问题描述
我想知道对于通过ssh(OpenSSH)连接的服务器和客户端,是否有任何方法可以检索一些唯一的会话标识符(将其设为 USID ).
I wonder if there is any way to retrieve, for both a server and a client connected through ssh (OpenSSH), some unique session identifier (let this be USID).
这将用于限制特定(自定义)软件(使其为 a.exe )的执行,因此它只能通过特定的ssh会话执行. em>,即使其他用户(可能是root用户)也可以访问该可执行文件:
This would be used to restrict the execution of a specific (custom) software (let it be a.exe), so it can only be executed through a specific ssh session, even if other users (potentially root) have access to that executable:
- 从计算机 C (客户端)到计算机 S (服务器),计算机 C (知道 USID )将更新计算机 X (第三方服务器)上的一条记录,告知该 USID 是安全的". 机器 S 上的
- a.exe 将在调用时检查当前会话的 USID 是否为安全"(此信息将由 X 提供),并且如果收到否定答案,则会中止执行.
- after a ssh session is opened from machine C (client) to machine S (server), machine C (which knows the USID) will update a record on machine X (a third-party server), letting it know that this USID is "safe".
- a.exe on machine S will check, when invoked, if the USID of the current session is "safe" (this information will be provided by X) and will halt execution if negative answer received.
X 和 C , X 和 S 之间的通信通道是安全的,因此这里唯一的问题正在检索 USID 而无需,而不必编写我自己的ssh客户端和/或服务器.
The communication channels between X and C, X and S are secure, so the only issue here is retrieving that USID without having to write my own ssh client and/or server.
有什么想法吗?
推荐答案
在我看来,您正在尝试重新实现kerberos.在我看来,您想让GSSAPI保护客户端和服务器之间的传输;因此您的客户端需要向服务器进行身份验证.
seems to me in a round about way, you are trying to re-implement kerberos. Seems to me that you want to GSSAPI secure the transport between client and server; so your client needs to authenticate to the server.
典型的方法是使用密钥表"kinit"给主妇,然后将该证书传递给服务器. Kerberos确保它相当难以伪造.
Typical way of doing this would be to 'kinit' to a prinicpal using a keytab, and then passing this credential to the server. Kerberos ensures that it's reasonably hard to fake.
这可能会比您上面描述的方法脆弱一些.
that's probably going to be a little less brittle than the method that you describe above.
-王牌
这篇关于检索SSH唯一会话ID的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!