利用paramiko模块实现堡垒机+审计功能

  paramiko模块是一个远程连接服务器,全真模拟ssh2协议的python模块,借助paramiko源码包中的demos目录下:demo.py和interactive.py两个模块实现简单的堡垒机+审计功能。编写的run_demo.py脚本,可以根据登陆堡垒机的用户信息在数据库查询该用户所有可以登陆的服务器列表,用户可以根据索引选择登陆。为防止用户退出脚本后不中断shell会话,导致不安全的因素,故在用户退出run_demo.py脚本时,会结束已经连接的shell会话,直接退出堡垒机。

一、修改paramiko源码模块的demo.py文件。

1.文件路径(具体情况具体~~,你懂得)

[root@CT7 demos]# pwd
/usr/share/doc/python-paramiko-1.15.1/demos

[root@CT7 demos]# cat demo.py

2.代码如下:

# Copyright (C) 2003-2007  Robey Pointer <robeypointer@gmail.com>
#
# This file is part of paramiko.
#
# Paramiko is free software; you can redistribute it and/or modify it under the
# terms of the GNU Lesser General Public License as published by the Free
# Software Foundation; either version 2.1 of the License, or (at your option)
# any later version.
#
# Paramiko is distributed in the hope that it will be useful, but WITHOUT ANY
# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
# A PARTICULAR PURPOSE.  See the GNU Lesser General Public License for more
# details.
#
# You should have received a copy of the GNU Lesser General Public License
# along with Paramiko; if not, write to the Free Software Foundation, Inc.,
# 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA.


import base64
from binascii import hexlify
import getpass
import os
import select
import socket
import sys
import time
import traceback
from paramiko.py3compat import input

import paramiko
try:
    import interactive
except ImportError:
    from . import interactive


def agent_auth(transport, username):
    """
    Attempt to authenticate to the given transport using any of the private
    keys available from an SSH agent.
    """

    agent = paramiko.Agent()
    agent_keys = agent.get_keys()
    if len(agent_keys) == 0:
        return

    for key in agent_keys:
        print('Trying ssh-agent key %s' % hexlify(key.get_fingerprint()))
        try:
            transport.auth_publickey(username, key)
            print('... success!')
            return
        except paramiko.SSHException:
            print('... nope.')

#--modified this part,add note.#
def manual_auth(username, hostname,pw):
    '''default_auth = 'p'
    auth = input('Auth by (p)assword, (r)sa key, or (d)ss key? [%s] ' % default_auth)
    if len(auth) == 0:
        auth = default_auth

    if auth == 'r':
        default_path = os.path.join(os.environ['HOME'], '.ssh', 'id_rsa')
        path = input('RSA key [%s]: ' % default_path)
        if len(path) == 0:
            path = default_path
        try:
            key = paramiko.RSAKey.from_private_key_file(path)
        except paramiko.PasswordRequiredException:
            password = getpass.getpass('RSA key password: ')
            key = paramiko.RSAKey.from_private_key_file(path, password)
        t.auth_publickey(username, key)
    elif auth == 'd':
        default_path = os.path.join(os.environ['HOME'], '.ssh', 'id_dsa')
        path = input('DSS key [%s]: ' % default_path)
        if len(path) == 0:
            path = default_path
        try:
            key = paramiko.DSSKey.from_private_key_file(path)
        except paramiko.PasswordRequiredException:
            password = getpass.getpass('DSS key password: ')
            key = paramiko.DSSKey.from_private_key_file(path, password)
        t.auth_publickey(username, key)
    else:
        pw = getpass.getpass('Password for %s@%s: ' % (username, hostname))
        t.auth_password(username, pw)'''
    t.auth_password(username,pw)


# setup logging
paramiko.util.log_to_file('demo.log')

username = ''
if len(sys.argv) > 1:
    hostname = sys.argv[1]
    if hostname.find('@') >= 0:
        username, hostname = hostname.split('@')
else:
    hostname = input('Hostname: ')
if len(hostname) == 0:
    print('*** Hostname required.')
    sys.exit(1)
port = 22
if hostname.find(':') >= 0:
    hostname, portstr = hostname.split(':')
    port = int(portstr)

# now connect
try:
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.connect((hostname, port))
except Exception as e:
    print('*** Connect failed: ' + str(e))
    traceback.print_exc()
    sys.exit(1)

try:
    t = paramiko.Transport(sock)
    try:
        t.start_client()
    except paramiko.SSHException:
        print('*** SSH negotiation failed.')
        sys.exit(1)

    try:
        keys = paramiko.util.load_host_keys(os.path.expanduser('~/.ssh/known_hosts'))
    except IOError:
        try:
            keys = paramiko.util.load_host_keys(os.path.expanduser('~/ssh/known_hosts'))
        except IOError:
            print('*** Unable to open host keys file')
            keys = {}

    # check server's host key -- this is important.
    key = t.get_remote_server_key()
    if hostname not in keys:
        print('*** WARNING: Unknown host key!')
    elif key.get_name() not in keys[hostname]:
        print('*** WARNING: Unknown host key!')
    elif keys[hostname][key.get_name()] != key:
        print('*** WARNING: Host key has changed!!!')
        sys.exit(1)
    else:
        print('*** Host key OK.')

    # get username
    #--modified add note.
    '''if username == '':
        default_username = getpass.getuser()
        username = input('Username [%s]: ' % default_username)
        if len(username) == 0:
            username = default_username'''
    #--modified  by myself add 3 lines.
    username = sys.argv[2]
    password = sys.argv[3]
    ops_user = sys.argv[4]

    agent_auth(t, username)
    if not t.is_authenticated():
        manual_auth(username, hostname,password)
    if not t.is_authenticated():
        print('*** Authentication failed. :(')
        t.close()
        sys.exit(1)

    chan = t.open_session()
    chan.get_pty()
    chan.invoke_shell()
    print('*** Here we go!\n')
    #--modified below line.
    interactive.interactive_shell(chan,hostname,username,ops_user)
    chan.close()
    t.close()

except Exception as e:
    print('*** Caught exception: ' + str(e.__class__) + ': ' + str(e))
    traceback.print_exc()
    try:
        t.close()
    except:
        pass
    sys.exit(1)
View Code

 

二、修改paramiko源码模块的interactive.py文件。

1.文件路径(具体情况具体~~,你懂得)

[root@CT7 demos]# pwd
/usr/share/doc/python-paramiko-1.15.1/demos

[root@CT7 demos]# cat interactive.py

2.代码如下:

# Copyright (C) 2003-2007  Robey Pointer <robeypointer@gmail.com>
#
# This file is part of paramiko.
#
# Paramiko is free software; you can redistribute it and/or modify it under the
# terms of the GNU Lesser General Public License as published by the Free
# Software Foundation; either version 2.1 of the License, or (at your option)
# any later version.
#
# Paramiko is distributed in the hope that it will be useful, but WITHOUT ANY
# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
# A PARTICULAR PURPOSE.  See the GNU Lesser General Public License for more
# details.
#
# You should have received a copy of the GNU Lesser General Public License
# along with Paramiko; if not, write to the Free Software Foundation, Inc.,
# 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA.

import time
import socket
import sys
from paramiko.py3compat import u

# windows does not have termios...
try:
    import termios
    import tty
    has_termios = True
except ImportError:
    has_termios = False

#--modified this part,add hostname,username,ops_user.
def interactive_shell(chan,hostname,username,ops_user):
    if has_termios:
        posix_shell(chan,hostname,username,ops_user)
    else:
        windows_shell(chan)

#--modified this part,add **kargs
def posix_shell(chan,hostname,username,ops_user):
    date = time.strftime('%Y-%m-%d')
    f = file('/tmp/audit_%s_%s.log' % (ops_user,date),'a+')
    record = []
    import select
    oldtty = termios.tcgetattr(sys.stdin)
    try:
        tty.setraw(sys.stdin.fileno())
        tty.setcbreak(sys.stdin.fileno())
        chan.settimeout(0.0)
        while True:
            #--modified define datetime.
            date = time.strftime("%Y-%m-%d %H:%M:%S")
            r, w, e = select.select([chan, sys.stdin], [], [])
            if chan in r:
                try:
                    x = u(chan.recv(1024))
                    if len(x) == 0:
                        sys.stdout.write('\r\n*** EOF\r\n')
                        break
                    sys.stdout.write(x)
                    sys.stdout.flush()
                except socket.timeout:
                    pass
            if sys.stdin in r:
                x = sys.stdin.read(1)
                if len(x) == 0:
                    break
                record.append(x) #--modified 
                chan.send(x)
            if x == '\r':
                cmd = ''.join(record).split('\r')[-2]
                #log = "%s|%s|%s|%s\n" %(hostname,date,username,cmd)
                log = "%s |%s | %s | %s | %s\n" %(ops_user,hostname,username,date,cmd)
                f.write(log)
                f.flush()
        f.close()
    finally:
        termios.tcsetattr(sys.stdin, termios.TCSADRAIN, oldtty)

    
# thanks to Mike Looijmans for this code
def windows_shell(chan):
    import threading

    sys.stdout.write("Line-buffered terminal emulation. Press F6 or ^Z to send EOF.\r\n\r\n")
        
    def writeall(sock):
        while True:
            data = sock.recv(256)
            if not data:
                sys.stdout.write('\r\n*** EOF ***\r\n\r\n')
                sys.stdout.flush()
                break
            sys.stdout.write(data)
            sys.stdout.flush()
        
    writer = threading.Thread(target=writeall, args=(chan,))
    writer.start()
        
    try:
        while True:
            d = sys.stdin.read(1)
            if not d:
                break
            chan.send(d)
    except EOFError:
        # user hit ^Z or F6
        pass
View Code

 

三、编写登陆脚本,用户登陆堡垒机之后,自动运行脚本。脚本会根据用户信息到数据库中查询该用户可以登陆的所有机器,并展现给用户,用户只需要选择要登陆机器的序号即可完成登陆。

1.安装数据库,省略。

2.创建audit数据库,建立2个表,一个是用户信息表,一个服务器信息表,使用外键关联。(当用户删除后,对应的服务器信息也将删除。)

create database audit;

a.用户信息表,结构和数据。

CREATE TABLE `user_info` (
  `employee_name` varchar(255) NOT NULL,
  `department` varchar(255) DEFAULT NULL,
  PRIMARY KEY (`employee_name`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1
View Code

b.服务器信息表,结构和数据。

CREATE TABLE `server_info` (
  `employee_name` varchar(255) NOT NULL,
  `ip_address` varchar(16) NOT NULL,
  `user_name` varchar(16) NOT NULL,
  `user_pass` varchar(32) NOT NULL,
  KEY `employee_name` (`employee_name`),
  CONSTRAINT `server_info_ibfk_1` FOREIGN KEY (`employee_name`) REFERENCES `user_info` (`employee_name`) ON DELETE CASCADE ON UPDATE CASCADE
) ENGINE=InnoDB DEFAULT CHARSET=latin1
View Code

3.编写登陆脚本run_demo.py,用户退出该脚本的时候也会退出该堡垒机(即脚本结束后,shell会话也会退出。)

代码如下:

#!/usr/bin/env python
import os,sys,MySQLdb

employee_name = 'opslover'
s_id = os.getppid()
try:
    conn = MySQLdb.connect(host='localhost',user='root',passwd='123456',db='audit',port=3306)
    cur = conn.cursor()
    cur.execute("select * from server_info where employee_name = '%s' " % employee_name)
    result = cur.fetchall()
    #print list(result) 
    #--change tuple to list
    list_record = []
    for record in result:
        list_record.append(list(record))
        #print  list_record.index(list_record[1]),list_record[1]
    while True:
        os.system('clear')
        print """
                \033[35;1mWelcome to login jumpserver!\033[0m
                Choose the Server to connect:"""
        #print list_record
        #--obtain ip's index ,choice index to login remote server
        for line in list_record:
            print list_record.index(line),line[1]
        #print list_record
        choice = raw_input("\033[32;1mPlease chose one you will login remote server:\033[0m").strip()
        if choice == 'quit':
           print type(s_id)
           cmd = 'kill -9 %d' % s_id
           os.system(cmd)
        #if len(choice) == 0:continue
        #if not choice.isdigit():continue
        choice = int(choice)
        if choice >= len(list_record):
            print "\033[31:1mYou have no access to login remote server!!!"
            continue
        #print list_record
        login_ops_user = list_record[choice][0]
        login_server = list_record[choice][1]
        login_user = list_record[choice][2]
        login_pass = list_record[choice][3]
        #print login_ops_user,login_server,login_user,login_pass
        cmd = 'python /usr/share/doc/python-paramiko-1.15.1/demos/demo.py %s %s %s %s' %(login_server,login_user,login_pass,login_ops_user)
        os.system(cmd)
    #print choice
    cur.close()
    conn.close()
except MySQLdb.Error,e:
    print 'MySQL Error Info:',e
View Code

4.添加用户环境变量,每次登陆堡垒机,自动执行该脚本。

[root@CT7 opslover]# grep python /home/opslover/.bashrc
python run_demo.py

四、模拟登陆演示。

1.使用opslover登陆堡垒机,显示此用户所有可以登陆的机器。

2.选择ip对应的索引即可完成登陆。(选择0)

3.执行exit退出远程服务器后,堡垒机会继续询问你要登陆哪台机器。选择1,继续。

4.执行exit退出远程服务器后,堡垒机会继续询问你要登陆哪台机器。此时用户可以退出,不再登陆远程服务器,执行quit即可,shell进程也会被退出。

五、审计结果查看。

模拟登陆过程中的所有操作都会被记录在/tmp/audit开头的文件,会以用户和日期分割文件。

这样就借用paramiko模块简单实现了堡垒机+审计的功能。有兴趣的可以根据自己的需要自行继续扩展修改。

posted @ 2016-05-04 11:33  xkops  阅读(1087)  评论(0编辑  收藏  举报