问题
I wonder if there is any way to retrieve, for both a server and a client connected through ssh (OpenSSH), some unique session identifier (let this be USID).
This would be used to restrict the execution of a specific (custom) software (let it be a.exe), so it can only be executed through a specific ssh session, even if other users (potentially root) have access to that executable:
- after a ssh session is opened from machine C (client) to machine S (server), machine C (which knows the USID) will update a record on machine X (a third-party server), letting it know that this USID is "safe".
- a.exe on machine S will check, when invoked, if the USID of the current session is "safe" (this information will be provided by X) and will halt execution if negative answer received.
The communication channels between X and C, X and S are secure, so the only issue here is retrieving that USID without having to write my own ssh client and/or server.
Any ideas?
回答1:
seems to me in a round about way, you are trying to re-implement kerberos. Seems to me that you want to GSSAPI secure the transport between client and server; so your client needs to authenticate to the server.
Typical way of doing this would be to 'kinit' to a prinicpal using a keytab, and then passing this credential to the server. Kerberos ensures that it's reasonably hard to fake.
that's probably going to be a little less brittle than the method that you describe above.
-Ace
来源:https://stackoverflow.com/questions/2232646/retrieve-ssh-unique-session-id