A two-step authentication audit method based on ssh Certificate and LDAP

An authentication and authorization technology, applied in the field of server security, that addresses the inability of plain SSH to meet highly customized requirements, improving security and convenience, ensuring availability, and increasing stability

Active Publication Date: 2022-06-10
HANGZHOU VISION INSIGHT TECH CO LTD

AI Technical Summary

Problems solved by technology

[0005] In addition, different departments or groups within the same company/organization may want to isolate or differentiate their use of bastion hosts, while still providing combined authentication for personnel who span departments/groups. The original SSH system basically cannot meet such highly customized requirements.
[0006] At the same time, current hybrid public/private cloud platforms may deploy online business systems across countries or even continents. A simple point-to-point authentication method cannot provide stable security and availability guarantees in such a complex network and hybrid cloud environment.



Embodiment Construction

[0025] The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention. Obviously, the described embodiments are only a part of the embodiments of the present invention, but not all of the embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those of ordinary skill in the art without creative efforts shall fall within the protection scope of the present invention.

[0026] Referring to figure 1, the present invention provides a technical scheme: a two-step authentication and auditing method based on SSH Certificate and LDAP, comprising the following steps:

[0027] Step (1): When the domain administrator creates a user on the domain (or LDAP) server, he adds the corresponding ObjectClass to the user entry to store the sshpublickey and Role information, and fills in the user's public key...



Abstract

The invention discloses a two-step authentication and auditing method based on SSH Certificate and LDAP, which includes the following steps. Step (1): When creating a user on the domain (or LDAP) server, the domain administrator adds a corresponding ObjectClass to the user entry to store the sshpublickey and Role information, and fills in the user's public key and the role corresponding to the user's permissions. For security reasons, internal policy permits only public keys based on the ED25519 algorithm; the domain administrator audits the public key's algorithm for security and the role against the user's permissions. The present invention greatly increases the stability of the login authentication service. Once the internal authentication of this scheme is completed, all subsequent authentications use digital signatures, and no third-party system takes part in authenticating servers across multinational networks, so the availability of the overall service is guaranteed. After authentication is completed inside the OA VPN network, the user is freed from the VPN restrictions for a short period and is not affected by failures of the OA system, providing greater flexibility.
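Step (1), both in the embodiment description and in the abstract above, names two checks the domain administrator performs before the key and role reach LDAP: the key must be ED25519, and the role must be one that matches the user's permissions. The script below is an added example, not the patent's or the applicant's code. It parses an OpenSSH public-key line, takes the key type from the base64 wire-format blob rather than trusting the text prefix, rejects anything other than a well-formed 32-byte Ed25519 key, checks the role against an assumed role catalogue, and emits the LDIF that would attach the audited values to an existing user entry. The objectClass `ldapPublicKey` and attribute `sshPublicKey` are from the openssh-lpk LDAP schema; the `sshRole` attribute, the role names, the DN layout and all sample keys are assumptions, since the page names no schema (the sample keys are constructed byte stubs, not real key material).

```python
"""Key-algorithm and role audit for step (1) of the LDAP registration.

Added example, not the patent's own code.  `ldapPublicKey`/`sshPublicKey`
come from the openssh-lpk LDAP schema; `sshRole`, the role names and the
sample keys are assumptions, since the page names no schema.
"""
import base64
import struct

# Assumed role catalogue; the page says roles map to permissions but lists none.
ALLOWED_ROLES = {"ops-admin", "developer", "auditor"}

# Internal requirement from the method: only Ed25519 keys may be registered.
ALLOWED_KEY_TYPES = {"ssh-ed25519"}
ED25519_KEY_LEN = 32


def _read_string(buf, offset):
    """Read one SSH wire-format string: uint32 big-endian length, then bytes."""
    if offset + 4 > len(buf):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    end = offset + 4 + length
    if end > len(buf):
        raise ValueError("truncated key blob")
    return buf[offset + 4:end], end


def _pack_strings(*items):
    """Encode byte strings in SSH wire format (used to build constructed samples)."""
    return b"".join(struct.pack(">I", len(x)) + x for x in items)


def parse_public_key(line):
    """Split an authorized_keys-style line into (wire key type, key body, comment).

    The type is read from the blob itself and must match the text prefix, so a
    key merely relabelled as ssh-ed25519 is rejected.
    """
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    text_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)  # binascii.Error is a ValueError
    wire_type, off = _read_string(blob, 0)
    wire_type = wire_type.decode("ascii")
    if wire_type != text_type:
        raise ValueError(f"prefix {text_type!r} does not match blob type {wire_type!r}")
    return wire_type, blob[off:], comment


def audit_key(line):
    """Administrator's algorithm check: returns (ok, reason)."""
    try:
        key_type, body, _ = parse_public_key(line)
        if key_type not in ALLOWED_KEY_TYPES:
            return False, f"key type {key_type} not permitted (Ed25519 only)"
        raw_key, end = _read_string(body, 0)
    except ValueError as exc:
        return False, f"unparseable key: {exc}"
    if end != len(body) or len(raw_key) != ED25519_KEY_LEN:
        return False, "malformed Ed25519 key body"
    return True, "ok"


def audit_role(role):
    """Administrator's permission check: the role must be a defined one."""
    if role not in ALLOWED_ROLES:
        return False, f"role {role!r} is not a defined role"
    return True, "ok"


def build_ldif(uid, base_dn, pubkey_line, role):
    """LDIF to attach the audited key and role to an existing user entry."""
    for ok, reason in (audit_key(pubkey_line), audit_role(role)):
        if not ok:
            raise ValueError(reason)
    return "\n".join([
        f"dn: uid={uid},ou=People,{base_dn}",
        "changetype: modify",
        "add: objectClass",
        "objectClass: ldapPublicKey",
        "-",
        "add: sshPublicKey",
        f"sshPublicKey: {pubkey_line.strip()}",
        "-",
        "add: sshRole",  # assumed attribute name for the Role information
        f"sshRole: {role}",
        "-",
    ])


# Constructed samples (not real key material): a 32-byte Ed25519 stub, an
# RSA-typed blob, an ssh-ed25519-labelled line whose blob says ssh-rsa, and
# an Ed25519-typed blob with a 16-byte body.
def _sample_line(key_type, *fields, comment=""):
    b64 = base64.b64encode(_pack_strings(key_type.encode(), *fields)).decode()
    return f"{key_type} {b64} {comment}".rstrip()


SAMPLE_ED25519 = _sample_line("ssh-ed25519", bytes(range(32)), comment="alice@example")
SAMPLE_RSA = _sample_line("ssh-rsa", b"\x01\x00\x01", b"\x00" + bytes(64), comment="bob@example")
SAMPLE_MISLABELLED = "ssh-ed25519 " + SAMPLE_RSA.split()[1]
SAMPLE_SHORT = _sample_line("ssh-ed25519", bytes(16))

if __name__ == "__main__":
    for name, line in [("ed25519", SAMPLE_ED25519), ("rsa", SAMPLE_RSA),
                       ("mislabelled", SAMPLE_MISLABELLED), ("short", SAMPLE_SHORT)]:
        print(f"{name:12} -> {audit_key(line)}")
    print(build_ldif("alice", "dc=example,dc=com", SAMPLE_ED25519, "developer"))
```

Reading the key type out of the blob rather than the text prefix is the part worth keeping: `sshd` and LDAP-backed authenticators (for example one wired in through OpenSSH's `AuthorizedKeysCommand`) act on the blob, so an `ssh-rsa` blob labelled `ssh-ed25519` would slip past a prefix-only filter and defeat the ED25519-only requirement the method relies on.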

Description

Technical field

[0001] The invention relates to the technical field of server security, in particular to a two-step authentication and auditing method based on SSH Certificate and LDAP.

Background technique

[0002] SSH is the remote management service for Unix/Linux servers. The commonly used login authentication methods are password-based and public/private key-based user authentication. The password method has defects such as being easy to leak and spread, being difficult to manage and control, and offering low security.

[0003] The public/private key method is highly secure, but on large server fleets, when IT/operations managers change, the cost of updating and replacing keys is relatively high; systems such as bastion hosts also have security loopholes and hidden dangers, and a vulnerability that discloses the private key leads to complete exposure of the servers.

[0004] At the same time, the company / organiza...


Application Information

Patent Type & Authority: Patents (China)
IPC(8): H04L9/08, H04L9/30, H04L9/32
CPC: H04L9/3263, H04L9/30, H04L9/088
Inventor: 高峰
Owner: HANGZHOU VISION INSIGHT TECH CO LTD