CN107707550B - Method, device and system for accessing virtual machine - Google Patents

Info

Publication number
CN107707550B
Authority
CN
China
Prior art keywords
virtual machine
identity information
host
authentication
machine
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201710920314.7A
Other languages
Chinese (zh)
Other versions
CN107707550A (en)
Inventor
陈川
唐青昊
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Qihoo Technology Co Ltd
Original Assignee
Beijing Qihoo Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Qihoo Technology Co Ltd
Priority to CN201710920314.7A
Publication of CN107707550A
Application granted
Publication of CN107707550B
Legal status: Active (current)
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources


Abstract

The invention discloses a method, a device and a system for accessing a virtual machine. It relates to the technical field of data security and solves the problem that, in the prior art, access control of a virtual machine cannot be implemented on the basis of a USBKey authentication mechanism when the virtual machine itself cannot rely on the network. The method comprises the following steps: after receiving an access request, the virtual machine acquires the identity information to be authenticated from the intelligent password key corresponding to the access request; it sends the identity information to the host machine through a paravirtualized interface, so that the host machine sends the identity information to an authentication server through the network and receives, through the network, the result of the identity authentication performed by the authentication server on that information; and it receives the authentication result sent by the host machine through the paravirtualized interface, so as to determine from the authentication result whether the user corresponding to the intelligent password key has the access right. The method is mainly suitable for scenarios in which access control of a virtual machine is implemented on the basis of USBKey authentication.

Description

Method, device and system for accessing virtual machine
Technical Field
The present invention relates to the field of data security technologies, and in particular, to a method, an apparatus, and a system for accessing a virtual machine.
Background
Virtual machine technology refers to one or more virtual machines simulated on one physical machine through virtual machine software. For security of data inside a virtual machine, access control is often performed on the virtual machine so that only a user having access rights can access the virtual machine.
An existing implementation of access control for a virtual machine is as follows: when a user needs to access a certain virtual machine, a USBKey device is inserted into a physical machine; before the virtual machine allows the user to access it, the identity information (for example, a digital certificate and a private key) in the USBKey device is obtained first, then the identity information is sent to an authentication server through the network for identity authentication, the authentication server returns an authentication result to the virtual machine through the network, and the virtual machine determines from the authentication result whether the user is allowed to access.
However, when the network function is not needed in the user's subsequent use of the virtual machine, or the virtual machine is prohibited from accessing the network, the above identity authentication method cannot be carried out. Therefore, how to implement access control of the virtual machine on the basis of the USBKey authentication mechanism when the virtual machine itself cannot rely on the network is a problem that urgently needs to be solved.
Disclosure of Invention
In view of this, the method, the device and the system for accessing the virtual machine provided by the invention solve the problem that, in the prior art, access control of the virtual machine cannot be implemented on the basis of the USBKey authentication mechanism when the virtual machine itself cannot rely on the network.
The purpose of the invention is realized by adopting the following technical scheme:
In a first aspect, the present invention provides a method for accessing a virtual machine, the method comprising:
after receiving an access request, the virtual machine acquires identity information to be authenticated from an intelligent password key corresponding to the access request;
sending the identity information to a host machine through a paravirtualized interface, so that the host machine sends the identity information to an authentication server through a network and receives, through the network, the result of the identity authentication performed by the authentication server on the identity information;
and receiving the authentication result sent by the host machine through the paravirtualized interface, so as to determine from the authentication result whether the user corresponding to the intelligent password key has the access right.
In a second aspect, the present invention provides a method for accessing a virtual machine, the method comprising:
the host machine receives identity information to be authenticated, sent by a virtual machine through a paravirtualized interface, wherein the identity information is obtained from an intelligent password key corresponding to an access request after the virtual machine receives the access request;
sending the identity information to an authentication server through a network;
receiving, through the network, the authentication result of the identity authentication performed on the identity information, sent by the authentication server;
and sending the authentication result to the virtual machine through the paravirtualized interface, so that the virtual machine determines from the authentication result whether the user corresponding to the intelligent password key has the access right.
In a third aspect, the present invention provides a virtual machine, including:
an acquiring unit, configured to acquire, after an access request is received, identity information to be authenticated from an intelligent password key corresponding to the access request;
a sending unit, configured to send the identity information to a host machine through a paravirtualized interface, so that the host machine sends the identity information to an authentication server through a network and receives, through the network, the result of the identity authentication performed by the authentication server on the identity information;
and a receiving unit, configured to receive the authentication result sent by the host machine through the paravirtualized interface, so as to determine from the authentication result whether the user corresponding to the intelligent password key has the access right.
In a fourth aspect, the present invention provides a host, comprising:
a receiving unit, configured to receive identity information to be authenticated, sent by a virtual machine through a paravirtualized interface, wherein the identity information is acquired from an intelligent password key corresponding to an access request after the virtual machine receives the access request;
a sending unit, configured to send the identity information to an authentication server through a network;
the receiving unit is further configured to receive, through the network, the authentication result of the identity authentication performed on the identity information, sent by the authentication server;
the sending unit is further configured to send the authentication result to the virtual machine through the paravirtualized interface, so that the virtual machine determines from the authentication result whether the user corresponding to the intelligent password key has the access right.
In a fifth aspect, the present invention provides a storage medium storing a plurality of instructions adapted to be loaded by a processor and to perform the method of accessing a virtual machine according to the first aspect; or to load and execute a method of accessing a virtual machine as described in the second aspect.
In a sixth aspect, the present invention provides an electronic device comprising a storage medium and a processor;
the processor is adapted to execute instructions;
the storage medium is adapted to store a plurality of instructions;
the instructions are adapted to be loaded by the processor and to perform the method of accessing a virtual machine described in the first aspect, or to be loaded and executed to perform the method of accessing a virtual machine described in the second aspect.
In a seventh aspect, the present invention provides a system for accessing a virtual machine, the system comprising: the system comprises a virtual machine, a host machine and an intelligent password key;
wherein the virtual machine comprises the virtual machine of the third aspect; the host comprises a host as described in the fourth aspect;
the intelligent password key is physically connected to the host machine or to another physical machine; it is a device required for accessing the virtual machine and contains the identity information of the user who applies to access the virtual machine.
By means of this technical scheme, in the method, device and system for accessing a virtual machine provided by the invention, after the virtual machine acquires the identity information from the intelligent password key (such as a USBKey), it sends the identity information to the host machine through a paravirtualized interface without using a network; the host machine then forwards the identity information to the authentication server through the network, and after the authentication server authenticates the identity information and produces an authentication result, the host machine obtains the authentication result through the network and forwards it to the virtual machine through the paravirtualized interface. The virtual machine therefore does not depend on the network at any point in the authentication process, which means that access control of the virtual machine can be implemented on the basis of the USBKey authentication mechanism even when the virtual machine itself cannot rely on the network.
The foregoing description is only an overview of the technical solutions of the present invention, and the embodiments of the present invention are described below in order to make the technical means of the present invention more clearly understood and to make the above and other objects, features, and advantages of the present invention more clearly understandable.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
fig. 1 is a flowchart illustrating a method for accessing a virtual machine according to an embodiment of the present invention;
fig. 2 is a schematic diagram illustrating a system architecture for accessing a virtual machine according to an embodiment of the present invention;
fig. 3 is a schematic diagram illustrating another system structure for accessing a virtual machine according to an embodiment of the present invention;
FIG. 4 is a flow chart illustrating another method for accessing a virtual machine according to an embodiment of the present invention;
FIG. 5 is a block diagram illustrating an apparatus for accessing a virtual machine according to an embodiment of the present invention;
FIG. 6 is a block diagram illustrating another apparatus for accessing a virtual machine according to an embodiment of the present invention;
fig. 7 is a block diagram illustrating another apparatus for accessing a virtual machine according to an embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
An embodiment of the present invention provides a method for accessing a virtual machine, where the method is mainly applied to a virtual machine side, and as shown in fig. 1, the method mainly includes:
101. After receiving an access request, the virtual machine acquires the identity information to be authenticated from the intelligent password key corresponding to the access request.
The intelligent password key may be a key (i.e., a USB key) of a Universal Serial Bus (USB) interface, or may be a key of another interface. When a user needs to access a virtual machine with an identity authentication mechanism, an access request can be triggered and generated after a control (such as a login button) for accessing the virtual machine is clicked; after the virtual machine receives the access request, in order to ensure the security of internal data of the virtual machine, the identity information of a user applying for access needs to be authenticated, and at this time, the user can be prompted to insert an intelligent password key (for example, the user is prompted to insert a USB key through a USB interface); after the user inserts the intelligent password key, the virtual machine can acquire the identity information carried in the intelligent password key so as to forward the identity information to the authentication server through the host machine for identity authentication.
The intelligent password key needs to be inserted into a device for the user to click and access the virtual machine, and the device can be the same device as a host machine to which the virtual machine belongs or different devices. That is, the user may directly access the virtual machine in the device, or may remotely access the virtual machine in the device through another device.
102. The virtual machine sends the identity information to the host machine through a paravirtualized interface, so that the host machine sends the identity information to an authentication server through the network and receives, through the network, the result of the identity authentication performed by the authentication server on the identity information.
The paravirtualized interface can be set through a virtio mechanism and is used for realizing communication between the virtual machine and the host machine. Therefore, after the virtual machine acquires the identity information in the intelligent password key, the identity information can be sent to the host machine through the paravirtualized interface, so that the host machine can forward the identity information to the authentication server through the network for authentication after receiving the identity information. And after the authentication server authenticates the identity information to obtain an authentication result, the authentication result is sent to the host machine through the network so that the host machine can forward the authentication result to the virtual machine.
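As an added illustration of the paravirtualized channel just described (example code, not taken from the patent), the following Python shows the guest side of a message framing layer of the kind one would run over a virtio-serial port: identity information is encoded as length-prefixed JSON, a maximum frame size is enforced before any allocation, and a short-read loop handles the fact that reads on such a port can return fewer bytes than requested. The frame format, the MAX_FRAME limit, the message fields and the device path `/dev/virtio-ports/<name>` are assumptions for this example; the constructed sample carries a certificate fingerprint as a stand-in for the key's identity information.

```python
import io
import json
import struct

# Upper bound on one frame. Identity information read from a key is small,
# so anything larger is treated as a protocol error (limit assumed here).
MAX_FRAME = 64 * 1024
HEADER = struct.Struct("!I")  # 4-byte big-endian length prefix


def encode_frame(message: dict) -> bytes:
    """Serialise one message as <length><json> for the paravirtualized port."""
    payload = json.dumps(message, separators=(",", ":")).encode("utf-8")
    if len(payload) > MAX_FRAME:
        raise ValueError("message exceeds MAX_FRAME")
    return HEADER.pack(len(payload)) + payload


def read_exact(port, n: int) -> bytes:
    """Read exactly n bytes; reads on a serial port may return short chunks."""
    buf = bytearray()
    while len(buf) < n:
        chunk = port.read(n - len(buf))
        if not chunk:
            raise EOFError("port closed mid-frame")
        buf.extend(chunk)
    return bytes(buf)


def decode_frame(port) -> dict:
    """Read one framed message, rejecting oversized or malformed frames
    before the payload is read."""
    (length,) = HEADER.unpack(read_exact(port, HEADER.size))
    if length > MAX_FRAME:
        raise ValueError(f"frame length {length} exceeds MAX_FRAME")
    message = json.loads(read_exact(port, length).decode("utf-8"))
    if not isinstance(message, dict) or "type" not in message:
        raise ValueError("malformed message")
    return message


class ParavirtPort:
    """Guest-side endpoint. On a Linux guest `path` would be the virtio-serial
    port exposed by the hypervisor (e.g. /dev/virtio-ports/<name>, name
    assumed); in the stand-alone demo an in-memory buffer stands in for it."""

    def __init__(self, stream):
        self.stream = stream

    @classmethod
    def open(cls, path):
        return cls(open(path, "r+b", buffering=0))

    def send(self, message: dict) -> None:
        self.stream.write(encode_frame(message))
        self.stream.flush()

    def receive(self) -> dict:
        return decode_frame(self.stream)


def demo_round_trip() -> dict:
    """Constructed sample: identity information as the VM would send it in
    step 102, written to an in-memory port and read back as the host would."""
    buffer = io.BytesIO()
    guest = ParavirtPort(buffer)
    guest.send({"type": "auth_request", "user": "alice",
                "cert_fingerprint": "sha256:CONSTRUCTED"})
    buffer.seek(0)  # the host's read end starts at the beginning
    return ParavirtPort(buffer).receive()


def oversize_rejected() -> bool:
    """A length prefix above MAX_FRAME must be rejected before reading the body."""
    bad = io.BytesIO(HEADER.pack(MAX_FRAME + 1) + b"x")
    try:
        decode_frame(bad)
    except ValueError:
        return True
    return False
```

The length check runs before the body is read so that a corrupted or hostile peer cannot make the guest allocate an arbitrarily large buffer; the same codec is used unchanged on the host side of the port.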
103. The virtual machine receives the authentication result sent by the host machine through the paravirtualized interface, so as to determine from the authentication result whether the user corresponding to the intelligent password key has the access right.
After the virtual machine receives the authentication result sent by the host machine through the paravirtualized interface, if the authentication result is that the identity authentication is successful, the virtual machine internal page can be output to the user, and if the authentication result is that the identity authentication is failed, prompt information that the identity authentication is failed and cannot be accessed can be output to the user.
In the method for accessing a virtual machine provided by this embodiment of the invention, after the virtual machine acquires the identity information from the intelligent password key (such as a USBKey), it sends the identity information to the host machine through a paravirtualized interface without using a network; the host machine then forwards the identity information to the authentication server through the network, and after the authentication server authenticates the identity information and produces an authentication result, the host machine obtains the authentication result through the network and forwards it to the virtual machine through the paravirtualized interface. The virtual machine therefore does not depend on the network at any point in the authentication process, which means that access control of the virtual machine can be implemented on the basis of the USBKey authentication mechanism even when the virtual machine itself cannot rely on the network.
Optionally, in step 101, it is mentioned that the user may directly access the virtual machine in the device, or may remotely access the virtual machine in the device through another device. When a user directly accesses a virtual machine in a device, that is, when a network address carried in the access request is a network address of a host to which the virtual machine belongs, the specific implementation manner of step 101 may be that the virtual machine acquires identity information to be authenticated in the intelligent password key through a physical connection interface between the host and the intelligent password key.
For example, when a user directly accesses a virtual machine in a device, a system architecture composed of the virtual machine, the host, a smart key (for example, a USBKey) and an authentication server may be as shown in fig. 2. The USBKey is connected to the host machine through a USB interface, the virtual machine communicates with the host machine through a paravirtualized interface (the virtual machine sends identity information to the host machine, and the host machine sends an authentication result to the virtual machine), and the host machine communicates with the authentication server through the network (the host machine sends the identity information to the authentication server, and the authentication server sends the authentication result to the host machine).
When a user remotely accesses a virtual machine in the device through other devices, that is, when a network address carried in the access request is a network address of an external terminal independent of the host, the specific implementation manner of step 101 may be that the virtual machine sends an identity information acquisition request to the external terminal through the host, so that the external terminal acquires, according to the identity information acquisition request, identity information to be authenticated in the connected intelligent cryptographic key through a physical connection interface; and receiving the identity information sent by the external terminal through the host machine. Specifically, the virtual machine may send an identity information acquisition request to the host machine through the paravirtualized interface, and the host machine sends the identity information acquisition request to the external terminal through the network, so that the external terminal acquires the identity information to be authenticated in the connected intelligent password key through the physical connection interface according to the identity information acquisition request, and sends the identity information to the host machine through the network, so that the host machine forwards the identity information to the virtual machine through the paravirtualized interface.
In addition, after the host computer obtains the identity information from the external terminal side, in order to accelerate the identity authentication speed, the identity information can be directly sent to the authentication server through the network instead of being forwarded to the virtual machine. It should be added that, when a user remotely accesses a virtual machine in a device through an external terminal, the device may be a terminal of a function type similar to the external terminal, or may be a server, such as a cloud platform server.
For example, when a user remotely accesses a virtual machine in the device through an external terminal, a system architecture consisting of the virtual machine, the host, a smart key, the external terminal and an authentication server may be as shown in fig. 3. The external terminal is connected to the USBKey; the external terminal communicates with the host machine of the virtual machine to be accessed through the network (the host machine sends an identity information acquisition request to the external terminal, and the external terminal sends identity information to the host machine); the virtual machine communicates with the host machine through a paravirtualized interface (the virtual machine sends the identity information acquisition request to the host machine, the host machine sends the identity information to the virtual machine, and the virtual machine sends the identity information to the host machine); and the host machine communicates with the authentication server through the network (the host machine sends the identity information to the authentication server, and the authentication server sends an authentication result to the host machine).
Further, according to the method shown in fig. 1, another embodiment of the present invention further provides a method for accessing a virtual machine, which is mainly applied to the host side, as shown in fig. 4, where the method includes:
201. The host machine receives the identity information to be authenticated, sent by the virtual machine through the paravirtualized interface.
The identity information is information obtained from the intelligent password key corresponding to the access request after the virtual machine receives the access request. Here, the smart key corresponding to the access request is the intelligent password key connected through a physical interface to the device that initiated the access request. When a user wants to access the virtual machine, the virtual machine side receives the access request, acquires the identity information to be authenticated from the intelligent password key, and then sends the identity information to the host machine through the paravirtualized interface, so that the host machine, after receiving the identity information, forwards it to the authentication server for identity authentication. Other details of the smart key (including how it is connected to the host) are described in the virtual machine side embodiment.
202. The host machine sends the identity information to an authentication server through a network.
After the host receives the sent identity information, the host can forward the identity information to the authentication server for authentication through network connection established with the authentication server.
It should be noted that the network established between the host and the authentication server may be a public network or a virtual private network, and the specific network type is not limited herein. In addition, when the host and the authentication server meet other communication conditions, interaction can be performed in other communication modes, for example, when the host and the authentication server are close to each other, communication can be realized through bluetooth.
203. The host machine receives, through the network, the authentication result of the identity authentication performed on the identity information, sent by the authentication server.
After receiving the identity information sent by the host machine through the network, the authentication server can authenticate the identity information through a preset algorithm, and can also directly match the identity information with the pre-stored identity information, so that identity authentication is realized, and the specific authentication means is not limited herein.
204. The host machine sends the authentication result to the virtual machine through the paravirtualized interface, so that the virtual machine can determine from the authentication result whether the user corresponding to the intelligent password key has the access right.
The specific implementation manner of this step may refer to step 103 described above, and is not described herein again.
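The exchange of steps 101 to 103 (virtual machine side), the local and remote key placements of fig. 2 and fig. 3, and steps 201 to 204 (host side) as one runnable Python simulation. It is an added example and not the patent's own code: the USBKey, the external terminal, the paravirtualized interface and the network are stand-ins (plain method calls), the authentication server uses the matching-against-pre-stored-information option of step 203 with a constant-time comparison, and the host applies the optional shortcut of sending identity information obtained from an external terminal straight to the authentication server. Registry contents, addresses and user names are constructed for the example.

```python
import hmac
from dataclasses import dataclass, field
from typing import Optional

# "Pre-stored identity information" held by the authentication server
# (step 203, matching option). Values are constructed for this example.
REGISTERED = {"alice": "cert-fp:CONSTRUCTED-ALICE"}


@dataclass
class SmartKey:
    """Stand-in for the USBKey: carries one user's identity information."""
    user: str
    identity: str

    def read(self) -> dict:
        return {"type": "identity", "user": self.user, "identity": self.identity}


@dataclass
class AuthServer:
    registry: dict

    def authenticate(self, info: dict) -> dict:
        """Step 203: match the presented identity information against the
        pre-stored copy. compare_digest avoids a timing difference between
        an unknown user and a wrong credential."""
        expected = self.registry.get(info.get("user"), "")
        ok = hmac.compare_digest(expected, info.get("identity", ""))
        return {"type": "auth_result", "user": info.get("user"), "success": ok}


@dataclass
class Host:
    """Relays between the paravirtualized interface (VM side) and the network
    (authentication server, external terminals). The VM never touches the network."""
    auth_server: AuthServer
    address: str
    local_key: Optional[SmartKey] = None           # key plugged into this host (fig. 2)
    terminals: dict = field(default_factory=dict)  # address -> key at a remote terminal (fig. 3)

    def from_vm(self, message: dict) -> dict:
        """Handle a message from the paravirtualized interface; the reply goes back the same way."""
        kind = message.get("type")
        if kind == "identity":                       # steps 201-204
            return self.auth_server.authenticate(message)
        if kind == "identity_request":               # remote variant of step 101
            key = self.terminals.get(message.get("terminal"))
            if key is None:
                return {"type": "auth_result", "success": False}
            # Optional shortcut from the description: identity obtained from the
            # external terminal goes straight to the server instead of through the VM.
            return self.auth_server.authenticate(key.read())
        return {"type": "auth_result", "success": False}


@dataclass
class VirtualMachine:
    host: Host

    def handle_access_request(self, request: dict) -> str:
        """Steps 101-103 from the virtual machine's point of view."""
        requester = request["network_address"]
        if requester == self.host.address:
            # Local access (fig. 2): the key is read through the host's physical port.
            if self.host.local_key is None:
                return "prompt: insert smart key"
            result = self.host.from_vm(self.host.local_key.read())
        else:
            # Remote access (fig. 3): ask the external terminal, via the host, for its key's identity.
            result = self.host.from_vm({"type": "identity_request", "terminal": requester})
        return "granted" if result["success"] else "denied: identity authentication failed"


def demo() -> dict:
    """Runs the three situations the description distinguishes; addresses are constructed."""
    host = Host(AuthServer(REGISTERED), address="10.0.0.1")
    vm = VirtualMachine(host)
    outcomes = {}
    outcomes["local_no_key"] = vm.handle_access_request({"network_address": "10.0.0.1"})
    host.local_key = SmartKey("alice", "cert-fp:CONSTRUCTED-ALICE")
    outcomes["local_registered"] = vm.handle_access_request({"network_address": "10.0.0.1"})
    host.terminals["10.0.0.7"] = SmartKey("bob", "cert-fp:CONSTRUCTED-BOB")  # bob is not registered
    outcomes["remote_unregistered"] = vm.handle_access_request({"network_address": "10.0.0.7"})
    return outcomes


if __name__ == "__main__":
    print(demo())
```

Note that `VirtualMachine` holds a reference only to `Host`: every message it sends or receives crosses the paravirtualized interface, and only `Host` talks to `AuthServer` or to a terminal, which is the property the description relies on when the guest has no network.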
In the method for accessing a virtual machine provided by this embodiment of the invention, after the virtual machine acquires the identity information from the intelligent password key (such as a USBKey), it sends the identity information to the host machine through a paravirtualized interface without using a network; the host machine then forwards the identity information to the authentication server through the network, and after the authentication server authenticates the identity information and produces an authentication result, the host machine obtains the authentication result through the network and forwards it to the virtual machine through the paravirtualized interface. The virtual machine therefore does not depend on the network at any point in the authentication process, which means that access control of the virtual machine can be implemented on the basis of the USBKey authentication mechanism even when the virtual machine itself cannot rely on the network.
Further, according to the method shown in fig. 1, another embodiment of the present invention further provides a virtual machine, as shown in fig. 5, where the virtual machine includes:
the acquiring unit 31 is configured to acquire, after receiving an access request, identity information to be authenticated in an intelligent cryptographic key corresponding to the access request;
a sending unit 32, configured to send the identity information to a host through a paravirtualized interface, so that the host sends the identity information to an authentication server through a network, and the host receives an authentication result of performing identity authentication on the identity information by the authentication server through the network;
a receiving unit 33, configured to receive the authentication result sent by the host through the paravirtualized interface, so as to determine whether a user corresponding to the smart key has an access right according to the authentication result.
Optionally, as shown in fig. 6, the obtaining unit 31 includes:
a first obtaining module 311, configured to, when the network address carried in the access request is a network address of a host to which the virtual machine belongs, obtain, through a physical connection interface between the host and the smart key, identity information to be authenticated in the smart key;
a sending module 312, configured to send, when the network address carried in the access request is a network address of an external terminal that is independent of the host, an identity information acquisition request to the external terminal through the host, so that the external terminal acquires, according to the identity information acquisition request, identity information to be authenticated in the connected intelligent cryptographic key through a physical connection interface;
a receiving module 313, configured to receive, by the host, the identity information sent by the external terminal.
Optionally, the paravirtualized interface is set by a virtio mechanism.
Optionally, the smart key includes a USBkey.
In the device for accessing a virtual machine provided by this embodiment of the invention, after the virtual machine acquires the identity information from the intelligent password key (such as a USBKey), it sends the identity information to the host machine through a paravirtualized interface without using a network; the host machine then forwards the identity information to the authentication server through the network, and after the authentication server authenticates the identity information and produces an authentication result, the host machine obtains the authentication result through the network and forwards it to the virtual machine through the paravirtualized interface. The virtual machine therefore does not depend on the network at any point in the authentication process, which means that access control of the virtual machine can be implemented on the basis of the USBKey authentication mechanism even when the virtual machine itself cannot rely on the network.
Further, according to the method shown in fig. 4, another embodiment of the present invention further provides a host, as shown in fig. 7, the host includes:
a receiving unit 41, configured to receive identity information to be authenticated, which is sent by a virtual machine through a paravirtualized interface, where the identity information is information obtained from an intelligent cryptographic key corresponding to an access request after the virtual machine receives the access request;
a sending unit 42, configured to send the identity information to an authentication server through a network;
the receiving unit 41 is further configured to receive, through the network, an authentication result produced by the authentication server's identity authentication of the identity information;
the sending unit 42 is further configured to send the authentication result to the virtual machine through the paravirtualized interface, so that the virtual machine determines whether the user corresponding to the smart key has an access right according to the authentication result.
Optionally, the paravirtualized interface is provided by a virtio mechanism.
Optionally, the smart cryptographic key includes a USBKey.
With the host provided by this embodiment of the invention, after the virtual machine obtains the identity information from the smart cryptographic key (such as a USBKey), it sends the identity information to the host through a paravirtualized interface that does not use a network; the host then forwards the identity information to the authentication server over the network, and after the authentication server has authenticated the identity information and produced an authentication result, the host obtains the authentication result over the network and forwards it to the virtual machine through the paravirtualized interface. The virtual machine therefore does not depend on a network at any point in the authentication process; that is, access control of the virtual machine can be implemented on the basis of the USBKey authentication mechanism even when the virtual machine has no network access.
Further, according to the above method embodiment, another embodiment of the present invention further provides a storage medium storing a plurality of instructions, the instructions being adapted to be loaded by a processor and execute the method for accessing a virtual machine executed by the virtual machine side as described above; or load and execute the method for accessing the virtual machine executed on the host side as described above.
Further, according to the above method embodiment, another embodiment of the present invention also provides an electronic device, which includes a storage medium and a processor;
the processor is adapted to execute instructions;
the storage medium is adapted to store a plurality of instructions;
the instructions are adapted to be loaded by the processor and to perform the method for accessing a virtual machine executed on the virtual machine side as described above, or to be loaded and to perform the method for accessing a virtual machine executed on the host side as described above.
Further, according to the above embodiments, another embodiment of the present invention provides a system for accessing a virtual machine, the system comprising a virtual machine, a host and a smart cryptographic key;
wherein the virtual machine is the virtual machine described above, and the host is the host described above;
the smart cryptographic key is physically connected to the host or to another physical machine; it is a device required for accessing the virtual machine and contains the identity information of the user applying for access to the virtual machine.
With the system for accessing a virtual machine provided by this embodiment of the invention, after the virtual machine obtains the identity information from the smart cryptographic key (such as a USBKey), it sends the identity information to the host through a paravirtualized interface that does not use a network; the host then forwards the identity information to the authentication server over the network, and after the authentication server has authenticated the identity information and produced an authentication result, the host obtains the authentication result over the network and forwards it to the virtual machine through the paravirtualized interface. The virtual machine therefore does not depend on a network at any point in the authentication process; that is, access control of the virtual machine can be implemented on the basis of the USBKey authentication mechanism even when the virtual machine has no network access.
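The flow described in the virtual machine, host and system embodiments above (and recited again in claim 1 below), modelled end to end as an added example that is not the patent's own code. The patent does not specify what the "identity information" read from the USBKey is, nor the message format on the paravirtualized interface, so this model makes two labelled assumptions: the identity information is an HMAC proof over a nonce issued by the authentication server (so that the value the host relays cannot simply be captured and replayed by anything on the path), and the virtio channel is represented by two in-memory queues. All class and field names (`SmartKey`, `AuthServer`, `Host`, `VirtualMachine`, the `acquire`/`authenticate` message types, the sample addresses and key serials) are hypothetical. The `VirtualMachine` object deliberately holds nothing but a reference to the channel: it has no socket and no address of its own, which is the property the patent relies on. Both branches of claim 1 are exercised: the key on the host's own USB port and the key on an external terminal reached through the host.

```python
"""Model of the patent's USBKey-authenticated VM access flow (added example, not
the patent's own code). The guest never touches a network: every message crosses
a paravirtualized channel, modelled here as two queues standing in for a virtio-serial port."""
import hashlib
import hmac
import secrets
from collections import deque


class SmartKey:
    """USBKey model: the secret never leaves the device, only a proof does."""
    def __init__(self, serial, secret):
        self.serial, self._secret = serial, secret

    def identity_info(self, challenge):
        # Assumption: identity information is an HMAC over a server nonce, so the
        # value the host relays is bound to one request rather than a static secret
        # that anything on the path could capture and replay.
        mac = hmac.new(self._secret, challenge, hashlib.sha256).hexdigest()
        return {"serial": self.serial, "challenge": challenge.hex(), "mac": mac}


class AuthServer:
    """Reachable over the network by the host only; registry: serial -> (secret, user)."""
    def __init__(self, registry):
        self._registry, self._issued = registry, set()

    def challenge(self):
        nonce = secrets.token_bytes(16)
        self._issued.add(nonce)
        return nonce

    def authenticate(self, info):
        nonce = bytes.fromhex(info["challenge"])
        if nonce not in self._issued:
            return {"ok": False, "reason": "unknown or replayed challenge"}
        self._issued.discard(nonce)  # one-shot: presenting the same proof twice fails
        if info["serial"] not in self._registry:
            return {"ok": False, "reason": "unregistered key"}
        secret, user = self._registry[info["serial"]]
        expected = hmac.new(secret, nonce, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, info["mac"]):
            return {"ok": False, "reason": "bad proof"}
        return {"ok": True, "user": user}


class Host:
    """Owns the network side and the physical USB interface; talks to the guest only
    through the two queues that stand in for the virtio-serial port."""
    def __init__(self, address, auth_server, terminals, local_key=None):
        self.address = address
        self._auth = auth_server      # authentication server, reached over the network
        self._terminals = terminals   # address -> SmartKey plugged into that external terminal
        self._local_key = local_key   # SmartKey on the host's own USB port, if any
        self.to_host, self.to_guest = deque(), deque()

    def serve_one(self):
        """Handle one guest message that arrived on the paravirtualized interface."""
        msg = self.to_host.popleft()
        if msg["type"] == "acquire":
            nonce = self._auth.challenge()
            if msg["address"] == self.address:        # key is on this host
                reply = (self._local_key.identity_info(nonce) if self._local_key
                         else {"error": "no key on host"})
            elif msg["address"] in self._terminals:   # identity information acquisition
                reply = self._terminals[msg["address"]].identity_info(nonce)  # request to terminal
            else:
                reply = {"error": "unknown terminal"}
        elif msg["type"] == "authenticate":
            reply = self._auth.authenticate(msg["identity"])
        else:
            reply = {"error": "bad message"}
        self.to_guest.append(reply)


class VirtualMachine:
    """Holds a channel to the host and nothing else: no socket, no NIC."""
    def __init__(self, host):
        self._host = host

    def _ask(self, msg):
        self._host.to_host.append(msg)
        self._host.serve_one()         # the host-side agent picks the message up
        return self._host.to_guest.popleft()

    def handle_access_request(self, request):
        """Return the name of the user granted access, or None."""
        identity = self._ask({"type": "acquire", "address": request["address"]})
        if "error" in identity:
            return None
        result = self._ask({"type": "authenticate", "identity": identity})
        return result["user"] if result["ok"] else None


def demo():
    """Constructed sample: key A on the host, key B on an external terminal."""
    server = AuthServer({"KEY-A": (b"secret-a", "alice"), "KEY-B": (b"secret-b", "bob")})
    host = Host("10.0.0.1", server, {"10.0.0.2": SmartKey("KEY-B", b"secret-b")},
                local_key=SmartKey("KEY-A", b"secret-a"))
    vm = VirtualMachine(host)
    return (vm.handle_access_request({"address": "10.0.0.1"}),   # key on the host itself
            vm.handle_access_request({"address": "10.0.0.2"}),   # key on the external terminal
            vm.handle_access_request({"address": "10.0.0.3"}))   # no such terminal: None
```

`demo()` returns `('alice', 'bob', None)`. In a real deployment the two queues are a virtio-serial port: with QEMU that is a `virtio-serial` device plus a `virtserialport` bound to a host-side chardev, which the guest sees under `/dev/virtio-ports/<name>` while it is started with no NIC at all. Two practical caveats follow from the model: the host agent sits in the path and sees every identity value it relays, so whatever the USBKey emits should be a per-request proof rather than a reusable credential, and the server must treat each challenge as one-shot, otherwise a host or terminal compromise turns into a replay.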
In the foregoing embodiments, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
It will be appreciated that the relevant features of the method and apparatus described above may be referred to one another. In addition, "first", "second", and the like in the above embodiments serve to distinguish the embodiments and do not represent the merits of the embodiments.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
The algorithms and displays presented herein are not inherently related to any particular computer, virtual machine, or other apparatus. Various general purpose systems may also be used with the teachings herein. The required structure for constructing such a system will be apparent from the description above. Moreover, the present invention is not directed to any particular programming language. It is appreciated that a variety of programming languages may be used to implement the teachings of the present invention as described herein, and any descriptions of specific languages are provided above to disclose the best mode of the invention.
In the description provided herein, numerous specific details are set forth. It is understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
Similarly, it should be appreciated that in the foregoing description of exemplary embodiments of the invention, various features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the disclosure and aiding in the understanding of one or more of the various inventive aspects. However, the disclosed method should not be interpreted as reflecting an intention that: that the invention as claimed requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of this invention.
Those skilled in the art will appreciate that the modules in the device in an embodiment may be adaptively changed and disposed in one or more devices different from the embodiment. The modules or units or components of the embodiments may be combined into one module or unit or component, and furthermore they may be divided into a plurality of sub-modules or sub-units or sub-components. All of the features disclosed in this specification (including any accompanying claims, abstract and drawings), and all of the processes or elements of any method or apparatus so disclosed, may be combined in any combination, except combinations where at least some of such features and/or processes or elements are mutually exclusive. Each feature disclosed in this specification (including any accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.
Furthermore, those skilled in the art will appreciate that while some embodiments described herein include some features included in other embodiments, rather than other features, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The various component embodiments of the invention may be implemented in hardware, or in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will appreciate that a microprocessor or Digital Signal Processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the method, apparatus and system for accessing virtual machines according to embodiments of the present invention. The present invention may also be embodied as apparatus or device programs (e.g., computer programs and computer program products) for performing a portion or all of the methods described herein. Such programs implementing the present invention may be stored on computer-readable media or may be in the form of one or more signals. Such a signal may be downloaded from an internet website or provided on a carrier signal or in any other form.
It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the unit claims enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second, third and so on does not indicate any ordering; these words may be interpreted as names.

Claims (9)

1. A method of accessing a virtual machine, the method comprising:
after receiving an access request, the virtual machine acquiring identity information to be authenticated from a smart cryptographic key corresponding to the access request;
sending the identity information to a host through a paravirtualized interface, so that the host sends the identity information to an authentication server through a network and receives, through the network, an authentication result of the authentication server's identity authentication of the identity information;
receiving the authentication result sent by the host through the paravirtualized interface, so as to determine, according to the authentication result, whether the user corresponding to the smart cryptographic key has access rights;
wherein acquiring the identity information to be authenticated from the smart cryptographic key corresponding to the access request comprises the following steps:
when the network address carried in the access request is the network address of the host to which the virtual machine belongs, acquiring the identity information to be authenticated from the smart cryptographic key through a physical connection interface between the host and the smart cryptographic key;
when the network address carried in the access request is the network address of an external terminal independent of the host, sending an identity information acquisition request to the external terminal through the host, so that the external terminal acquires, according to the identity information acquisition request, the identity information to be authenticated from the smart cryptographic key connected to it through a physical connection interface; and receiving, through the host, the identity information sent by the external terminal.
2. The method of claim 1, wherein the para-virtualization interface is provided via a virtio mechanism.
3. The method of claim 1, wherein the smart cryptographic key comprises a USBKey.
4. A virtual machine, comprising:
an acquisition unit, configured to acquire, after an access request is received, identity information to be authenticated from a smart cryptographic key corresponding to the access request;
a sending unit, configured to send the identity information to a host through a paravirtualized interface, so that the host sends the identity information to an authentication server through a network and receives, through the network, an authentication result of the authentication server's identity authentication of the identity information;
a receiving unit, configured to receive the authentication result sent by the host through the paravirtualized interface, so as to determine, according to the authentication result, whether the user corresponding to the smart cryptographic key has access rights;
wherein the acquisition unit comprises:
a first acquisition module, configured to acquire the identity information to be authenticated from the smart cryptographic key through a physical connection interface between the host and the smart cryptographic key when the network address carried in the access request is the network address of the host to which the virtual machine belongs;
a sending module, configured to send an identity information acquisition request to an external terminal through the host when the network address carried in the access request is the network address of the external terminal, which is independent of the host, so that the external terminal acquires, according to the identity information acquisition request, the identity information to be authenticated from the smart cryptographic key connected to it through a physical connection interface;
a receiving module, configured to receive, through the host, the identity information sent by the external terminal.
5. The virtual machine according to claim 4, wherein the paravirtualized interface is provided by a virtio mechanism.
6. The virtual machine of claim 4, wherein the smart cryptographic key comprises a USBKey.
7. A computer-readable storage medium storing a plurality of instructions adapted to be loaded by a processor and to perform a method of accessing a virtual machine according to any one of claims 1-3.
8. An electronic device, comprising a computer-readable storage medium and a processor;
the processor is adapted to execute instructions;
the computer-readable storage medium is adapted to store a plurality of instructions;
the instructions are adapted to be loaded by the processor and to perform the method of accessing a virtual machine according to any one of claims 1 to 3.
9. A system for accessing a virtual machine, the system comprising a virtual machine, a host and a smart cryptographic key;
wherein the virtual machine is the virtual machine of any one of claims 4-6;
the smart cryptographic key is physically connected to the host or to another physical machine; it is a device required for accessing the virtual machine and contains the identity information of the user applying for access to the virtual machine.
CN201710920314.7A 2017-09-30 2017-09-30 Method, device and system for accessing virtual machine Active CN107707550B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710920314.7A CN107707550B (en) 2017-09-30 2017-09-30 Method, device and system for accessing virtual machine

Publications (2)

Publication Number Publication Date
CN107707550A CN107707550A (en) 2018-02-16
CN107707550B true CN107707550B (en) 2021-08-10

Family

ID=61184436

Country Status (1)

Country Link
CN (1) CN107707550B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110888716A (en) * 2019-12-17 2020-03-17 北京天融信网络安全技术有限公司 Data processing method and device, storage medium and electronic equipment
CN113765866B (en) * 2020-07-31 2023-09-05 北京沃东天骏信息技术有限公司 Method and device for logging in remote host

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102546601A (en) * 2011-12-19 2012-07-04 广州杰赛科技股份有限公司 Auxiliary device of cloud computing terminal for accessing virtual machine
CN104184743A (en) * 2014-09-10 2014-12-03 西安电子科技大学 Three-layer authentication system and method oriented to cloud computing platform
CN104639516A (en) * 2013-11-13 2015-05-20 华为技术有限公司 Method, equipment and system for authenticating identities
CN106936760A (en) * 2015-12-30 2017-07-07 航天信息股份有限公司 A kind of apparatus and method of login Openstack cloud system virtual machines

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102262557B (en) * 2010-05-25 2015-01-21 运软网络科技(上海)有限公司 Method for constructing virtual machine monitor by bus architecture and performance service framework
CN104252375B (en) * 2013-06-25 2017-07-28 国际商业机器公司 Method and system for sharing USB Key positioned at multiple virtual machines of different main frames
US9961052B2 (en) * 2013-06-28 2018-05-01 Extreme Networks, Inc. Virtualized host ID key sharing
CN104580188B (en) * 2014-12-29 2017-11-07 中国科学院信息工程研究所 A kind of method and system of the protection root ca certificate in virtualized environment
CN106161396B (en) * 2015-04-20 2019-10-22 阿里巴巴集团控股有限公司 A kind of method and device for realizing virtual machine network access control
CN106020997B (en) * 2016-05-13 2019-07-16 北京红山世纪科技有限公司 A kind of method and system for data transmission between virtual machines
CN107026860B (en) * 2017-04-01 2020-10-16 成都灵跃云创科技有限公司 Login authentication method, device and system

Also Published As

Publication number Publication date
CN107707550A (en) 2018-02-16

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant