CN107707550A - Access the method, apparatus and system of virtual machine - Google Patents


Info

Publication number: CN107707550A
Authority: CN (China)
Prior art keywords: virtual machine, host, identity information, sent, network
Legal status: Granted
Application number: CN201710920314.7A
Other languages: Chinese (zh)
Other versions: CN107707550B (en)
Inventors: 陈川, 唐青昊
Current assignee: Beijing Qihoo Technology Co Ltd
Original assignee: Beijing Qihoo Technology Co Ltd


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources


Abstract

The invention discloses a method, apparatus and system for accessing a virtual machine, in the technical field of data security. It solves the prior-art problem that, when the virtual machine is not controlled via the network, access control of the virtual machine cannot be realized on the basis of a USBkey authentication mechanism. The method of the invention includes: after receiving an access request, the virtual machine obtains the identity information to be authenticated from the smart cryptographic key corresponding to the access request; the virtual machine sends the identity information to the host through a paravirtualized interface, so that the host sends the identity information to an authentication server through the network and receives, through the network, the authentication result of the authentication server's identity authentication of the identity information; and the virtual machine receives the authentication result sent by the host through the paravirtualized interface, so as to determine from the authentication result whether the user corresponding to the smart cryptographic key has access rights. The invention is mainly suited to scenarios in which virtual machine access control is realized on the basis of USBkey authentication.

Description

Method, apparatus and system for accessing a virtual machine
Technical field
The present invention relates to the technical field of data security, and in particular to a method, apparatus and system for accessing a virtual machine.
Background technology
Virtual machine technology refers to simulating one or more virtual machines on one physical machine by means of virtual machine software. To protect the data inside a virtual machine, access control is usually applied to the virtual machine, so that only users with access rights can access it.
One existing way of implementing access control for a virtual machine is as follows: when a user needs to access a certain virtual machine, a USBkey device must be inserted into the physical machine; before the virtual machine allows the user access, it first obtains the identity information in the USBkey device (for example including a digital certificate and a private key), then sends the identity information to an authentication server through the network for identity authentication; the authentication server returns the authentication result to the virtual machine through the network again, and the virtual machine determines from the authentication result whether to allow the user access.
However, when the user does not need network functions during subsequent access to the virtual machine, or when the virtual machine is forbidden to access the network, the above identity authentication method cannot be realized. Therefore, how to realize access control of a virtual machine on the basis of a USBkey authentication mechanism when the virtual machine is not controlled via the network is a problem that urgently needs to be solved.
Summary of the invention
In view of this, the method, apparatus and system for accessing a virtual machine provided by the invention solve the prior-art problem that, when the virtual machine is not controlled via the network, access control of the virtual machine cannot be realized on the basis of a USBkey authentication mechanism.
The purpose of the invention is realized by the following technical scheme:
In a first aspect, the invention provides a method for accessing a virtual machine, the method including:
after receiving an access request, the virtual machine obtains the identity information to be authenticated from the smart cryptographic key corresponding to the access request;
the virtual machine sends the identity information to the host through a paravirtualized interface, so that the host sends the identity information to an authentication server through the network and receives, through the network, the authentication result of the authentication server's identity authentication of the identity information;
the virtual machine receives the authentication result sent by the host through the paravirtualized interface, so as to determine from the authentication result whether the user corresponding to the smart cryptographic key has access rights.
In a second aspect, the invention provides a method for accessing a virtual machine, the method including:
the host receives, through a paravirtualized interface, the identity information to be authenticated sent by the virtual machine, the identity information being information obtained by the virtual machine, after receiving an access request, from the smart cryptographic key corresponding to the access request;
the host sends the identity information to an authentication server through the network;
the host receives, through the network, the authentication result of the identity authentication performed by the authentication server on the identity information;
the host sends the authentication result to the virtual machine through the paravirtualized interface, so that the virtual machine determines from the authentication result whether the user corresponding to the smart cryptographic key has access rights.
In a third aspect, the invention provides a virtual machine, the virtual machine including:
an acquiring unit, for obtaining, after an access request is received, the identity information to be authenticated from the smart cryptographic key corresponding to the access request;
a transmitting unit, for sending the identity information to the host through a paravirtualized interface, so that the host sends the identity information to an authentication server through the network and receives, through the network, the authentication result of the authentication server's identity authentication of the identity information;
a receiving unit, for receiving the authentication result sent by the host through the paravirtualized interface, so as to determine from the authentication result whether the user corresponding to the smart cryptographic key has access rights.
In a fourth aspect, the invention provides a host, the host including:
a receiving unit, for receiving, through a paravirtualized interface, the identity information to be authenticated sent by the virtual machine, the identity information being information obtained by the virtual machine, after receiving an access request, from the smart cryptographic key corresponding to the access request;
a transmitting unit, for sending the identity information to an authentication server through the network;
the receiving unit is further used for receiving, through the network, the authentication result of the identity authentication performed by the authentication server on the identity information;
the transmitting unit is further used for sending the authentication result to the virtual machine through the paravirtualized interface, so that the virtual machine determines from the authentication result whether the user corresponding to the smart cryptographic key has access rights.
In a fifth aspect, the invention provides a storage medium storing a plurality of instructions, the instructions being suitable for being loaded by a processor and executing the method for accessing a virtual machine described in the first aspect, or for loading and executing the method for accessing a virtual machine described in the second aspect.
In a sixth aspect, the invention provides an electronic device including a storage medium and a processor;
the processor is adapted to execute each instruction;
the storage medium is adapted to store a plurality of instructions;
the instructions are suitable for being loaded by the processor and executing the method for accessing a virtual machine described in the first aspect, or for loading and executing the method for accessing a virtual machine described in the second aspect.
In a seventh aspect, the invention provides a system for accessing a virtual machine, the system including a virtual machine, a host and a smart cryptographic key;
wherein the virtual machine includes the virtual machine described in the third aspect, and the host includes the host described in the fourth aspect;
the smart cryptographic key is physically connected to the host or to another physical machine; it is the device needed to apply for access to the virtual machine, and contains the identity information of the user applying for access to the virtual machine.
By the above technical scheme, the method, apparatus and system for accessing a virtual machine provided by the invention allow the virtual machine, after obtaining the identity information from the smart cryptographic key (such as a USBkey), not to send it to the authentication server directly through the network. Instead the virtual machine first sends the identity information to the host through a paravirtualized interface, which does not use the network; the host then forwards it through the network to the authentication server, and, after the authentication server authenticates the identity information and obtains the authentication result, the host obtains the authentication result through the network and forwards it to the virtual machine through the paravirtualized interface. Throughout the authentication process the virtual machine is therefore not controlled via the network; that is, access control of the virtual machine can be realized on the basis of a USBkey authentication mechanism even when the virtual machine is not controlled via the network.
The above is only an overview of the technical scheme of the invention. In order to better understand the technical means of the invention so that it can be practised according to the content of the specification, and in order to make the above and other objects, features and advantages of the invention more apparent, specific embodiments of the invention are set out below.
Brief description of the drawings
Various other advantages and benefits will become clear to those of ordinary skill in the art from reading the detailed description of the preferred embodiments below. The drawings serve only to illustrate the preferred embodiments and are not to be considered a limitation of the invention. Throughout the drawings, the same parts are denoted by the same reference numerals. In the drawings:
Fig. 1 shows a flow chart of a method for accessing a virtual machine according to an embodiment of the invention;
Fig. 2 shows a schematic diagram of a system structure for accessing a virtual machine according to an embodiment of the invention;
Fig. 3 shows a schematic diagram of another system structure for accessing a virtual machine according to an embodiment of the invention;
Fig. 4 shows a flow chart of another method for accessing a virtual machine according to an embodiment of the invention;
Fig. 5 shows a block diagram of an apparatus for accessing a virtual machine according to an embodiment of the invention;
Fig. 6 shows a block diagram of another apparatus for accessing a virtual machine according to an embodiment of the invention;
Fig. 7 shows a block diagram of yet another apparatus for accessing a virtual machine according to an embodiment of the invention.
Embodiment
Exemplary embodiments of the disclosure are described more fully below with reference to the drawings. Although exemplary embodiments of the disclosure are shown in the drawings, it should be understood that the disclosure may be realized in various forms and should not be limited by the embodiments set forth here. On the contrary, these embodiments are provided so that the disclosure is understood more thoroughly and its scope is conveyed completely to those skilled in the art.
An embodiment of the invention provides a method for accessing a virtual machine, used mainly on the virtual machine side. As shown in Fig. 1, the method mainly includes:
101. After receiving an access request, the virtual machine obtains the identity information to be authenticated from the smart cryptographic key corresponding to the access request.
The smart cryptographic key may be a key with a USB (Universal Serial Bus) interface, i.e. a USBkey, or a key with another interface. When a user needs to access a virtual machine that has an identity authentication mechanism, clicking the control for accessing the virtual machine (for example a login button) triggers the generation of an access request. After the virtual machine receives the access request, the identity information of the user applying for access must first be authenticated in order to protect the data inside the virtual machine; at this time the user may be prompted to insert the smart cryptographic key (for example, prompted to insert a USBkey into the USB interface). After the user inserts the smart cryptographic key, the virtual machine can obtain the identity information carried in the key, so as to forward the identity information through the host to the authentication server for identity authentication.
The smart cryptographic key must be inserted into the device on which the user clicks to access the virtual machine; this device may be the same device as the host to which the virtual machine belongs, or a different device. That is, the user may access the virtual machine directly on the device, or remotely access the virtual machine on that device from another device.
102. The virtual machine sends the identity information to the host through a paravirtualized interface, so that the host sends the identity information to the authentication server through the network and receives, through the network, the authentication result of the authentication server's identity authentication of the identity information.
The paravirtualized interface may be formed by means of the virtio mechanism, and is used to realize communication between the virtual machine and the host. Therefore, after the virtual machine obtains the identity information from the smart cryptographic key, it can send the identity information to the host through the paravirtualized interface; after receiving the identity information, the host can forward it through the network to the authentication server for authentication. After the authentication server authenticates the identity information and obtains the authentication result, it sends the authentication result to the host through the network, so that the host forwards it to the virtual machine.
103. The virtual machine receives the authentication result sent by the host through the paravirtualized interface, so as to determine from the authentication result whether the user corresponding to the smart cryptographic key has access rights.
After the virtual machine receives the authentication result sent by the host through the paravirtualized interface, if the authentication result is that identity authentication succeeded, the virtual machine can present its internal page to the user; if the authentication result is that identity authentication failed, it can output to the user a prompt that identity authentication failed and access is not possible.
In the method for accessing a virtual machine provided by this embodiment of the invention, after the virtual machine obtains the identity information from the smart cryptographic key (such as a USBkey), it does not send it to the authentication server directly through the network. Instead it first sends the identity information to the host through the paravirtualized interface, which does not use the network; the host then forwards it through the network to the authentication server, and, after the authentication server authenticates the identity information and obtains the authentication result, the host obtains the authentication result through the network and forwards it to the virtual machine through the paravirtualized interface. Throughout the authentication process the virtual machine is therefore not controlled via the network; that is, access control of the virtual machine can be realized on the basis of a USBkey authentication mechanism even when the virtual machine is not controlled via the network.
Optionally, step 101 above mentions that the user may access the virtual machine directly on the device, or remotely access the virtual machine on that device from another device. When the user accesses the virtual machine directly on the device, i.e. when the network address carried in the access request is the network address of the host to which the virtual machine belongs, step 101 may be implemented specifically as: the virtual machine obtains the identity information to be authenticated from the smart cryptographic key through the physical connection interface between the host and the smart cryptographic key.
By way of example, when the user accesses the virtual machine directly on the device, the system architecture formed by the virtual machine, the host, the smart cryptographic key (taking a USBkey as an example) and the authentication server may be as shown in Fig. 2. The USBkey is connected to the host through the USB interface; the virtual machine and the host communicate through the paravirtualized interface (the virtual machine sends the identity information to the host, and the host sends the authentication result to the virtual machine); and the host and the authentication server communicate through the network (the host sends the identity information to the authentication server, and the authentication server sends the authentication result to the host).
When the user remotely accesses the virtual machine on the device from another device, i.e. when the network address carried in the access request is the network address of an external terminal independent of the host, step 101 may be implemented specifically as: the virtual machine sends an identity information acquisition request to the external terminal through the host, so that the external terminal, according to the acquisition request, obtains the identity information to be authenticated from the smart cryptographic key connected to it through a physical connection interface; and the virtual machine receives, through the host, the identity information sent by the external terminal. Specifically, the virtual machine can send the identity information acquisition request to the host through the paravirtualized interface, and the host sends the acquisition request to the external terminal through the network; the external terminal obtains, according to the acquisition request, the identity information to be authenticated from the smart cryptographic key connected through its physical connection interface, and sends the identity information to the host through the network, so that the host forwards the identity information to the virtual machine through the paravirtualized interface.
In addition, after the host obtains the identity information from the external terminal side, it need not forward the identity information to the virtual machine; to speed up authentication it can send the identity information directly to the authentication server through the network. It should be added that, when the user remotely accesses a virtual machine on a certain device through an external terminal, that device may be a terminal or server of a functional type similar to the external terminal, for example a cloud platform server.
By way of example, when the user remotely accesses the virtual machine on the device through an external terminal, the system architecture formed by the virtual machine, the host, the smart cryptographic key, the external terminal and the authentication server may be as shown in Fig. 3. The external terminal is connected to the USBkey; the external terminal and the host of the virtual machine to be accessed communicate through the network (the host sends the identity information acquisition request to the external terminal, and the external terminal sends the identity information to the host); the virtual machine and the host communicate through the paravirtualized interface (the virtual machine sends the identity information acquisition request to the host, the host sends the identity information to the virtual machine, and the virtual machine sends the identity information to the host); and the host and the authentication server communicate through the network (the host sends the identity information to the authentication server, and the authentication server sends the authentication result to the host).
Further, according to the method shown in Fig. 1, another embodiment of the invention provides a method for accessing a virtual machine, used mainly on the host side. As shown in Fig. 4, the method includes:
201. The host receives, through a paravirtualized interface, the identity information to be authenticated sent by the virtual machine.
The identity information is information obtained by the virtual machine, after receiving an access request, from the smart cryptographic key corresponding to the access request. The smart cryptographic key corresponding to the access request is the smart cryptographic key attached through a physical interface to the device that initiated the access request. When a user wants to access the virtual machine, the virtual machine side receives the access request, obtains the identity information to be authenticated from the smart cryptographic key, and then sends the identity information to the host through the paravirtualized interface, so that the host, after receiving the identity information, forwards it to the authentication server for identity authentication. Other related content about the smart cryptographic key (including how it is connected to the host) can be found in the virtual machine side embodiment above.
202. The host sends the identity information to the authentication server through the network.
After the host receives the identity information sent by the virtual machine, it can forward the identity information to the authentication server for authentication through the network connection established with the authentication server.
It should be noted that the network established between the host and the authentication server may be a public network or a virtual private network; the specific network type is not limited here. In addition, when the host and the authentication server meet other communication conditions, they may interact through other communication modes; for example, when the host and the authentication server are close to each other, communication may be realized through Bluetooth.
203. The host receives, through the network, the authentication result of the identity authentication performed by the authentication server on the identity information.
After the authentication server receives the identity information sent by the host through the network, it may authenticate the identity information by a preset algorithm, or it may directly match the identity information against pre-stored identity information, so as to realize identity authentication; the specific authentication means is not limited here.
204. The host sends the authentication result to the virtual machine through the paravirtualized interface, so that the virtual machine determines from the authentication result whether the user corresponding to the smart cryptographic key has access rights.
The specific implementation of this step may refer to step 103 above and is not repeated here.
The host-side method of this embodiment thus has the same effect as the virtual machine side method above: the virtual machine never sends the identity information over the network itself; the host relays the identity information to the authentication server through the network and relays the authentication result back to the virtual machine through the paravirtualized interface, so that access control of the virtual machine can be realized on the basis of a USBkey authentication mechanism even when the virtual machine is not controlled via the network.
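The exchange described in steps 101 to 103, its remote-terminal variant (Fig. 3, including the host's shortcut of sending the identity information straight to the authentication server), and the host-side steps 201 to 204, as an added simulation in Python. This is example code written for this page, not code from the patent or its assignee; the message types, addresses, the enrolment record on the authentication server, and the "match against pre-stored identity information" check are all assumptions constructed for the example. The point it makes visible is the isolation property the description claims: the virtual machine object holds no network handle at all, and the network log records the host as the only sender.

```python
import hmac


class AuthServer:
    """Step 203: match identity information against pre-registered records (constructed here)."""
    def __init__(self, registered):
        self._registered = registered  # certificate id -> credential (constructed enrolment data)

    def receive(self, message):
        identity = message["identity"]
        expected = self._registered.get(identity.get("certificate"), "")
        # constant-time comparison: the position of a mismatch is not observable through timing
        ok = hmac.compare_digest(expected.encode(), str(identity.get("credential", "")).encode())
        return {"type": "auth_result", "result": "success" if ok else "failure"}


class Network:
    """The host's network. Only the host holds a reference; every send is logged with its sender."""
    def __init__(self):
        self.endpoints = {}  # address -> object with receive(message)
        self.log = []        # (sender, destination, message type)

    def send(self, sender, dest, message):
        self.log.append((sender, dest, message["type"]))
        return self.endpoints[dest].receive(message)


class ExternalTerminal:
    """Remote machine the user sits at, with the USBkey attached (the Fig. 3 scenario)."""
    def __init__(self, key_identity):
        self.key_identity = key_identity  # identity information read from the attached key

    def receive(self, message):
        if message["type"] != "identity_request":
            raise ValueError("unexpected message for terminal: %r" % message["type"])
        return {"type": "identity", "identity": self.key_identity}


class Host:
    """Steps 201-204: serves the VM over the paravirtualized interface; sole user of the network."""
    def __init__(self, address, network, auth_addr, local_key=None, forward_remote_directly=True):
        self.address, self.network, self.auth_addr = address, network, auth_addr
        self.local_key = local_key  # identity on a USBkey plugged into the host itself, if any
        self.forward_remote_directly = forward_remote_directly

    def _authenticate(self, identity):
        # steps 202-203: relay to the authentication server over the network and collect the result
        msg = {"type": "authenticate", "identity": identity}
        return self.network.send(self.address, self.auth_addr, msg)["result"]

    def handle_vm_message(self, message):
        """Endpoint of the virtio-style request/response interface the VM talks to."""
        kind = message["type"]
        if kind == "get_local_identity":      # step 101, key attached to the host (Fig. 2)
            return {"type": "identity", "identity": self.local_key}
        if kind == "get_remote_identity":     # step 101, key attached to an external terminal (Fig. 3)
            reply = self.network.send(self.address, message["terminal"], {"type": "identity_request"})
            if self.forward_remote_directly:  # shortcut from the description: skip the hop back to the VM
                return {"type": "auth_result", "result": self._authenticate(reply["identity"])}
            return reply
        if kind == "authenticate":            # step 102 arriving from the VM
            return {"type": "auth_result", "result": self._authenticate(message["identity"])}
        raise ValueError("unexpected message on paravirtualized interface: %r" % kind)


class VirtualMachine:
    """Steps 101-103: the guest. Its only I/O path is the paravirtualized interface."""
    def __init__(self, host_address, paravirt_send):
        self.host_address = host_address
        self._send = paravirt_send  # callable message -> reply; deliberately no network handle
        self.paravirt_log = []      # message types sent to the host

    def _ask_host(self, message):
        self.paravirt_log.append(message["type"])
        return self._send(message)

    def handle_access_request(self, request):
        # step 101: the key "corresponding to the request" is chosen by the address the request carries
        if request["address"] == self.host_address:
            reply = self._ask_host({"type": "get_local_identity"})
        else:
            reply = self._ask_host({"type": "get_remote_identity", "terminal": request["address"]})
        if reply["type"] == "identity":
            if reply["identity"] is None:
                return "deny"  # no key present: nothing to authenticate
            # step 102: hand the identity information to the host for authentication over the network
            reply = self._ask_host({"type": "authenticate", "identity": reply["identity"]})
        # step 103: decide on access from the result the host relayed back
        return "grant" if reply["result"] == "success" else "deny"


def build_system(forward_remote_directly=True, local_key=True):
    """Wire up VM, host, network, auth server and two external terminals with constructed data."""
    alice = {"certificate": "cert-alice", "credential": "cred-alice"}
    mallory = {"certificate": "cert-mallory", "credential": "guess"}
    net = Network()
    net.endpoints["auth.example"] = AuthServer({"cert-alice": "cred-alice"})  # enrolment record
    net.endpoints["10.0.0.2"] = ExternalTerminal(alice)
    net.endpoints["10.0.0.3"] = ExternalTerminal(mallory)
    host = Host("10.0.0.1", net, "auth.example", alice if local_key else None, forward_remote_directly)
    vm = VirtualMachine("10.0.0.1", host.handle_vm_message)
    return vm, host, net
```

`build_system()` returns the wired-up objects; calling `vm.handle_access_request({"address": "10.0.0.1"})` exercises the Fig. 2 path and an address of an external terminal exercises the Fig. 3 path. With `forward_remote_directly=False` the host hands the remote identity back to the VM, which then issues the separate `authenticate` message of step 102, so the paravirtualized message log shows two messages instead of one. The identity record is kept opaque on purpose: the description lists a certificate and private key as examples of identity information, and the example does not model how the authentication server checks them beyond the pre-stored match it mentions.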
Further, according to the method shown in Fig. 1, another embodiment of the invention provides a virtual machine. As shown in Fig. 5, the virtual machine includes:
an acquiring unit 31, for obtaining, after an access request is received, the identity information to be authenticated from the smart cryptographic key corresponding to the access request;
a transmitting unit 32, for sending the identity information to the host through a paravirtualized interface, so that the host sends the identity information to an authentication server through the network and receives, through the network, the authentication result of the authentication server's identity authentication of the identity information;
a receiving unit 33, for receiving the authentication result sent by the host through the paravirtualized interface, so as to determine from the authentication result whether the user corresponding to the smart cryptographic key has access rights.
Optionally, as shown in Fig. 6, the acquiring unit 31 includes:
a first acquisition module 311, for obtaining, when the network address carried in the access request is the network address of the host to which the virtual machine belongs, the identity information to be authenticated from the smart cryptographic key through the physical connection interface between the host and the smart cryptographic key;
a sending module 312, for sending, when the network address carried in the access request is the network address of an external terminal independent of the host, an identity information acquisition request to the external terminal through the host, so that the external terminal, according to the acquisition request, obtains the identity information to be authenticated from the smart cryptographic key connected to it through a physical connection interface;
a receiving module 313, for receiving, through the host, the identity information sent by the external terminal.
Optionally, the paravirtualized interface is formed by means of the virtio mechanism.
Optionally, the smart cryptographic key includes a USBkey.
The virtual machine apparatus of this embodiment has the same effect as the method above: after obtaining the identity information from the smart cryptographic key (such as a USBkey), it sends the identity information to the host through the paravirtualized interface rather than through the network, and receives the authentication result from the host through the same interface, so that access control of the virtual machine can be realized on the basis of a USBkey authentication mechanism even when the virtual machine is not controlled via the network.
Further, according to the method shown in Fig. 4, another embodiment of the invention provides a host. As shown in Fig. 7, the host includes:
a receiving unit 41, for receiving, through a paravirtualized interface, the identity information to be authenticated sent by the virtual machine, the identity information being information obtained by the virtual machine, after receiving an access request, from the smart cryptographic key corresponding to the access request;
a transmitting unit 42, for sending the identity information to an authentication server through the network;
the receiving unit 41 is further used for receiving, through the network, the authentication result of the identity authentication performed by the authentication server on the identity information;
the transmitting unit 42 is further used for sending the authentication result to the virtual machine through the paravirtualized interface, so that the virtual machine determines from the authentication result whether the user corresponding to the smart cryptographic key has access rights.
Optionally, the paravirtualized interface is formed by means of the virtio mechanism.
Optionally, the smart cryptographic key includes a USBkey.
The host apparatus of this embodiment has the same effect as the method above: it relays the identity information received from the virtual machine over the paravirtualized interface to the authentication server through the network, and relays the authentication result back to the virtual machine over the paravirtualized interface, so that access control of the virtual machine can be realized on the basis of a USBkey authentication mechanism even when the virtual machine is not controlled via the network.
Further, according to the above method embodiments, another embodiment of the invention also provides a storage medium. The storage medium stores a plurality of instructions, and the instructions are adapted to be loaded by a processor to perform the method for accessing a virtual machine performed on the virtual-machine side as described above, or to be loaded to perform the method for accessing a virtual machine performed on the host side as described above.
Further, according to the above method embodiments, another embodiment of the invention also provides an electronic device. The electronic device includes a storage medium and a processor;
the processor is adapted to execute each instruction;
the storage medium is adapted to store a plurality of instructions;
the instructions are adapted to be loaded by the processor to perform the method for accessing a virtual machine performed on the virtual-machine side as described above, or to be loaded to perform the method for accessing a virtual machine performed on the host side as described above.
Further, according to the above embodiments, another embodiment of the invention also provides a system for accessing a virtual machine. The system includes a virtual machine, a host and an intelligent code key;
wherein the virtual machine includes the virtual machine as described above, and the host includes the host as described above;
the intelligent code key is physically connected to the host or to another physical machine; it is the device required to apply for access to the virtual machine and contains the identity information of the user applying for access to the virtual machine.
With the system for accessing a virtual machine provided by the embodiments of the present invention, after the virtual machine has obtained the identity information from the intelligent code key (for example a USBkey), it does not send that information directly to the authentication server over the network. Instead, it first sends the identity information to the host through the paravirtualized interface, without using the network; the host forwards it over the network to the authentication server; and once the authentication server has authenticated the identity information and produced an authentication result, the host obtains that result over the network and passes it to the virtual machine through the paravirtualized interface. Throughout the authentication process the virtual machine is therefore not controlled over the network, that is, access control for the virtual machine can be implemented on the basis of the USBkey authentication mechanism even though the virtual machine is not controlled over the network.
The embodiments of the present invention further provide:
A1. A method for accessing a virtual machine, the method including:
after receiving an access request, a virtual machine obtains identity information to be authenticated from the intelligent code key corresponding to the access request;
the virtual machine sends the identity information to the host through a paravirtualized interface, so that the host sends the identity information to an authentication server over the network and receives, over the network, the authentication result produced by the authentication server when it authenticates the identity information;
the virtual machine receives the authentication result sent by the host through the paravirtualized interface, so as to determine from the authentication result whether the user corresponding to the intelligent code key has access rights.
A2. The method according to A1, wherein obtaining the identity information to be authenticated from the intelligent code key corresponding to the access request includes:
when the network address carried in the access request is the network address of the host to which the virtual machine belongs, obtaining the identity information to be authenticated from the intelligent code key through the physical connection interface between the host and the intelligent code key;
when the network address carried in the access request is the network address of an external terminal independent of the host, sending an identity information acquisition request to the external terminal through the host, so that the external terminal, according to the identity information acquisition request, obtains the identity information to be authenticated from the intelligent code key connected to it through its physical connection interface; and receiving, through the host, the identity information sent by the external terminal.
A3. The method according to A1 or A2, wherein the paravirtualized interface is provided by the virtio mechanism.
A4. The method according to A1 or A2, wherein the intelligent code key includes a USBkey.
B5. A method for accessing a virtual machine, the method including:
a host receives, through a paravirtualized interface, identity information to be authenticated sent by a virtual machine, the identity information being the information that the virtual machine obtained from the intelligent code key corresponding to an access request after receiving that access request;
the host sends the identity information to an authentication server over the network;
the host receives, over the network, the authentication result produced by the authentication server when it authenticates the identity information;
the host sends the authentication result to the virtual machine through the paravirtualized interface, so that the virtual machine determines from the authentication result whether the user corresponding to the intelligent code key has access rights.
B6. The method according to B5, wherein the paravirtualized interface is provided by the virtio mechanism.
B7. The method according to B5 or B6, wherein the intelligent code key includes a USBkey.
C8. A virtual machine, the virtual machine including:
an acquiring unit, configured to obtain, after an access request is received, identity information to be authenticated from the intelligent code key corresponding to the access request;
a sending unit, configured to send the identity information to the host through a paravirtualized interface, so that the host sends the identity information to an authentication server over the network and receives, over the network, the authentication result produced by the authentication server when it authenticates the identity information;
a receiving unit, configured to receive the authentication result sent by the host through the paravirtualized interface, so as to determine from the authentication result whether the user corresponding to the intelligent code key has access rights.
C9. The virtual machine according to C8, wherein the acquiring unit includes:
a first acquisition module, configured to obtain, when the network address carried in the access request is the network address of the host to which the virtual machine belongs, the identity information to be authenticated from the intelligent code key through the physical connection interface between the host and the intelligent code key;
a sending module, configured to send, when the network address carried in the access request is the network address of an external terminal independent of the host, an identity information acquisition request to the external terminal through the host, so that the external terminal, according to the identity information acquisition request, obtains the identity information to be authenticated from the intelligent code key connected to it through its physical connection interface;
a receiving module, configured to receive, through the host, the identity information sent by the external terminal.
C10. The virtual machine according to C8 or C9, wherein the paravirtualized interface is provided by the virtio mechanism.
C11. The virtual machine according to C8 or C9, wherein the intelligent code key includes a USBkey.
D12. A host, the host including:
a receiving unit, configured to receive, through a paravirtualized interface, identity information to be authenticated sent by a virtual machine, the identity information being the information that the virtual machine obtained from the intelligent code key corresponding to an access request after receiving that access request;
a sending unit, configured to send the identity information to an authentication server over the network;
the receiving unit is further configured to receive, over the network, the authentication result produced by the authentication server when it authenticates the identity information;
the sending unit is further configured to send the authentication result to the virtual machine through the paravirtualized interface, so that the virtual machine determines from the authentication result whether the user corresponding to the intelligent code key has access rights.
D13. The host according to D12, wherein the paravirtualized interface is provided by the virtio mechanism.
D14. The host according to D12 or D13, wherein the intelligent code key includes a USBkey.
D15. A storage medium, the storage medium storing a plurality of instructions, the instructions being adapted to be loaded by a processor to perform the method for accessing a virtual machine according to any one of A1-A4, or to be loaded to perform the method for accessing a virtual machine according to any one of B5-B7.
E16. An electronic device, the electronic device including a storage medium and a processor;
the processor is adapted to execute each instruction;
the storage medium is adapted to store a plurality of instructions;
the instructions are adapted to be loaded by the processor to perform the method for accessing a virtual machine according to any one of A1-A4, or to be loaded to perform the method for accessing a virtual machine according to any one of B5-B7.
F17. A system for accessing a virtual machine, the system including a virtual machine, a host and an intelligent code key;
wherein the virtual machine includes the virtual machine according to any one of D8-D11, and the host includes the host according to any one of E12-E14;
the intelligent code key is physically connected to the host or to another physical machine; it is the device required to apply for access to the virtual machine and contains the identity information of the user applying for access to the virtual machine.
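The exchange that the embodiments above describe (A1 and A2 on the guest side, B5 on the host side, F17 for the system), modelled end to end as an added example. This is not code from the patent or from the applicant: the paravirtualized interface is modelled as a pair of in-process queues rather than a real virtio device, the identity record held by the USBkey is an assumed layout of user name plus credential, the authentication server is a constructed credential table, and the addresses and user names are constructed sample data. The only point at which a "network" is crossed is the host's call to the server; the guest never has a network path of its own.

```python
import hmac
import queue
from dataclasses import dataclass, field
from typing import Dict, Optional


class ParavirtChannel:
    """Stand-in for the virtio-style paravirtualized interface: a pair of
    one-way queues between guest and host. No network socket on this path."""

    def __init__(self) -> None:
        self.to_host: "queue.Queue[dict]" = queue.Queue()
        self.to_guest: "queue.Queue[dict]" = queue.Queue()


@dataclass
class UsbKey:
    """Constructed stand-in for the intelligent code key (e.g. a USBkey).
    The record layout is an assumption; the patent does not specify it."""
    user: str
    credential: str

    def identity_info(self) -> dict:
        return {"user": self.user, "credential": self.credential}


@dataclass
class AuthServer:
    """Authentication server; in this model only the host can reach it."""
    registered: Dict[str, str]  # user -> expected credential (constructed)

    def authenticate(self, identity: dict) -> dict:
        expected = self.registered.get(identity.get("user", ""))
        ok = expected is not None and hmac.compare_digest(
            expected, identity.get("credential", ""))
        return {"user": identity.get("user"), "authorized": ok}


@dataclass
class Host:
    address: str
    channel: ParavirtChannel
    auth_server: AuthServer
    local_key: Optional[UsbKey] = None  # key plugged into the host itself
    terminals: Dict[str, UsbKey] = field(default_factory=dict)  # addr -> key

    def read_local_key(self) -> Optional[dict]:
        """Physical connection interface between the host and its key."""
        return self.local_key.identity_info() if self.local_key else None

    def fetch_from_terminal(self, addr: str) -> Optional[dict]:
        """Identity information acquisition request to an external terminal;
        the terminal reads its own key and replies through the host."""
        key = self.terminals.get(addr)
        return key.identity_info() if key else None

    def relay_once(self) -> None:
        """Take identity info off the paravirtualized interface, forward it to
        the server over the network, and hand the result back the same way."""
        identity = self.channel.to_host.get()
        result = self.auth_server.authenticate(identity)  # the only network hop
        self.channel.to_guest.put(result)


@dataclass
class VirtualMachine:
    channel: ParavirtChannel
    host: Host

    def handle_access_request(self, request: dict) -> bool:
        """A2-style branch on the address carried in the access request,
        then the guest-side half of the A1 exchange."""
        addr = request["network_address"]
        if addr == self.host.address:
            identity = self.host.read_local_key()
        else:
            identity = self.host.fetch_from_terminal(addr)
        if identity is None:
            return False                    # no key reachable: deny
        self.channel.to_host.put(identity)  # guest never touches the network
        self.host.relay_once()
        result = self.channel.to_guest.get()
        # accept only a positive result for the identity actually submitted
        return bool(result["authorized"]) and result["user"] == identity["user"]


def run_demo() -> Dict[str, bool]:
    """Constructed scenario: one key on the host, two on external terminals."""
    server = AuthServer(registered={"alice": "cred-alice", "bob": "cred-bob"})
    channel = ParavirtChannel()
    host = Host(
        address="10.0.0.5", channel=channel, auth_server=server,
        local_key=UsbKey("alice", "cred-alice"),
        terminals={"10.0.0.77": UsbKey("bob", "cred-bob"),
                   "10.0.0.78": UsbKey("carol", "cred-carol")},  # unregistered
    )
    vm = VirtualMachine(channel=channel, host=host)
    return {
        "host_key": vm.handle_access_request({"network_address": "10.0.0.5"}),
        "terminal_bob": vm.handle_access_request({"network_address": "10.0.0.77"}),
        "terminal_carol": vm.handle_access_request({"network_address": "10.0.0.78"}),
        "no_terminal": vm.handle_access_request({"network_address": "10.0.0.99"}),
    }


if __name__ == "__main__":
    for name, allowed in run_demo().items():
        print(f"{name}: {'granted' if allowed else 'denied'}")
```

Two design choices are worth noting. The guest checks that the result it reads back names the same user whose identity information it submitted, so a result left on the channel for some other request cannot be mistaken for its own; and a missing key (no local key, or an address that matches no terminal) is treated as a denial rather than an error path, since the patent's flow has no other outcome for it. A real deployment would replace the queue pair with an actual virtio device and the credential table with whatever the authentication server really verifies; neither is specified on this page.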
In the above embodiments, each embodiment is described with its own emphasis; for parts not described in detail in one embodiment, reference may be made to the related descriptions of the other embodiments.
It will be understood that the related features of the above method and device may be referred to each other. In addition, "first", "second" and the like in the above embodiments serve to distinguish the embodiments and do not indicate their relative merit.
Those skilled in the art will clearly understand that, for convenience and brevity of description, the specific working processes of the system, device and units described above may be found in the corresponding processes of the foregoing method embodiments and are not repeated here.
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other equipment. Various general-purpose systems may also be used with the teachings herein. From the above description, the structure required to construct such systems is apparent. Moreover, the present invention is not directed to any particular programming language. It will be understood that various programming languages may be used to implement the invention described herein, and the description above of a specific language is given to disclose the best mode of the invention.
The specification provided here sets forth numerous specific details. It will be understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to streamline the disclosure and aid in understanding one or more of the various inventive aspects, in the above description of exemplary embodiments of the invention the various features of the invention are sometimes grouped together in a single embodiment, figure or description thereof. This method of disclosure, however, is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single disclosed embodiment. Thus the claims following the detailed description are hereby expressly incorporated into that description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will appreciate that the modules in the devices of an embodiment may be adaptively changed and arranged in one or more devices different from those of the embodiment. The modules, units or components of an embodiment may be combined into one module, unit or component, and may further be divided into a plurality of sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or apparatus so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, equivalent or similar purpose.
Furthermore, those skilled in the art will understand that although some embodiments described herein include certain features that are included in other embodiments but not others, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The component embodiments of the invention may be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the method, device and system for accessing a virtual machine according to embodiments of the invention. The invention may also be implemented as a device or apparatus program (for example, a computer program or computer program product) for performing part or all of the method described herein. Such a program implementing the invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and those skilled in the art may design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices may be embodied by one and the same item of hardware. The use of the words first, second and third does not indicate any order; these words may be interpreted as names.

Claims (10)

  1. A method for accessing a virtual machine, characterized in that the method includes:
    after receiving an access request, a virtual machine obtains identity information to be authenticated from the intelligent code key corresponding to the access request;
    the virtual machine sends the identity information to the host through a paravirtualized interface, so that the host sends the identity information to an authentication server over the network and receives, over the network, the authentication result produced by the authentication server when it authenticates the identity information;
    the virtual machine receives the authentication result sent by the host through the paravirtualized interface, so as to determine from the authentication result whether the user corresponding to the intelligent code key has access rights.
  2. The method according to claim 1, characterized in that obtaining the identity information to be authenticated from the intelligent code key corresponding to the access request includes:
    when the network address carried in the access request is the network address of the host to which the virtual machine belongs, obtaining the identity information to be authenticated from the intelligent code key through the physical connection interface between the host and the intelligent code key;
    when the network address carried in the access request is the network address of an external terminal independent of the host, sending an identity information acquisition request to the external terminal through the host, so that the external terminal, according to the identity information acquisition request, obtains the identity information to be authenticated from the intelligent code key connected to it through its physical connection interface; and receiving, through the host, the identity information sent by the external terminal.
  3. The method according to claim 1 or 2, characterized in that the paravirtualized interface is provided by the virtio mechanism.
  4. The method according to claim 1 or 2, characterized in that the intelligent code key includes a USBkey.
  5. A method for accessing a virtual machine, characterized in that the method includes:
    a host receives, through a paravirtualized interface, identity information to be authenticated sent by a virtual machine, the identity information being the information that the virtual machine obtained from the intelligent code key corresponding to an access request after receiving that access request;
    the host sends the identity information to an authentication server over the network;
    the host receives, over the network, the authentication result produced by the authentication server when it authenticates the identity information;
    the host sends the authentication result to the virtual machine through the paravirtualized interface, so that the virtual machine determines from the authentication result whether the user corresponding to the intelligent code key has access rights.
  6. A virtual machine, characterized in that the virtual machine includes:
    an acquiring unit, configured to obtain, after an access request is received, identity information to be authenticated from the intelligent code key corresponding to the access request;
    a sending unit, configured to send the identity information to the host through a paravirtualized interface, so that the host sends the identity information to an authentication server over the network and receives, over the network, the authentication result produced by the authentication server when it authenticates the identity information;
    a receiving unit, configured to receive the authentication result sent by the host through the paravirtualized interface, so as to determine from the authentication result whether the user corresponding to the intelligent code key has access rights.
  7. A host, characterized in that the host includes:
    a receiving unit, configured to receive, through a paravirtualized interface, identity information to be authenticated sent by a virtual machine, the identity information being the information that the virtual machine obtained from the intelligent code key corresponding to an access request after receiving that access request;
    a sending unit, configured to send the identity information to an authentication server over the network;
    the receiving unit is further configured to receive, over the network, the authentication result produced by the authentication server when it authenticates the identity information;
    the sending unit is further configured to send the authentication result to the virtual machine through the paravirtualized interface, so that the virtual machine determines from the authentication result whether the user corresponding to the intelligent code key has access rights.
  8. A storage medium, characterized in that the storage medium stores a plurality of instructions, the instructions being adapted to be loaded by a processor to perform the method for accessing a virtual machine according to any one of claims 1-4, or to be loaded to perform the method for accessing a virtual machine according to claim 5.
  9. An electronic device, characterized in that the electronic device includes a storage medium and a processor;
    the processor is adapted to execute each instruction;
    the storage medium is adapted to store a plurality of instructions;
    the instructions are adapted to be loaded by the processor to perform the method for accessing a virtual machine according to any one of claims 1-4, or to be loaded to perform the method for accessing a virtual machine according to claim 5.
  10. A system for accessing a virtual machine, characterized in that the system includes a virtual machine, a host and an intelligent code key;
    wherein the virtual machine includes the virtual machine according to claim 6, and the host includes the host according to claim 7;
    the intelligent code key is physically connected to the host or to another physical machine; it is the device required to apply for access to the virtual machine and contains the identity information of the user applying for access to the virtual machine.
CN201710920314.7A 2017-09-30 2017-09-30 Method, device and system for accessing virtual machine Active CN107707550B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710920314.7A CN107707550B (en) 2017-09-30 2017-09-30 Method, device and system for accessing virtual machine

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710920314.7A CN107707550B (en) 2017-09-30 2017-09-30 Method, device and system for accessing virtual machine

Publications (2)

Publication Number Publication Date
CN107707550A true CN107707550A (en) 2018-02-16
CN107707550B CN107707550B (en) 2021-08-10

Family

ID=61184436

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710920314.7A Active CN107707550B (en) 2017-09-30 2017-09-30 Method, device and system for accessing virtual machine

Country Status (1)

Country Link
CN (1) CN107707550B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110888716A (en) * 2019-12-17 2020-03-17 北京天融信网络安全技术有限公司 Data processing method and device, storage medium and electronic equipment
CN113765866A (en) * 2020-07-31 2021-12-07 北京沃东天骏信息技术有限公司 Method and device for logging in remote host
CN113765866B (en) * 2020-07-31 2023-09-05 北京沃东天骏信息技术有限公司 Method and device for logging in remote host

Patent Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102262557A (en) * 2010-05-25 2011-11-30 运软网络科技(上海)有限公司 Method for constructing virtual machine monitor by bus architecture and performance service framework
CN102546601A (en) * 2011-12-19 2012-07-04 广州杰赛科技股份有限公司 Auxiliary device of cloud computing terminal for accessing virtual machine
CN104184743A (en) * 2014-09-10 2014-12-03 西安电子科技大学 Three-layer authentication system and method oriented to cloud computing platform
CN104252377A (en) * 2013-06-28 2014-12-31 阿瓦亚公司 Virtualized host ID key sharing
CN104580188A (en) * 2014-12-29 2015-04-29 中国科学院信息工程研究所 Method and system for protecting root CA certificate in virtualization environment
CN104639516A (en) * 2013-11-13 2015-05-20 华为技术有限公司 Method, equipment and system for authenticating identities
US20160219041A1 (en) * 2013-06-25 2016-07-28 International Business Machines Corporation Sharing usb key by multiple virtual machines located at different hosts
CN106020997A (en) * 2016-05-13 2016-10-12 北京红山世纪科技有限公司 Method and system used for data transmission between virtual machines
CN106161396A (en) * 2015-04-20 2016-11-23 阿里巴巴集团控股有限公司 A kind of virtual machine network that realizes accesses the method and device controlled
CN106936760A (en) * 2015-12-30 2017-07-07 航天信息股份有限公司 A kind of apparatus and method of login Openstack cloud system virtual machines
CN107026860A (en) * 2017-04-01 2017-08-08 成都虫洞奇迹科技有限公司 Login authentication method, apparatus and system

Also Published As

Publication number Publication date
CN107707550B (en) 2021-08-10

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant