则解除用户锁
if host in data and user in data[host]:
user_data = data[host][user]
if user_data["num"] <= TRY_AGAIN:
return 0, ""
time_left = int(time.time()) - user_data.get("time", 0)
if time_left <= TIME_OUT:
time_array = time.localtime(TIME_OUT - time_left)
reciprocal = time.strftime("%M:%S", time_array)
auth_log("==time_left:%s" % reciprocal)
time.sleep(3)
return status, msg + " Please try again in %s time Or Please contact the administrator" % reciprocal
else:
update_login_history_file(user, host, data, is_del=True)
return 0, ""
def pam_sm_authenticate(pamh, flags, argv):
try:
LOCK.acquire()
try:
user = pamh.get_user()
host = getattr(pamh, "rhost")
except pamh.exception as e:
return e.pam_result
auth_log("user: %s, host: %s" % (user, host))
if user in USER_LIST:
return pamh.PAM_SUCCESS
# 获取当前登入的用户名, 并且记录(用户名以及登入的ip)
login_history_json = get_login_history_file()
update_login_history_file(user, host, login_history_json, is_error=True)
status, error = check_user_ip_is_true(user, host, login_history_json)
if status == -1:
msg = pamh.Message(pamh.PAM_ERROR_MSG, error)
pamh.conversation(msg)
return pamh.PAM_AUTH_ERR
# 禁止root用户登入
if user == "root" and NOT_ROOT:
return pamh.PAM_AUTH_ERR
auth_log("=====start====")
msg = pamh.Message(pamh.PAM_PROMPT_ECHO_OFF, "Enter Your PIN: ")
resp = pamh.conversation(msg)
auth_log("=====resp: %s====" % resp.resp)
# PIN码校验成功, 清除登入主机用户错误次数
if PIN_verify(resp.resp):
update_login_history_file(user, host, login_history_json, is_del=True)
return pamh.PAM_SUCCESS
# PIN校验失败
return pamh.PAM_AUTH_ERR
except Exception as e:
auth_log("====Accident ERROR: %s====" % e)
msg = pamh.Message(pamh.PAM_PROMPT_ECHO_OFF, "Enter Administrator PIN: ")
resp = pamh.conversation(msg)
if resp.resp == ADMIN_PIN:
return pamh.PAM_SUCCESS
finally:
auth_log("====end====")
LOCK.release()
"""
#以下都是默认函数
"""
def pam_sm_setcred(pamh, flags, argv):
return pamh.PAM_SUCCESS
def pam_sm_acct_mgmt(pamh, flags, argv):
return pamh.PAM_SUCCESS
def pam_sm_open_session(pamh, flags, argv):
return pamh.PAM_SUCCESS
def pam_sm_close_session(pamh, flags, argv):
return pamh.PAM_SUCCESS
def pam_sm_chauthtok(pamh, flags, argv):
return pamh.PAM_SUCCESS
下面是实现的案例部署
PS:
在部署之前,请检查服务器系统时区是否和客户端同步,如果没有同步,请进行同步时区之后再进行部署
# 在部署包pam放到/root/,并进入pam目录,相关依赖包都在pam文件夹中
# 解压pam_install.tar.gz,并得到一个pam依赖包的repodata
tar xzvf pam_install.tar.gz
# 需要创建/etc/yum.repo.d/pam.repo 文件并配置一个yum源地址
[pam_install]
name=pam_install
baseurl=file:///root/pam/pam_install # rpm包路径
enabled=1
gpgcheck=0
#安装pam相关依赖
yum clean all
yum makecache
yum install pam pam-devel -y
# 安装pyotp模块
tar xzvf pyotp-2.3.0.tar.gz
cd pyotp-2.3.0
python setup.py install
cp -rf /usr/lib/python2.7/site-packages/pyotp-2.3.0-py2.7.egg/pyotp /usr/lib64/python2.7/
# 拷贝pam_python.so文件到/lib64/security/
cp pam_python.so /lib64/security/
#将auth.py脚本放入/lib/security/
mkdir /lib/security
chmod 600 /lib/security
cp auth.py /lib/security/
#修改/etc/pam.d/sshd,在最前面新增一行,如下
auth requisite pam_python.so auth.py
#修改 /etc/ssh/sshd_config
ChallengeResponseAuthentication yes
# 重启ssh服务
systemctl restart sshd
# 查看ssh日志文件
tailf /var/log/secure
# 查看安全加固脚本日志
tailf /tmp/.pam/pam_python_auth.log
# 查看或修改所有访问连接错误的主机和用户的记录
cat /tmp/.pam/login_history.json
验证
下载Google Authenticator,配置用户和密钥,保存就会生成动态PIN
[root@IPCPU-11 ~]# ssh test@192.168.110.11
Enter Your PIN:
Password:
Last login: Mon Mar 21 00:04:37 2016 from 192.168.110.11
