An SSH protocol-based intranet penetration login method and system
An intranet penetration login method based on the SSH protocol addresses the cumbersome operation and insufficient security of traditional login tools, providing convenient, efficient and secure remote management and operation and improving the quality and efficiency of enterprise network management and operation.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- PIO CLOUD COMPUTING (SHANGHAI) CO LTD
- Filing Date
- 2023-06-28
- Publication Date
- 2026-06-19
Figure CN116723023B_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the technical field of intranet penetration login, and in particular to an intranet penetration login method and system based on the SSH protocol.
Background Technology
[0002] Enterprise intranet management and remote maintenance refers to the processes and practices of managing and maintaining computer networks within an enterprise. It encompasses the following concepts:
[0003] Network device management: This includes the configuration, monitoring, troubleshooting, and performance management of various network devices (such as routers, switches, firewalls, etc.) within the enterprise network. Administrators are responsible for ensuring the proper functioning and configuration of these devices to support the enterprise's network communication needs.
[0004] Network topology planning involves designing and planning the topology of an enterprise network, including the location of network devices, interconnection methods, and subnetting. The goal of network topology planning is to provide efficient data flow and good network performance.
[0005] Network security management focuses on the security of the enterprise network, including setting up firewalls, intrusion detection systems, and access control policies to protect the network from potential security threats. Network administrators are responsible for monitoring and managing network security, ensuring the confidentiality, integrity, and availability of network devices and data.
[0006] User account and access control management includes creating and managing user accounts, assigning appropriate permissions and access levels to ensure that only authorized users can access corporate network resources. This can be achieved through mechanisms such as user authentication and access control lists.
[0007] Remote access and remote maintenance: Allows administrators to manage and maintain enterprise network devices from remote locations via remote connections. Remote access technology provides secure connections, enabling administrators to perform configuration, troubleshooting, and maintenance remotely when needed.
[0008] Network monitoring and troubleshooting: Use network monitoring tools to monitor and diagnose network performance, device status, and faults. These tools can provide real-time alerts and logging to help administrators quickly detect and resolve network problems, ensuring network availability and stability.
[0009] Regular maintenance and updates: Regularly maintain network equipment, application software, and security patches to ensure the proper functioning and security of network equipment. This includes software upgrades, equipment configuration reviews, and performance optimization.
[0010] In summary, enterprise network management and remote maintenance involve multiple aspects, including device management, topology planning, security management, remote access, monitoring, and troubleshooting, all aimed at ensuring the normal operation, security, and performance of the enterprise network. These practices help improve the network efficiency, reliability, and security of an enterprise.
[0011] For enterprise internal network management and remote maintenance, current technologies typically employ login tools, including traditional jump servers. However, existing login tools fail to meet users' needs for efficient and secure management and operation of target devices, specifically due to the following drawbacks:
[0012] (1) Traditional login methods such as jump servers are cumbersome: with a jump server the user has to enter a username and password multiple times (once for the jump server and again for the target device), which is relatively cumbersome and reduces work efficiency.
[0013] (2) Insufficient security: Traditional login tools use relatively simple encryption methods in the process of data transmission and authentication, which makes them vulnerable to hacker attacks or malicious software to steal information, posing a significant security risk.
[0014] (3) Functional limitations: Traditional login tools have relatively few functions and cannot meet users’ diverse needs for intranet penetration, remote command execution, and remote file transfer.
[0015] The above shortcomings prevent users from efficiently and securely managing and operating target devices when using traditional login tools, and also pose risks and challenges to enterprise network security.
Summary of the Invention
[0016] To address the aforementioned issues, the present invention aims to provide an intranet penetration login method and system based on the SSH protocol. This method offers users a more convenient, efficient, secure, and reliable login experience, supporting diverse functions such as session auditing, account management, access control, remote command execution, and remote file transfer. By employing the secure SSH protocol for data encryption and authentication, this tool ensures user data security and compliance, while simultaneously improving device security and management efficiency.
[0017] This invention can also be widely applied to enterprise intranet management, remote maintenance, and other fields. For example, in IT service management, administrators can use the method of this invention to remotely manage and monitor the entire IT system; in cloud platform management, users can access hosts located in the cloud using the method of this invention; and in development and operations, developers can use the method of this invention to perform remote debugging and deployment operations. Therefore, this invention has significant practical value and broad application prospects.
[0018] The above-mentioned objective of this invention is achieved through the following technical solutions:
[0019] A method for intranet penetration login based on the SSH protocol includes the following steps:
[0020] S1: Establish an intranet penetration login structure including four modules: command line tools, gateway, proxy server, and proxy;
[0021] S2: Establish a common protocol for initiating SSH protocol requests. The user terminal uses the common protocol to initiate the SSH protocol request to the gateway to connect to the remote target device.
[0022] S3: After receiving the SSH protocol request initiated by the user, the gateway authenticates and authorizes the SSH protocol request information, and then opens a session to send requests downstream, and links the user's connection request with the currently opened session on the gateway.
[0023] S4: The proxy server receives the session from the upstream, establishes a downstream session towards the proxy, and links the upstream and downstream sessions together.
[0024] S5: When the proxy receives a session from the upstream of the proxy server, the proxy performs remote operations on the target device, including remote login, remote command execution, and scp, by acting as an SSHD or by connecting the target device in series.
[0025] Further, in step S1, the intranet penetration login structure is established, comprising four modules: the command-line tool, the gateway, the proxy server, and the proxy. Specifically:
[0026] When the program corresponding to the intranet penetration login structure starts, the gateway actively dials out to the proxy server, carrying its gateway role, gateway account and gateway password, to establish the first connection between the gateway and the proxy server. The gateway periodically checks the heartbeat of the first connection and redials if the first connection is interrupted.
[0027] Meanwhile, the proxy located at the edge node actively dials out to the proxy server, carrying its proxy role, proxy account and proxy password, to establish the second connection between the proxy and the proxy server. The proxy periodically checks the heartbeat of the second connection and reports it to the proxy server, and periodically reports the loggable devices on the edge node to the proxy server based on the scripts issued by the proxy server.
[0028] Furthermore, intranet penetration login methods based on the SSH protocol also include:
[0029] The gateway exposes two ports, including a first port and a second port.
[0030] The first port is used to connect to the user terminal and provide SSH service to the user terminal, providing functions including remote login, remote command execution, and remote file transfer.
[0031] The second port is used to connect to the command-line tool, which converts data, including user management and script management, into an HTTP protocol API interface and requests the gateway through the second port to complete functions including user management and script management.
[0032] Furthermore, intranet penetration login methods based on the SSH protocol also include:
[0033] A storage database is established, and the gateway stores the user management and script management created by the command-line tool into the storage database. The user management includes user information such as user account, user password, user role, several public keys, user whitelist and user blacklist, which is used to authenticate the user account corresponding to the user terminal when the user terminal initiates the SSH service request, and to authorize the target device that the user terminal can access. The script management includes script information such as script name, script version, script execution interval and script execution timeout.
[0034] The proxy server and the gateway share the same storage database. The gateway periodically pulls the script management from the storage database and distributes it to all the proxies. The proxies compare the script version in the script management to confirm whether to update the local script. At the same time, the proxies periodically execute the local script according to the script execution interval and the script execution timeout, save the execution result of the local script, and report the execution result to the proxy server.
[0035] Further, in step S2, the common protocol for initiating the SSH protocol request is defined, specifically as follows:
[0036] The common protocol stipulates that the SSH user name with which the user terminal initiates the SSH protocol request consists of the user account and the ID of the target device, and that the SSH address of the common protocol is the domain name and port of the gateway.
[0037] Further, in step S3, after the gateway receives the SSH protocol request initiated by the user client and authenticates and authorizes the SSH protocol request information, the gateway opens a session to send requests downstream, and concatenates the user client's connection request with the currently opened session on the gateway, specifically as follows:
[0038] S31: After receiving the SSH protocol request initiated by the user terminal, the gateway parses out information including the user account of the user terminal, the credential presented with the request (a user password, or a public key whose matching private key the user terminal proves possession of by signature; the private key itself never leaves the user terminal), and the target device to be connected.
[0039] S32: The gateway authenticates the login permissions of the user account and determines whether the user terminal has been authorized to access the target device based on the user whitelist and the user blacklist;
[0040] S33: After determining that the user account has been authenticated and authorized, the gateway uses the first connection to open a session through yamux. The first packet of the session carries information including the target device to be connected, the user account, and the user role.
[0041] S34: When the session returns a success packet, use the session to open an SSH client, concatenate the connection request from the user client with the currently opened SSH client session on the gateway, and pass the SSH data packets from the connection request from the user client into the SSH client;
[0042] S35: Audit and record the connection requests from the user terminal and the output from the target device on the gateway.
[0043] Further, in step S4, the proxy server receives the session from the upstream, establishes a downstream session towards the proxy, and links the upstream and downstream sessions together, specifically:
[0044] S41: The proxy server receives a session from the gateway and names the received session as sessionUp, representing that the session comes from the upstream gateway. The ID of the target device is parsed from the first packet of sessionUp.
[0045] S42: Based on the device information reported by the proxy after executing the local script, find in the connection pool the unique second connection (the one dialed in by the proxy that reported the target device), open a session using that connection, name the opened session sessionDown, and send information including the ID of the target device to sessionDown;
[0046] S43: When sessionDown successfully returns the device information, a success packet is returned to sessionUp. The proxy server concatenates sessionUp and sessionDown together using io.Copy.
[0047] An SSH-based intranet penetration login system for executing the above-described SSH-based intranet penetration login method includes:
[0048] The login structure establishment module is used to establish an intranet penetration login structure that includes four modules: command-line tools, gateway, proxy server, and proxy.
[0049] The general protocol formulation module is used to formulate a general protocol for initiating SSH protocol requests. The user terminal initiates the SSH protocol request to the gateway through the general protocol to connect to the remote target device.
[0050] The SSH request sending module enables the gateway to receive the SSH protocol request initiated by the user, authenticate and authorize the SSH protocol request information, open a session to send requests downstream, and concatenate the user's connection request with the currently opened session on the gateway.
[0051] The session concatenation module enables the proxy server to receive the session from the upstream, establish a downstream session towards the proxy, and concatenate the upstream and downstream sessions together.
[0052] The proxy remote operation module is used to enable the proxy to perform remote operations on the target device, including remote login, remote command execution, and scp, when the proxy receives a session from the upstream of the proxy server, by acting as an SSHD or by connecting the target device in series.
[0053] A computer device includes a memory and one or more processors, the memory storing computer code that, when executed by the one or more processors, causes the one or more processors to perform the method described above.
[0054] A computer-readable storage medium storing computer code that, when executed, performs the method described above.
[0055] Compared with the prior art, the present invention has at least one of the following beneficial effects:
[0056] (1) An intranet penetration login structure is adopted, consisting of four modules: command-line tools, gateway, proxy server, and proxy, and login is initiated by sending SSH protocol requests. This login method is more portable, efficient, secure, and reliable. Furthermore, the SSH protocol login method supports custom usernames and passwords, as well as multiple authentication methods such as multiple public keys, ensuring user data security.
[0057] (2) By auditing and logging connection requests from the client and output from the target device at the gateway, user login and operation history can be monitored and recorded, improving device security and compliance.
[0058] (3) The intranet penetration login structure adopted in this invention can support a variety of operations such as intranet penetration, remote command execution, and remote file transfer. It also supports user management functions including account management and access control, which helps administrators better manage target devices and users and reduce related management costs.
[0059] (4) Compared with traditional login tools, this invention is faster and easier to operate, which can help users access and manage the host more quickly and improve work efficiency.
[0060] Through the above-mentioned beneficial effects, this invention can help users solve many problems existing in traditional login tools, and provide a more secure, reliable, feature-rich, easy-to-use and efficient intranet penetration login tool, thereby improving the quality and efficiency of enterprise network management and operation and maintenance.
Attached Figure Description
[0061] Figure 1 is an overall flowchart of the intranet penetration login method based on the SSH protocol of the present invention;
[0062] Figure 2 is a schematic diagram of the intranet penetration login structure of the present invention;
[0063] Figure 3 is a schematic diagram of the connection process of the intranet penetration login method based on the SSH protocol of the present invention;
[0064] Figure 4 is an overall structural diagram of the intranet penetration login system based on the SSH protocol of this invention.
Detailed Implementation
[0065] To make the objectives, technical solutions, and advantages of the embodiments of this application clearer, the technical solutions of the embodiments of this application will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of this application, not all embodiments. Based on the embodiments of this application, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of this application.
[0066] Those skilled in the art will understand that, unless specifically stated otherwise, the singular forms “a,” “an,” and “the” used herein may also include the plural forms. It should be further understood that the term “comprising” as used in this specification means the presence of the stated features, integers, steps, operations, elements, and/or components, but does not exclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
[0067] This invention achieves the following technological breakthroughs:
[0068] (1) Intranet Penetration Technology: Intranet penetration technology allows edge-side node devices to actively connect to cloud components and expose services. Users can access hosts and target devices in the enterprise's internal network from the external network, enabling remote management and control.
[0069] (2) Connection Management and Reuse: This invention supports connection reuse, meaning that multiple clients can share an existing connection when connecting to the same host, and the same connection can support opening multiple sessions. This avoids repeatedly establishing new connections, improving resource utilization and performance.
[0070] (3) Authentication, authorization and session management: This invention supports authentication, authorization and session auditing. During the user login process the account's password or public key is verified, access is granted only to the devices the user is authorized for, and the entire operation process is recorded, improving the security and compliance of the device.
[0071] (4) User Management and Script Management: Administrators can add users and grant them permissions and access to devices via command-line tools. Script management provides a variety of scripts for detecting loggable devices. These scripts are ultimately distributed to edge nodes, which then report the loggable devices and their types. This allows for better management of target devices and users, reducing management costs.
[0072] (5) Diverse device support: This invention reports accessible devices and types by issuing scripts. The tool has an open interface for logging into various target devices (including containers, virtual machines, physical machines, etc.).
[0073] In summary, this invention has achieved technological breakthroughs in intranet penetration technology, connection management and reuse, authentication and authorization session management, user management and script management, and diversified device support, providing users with a more convenient, efficient, secure and reliable intranet penetration login tool.
[0074] The technical points of the present invention will be described in detail below through specific embodiments:
[0075] First Embodiment
[0076] As shown in Figure 1, this embodiment provides a method for intranet penetration login based on the SSH protocol, including the following steps:
[0077] S1: Establish an intranet penetration login structure including four modules: command-line tools, gateway, proxy server, and proxy.
[0078] In this embodiment, the specific structural configuration of the intranet penetration login structure is as shown in Figure 2. The four modules of the intranet penetration login structure specifically include the following settings:
[0079] At the start of the project corresponding to the intranet penetration login structure, the gateway actively carries the gateway role, gateway account and gateway password to dial up and connect with the proxy server to establish the first connection between the gateway and the proxy server. The gateway periodically checks the heartbeat of the first connection. If the first connection is interrupted, the gateway will redial.
[0080] Simultaneously, the proxy located at the edge node proactively dials out to the proxy server with its proxy role, proxy account and proxy password to establish the second connection. It is important to note that the proxy may be located on an internal network behind NAT or a firewall: because the proxy dials out to the proxy server, no inbound port has to be opened on the edge node, and the proxy server only needs to verify the proxy account, proxy role and proxy password (these credentials are therefore what authenticates the edge node and must be protected accordingly). The proxy periodically checks the heartbeat of this second connection and reports it to the proxy server; because the heartbeat is maintained by the proxy, the proxy server does not need to know whether the proxy is on an internal or public network. Furthermore, the proxy periodically reports loggable devices on the edge node, such as the current host and the containers running on it, to the proxy server based on the scripts issued by the proxy server.
[0081] The gateway exposes two ports, a first port and a second port; in Figure 2, for example, the first port number is 2022 and the second port number is 2023. The first port is used to connect to the user terminal, providing SSH service to the user terminal, including functions such as remote login, remote command execution, and remote file transfer. The second port is used to connect to the command-line tool, which converts data, including user management and script management data, into HTTP protocol API interfaces, and requests the gateway through the second port to complete functions including user management and script management.
[0082] SSH service refers to a service program running on a computer system that provides secure remote login and file transfer capabilities. The SSH (Secure Shell) protocol is an encrypted network protocol used for secure remote operations over insecure networks.
[0083] Using the SSH service, users can remotely connect to servers or remote computers using SSH clients and perform the following operations:
[0084] (1) Remote login: Users can connect to a remote computer via SSH and log in by entering their username and password. SSH uses encryption technology to protect the security of user login information and prevent passwords from being intercepted or stolen.
[0085] (2) Remote command execution: Once logged into a remote computer, users can execute commands and perform operations on a remote terminal. This allows users to remotely manage and control the server, performing file operations, program execution, configuration changes, and other operations.
[0086] (3) File transfer: SSH also supports secure file transfer. Users can use the SCP (Secure Copy) or SFTP (Secure File Transfer Protocol) commands to transfer files to or download files from a remote computer via an SSH connection.
[0087] (4) Port forwarding: SSH also supports port forwarding, allowing users to establish a secure communication channel between local and remote computers. This can be used to securely access services on a remote computer or forward remote services on the local host.
[0088] Furthermore, in the intranet penetration login structure, a storage database needs to be established as the storage module of the intranet penetration login structure to store user management and script management information. The gateway stores the user management and script management created by the command-line tool into the storage database. The user management includes user information such as user account, user password, user role, several public keys, user whitelist and user blacklist, which is used to authenticate the user account corresponding to the user terminal when the user terminal initiates the SSH service request, and to authorize the target device that the user terminal can access. The script management includes script information such as script name, script version, script execution interval, and script execution timeout. The proxy server and the gateway share the same storage database. The gateway periodically pulls the script management from the storage database and distributes it to all the proxies. The proxies will compare the script version in the script management to confirm whether to update the local script. At the same time, the proxies will periodically execute the local script according to the script execution interval and the script execution timeout, save the execution result of the local script, and report the execution result to the proxy server.
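The script-management cycle described above (version comparison on the proxy, periodic execution of the local script under its execution timeout, and reporting of the result), as an added Go example; it is not code from the patent or from PIO Cloud Computing. The dotted-integer version format, running scripts through /bin/sh, and the Script and Result field names are assumptions, and the two scripts in main are constructed samples.

```go
package main

import (
	"context"
	"fmt"
	"os/exec"
	"strconv"
	"strings"
	"time"
)

// Script mirrors one script-management record: name, version, body,
// execution interval and execution timeout. The dotted-integer version
// format ("1.2.10") is an assumption; the patent fixes no format.
type Script struct {
	Name, Version, Body string
	Interval, Timeout   time.Duration
}

// NewerVersion reports whether candidate is strictly newer than current,
// comparing numerically field by field so that "1.10" is newer than "1.9".
func NewerVersion(candidate, current string) bool {
	c, n := strings.Split(candidate, "."), strings.Split(current, ".")
	for i := 0; i < len(c) || i < len(n); i++ {
		var a, b int
		if i < len(c) {
			a, _ = strconv.Atoi(c[i])
		}
		if i < len(n) {
			b, _ = strconv.Atoi(n[i])
		}
		if a != b {
			return a > b
		}
	}
	return false
}

// Sync is the proxy-side update step: a distributed script replaces the
// local copy only when its version is newer. It reports whether anything
// changed so the caller restarts the execution loop only when needed.
func Sync(local map[string]Script, distributed []Script) bool {
	changed := false
	for _, s := range distributed {
		if cur, ok := local[s.Name]; !ok || NewerVersion(s.Version, cur.Version) {
			local[s.Name] = s
			changed = true
		}
	}
	return changed
}

// Result is what the proxy saves and reports to the proxy server per run.
type Result struct {
	Script, Version, Output string
	TimedOut                bool
	Err                     error
}

// Run executes one script under its timeout via /bin/sh (assumption: the
// edge node is a Unix host). exec.CommandContext kills the child when the
// deadline passes, so a hung discovery script cannot wedge the report loop.
func Run(ctx context.Context, s Script) Result {
	ctx, cancel := context.WithTimeout(ctx, s.Timeout)
	defer cancel()
	out, err := exec.CommandContext(ctx, "/bin/sh", "-c", s.Body).Output()
	return Result{Script: s.Name, Version: s.Version, Err: err,
		Output:   strings.TrimSpace(string(out)),
		TimedOut: ctx.Err() == context.DeadlineExceeded}
}

// Loop runs every local script on its own interval and hands each Result
// to report until ctx is cancelled; one goroutine per script, so a slow
// script never delays the others.
func Loop(ctx context.Context, local map[string]Script, report func(Result)) {
	for _, s := range local {
		go func(s Script) {
			t := time.NewTicker(s.Interval)
			defer t.Stop()
			for {
				report(Run(ctx, s))
				select {
				case <-ctx.Done():
					return
				case <-t.C:
				}
			}
		}(s)
	}
}

func main() {
	// Constructed samples: a discovery script listing the host and a
	// container, and a hung script that the timeout must cut off.
	local := map[string]Script{}
	Sync(local, []Script{
		{"discover", "1.1", "uname -n; echo c1 container", time.Second, 2 * time.Second},
		{"hang", "1.0", "sleep 5", time.Second, 200 * time.Millisecond},
	})
	ctx, cancel := context.WithTimeout(context.Background(), 1500*time.Millisecond)
	defer cancel()
	Loop(ctx, local, func(r Result) {
		fmt.Printf("%s@%s timedOut=%v err=%v\n%s\n", r.Script, r.Version, r.TimedOut, r.Err, r.Output)
	})
	<-ctx.Done()
}
```

A script that hangs is killed when its execution timeout expires and is reported with TimedOut set, so one stuck discovery script cannot stop the proxy from reporting the other loggable devices; the version comparison is numeric per field so that a "1.10" script is not mistaken for an older "1.9".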
[0089] S2: Establish a common protocol for initiating SSH protocol requests. The client initiates the SSH protocol request to the gateway through the common protocol to connect to the remote target device.
[0090] Specifically, in this embodiment, the common protocol stipulates that the SSH user name with which the user terminal initiates the SSH protocol request consists of the user account and the ID of the target device, and that the SSH address of the common protocol is the domain name and port of the gateway.
[0091] For example, for a user with the account "user", a target device "c1", and a gateway address of "ga.work" with an SSH port of 2022, the user connects to the remote device with the command `ssh -p 2022 user_c1@ga.work`; the gateway splits the SSH user name `user_c1` back into the account `user` and the device ID `c1`.
[0092] S3: After receiving the SSH protocol request initiated by the user, the gateway authenticates and authorizes the SSH protocol request information, and then opens a session to send requests downstream, and concatenates the user's connection request with the currently opened session on the gateway.
[0093] In this embodiment, step S3 specifically includes the following sub-steps:
[0094] S31: After receiving the SSH protocol request initiated by the user terminal, the gateway parses out information including the user account of the user terminal, the credential presented with the request (a user password, or a public key whose matching private key the user terminal proves possession of by signature; the private key itself never leaves the user terminal), and the target device to be connected.
[0095] S32: The gateway authenticates the login permissions of the user account and determines whether the user terminal has been authorized to access the target device based on the user whitelist and the user blacklist.
[0096] S33: After determining that the user account has been authenticated and authorized, the gateway uses the first connection to open a session via yamux. The first packet of the session carries information including the target device to be connected, the user account, and the user role.
[0097] Brief explanation: yamux is an open-source stream-multiplexing library written in Go (github.com/hashicorp/yamux) with features including, but not limited to, the following:
[0098] 1. Multiplexing: The ability to transmit multiple data streams simultaneously over a single connection to improve network performance. The session mentioned here refers to a data stream opened by yamux using an existing connection.
[0099] 2. Stream isolation: the sessions opened on the single connection from the gateway to the proxy server are independent of each other, each with its own flow control, so data belonging to different sessions is never mixed; integrity and ordering of the bytes themselves come from the underlying TCP connection.
[0100] 3. Low overhead: Supports a large number of logical flows using fewer resources. The logical flow here refers to the session; therefore, even with only one connection between the gateway and the proxy server, resource consumption remains low despite multiple sessions.
[0101] The aforementioned session will eventually be routed to the target device through the proxy server. Our ultimate goal is for the user's request to connect to the proxy server through the first connection, then reach the proxy through the proxy server, and finally reach the target device through the proxy.
[0102] S34: When the session returns a success packet, use the session to open an SSH client, concatenate the connection request from the client and the currently opened SSH client session on the gateway, and pass the SSH data packet from the connection request from the client into the SSH client.
[0103] Specifically, on the gateway side it is also necessary to link the user's connection with the currently open session. The connection from the user carries SSH packets, and the gateway is the SSH server that terminates them (it is the gateway's host key and authentication that the user's SSH client sees, not the target device's). The opened session must therefore carry an SSH connection of its own, so an SSH client is opened over the session and the data from the user's connection is passed into that client. Because both sides are terminated on the gateway, the session content is available in the clear there, which is what makes the auditing of step S35 possible; it also means the gateway must be protected as a privileged component.
[0104] S35: Audit and log the connection requests from the user terminal and the output from the target device on the gateway. Since the connection from the user terminal to the target device must pass through the gateway, the auditing and logging function is set up on the gateway.
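The S2 naming convention together with the S31/S32 authentication and authorization checks, as an added Go example that is not code from the patent or from PIO Cloud Computing. It assumes the login name is split at the last underscore, that public keys reach policy code as SHA-256 fingerprints (the way an SSH server library hands over a key after verifying the client's signature), and that the blacklist takes precedence over the whitelist with deny by default; the user table in SampleUsers is constructed.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// User mirrors the user-management record the gateway keeps in the storage
// database (account, role, several public keys, device whitelist and
// blacklist). Field names and the fingerprint form are assumptions.
type User struct {
	Account    string
	Role       string
	PublicKeys map[string]bool // SHA256 fingerprints of the user's keys
	Whitelist  map[string]bool // device IDs the user may reach; "*" = any
	Blacklist  map[string]bool // device IDs the user may never reach
}

var ErrBadLoginName = errors.New("login name must be <account>_<deviceID>")

// ParseLoginName implements the S2 convention: the SSH user name is the
// account and the target device ID joined by "_". Splitting on the last "_"
// keeps accounts like "john_doe" working; it assumes device IDs never
// contain "_" (the patent does not say).
func ParseLoginName(login string) (account, device string, err error) {
	i := strings.LastIndex(login, "_")
	if i <= 0 || i == len(login)-1 {
		return "", "", ErrBadLoginName
	}
	return login[:i], login[i+1:], nil
}

// Authenticate is the S31 credential check for public-key logins. The
// client never sends its private key: the SSH server verifies a signature
// and hands the verified public key to policy code, so only a fingerprint
// of that key arrives here.
func (u *User) Authenticate(fingerprint string) bool {
	return u.PublicKeys[fingerprint]
}

// Authorize is the S32 device check. Policy chosen here (not fixed by the
// patent): deny by default, blacklist beats whitelist, and "*" in the
// whitelist grants every device that is not blacklisted.
func (u *User) Authorize(device string) bool {
	if u.Blacklist[device] {
		return false
	}
	return u.Whitelist[device] || u.Whitelist["*"]
}

// Gate runs the whole S2/S31/S32 decision for one incoming SSH request and
// returns the device the gateway may open a downstream session to.
func Gate(users map[string]*User, login, fingerprint string) (string, error) {
	account, device, err := ParseLoginName(login)
	if err != nil {
		return "", err
	}
	u, ok := users[account]
	if !ok || !u.Authenticate(fingerprint) {
		// one message for both cases, so callers cannot enumerate accounts
		return "", fmt.Errorf("authentication failed for %q", account)
	}
	if !u.Authorize(device) {
		return "", fmt.Errorf("%q is not authorised for device %q", account, device)
	}
	return device, nil
}

// SampleUsers is a constructed user table; the fingerprints are
// placeholders, not real key hashes.
func SampleUsers() map[string]*User {
	return map[string]*User{
		"user": {Account: "user", Role: "operator",
			PublicKeys: map[string]bool{"SHA256:userkey": true},
			Whitelist:  map[string]bool{"c1": true, "c2": true},
			Blacklist:  map[string]bool{"c2": true}},
		"admin": {Account: "admin", Role: "admin",
			PublicKeys: map[string]bool{"SHA256:adminkey": true},
			Whitelist:  map[string]bool{"*": true},
			Blacklist:  map[string]bool{"vault": true}},
	}
}

func main() {
	users := SampleUsers()
	for _, c := range []struct{ login, fp string }{
		{"user_c1", "SHA256:userkey"}, {"user_c2", "SHA256:userkey"}, {"user_c1", "SHA256:other"},
		{"admin_db1", "SHA256:adminkey"}, {"admin_vault", "SHA256:adminkey"}, {"nouser", ""},
	} {
		dev, err := Gate(users, c.login, c.fp)
		fmt.Printf("%-12s -> device=%q err=%v\n", c.login, dev, err)
	}
}
```

The identical error for an unknown account and a wrong key is deliberate: a distinguishable message on the gateway's public SSH port would let an attacker enumerate valid accounts. Authorization is evaluated on the device named in the login, not only on the account, since per-device access control is the whole purpose of the whitelist and blacklist.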
[0105] S4: The proxy server receives the session from the upstream, establishes a downstream session towards the proxy, and links the upstream and downstream sessions together.
[0106] In this embodiment, step S4 specifically includes the following sub-steps:
[0107] S41: The proxy server receives a session from the gateway and names the received session as sessionUp, indicating that the session comes from the upstream gateway. The ID of the target device is parsed from the first packet of sessionUp.
[0108] S42: Based on the device information reported after the proxy executes the local script, find in the connection pool the unique second connection (the one dialed in by the proxy hosting the target device), open a session using that connection, name the opened session sessionDown, and send information including the ID of the target device to sessionDown.
[0109] Specifically, the device information (device ID, the machine it is located on, etc.) reported by the proxy after executing the local script issued by the proxy server identifies exactly one connection in the connection pool: the second connection dialed in by the proxy on that machine. A session, called sessionDown, is opened on this connection, and the necessary information such as the target device ID is sent over it. The proxy side then does the work needed to connect sessionDown to the target device, as described under step S5 below.
[0110] S43: When sessionDown successfully returns the device information, a success packet is returned to sessionUp. The proxy server concatenates sessionUp and sessionDown together using io.Copy.
[0111] Specifically, in the proxy server phase, once sessionDown has returned success, and because sessionUp and sessionDown are connections of the same type, the proxy server chains the upstream and downstream connections together with io.Copy. Two goroutines are needed: one copies the upstream connection's requests to the downstream connection, and the other copies the downstream responses back to the upstream connection.
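The following Go program is an added example, not code from the patent or its assignee. It implements steps S41 to S43 over in-memory net.Pipe connections: read the device ID from the first packet of sessionUp, look up the reporting proxy's first connection in the pool, open sessionDown, wait for the success packet, and then join the two sessions with io.Copy in two goroutines. The same two-goroutine relay is what [0103] describes on the gateway between the user's connection and the session opened there. Everything not stated by the patent is an assumption: the line framing ("DEVICE <id>\n" answered by "OK\n" or "ERR <reason>\n"), plain net.Conn values in place of yamux streams, a fakeProxy standing in for the real edge proxy, and the names pool, relay, serveUp, fakeProxy and runSession.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"net"
	"strings"
	"sync"
)

// Assumed framing (the patent fixes no wire format): a session opens with
// "DEVICE <id>\n" and is answered with "OK\n" or "ERR <reason>\n".

// pool maps each device ID reported by a proxy (S42) to a function that opens
// a fresh sessionDown on that proxy's first connection (assumed shape).
type pool map[string]func() (net.Conn, error)

// relay is S43: one goroutine per direction, joined with io.Copy. It reads from
// the bufio readers, not the raw conns, so bytes read ahead during the handshake
// are not lost; whichever direction ends first closes the peer so the other copy returns.
func relay(up, down net.Conn, upR, downR io.Reader) {
	var wg sync.WaitGroup
	wg.Add(2)
	go func() { defer wg.Done(); defer down.Close(); io.Copy(down, upR) }() // requests
	go func() { defer wg.Done(); defer up.Close(); io.Copy(up, downR) }()   // responses
	wg.Wait()
}

// serveUp handles one sessionUp on the proxy server (S41 to S43).
func serveUp(up net.Conn, p pool) error {
	defer up.Close()
	fail := func(reason string) error {
		fmt.Fprintf(up, "ERR %s\n", reason)
		return fmt.Errorf("sessionUp: %s", reason)
	}
	upR := bufio.NewReader(up)
	first, err := upR.ReadString('\n')
	if err != nil {
		return err
	}
	id, ok := strings.CutPrefix(strings.TrimSpace(first), "DEVICE ")
	open := p[id]
	if !ok || open == nil {
		return fail("unknown or malformed device " + id)
	}
	down, err := open()
	if err != nil {
		return fail(err.Error())
	}
	defer down.Close()
	// Wait for the edge's success packet before answering upstream, so an edge
	// failure reaches the user instead of leaving a half-open tunnel.
	fmt.Fprintf(down, "DEVICE %s\n", id)
	downR := bufio.NewReader(down)
	reply, err := downR.ReadString('\n')
	if err != nil || strings.TrimSpace(reply) != "OK" {
		return fail("edge refused: " + strings.TrimSpace(reply))
	}
	fmt.Fprint(up, "OK\n") // success packet back to sessionUp
	relay(up, down, upR, downR)
	return nil
}

// fakeProxy (constructed stand-in for the edge proxy) answers the device packet
// and echoes every line; the real proxy would attach an SSHD or docker exec (S5).
func fakeProxy(deviceID string) func() (net.Conn, error) {
	return func() (net.Conn, error) {
		server, edge := net.Pipe()
		go func() {
			defer edge.Close()
			r := bufio.NewReader(edge)
			if first, _ := r.ReadString('\n'); strings.TrimSpace(first) != "DEVICE "+deviceID {
				fmt.Fprint(edge, "ERR unknown device\n")
				return
			}
			fmt.Fprint(edge, "OK\n")
			for line, err := r.ReadString('\n'); err == nil; line, err = r.ReadString('\n') {
				fmt.Fprint(edge, "echo:"+line)
			}
		}()
		return server, nil
	}
}

// runSession plays the gateway end over an in-memory pipe: it sends the first
// packet, then one request, and returns the response line.
func runSession(p pool, deviceID, request string) (string, error) {
	gw, up := net.Pipe()
	done := make(chan error, 1)
	go func() { done <- serveUp(up, p) }()
	defer func() { gw.Close(); <-done }()
	r := bufio.NewReader(gw)
	fmt.Fprintf(gw, "DEVICE %s\n", deviceID)
	if reply, err := r.ReadString('\n'); err != nil || strings.TrimSpace(reply) != "OK" {
		return "", fmt.Errorf("proxy server refused: %s", strings.TrimSpace(reply))
	}
	fmt.Fprint(gw, request)
	return r.ReadString('\n')
}
```

Two points matter in practice. First, the bytes the proxy server copies are SSH packets exchanged between the gateway's SSH client and the SSHD the proxy presents, so the proxy server cannot read them; it can log only session metadata such as the device ID and timing, which is why [0104] places command and output auditing on the gateway, where both SSH legs terminate in plaintext. Second, the patent does not say how the gateway's SSH client verifies the host key offered through sessionDown; a deployment should pin that key per device, since otherwise any party able to answer on the first connection could stand in for the target.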
[0112] S5: When the proxy receives a session from its upstream, the proxy server, it performs the remote operations on the target device, including remote login, remote command execution, and scp, either by acting as an SSHD itself or by chaining the session through to the target device.
[0113] Specifically, when the proxy receives a session from the proxy server, the first packet carries the necessary information such as the target device ID. If the target device is the current machine, the proxy acts as an SSHD and executes the SSH commands within the connection, providing remote login, remote command execution, and SCP (secure file transfer). If the target device is a container on the current machine, the proxy only needs to connect the current session to the input and output of the command `docker exec containerId` (which lets the user enter the container and execute the specified command in the container's context). In this process, the proxy either acts as an SSHD or chains the session through to the target device.
[0114] sshd refers to the SSH server daemon, a program running on the server responsible for providing SSH services. sshd allows remote users to securely log in to the server and perform various operations via the SSH protocol. When the sshd daemon starts, it listens on a pre-defined SSH port (default 22), accepts connection requests from SSH clients, and authenticates them. Once a user is successfully authenticated, sshd establishes a secure communication channel, allowing the user to execute remote commands, access the file system, and perform other remote management tasks. sshd provides various authentication methods, including password authentication, public key authentication, and certificate-based authentication. With proper configuration, administrators can choose the authentication method that best suits their security needs and restrict access permissions. Configuring and managing sshd typically requires editing the sshd configuration file (usually located at /etc/ssh/sshd_config or a similar location), which contains various configuration options such as the listening port, authentication method, and access restrictions. Administrators can modify the configuration file as needed and reload the sshd service for the changes to take effect. sshd also logs login and operation activities, which can be used to monitor and audit remote access activities. Administrators can view these logs to track user activity, detect potential security issues, and troubleshoot problems.
[0115] As shown in Figure 3, the core of the above process is how to join the user's connection and the first connection from the proxy server to the target device; that is, to attach the user's connection and the second connection to the two ends of the first connection respectively.
[0116] Second Embodiment
[0117] As shown in Figure 4, this embodiment provides an SSH-based intranet penetration login system for executing the SSH-based intranet penetration login method described in the first embodiment, comprising:
[0118] The login structure establishment module 1 is used to establish an intranet penetration login structure that includes four modules: command-line tools, gateway, proxy server, and proxy.
[0119] The general protocol formulation module 2 is used to formulate a general protocol for initiating SSH protocol requests. The user terminal initiates the SSH protocol request to the gateway through the general protocol to connect to the remote target device.
[0120] The SSH request sending module 3 is used to provide the gateway with a session to send requests downstream after receiving the SSH protocol request initiated by the user terminal, authenticating and authorizing the SSH protocol request information, and concatenating the connection request of the user terminal with the currently opened session on the gateway.
[0121] The session concatenation module 4 is used to provide the proxy server with a session received from upstream and to establish a downstream session toward the proxy, while concatenating the upstream and downstream sessions together.
[0122] The proxy remote operation module 5 is used to provide the proxy with the ability, when it receives a session from its upstream proxy server, to perform remote operations on the target device, including remote login, remote command execution, and scp, either by acting as an SSHD or by chaining the session through to the target device.
[0123] A computer-readable storage medium stores computer code that, when executed, performs the methods described above. Those skilled in the art will understand that all or part of the steps in the various methods of the above embodiments can be implemented by a program instructing related hardware. This program can be stored in a computer-readable storage medium, which may include: read-only memory (ROM), random access memory (RAM), a magnetic disk, or an optical disk, etc.
[0124] The above description is merely a preferred embodiment of the present invention. The scope of protection of the present invention is not limited to the above embodiments. All technical solutions falling within the scope of the present invention's concept are within the scope of protection of the present invention. It should be noted that for those skilled in the art, any improvements and modifications made without departing from the principles of the present invention should also be considered within the scope of protection of the present invention.
[0125] The technical features of the above embodiments can be combined in any way. For the sake of brevity, not all possible combinations of the technical features in the above embodiments are described. However, as long as there is no contradiction in the combination of these technical features, they should be considered to be within the scope of this specification.
[0126] It should be noted that the above embodiments can be freely combined as needed. The above description is only a preferred embodiment of the present invention. It should be pointed out that for those skilled in the art, several improvements and modifications can be made without departing from the principle of the present invention, and these improvements and modifications should also be considered within the scope of protection of the present invention.
Claims
1. A method for intranet penetration login based on the SSH protocol, characterized in that it includes the following steps: S1: Establish an intranet penetration login structure including four modules: command-line tools, gateway, proxy server, and proxy. A storage database is established, and the gateway stores the user management and script management created by the command-line tool in the storage database. The user management includes user information such as user account, user password, user role, several public keys, user whitelist and user blacklist, which is used to authenticate the user account corresponding to the user terminal when the user terminal initiates an SSH service request, and to authorize the target devices that the user terminal can access. The script management includes script information such as script name, script version, script execution interval and script execution timeout. The proxy server and the gateway share the same storage database. The gateway periodically pulls the script management from the storage database and distributes it to all the proxies. The proxies compare the script version in the script management to decide whether to update the local script. At the same time, the proxies periodically execute the local script according to the script execution interval and the script execution timeout, save the execution result of the local script, and report the execution result to the proxy server. S2: Establish a common protocol for initiating SSH protocol requests. The user terminal uses the common protocol to initiate the SSH protocol request to the gateway to connect to the remote target device. S3: After receiving the SSH protocol request initiated by the user, the gateway authenticates and authorizes the SSH protocol request information, then opens a session to send requests downstream, and links the user's connection request with the session currently opened on the gateway.
S4: The proxy server receives a session from upstream and establishes a downstream session toward the proxy, while linking the upstream and downstream sessions together. S5: When the proxy receives a session from its upstream proxy server, the proxy performs remote operations on the target device, including remote login, remote command execution, and scp, either by acting as an SSHD or by chaining the session through to the target device.
2. The intranet penetration login method based on the SSH protocol according to claim 1, characterized in that in step S1 the intranet penetration login structure is established, comprising four modules: the command-line tool, the gateway, the proxy server, and the proxy. Specifically: at the start of the project corresponding to the intranet penetration login structure, the gateway actively carries the gateway role, gateway account and gateway password to dial up and connect to the proxy server, establishing the first connection between the gateway and the proxy server. The gateway periodically checks the heartbeat of the first connection, and if the first connection is interrupted, the gateway redials. Meanwhile, the proxy located at the edge node actively carries the proxy role, proxy account and proxy password to dial up and connect to the proxy server, establishing a second connection between the proxy and the proxy server. The proxy periodically checks the heartbeat of the second connection and reports it to the proxy server, and periodically reports the loggable devices on the edge node to the proxy server based on the script issued by the proxy server.
3. The intranet penetration login method based on the SSH protocol according to claim 2, characterized in that it also includes: the gateway exposes two ports, a first port and a second port. The first port is used to connect to the user terminal and provide SSH service to the user terminal, including remote login, remote command execution, and remote file transfer. The second port is used to connect to the command-line tool, which converts data, including user management and script management, into an HTTP API and requests the gateway through the second port to complete functions including user management and script management.
4. The intranet penetration login method based on the SSH protocol according to claim 3, characterized in that in step S2 the common protocol for initiating the SSH protocol request is defined as follows: the common protocol stipulates that the client identity used to initiate the SSH protocol request consists of the user account and the ID of the target device, and that the SSH address under the common protocol is the domain name and port of the gateway.
5. The intranet penetration login method based on the SSH protocol according to claim 3, characterized in that in step S3, after the gateway receives the SSH protocol request initiated by the user and authenticates and authorizes the SSH protocol request information, the gateway opens a session to send requests downstream and concatenates the user's connection request with the session currently opened on the gateway, specifically: S31: After receiving the SSH protocol request initiated by the user terminal, the gateway parses out information including the user account of the user terminal, the private key or user password carried by the user terminal when initiating the SSH protocol request, and the target device to be connected. S32: The gateway authenticates the login permissions of the user account and determines, based on the user whitelist and the user blacklist, whether the user terminal is authorized to access the target device. S33: After determining that the user account is authenticated and authorized, the gateway uses the first connection to open a session through yamux; the first packet of the session carries information including the target device to be connected, the user account, and the user role. S34: When the session returns a success packet, use the session to open an SSH client, concatenate the connection request from the user terminal with the SSH client session currently opened on the gateway, and pass the SSH data packets from the user terminal's connection request into the SSH client. S35: Audit and record the connection requests from the user terminal and the output from the target device on the gateway.
6. The intranet penetration login method based on the SSH protocol according to claim 5, characterized in that in step S4 the proxy server receives the session from upstream and establishes a downstream session toward the proxy, while linking the upstream and downstream sessions together, specifically: S41: The proxy server receives a session from the gateway and names the received session sessionUp, indicating that the session comes from the upstream gateway. The ID of the target device is parsed from the first packet of sessionUp. S42: Based on the device information reported by the proxy after executing the local script, find the unique first connection in the connection pool, open a session over that first connection, name the opened session sessionDown, and send information including the ID of the target device into sessionDown. S43: When sessionDown successfully returns the device information, a success packet is returned to sessionUp, and the proxy server concatenates sessionUp and sessionDown together using io.Copy.
7. An SSH-based intranet penetration login system for executing the intranet penetration login method based on the SSH protocol as described in any one of claims 1 to 6, characterized in that it includes: a login structure establishment module, used to establish an intranet penetration login structure that includes four modules: command-line tools, gateway, proxy server, and proxy; a general protocol formulation module, used to formulate a general protocol for initiating SSH protocol requests, through which the user terminal initiates the SSH protocol request to the gateway to connect to the remote target device; an SSH request sending module, used to provide the gateway with the means to receive the SSH protocol request initiated by the user and, after authenticating and authorizing the SSH protocol request information, open a session to send requests downstream and concatenate the user's connection request with the session currently opened on the gateway; a session concatenation module, used to provide the proxy server with a session received from upstream and to establish a downstream session toward the proxy, while concatenating the upstream and downstream sessions together; and a proxy remote operation module, used to enable the proxy, when it receives a session from its upstream proxy server, to perform remote operations on the target device, including remote login, remote command execution, and scp, either by acting as an SSHD or by chaining the session through to the target device.
8. A computer device comprising a memory and one or more processors, the memory storing computer code that, when executed by the one or more processors, causes the one or more processors to perform the method as described in any one of claims 1 to 6.
9. A computer-readable storage medium storing computer code, wherein when the computer code is executed, the method of any one of claims 1 to 6 is performed.