出会って10分で伝えるSTNSとLinuxの 認証基盤

Transcript

1. QZBNB
   
   (.0
   1&1"#0
   JOD
   ,*94
   7PM
   Πϯϑϥ-5ͷࡇయ ग़ձͬͯ෼Ͱ఻͑Δ 45/4ͱ-JOVYͷ
   ೝূج൫

2. IUUQTUFOTOBQPODPN γχΞɾΤϯδχΞ ࢁԼ
   ࿨඙!QZBNB ϗεςΟϯάࣄۀ෦ϜʔϜʔυϝΠϯνʔϜ

3. -JOVYೝূج൫ 1.

4. -JOVYೝূج൫ 44)ϩάΠϯ Ϣʔβʔ໊
   άϧʔϓ໊ʁ
   ύεϫʔυʁ
   ެ։伴ʁ

5. -JOVYೝূج൫ w FUDQBTTXE FUDHSPVQ FUDTIBEPX BVUIPSJ[FE@LFZT
   w -%"1
   w .Z42-

6. -JOVYೝূج൫ wFUDQBTTXE FUDHSPVQ FUDTIBEPX BVUIPSJ[FE@LFZT
   
   
   ˠ
   VTFSBEE HSPVQBEE
   w-%"1
   
   
   ˠ匠͕ඞཁ
   w.Z42-
   

   
   
   ˠ
   Ϣʔβʔ؅ཧʹ͸Ͱ͔͗͢Δ

7. -JOVYೝূج൫ ੢ͷঊ ౦ͷঊ ೆͷঊ ๺ͷঊ ๭ࣾͰ͸αʔϏε͝ͱʹཚཱ͞Εͨ
   -%"1ΛঊͷྗΛ૯݁ूͨ͠
   ಉظεΫϦϓτͰ
   -%"1ิ׬ܭըΛ਱ߦத -%"1͸ΞτϦϏϡʔτ͕௥Ճ͠΍͘͢൚༻ੑ͕ߴ͍ͷͰɺ
   

   ӡ༻͔ΒᷓΕɺཚཱ͞Εͯ͠·͍͕ͪ

8. ͲΕ΋͠ΜͲ͍͚Ͳ
   ΍Βͳ͖Ό͍͚ͳ͍

9. ଏͬΆ͍ͳ

10. IUUQTUOTKQ

11. 45/4 w (PMBOH
    w 5PNMܗࣜͷઃఆϑΝΠϧ
    w +40/ΠϯλʔϑΣʔεͷαʔόɾΫϥΠΞϯτ
    w 8SBQQFSΛࣗ༝ʹมߋͰ͖Δ ϓϥΨϒϧ

12. 45/4

13. ίϯηϓτ ໊લղܾɺެ։伴औಘɺΞΧ΢ϯτೝূͷΈΛఏڙ ͢Δɻଟ͘Λ΍Βͣɺγϯϓϧʹอͭ͜ͱͰ؅ཧɺ ૊Έ߹ΘͤΛ༰қʹɻ https://github.com/STNS/STNS

14. -JOVYϢʔβʔάϧʔϓͷ໊લղܾ % ls -ltr -rw-r--r-- 1 pyama wheel 0 May

    8 00:09 hatena_pepabo.txt % ls -ltr -rw-r--r-- 1 1000 1000 0 May 8 00:09 hatena_pepabo.txt id:1000 is pyama

15. w TVEPFST
    w TTIE@DPOpH "MMPX(SPVQT "MMPX6TFST
    w QBNೝূ
    -JOVYϢʔβʔάϧʔϓͷ໊લղܾ

16. ΞʔΩςΫνϟ STNS http(1104) ls libnss-stns libpam-stns query-wrapper key-wrapper /user/name/pyama {

    name:pyama, id: 1000, dir:/home/pyama … } αʔόɾΫϥΠΞϯτؒ͸httpΛར༻ͨ͠ JSONܗࣜͷΠϯλʔϑΣʔε

17. ઃఆϑΝΠϧ
    
    αʔό QPSU
    
    
    JODMVEF
    
    FUDTUOTDPOGE 
    TBMU@FOBCMF
    
    USVF
    TUSFUDIJOH@OVNCFS
    
    
    VTFS
    
    lCBTJD@VTFS
    QBTTXPSE
    
    CBTJD@QBTTXPSE
    <VTFSTFYBNQMF>
    JE
    
    
    

    HSPVQ@JE
    
    
    LFZT
    
    <TTISTB
    99999ʜ>
    <HSPVQTFYBNQMF>
    JE
    
    
    VTFST
    
    <FYBNQMF>
    <TVEPFSTFYBNQMF>
    QBTTXPSE
    
    GEDEBGFBBDBEBCGGCCCDEEDCGB
    

18. ઃఆϑΝΠϧ
    
    ΫϥΠΞϯτ api_end_point = ["http://<server-master>:1104", "http://<server-slave>:1104"] user = "basic_user" password =

    "basic_password" wrapper_path = "/usr/local/bin/stns-query-wrapper" chain_ssh_wrapper = "/usr/libexec/openssh/ssh-ldap-wrapper" ssl_verify = true LDAPͱͷڞଘ΋Մೳ

19. XSBQQFSίϚϯυ $ stns-query-wrapper /user/name/pyama { "metadata": { "api_version": 2, "result":

    "success", "min_id": 2000 }, "items": { "pyama": { "id": 10301, "password": "", "hash_type": "", "group_id": 2000, "directory": "", "shell": "", "gecos": "", "keys": [ "ssh-rsa xxx" ], "link_users": null } }

20. ಋೖ w SQN EFCڞʹCJU CJU൛ͷఏڙ SFQPTUOTKQ
    
    DVSM
    GT4-
    IUUQTSFQPTUOTKQTDSJQUTZVNSFQPTI
    c
    TI
    
    ZVN
    JOTUBMM
    TUOT
    MJCOTTTUOT
    MJCQBNTUOT IUUQTHJUIVCDPN45/4TUOTDPPLCPPL

    IUUQTHJUIVCDPN45/4QVQQFUTUOT w $IFG 1VQQFUͷΫοΫϒοΫɺϚχϑΣετΛఏڙ
    
    
    1VQQFUϚχϑΣετ͸!IGN͕։ൃͯ͘͠Εͨ
    

21. ಋೖ Πϯετʔϧʙ44)ެ։伴ೝূ·Ͱ
    ෼ඵ

22. Ϣʔβʔ؅ཧ΋(JUIVC
    'MPX (JUIVC&OUFSQSJTF͔ΒϢʔβʔσʔλΛ࡞੒͠ɺ1VMM3FRVFTU
    ࣗಈςετɾਓͷ໨ʹΑΔϨϏϡʔ
    σϓϩΠ

23. ӡ༻Πϝʔδ nginx stns nginx stns /HJOYͰ44-Λऴ୺ͭͭ͠ɺ$BQJTUSBOPͳͲͷσϓϩΠπʔϧͰ
    TUOTDPOGΛσϓϩΠ

24. ӡ༻Πϝʔδ nginx stns nginx stns αʔόͷTUOTDPOGΛ௚઀ฤू͠ɺ4$1΍STZODͰಉظ

25. 45/4ϘΫ͕։ൃऀͩ͠࢖ͬͨ΄͏͕͍͍ w ൥ࡶԽͮ͠Β͍పఈͨ͠γϯϓϧ͞
    w γϯϓϧ͕ނʹ֦ுੑ͕ߴ͍
    w ಋೖͷख͕ؒগͳ͍
    w ೔ຊޠυΩϡϝϯτͷఏڙɺ։ൃऀ͕೔ຊ࣌ؒʹ͍Δ

26. 45/4ͰϢʔβʔ؅ཧΛ
    ࢝ΊΑ͏

27. 5IBOL
    ZPV