应用嵌入GateOne以及SSH自动登陆
http://liftoff.github.io/GateOne/Developer/embedding_api_auth.html
https://github.com/liftoff/GateOne/issues/239
接上篇GateOne Web SSH环境搭建,使用GateOne 1.2配置
配置API验证
修改20authentication.conf:
# 修改为api
"auth": "api",
创建API Key/Secret(官方文档是./gateone.py --new_api_key,死活找不到gateone.py,这个是1.1版本中的,如果你使用这里的rpm安装,应该是有的):
feng@ubuntu:~/Desktop$ sudo gateone --new_api_key
[sudo] password for feng:
[W 170427 20:34:57 app_terminal:2806] dtach command not found. dtach support has been disabled.
[I 170427 20:34:58 server:4179] Gate One License: AGPLv3 (http://www.gnu.org/licenses/agpl-3.0.html)
[I 170427 20:34:58 server:4188] Imported applications: Terminal
[I 170427 20:34:58 server:4323] A new API key has been generated: YTRjMzBkMzNjMTkxNGExMWFmYmRkZDI0Yjg1OWM3YWMyM
[I 170427 20:34:58 server:4325] This key can now be used to embed Gate One into other applications.
此时配置文件目录下,会生成**30api_keys.conf **文件,该文件中的key-secret会在应用中使用:
{
"*": {
"gateone": {
"api_keys": {
"YTRjMzBkMzNjMTkxNGExMWFmYmRkZDI0Yjg1OWM3YWMyM": "MTEzYjQ3MTM5NDk4NDkyNmEwMjc4NjAwODViNjNlN2E0N"
}
}
}
}
开启API验证后,不能再直接访问GateOne
创建应用,嵌入GateOne
应用嵌入GateOne,Controller代码(这里使用JFinal,使用SpringMVC的简单修改即可):
package com.demo.sso.controller;
import java.util.Calendar;
import org.apache.commons.codec.digest.HmacUtils;
import com.jfinal.core.Controller;
public class GateOneController extends Controller {
private static final String key = "YTRjMzBkMzNjMTkxNGExMWFmYmRkZDI0Yjg1OWM3YWMyM";
private static final String secret = "MTEzYjQ3MTM5NDk4NDkyNmEwMjc4NjAwODViNjNlN2E0N";
private static final String GATE_ONE_OWNER = "feng";
public void index() {
Calendar c = Calendar.getInstance();
String timestamp = c.getTimeInMillis() + "";
String signature = generate(key, GATE_ONE_OWNER, timestamp);
setAttr("timestamp", timestamp);
setAttr("signature", signature);
setAttr("api_key", key);
setAttr("upn", GATE_ONE_OWNER);
setAttr("gateoneUrl", "http://localhost");
setAttr("sshUrl", "ssh://root@192.168.1.97");
render("/WEB-INF/pages/sso.jsp");
}
private static String generate(String apiKey, String username, String timestamp) {
String body = apiKey + username + timestamp;
return HmacUtils.hmacSha1Hex(secret, body);
}
}
JSP页面:
<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<script src="${gateoneUrl}/static/gateone.js" type="text/javascript"></script>
<title>SSO</title>
</head>
<body>
<h2>hello gate one</h2>
<div id="gateone_container" style="width: 60em; height: 30em;">
<div id="gateone"></div>
</div>
<!-- Call GateOne.init() at some point after the page is done loading -->
<script type="text/javascript">
window.onload = function() {
/**
* upn - username
* timestamp
* signature: A valid HMAC signature that is generated from the api_key, upn, and timestamp (in that order).
*/
var auth = {
'api_key': '${api_key}',
'upn': '${upn}',
'timestamp': '${timestamp}',
'signature': "${signature}",
'signature_method': 'HMAC-SHA1',
'api_version': '1.0'
};
// Initialize Gate One:
GateOne.init({
auth: auth,
url: 'http://localhost:80',
theme: 'solarized',
goDiv: '#gateone',
autoConnectURL:'${sshUrl}',
showToolbar: false
});
GateOne.Net.autoConnect();
}
</script>
</body>
</html>
自动登陆的配置
上面代码中,已经配置了自动登陆的SSH地址,要做到不输密码直接SSH登陆,需要用ssh-keygen来生成公私钥,将生成的id_rsa.pub上传到另外一台机(192.168.1.97)。
ssh-keygen
ssh-copy-id -i ~/.ssh/id_rsa.pub root@192.168.1.97
此时在终端ssh应该能够直接访问另外一台,无需输入密码:
ssh root@192.168.1.97
但是在要GateOne中免密码直接登陆,还需要做以下配置:
找到user目录,10server.conf配置文件中有
将id_rsa复制到用户的.ssh目录下(这里为什么是feng这个用户,是和上面JAVA代码中GATE_ONE_OWNER = "feng"; 相呼应的)
cd /var/lib/gateone/users/feng/.ssh
cp /home/feng/.ssh/id* .
echo id_rsa > ./.default_ids
这里的配置可以参考issues#239
至此,当访问应用后,出现以下画面,点击图标,即可自动登陆
PS:
作者多次提到的以下两种方式自动登陆,我始终没有配置成功:
https://your-gateone-server/?ssh=ssh://user@somehost/
https://your-gateone-server/?terminal_cmd=somecmd
简单提一下terminal_cmd这种方式,修改50terminal.conf加入shell命令,这个shell的内容就是直接ssh登陆另外一台机。
然后访问http://localhost:80/?terminal_cmd=loginrt, 页面总是提示如下信息:
An SSL certificate must be accepted by your browser to continue. Please click here to be redirected.
应该是需要接受证书,具体如何用这种方式自动登陆,如果有人知道,烦请赐教。
