WO2017080334A1 - Login method and login system based on open-source secure shell protocol - Google Patents


Info

Publication number: WO2017080334A1
Authority: WO (WIPO, PCT)
Application number: PCT/CN2016/101392
Prior art keywords: login, user information, application module, open source, secure shell
Other languages: French (fr), Chinese (zh)
Inventor: 李智荣
Original assignee: 上海斐讯数据通信技术有限公司
Application filed by: 上海斐讯数据通信技术有限公司

Classifications

All four classifications fall under H (Electricity) > H04 (Electric communication technique) > H04L (Transmission of digital information, e.g. telegraphic communication):

    • H04L 9/40 Network security protocols (under H04L 9/00, Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols)
    • H04L 63/083 Network architectures or network communication protocols for network security, for authentication of entities using passwords (under H04L 63/00 and H04L 63/08)
    • H04L 63/166 Implementing security features at a particular protocol layer, at the transport layer (under H04L 63/00 and H04L 63/16)
    • H04L 63/168 Implementing security features at a particular protocol layer, above the transport layer (under H04L 63/00 and H04L 63/16)

Abstract

Provided are a login method and login system based on an open-source secure shell protocol. The login method comprises the following steps: sending system user information to an open-source secure shell protocol application module; a Linux kernel module verifying the system user information; and, after the system user information has been verified by the Linux kernel, executing a redirection application module to accomplish login. By means of the login method and login system of the present invention, a redirection application module performs two redirections, and login of an SSH user is accomplished without the need to modify the open-source SSH source code; the costs of subsequent upgrades or operation and maintenance are therefore greatly reduced.

Description

Login method and login system based on open source secure shell protocol
This application claims priority to Chinese patent application No. 201510778846.2, filed on 13 November 2015 and entitled "Login method and login system based on open source secure shell protocol", the entire content of which is incorporated herein.
Technical field
The present invention relates to the field of communications technology, and in particular to a login method and login system based on the open source Secure Shell protocol.
Background
The Secure Shell protocol (SSH) is currently a relatively reliable protocol designed to provide security for remote login sessions and other network services. Using SSH not only effectively prevents information leakage during remote management but also compresses the transmitted data and speeds up transmission. SSH has many functions: it can replace Telnet, and it can provide a secure "tunnel" for FTP, POP and even PPP.
Network device systems such as switches have their own customized command-line interface (CLI) for configuration. When a user logs in via SSH, what they enter is the embedded device system's customized CLI configuration interface, not the shell of the Linux system.
At present in China, apart from the few companies with strong R&D capabilities that implement the SSH protocol themselves, most network device vendors build on open source SSH software (such as OpenSSH) and implement SSH user authentication and login by modifying the source code of the open source software to adapt it to their own systems.
However, if a company develops its own implementation of the SSH protocol without using open source software, the R&D cost is high, and this is only practical for the few companies with sufficient R&D capacity. Many companies therefore use open source SSH software (such as OpenSSH) and modify its source code to adapt it to their own systems in order to implement SSH user authentication and login. But because the open source software's source code has to be modified, it must first be studied, and the subsequent cost of upgrading the open source software version, replacing the open source software, or maintaining the system is high.
Therefore, how to implement SSH user login without increasing cost has become one of the problems that those skilled in the art urgently need to solve.
Summary of the invention
In view of the above shortcomings of the prior art, the object of the present invention is to provide a login method and login system based on the open source Secure Shell protocol, so as to solve the problem in the prior art that implementing SSH user login is costly.
To achieve the above and other related objects, the present invention provides a login method based on the open source Secure Shell protocol, comprising the following steps: sending system user information to an open source Secure Shell protocol application module; a Linux kernel module verifying the system user information; and, after the Linux kernel has verified the system user information, executing a redirection application module to accomplish login.
In an embodiment of the invention, the step of executing the redirection application module to accomplish login comprises: establishing a redirected SSH connection between the redirection application module and the Linux kernel; and establishing a TCP connection between the redirection application module and a prefabricated command-line interface to accomplish login.
In an embodiment of the invention, a persistent TCP connection is established between the redirection application module and the prefabricated command-line interface.
In an embodiment of the invention, the login method further comprises: after login to the Linux system, adding system user information to the Linux kernel, the system user information comprising a username and a password.
In an embodiment of the invention, the step of adding system user information to the Linux kernel comprises: the Linux kernel saving the system user information in the /etc/shadow and /etc/passwd files.
In an embodiment of the invention, when the Linux kernel saves the system user information in the /etc/passwd file, the program to be executed once the system user information has passed verification is specified in /etc/passwd as the redirection application module.
The present invention also provides a login system based on the open source Secure Shell protocol, comprising: an open source Secure Shell protocol application module for receiving system user information; a Linux kernel for verifying the system user information; and a redirection application module which is executed, after the Linux system has verified the system user information, to accomplish login.
In an embodiment of the invention, the redirection application module comprises: a first redirection unit for establishing a redirected SSH connection between the redirection application module and the Linux system kernel; and a second redirection unit for establishing a TCP connection between the redirection application module and the prefabricated command-line interface to accomplish login.
In an embodiment of the invention, the second redirection unit establishes a persistent TCP connection between the redirection application module and the prefabricated command-line interface.
In an embodiment of the invention, the login system further comprises a user information adding module for adding system user information to the Linux kernel after login to the Linux system, the system user information comprising a username and a password.
As described above, the login method and login system based on the open source Secure Shell protocol of the present invention have the following beneficial effect:
in the login method of the present invention, once the Linux kernel has verified the system user information, login is accomplished through the redirection application module, so the source code of the open source software need not be modified, which greatly reduces the cost of subsequent upgrades and system maintenance.
Brief description of the drawings
FIG. 1 is a schematic flowchart of an embodiment of the login method based on the open source Secure Shell protocol of the present invention.
FIG. 2 is a schematic structural diagram of an embodiment of the login system based on the open source Secure Shell protocol of the present invention.
Description of reference numerals
2          Login system based on the open source Secure Shell protocol
21         Open source Secure Shell protocol application module
22         Linux kernel
23         Redirection application module
S11~S13    Steps
Detailed description
The embodiments of the present invention are described below by way of specific examples; those skilled in the art can readily understand other advantages and effects of the present invention from what is disclosed in this specification. The present invention may also be implemented or applied through other, different specific embodiments, and the details in this specification may be modified or changed in various ways from different viewpoints and for different applications without departing from the spirit of the present invention. It should be noted that, where there is no conflict, the following embodiments and the features within them may be combined with one another.
It should be noted that the drawings provided in the following embodiments illustrate the basic concept of the present invention only schematically: they show only the components related to the present invention rather than the number, shape and size of the components in an actual implementation. In an actual implementation the form, number and proportion of each component may vary freely, and the component layout may be more complex.
As described in the background, when login via SSH is implemented today, either the SSH protocol is developed in-house or open source SSH software is used; but either way the development cost is high and the scope of application very limited.
Referring to FIG. 1, the present invention provides a login method based on the open source Secure Shell protocol, comprising the following steps:
S11: sending system user information to the open source Secure Shell protocol application module;
S12: the Linux kernel module verifying the system user information;
S13: after the Linux kernel has verified the system user information, executing the redirection application module to accomplish login.
Specifically, the user requests an SSH connection to OpenSSH through SSH client software (such as SecureCRT), and in the course of this sends the SSH username and password to OpenSSH.
OpenSSH queries Linux as to whether the username exists and whether the password for that username is correct; if not, the user's connection request is refused, otherwise processing continues to the next step. Specifically, the Linux system kernel (Linux kernel) verifies the username and password.
Once OpenSSH learns that the user has been authenticated, it executes the RdirectIO application (this application is the pre-developed redirection application module). The redirection takes place when OpenSSH executes RdirectIO, which accomplishes login of the SSH user. RdirectIO is an application that must be implemented in this embodiment; its function is described below.
In this embodiment, the step of executing the redirection application module to accomplish login comprises: establishing a redirected SSH connection between the redirection application module and the Linux kernel; and establishing a TCP connection between the redirection application module and the prefabricated command-line interface to accomplish login. Specifically, a persistent TCP connection is established between the redirection application module and the prefabricated command-line interface.
In practice, when OpenSSH executes RdirectIO it creates a pipe. Through this pipe, the standard I/O of RdirectIO is redirected to the SSH connection. At the same time, RdirectIO establishes a TCP connection to the system's customized CLI and redirects its standard I/O to this TCP connection.
That is, the function of RdirectIO is to redirect the input of the system's customized CLI to RdirectIO's standard output and, likewise, to redirect RdirectIO's standard input to the output of the system's customized CLI, so that the I/O redirection described here is achieved by establishing a persistent TCP connection between the system's customized CLI and RdirectIO.
Specifically, the implementation code of RdirectIO is:
[Figure PCTCN2016101392-appb-000001 and Figure PCTCN2016101392-appb-000002: the RdirectIO implementation code, provided in the publication only as images and not reproduced here]
After the above two I/O (input and output) redirection steps, once the SSH user has logged in to the system via SSH authentication, data entered on the SSH client (such as SecureCRT) reaches the system CLI interface after two redirections; conversely, data sent by the system's customized CLI also reaches the SSH client after two redirections.
Although the data the user enters on the SSH connection is in fact first decrypted by OpenSSH, and the decrypted data reaches the customized CLI only after the two redirections, from the perspective of the person using the system they have entered the customized CLI interface directly; as far as the user can tell, they have logged straight in to the system's customized CLI interface.
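As an added illustration (not the patent's RdirectIO code, which the page only shows as figures), the following minimal relay performs the two redirections described above: it bridges the stdin/stdout pipe that sshd attaches to the login program to a TCP connection to the customized CLI, and passes an SSH-side hang-up on as a half-close so the CLI can exit. The loopback address and port 2323 are assumptions; the CLI listener should be loopback-only, since this link carries the session after sshd has decrypted it.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <unistd.h>

/* Assumed CLI listener (not from the patent). It must be loopback-only: this
 * link carries the session after sshd has decrypted it, in plaintext. */
#define CLI_ADDR "127.0.0.1"
#define CLI_PORT 2323
struct relay_stats {
    size_t to_cli;   /* bytes moved SSH client -> CLI */
    size_t to_ssh;   /* bytes moved CLI -> SSH client */
};

/* Write the whole buffer, retrying on short writes and EINTR. */
static int write_all(int fd, const char *buf, size_t len)
{
    while (len > 0) {
        ssize_t n = write(fd, buf, len);
        if (n < 0) {
            if (errno == EINTR) continue;
            return -1;
        }
        buf += n;
        len -= (size_t)n;
    }
    return 0;
}

/* First redirection: in_fd/out_fd are the pipe ends sshd attaches to the
 * login program (decrypted input arrives on in_fd; what we write to out_fd
 * is encrypted back to the client). Second redirection: sock is the TCP
 * connection to the customized CLI. Bytes are copied both ways until the CLI
 * closes the connection; EOF from the SSH side is passed on as a half-close
 * so the CLI can finish and exit. Returns 0 on a clean end, -1 on error. */
int relay_fds(int in_fd, int out_fd, int sock, struct relay_stats *st)
{
    char buf[4096];
    int in_open = 1;
    st->to_cli = st->to_ssh = 0;
    for (;;) {
        fd_set rfds;
        int maxfd = sock;
        FD_ZERO(&rfds);
        FD_SET(sock, &rfds);
        if (in_open) {
            FD_SET(in_fd, &rfds);
            if (in_fd > maxfd) maxfd = in_fd;
        }
        if (select(maxfd + 1, &rfds, NULL, NULL, NULL) < 0) {
            if (errno == EINTR) continue;
            return -1;
        }
        if (in_open && FD_ISSET(in_fd, &rfds)) {
            ssize_t n = read(in_fd, buf, sizeof buf);
            if (n <= 0) {                  /* SSH user hung up */
                in_open = 0;
                shutdown(sock, SHUT_WR);   /* half-close towards the CLI */
            } else if (write_all(sock, buf, (size_t)n) < 0) {
                return -1;
            } else {
                st->to_cli += (size_t)n;
            }
        }
        if (FD_ISSET(sock, &rfds)) {
            ssize_t n = read(sock, buf, sizeof buf);
            if (n <= 0)                    /* CLI ended the session */
                return n == 0 ? 0 : -1;
            if (write_all(out_fd, buf, (size_t)n) < 0)
                return -1;
            st->to_ssh += (size_t)n;
        }
    }
}

/* Connect to the CLI and relay this SSH session into it; a failed connect
 * exits non-zero so it is visible in sshd's logging. */
int main(void)
{
    struct sockaddr_in sa;
    struct relay_stats st;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(CLI_PORT);
    if (inet_pton(AF_INET, CLI_ADDR, &sa.sin_addr) != 1)
        return 2;
    int sock = socket(AF_INET, SOCK_STREAM, 0);
    if (sock < 0 || connect(sock, (struct sockaddr *)&sa, sizeof sa) < 0) {
        perror("connect to CLI");
        return 1;
    }
    int rc = relay_fds(STDIN_FILENO, STDOUT_FILENO, sock, &st);
    close(sock);
    return rc == 0 ? 0 : 1;
}
```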
To enable verification of the system user information, in this embodiment the login method based on the open source Secure Shell protocol further comprises: after login to the Linux system, adding system user information to the Linux kernel, the system user information comprising a username and a password.
Specifically, the step of adding system user information to the Linux kernel comprises: the Linux kernel saving the system user information in the /etc/shadow and /etc/passwd files. At the same time, when the Linux kernel saves the system user information in /etc/passwd, the program to be executed once the system user information has passed verification is specified in /etc/passwd as the redirection application module.
In practice, user authentication in open source OpenSSH checks the correctness of the username and its password against the Linux kernel. The user logs in to the system through the serial port, and when an SSH user is added to the system a system user with the same username and password is added to the Linux kernel at the same time. The Linux system stores system users and their passwords in the two files "/etc/shadow" and "/etc/passwd".
For example, the user adds a user named admin to the switch. When the switch system adds this user to its own configuration file, it also adds a system user named admin to the Linux kernel. Once the system user has been added successfully, one record is added to each of the two files "/etc/shadow" and "/etc/passwd". When the admin user's record is added to "/etc/passwd", the field after the last ":" holds the application that OpenSSH will execute once it has determined that the username and password are correct; here the RdirectIO application is entered.
Specifically, the contents of the shadow file are:
# cat /etc/shadow
root:5Gg.mRfhgIz4g:10925:0:99999:7:::
sshd:kVsqISda3pms.:0:0:99999:7:::
admin:IjU5ugwlS2HnY:15357:0:99999:7:::
#
The resulting passwd file is:
# cat /etc/passwd
root:x:0:0:root:/root:/bin/sh
sshd:x:1000:1000:sshd privsep:/var/empty:/bin/ssh
admin:x:1001:1001:Linux User,,,:/home:/mnt/app/RdirectIO
#
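As an added example (not code from the patent), the following C program parses the two record formats listed above and reports, for each account, which program OpenSSH will execute after a successful password check and what kind of password hash protects the account. The sample lines are the ones from the listing; the function names and the hash classification are the editor's. Two points a practitioner would want to know: the hashes in the listing are 13-character traditional DES crypt(3) values, which only take the first 8 characters of the password into account, and sshd refuses a login whose shell field names a file that does not exist or is not executable, so the redirect program must be installed before the account is created.

```c
/* Added example, not code from the patent: parse the /etc/passwd and
 * /etc/shadow records shown above and report what each one means for the
 * SSH login path. The sample lines are the ones from the patent text. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

#define PASSWD_FIELDS 7
#define SHADOW_COLONS 8        /* a shadow record has 9 fields */

struct passwd_rec {
    char name[64];
    unsigned uid;
    char shell[128];           /* 7th field: the program sshd execs after auth */
};

enum hash_kind { HASH_NONE, HASH_LOCKED, HASH_DES, HASH_MODULAR, HASH_UNKNOWN };

/* Split one passwd line into exactly 7 ':'-separated fields.
 * Returns 0 on success, -1 if the record is malformed. */
static int parse_passwd(const char *line, struct passwd_rec *out)
{
    char buf[512], *fields[PASSWD_FIELDS], *p = buf;
    int n = 0;
    if (strlen(line) >= sizeof buf) return -1;
    strcpy(buf, line);
    buf[strcspn(buf, "\n")] = '\0';
    for (;;) {
        if (n == PASSWD_FIELDS) return -1;         /* too many fields */
        fields[n++] = p;
        char *colon = strchr(p, ':');
        if (!colon) break;
        *colon = '\0';
        p = colon + 1;
    }
    if (n != PASSWD_FIELDS) return -1;             /* too few fields */
    if (fields[0][0] == '\0' || fields[6][0] != '/') return -1; /* shell must be absolute */
    snprintf(out->name, sizeof out->name, "%s", fields[0]);
    snprintf(out->shell, sizeof out->shell, "%s", fields[6]);
    out->uid = (unsigned)strtoul(fields[2], NULL, 10);
    return 0;
}

/* Classify the password field of a shadow record. */
static enum hash_kind classify_hash(const char *field)
{
    if (field[0] == '\0') return HASH_NONE;       /* empty: logs in without a password */
    if (field[0] == '!' || field[0] == '*') return HASH_LOCKED;
    if (field[0] == '$') return HASH_MODULAR;     /* $1$ md5, $5$/$6$ sha, $y$ yescrypt */
    if (strlen(field) == 13) return HASH_DES;     /* traditional DES crypt(3) */
    return HASH_UNKNOWN;
}

/* Return the hash_kind of a shadow line's password field, or -1 if the
 * line does not have the 9 fields a shadow record must have. */
static int shadow_hash_kind(const char *line)
{
    int colons = 0;
    for (const char *q = line; *q && *q != '\n'; q++) if (*q == ':') colons++;
    if (colons != SHADOW_COLONS) return -1;
    const char *start = strchr(line, ':') + 1;
    const char *end = strchr(start, ':');
    char hash[256];
    size_t len = (size_t)(end - start);
    if (len >= sizeof hash) return -1;
    memcpy(hash, start, len);
    hash[len] = '\0';
    return (int)classify_hash(hash);
}

/* sshd refuses the login unless the program named in the shell field
 * exists and is executable; check the same thing here. 1 = usable. */
static int login_program_ok(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0) return 0;
    return S_ISREG(st.st_mode) && (st.st_mode & (S_IXUSR | S_IXGRP | S_IXOTH)) ? 1 : 0;
}

int main(void)
{
    /* Sample records copied from the patent's listing above. */
    const char *passwd_lines[] = {
        "root:x:0:0:root:/root:/bin/sh",
        "sshd:x:1000:1000:sshd privsep:/var/empty:/bin/ssh",
        "admin:x:1001:1001:Linux User,,,:/home:/mnt/app/RdirectIO",
    };
    const char *shadow_lines[] = {
        "root:5Gg.mRfhgIz4g:10925:0:99999:7:::",
        "sshd:kVsqISda3pms.:0:0:99999:7:::",
        "admin:IjU5ugwlS2HnY:15357:0:99999:7:::",
    };
    static const char *kind_names[] = { "no password", "locked", "DES crypt (weak, 8-char limit)",
                                        "modular crypt", "unknown" };
    for (int i = 0; i < 3; i++) {
        struct passwd_rec r;
        int k = shadow_hash_kind(shadow_lines[i]);
        if (parse_passwd(passwd_lines[i], &r) != 0 || k < 0) {
            printf("malformed record %d\n", i);
            continue;
        }
        printf("%-6s uid=%-5u login program=%s (%s) password: %s\n", r.name, r.uid, r.shell,
               login_program_ok(r.shell) ? "executable" : "missing or not executable",
               kind_names[k]);
    }
    return 0;
}
```

Running it prints one line per account; on a host without /mnt/app/RdirectIO the admin line reports the login program as missing, which is exactly the condition under which sshd would reject the login.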
When OpenSSH executes the RdirectIO application, it creates a pipe between OpenSSH and RdirectIO. Data the user types in the SSH client (such as SecureCRT) is decrypted by OpenSSH and reaches RdirectIO directly through this pipe. In the other direction, RdirectIO's standard output also passes through this pipe, is encrypted by OpenSSH, and is sent to the SSH client. This handling is done by the open-source OpenSSH software itself, so the OpenSSH source code does not need to be modified.
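The two redirections of the passage above, as an added example that is not the patent's RdirectIO code: sshd starts this program as the login shell named in /etc/passwd, so its stdin and stdout are the pipe from sshd, and the program opens a TCP connection to the CLI and copies bytes in both directions until the CLI closes the session. CLI_HOST and CLI_PORT are assumed values (the patent names no address), and the self-test drives a constructed session over a socketpair so it runs without a real CLI. Ignoring SIGPIPE and half-closing the socket when the user hangs up are the editor's choices; they make the CLI see end-of-file instead of a dangling connection. Because the CLI is reached over plain TCP after SSH has already authenticated the user, its listening port should be reachable only from the redirect program (loopback, or a Unix socket), otherwise it offers a path around the SSH authentication.

```c
/* Added example, not the patent's RdirectIO code: the core of a redirect
 * program that sshd launches as the login shell named in /etc/passwd.
 * stdin/stdout are the pipe to sshd; the CLI end is a TCP socket.
 * CLI_HOST and CLI_PORT are assumed values, the patent gives none. */
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/select.h>
#include <sys/socket.h>

#define CLI_HOST "127.0.0.1"  /* assumed: CLI listens on loopback only */
#define CLI_PORT 2323         /* assumed */

/* write() the whole buffer, retrying on short writes; 0 or -1. */
static int write_all(int fd, const char *buf, size_t len)
{
    while (len > 0) {
        ssize_t w = write(fd, buf, len);
        if (w < 0) { if (errno == EINTR) continue; return -1; }
        buf += w; len -= (size_t)w;
    }
    return 0;
}

/* Forward in_fd -> sock (keystrokes to the CLI) and sock -> out_fd (CLI
 * output back to sshd) until the CLI closes. When the user ends the SSH
 * session the socket is half-closed so the CLI sees EOF too.
 * Returns bytes delivered from the CLI, or -1 on error. */
static long relay(int in_fd, int out_fd, int sock)
{
    char buf[4096];
    long from_cli = 0;
    int in_open = 1;
    for (;;) {
        fd_set rd;
        FD_ZERO(&rd);
        FD_SET(sock, &rd);
        int maxfd = sock;
        if (in_open) { FD_SET(in_fd, &rd); if (in_fd > maxfd) maxfd = in_fd; }
        if (select(maxfd + 1, &rd, NULL, NULL, NULL) < 0) {
            if (errno == EINTR) continue;
            return -1;
        }
        if (in_open && FD_ISSET(in_fd, &rd)) {
            ssize_t n = read(in_fd, buf, sizeof buf);
            if (n <= 0) { in_open = 0; shutdown(sock, SHUT_WR); }
            else if (write_all(sock, buf, (size_t)n) < 0) return -1;
        }
        if (FD_ISSET(sock, &rd)) {
            ssize_t n = read(sock, buf, sizeof buf);
            if (n <= 0) return from_cli;          /* CLI closed: session over */
            if (write_all(out_fd, buf, (size_t)n) < 0) return -1;
            from_cli += n;
        }
    }
}

/* Open the TCP connection to the CLI; socket fd or -1. */
static int connect_cli(const char *host, unsigned short port)
{
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    if (inet_pton(AF_INET, host, &sa.sin_addr) != 1) return -1;
    int s = socket(AF_INET, SOCK_STREAM, 0);
    if (s < 0) return -1;
    if (connect(s, (struct sockaddr *)&sa, sizeof sa) < 0) { close(s); return -1; }
    return s;
}

/* Offline self-check with a constructed session: a socketpair stands in
 * for the CLI and pipes stand in for sshd. Returns the CLI byte count
 * relayed to "stdout" if everything matches, else -1. */
static long selftest_relay(void)
{
    const char *cmd = "show version\n", *resp = "SwitchOS 1.0\nadmin> ";
    int sp[2], inp[2], outp[2];
    char got[128];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sp) || pipe(inp) || pipe(outp)) return -1;
    write_all(inp[1], cmd, strlen(cmd)); close(inp[1]);             /* user typed, then hung up */
    write_all(sp[1], resp, strlen(resp)); shutdown(sp[1], SHUT_WR);  /* CLI answered, then closed */
    long n = relay(inp[0], outp[1], sp[0]);
    ssize_t r = read(outp[0], got, sizeof got);
    if (n != (long)strlen(resp) || r != n || memcmp(got, resp, (size_t)r)) return -1;
    r = read(sp[1], got, sizeof got);                                /* what the CLI received */
    if (r != (ssize_t)strlen(cmd) || memcmp(got, cmd, (size_t)r)) return -1;
    return n;
}

int main(void)
{
    signal(SIGPIPE, SIG_IGN);   /* a CLI that vanishes mid-write returns EPIPE instead of killing us */
    if (selftest_relay() < 0) { fputs("self-test failed\n", stderr); return 1; }
    int s = connect_cli(CLI_HOST, CLI_PORT);
    if (s < 0) { perror("connect to CLI"); return 1; }
    long n = relay(STDIN_FILENO, STDOUT_FILENO, s);
    close(s);
    return n < 0;
}
```

The relay never parses what it forwards: the command line's own prompt and parsing live in the CLI process, which is what lets the patent claim that neither OpenSSH nor the CLI has to change.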
The login method based on the open-source secure shell protocol in this embodiment performs two redirections through the pre-built redirect application module, thereby implementing SSH user login without modifying the open-source SSH source code, which greatly reduces the cost of subsequent upgrades and of operation and maintenance.
The present invention also provides a login system based on the open-source secure shell protocol. Referring to FIG. 2, the login system based on the open-source secure shell protocol includes:
an open-source secure shell protocol application module 21, configured to receive system user information;
a Linux kernel 22, configured to verify the system user information;
a redirect application module 23, configured to be executed to implement login after the Linux system has verified the system user information.
In this embodiment, the redirect application module 23 includes a first redirect unit and a second redirect unit (not shown). The first redirect unit is configured to establish a redirected SSH connection between the redirect application module and the Linux system kernel; the second redirect unit is configured to establish a TCP connection between the redirect application module and the pre-built command line interface to implement login. Specifically, the second redirect unit establishes a long-lived TCP connection between the redirect application module and the pre-built command line interface.
In this embodiment, the login system based on the open-source secure shell protocol further includes a user information adding module, configured to add system user information to the Linux kernel after login to the Linux system, where the system user information includes a username and a password.
For the specific implementation of the login system based on the open-source secure shell protocol in this embodiment, refer to the detailed description of the login method based on the open-source secure shell protocol above; it is not repeated here.
In summary, the login method and login system based on the open-source secure shell protocol of the present invention use a pre-built redirect module to perform two redirections, thereby implementing SSH user login without modifying the open-source SSH source code, which greatly reduces the cost of subsequent upgrades and of operation and maintenance. The present invention therefore effectively overcomes the various shortcomings of the prior art and has high industrial value.
The above embodiments merely illustrate the principles and effects of the present invention and are not intended to limit it. Anyone familiar with this technology may modify or alter the above embodiments without departing from the spirit and scope of the present invention. Therefore, all equivalent modifications or alterations made by those of ordinary skill in the art without departing from the spirit and technical ideas disclosed by the present invention shall still be covered by the claims of the present invention.

Claims (10)

  1. A login method based on an open-source secure shell protocol, characterized in that the login method based on the open-source secure shell protocol comprises the following steps:
    sending system user information to the open-source secure shell protocol application module;
    the Linux kernel module verifying the system user information;
    after the Linux kernel has verified the system user information, executing a redirect application module to implement login.
  2. The login method based on the open-source secure shell protocol according to claim 1, characterized in that the step of executing the redirect application module to implement login comprises:
    establishing a redirected SSH connection between the redirect application module and the Linux kernel;
    establishing a TCP connection between the redirect application module and a pre-built command line interface to implement login.
  3. The login method based on the open-source secure shell protocol according to claim 2, characterized in that a long-lived TCP connection is established between the redirect application module and the pre-built command line interface.
  4. The login method based on the open-source secure shell protocol according to claim 1, characterized by further comprising: after logging in to the Linux system, adding system user information to the Linux kernel, the system user information comprising a username and a password.
  5. The login method based on the open-source secure shell protocol according to claim 4, characterized in that the step of adding system user information to the Linux kernel comprises: the Linux kernel storing the system user information in /etc/shadow and /etc/passwd.
  6. The login method based on the open-source secure shell protocol according to claim 5, characterized in that, when the Linux kernel stores the system user information in /etc/passwd, the /etc/passwd entry designates the redirect application module as the program to be executed after the system user information has been verified.
  7. A login system based on an open-source secure shell protocol, characterized in that the login system based on the open-source secure shell protocol comprises:
    an open-source secure shell protocol application module, configured to receive system user information;
    a Linux kernel, configured to verify the system user information;
    a redirect application module, configured to be executed to implement login after the Linux system has verified the system user information.
  8. The login system based on the open-source secure shell protocol according to claim 7, characterized in that the redirect application module comprises:
    a first redirect unit, configured to establish a redirected SSH connection between the redirect application module and the Linux system kernel;
    a second redirect unit, configured to establish a TCP connection between the redirect application module and a pre-built command line interface to implement login.
  9. The login system based on the open-source secure shell protocol according to claim 8, characterized in that the second redirect unit establishes a long-lived TCP connection between the redirect application module and the pre-built command line interface.
  10. The login system based on the open-source secure shell protocol according to claim 7, characterized by further comprising: a user information adding module, configured to add system user information to the Linux kernel after login to the Linux system, the system user information comprising a username and a password.
PCT/CN2016/101392 2015-11-13 2016-09-30 Login method and login system based on open-source secure shell protocol WO2017080334A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201510778846.2A CN105282175B (en) 2015-11-13 2015-11-13 Login method and login system based on safety shell protocol of increasing income
CN201510778846.2 2015-11-13

Publications (1)

Publication Number Publication Date
WO2017080334A1 true WO2017080334A1 (en) 2017-05-18

Also Published As

Publication number Publication date
CN105282175A (en) 2016-01-27
CN105282175B (en) 2018-05-18

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 16863511

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 16863511

Country of ref document: EP

Kind code of ref document: A1