CN110708299A - Method and device for privilege centralized management and realization of dynamic host mutual trust authentication - Google Patents


Info

Publication number: CN110708299A
Authority: CN (China)
Prior art keywords: ssh, key, module, management, unit
Legal status: Pending (as listed by Google Patents; not a legal conclusion)
Application number: CN201910901761.7A
Other languages: Chinese (zh)
Inventors: 陈明朗, 邓祯恒, 杨达盛
Current assignee: Guangzhou Haiyi Information Security Technology Co Ltd
Original assignee: Guangzhou Haiyi Information Security Technology Co Ltd

Classifications

    • H04L63/0869: Network architectures or network communication protocols for network security; authentication of entities; achieving mutual authentication
    • H04L63/06: Network architectures or network communication protocols for network security; supporting key management in a packet data network
    • H04L63/083: Network architectures or network communication protocols for network security; authentication of entities using passwords


Abstract

The invention discloses a method for centralized privilege management and dynamic host mutual trust authentication, comprising the following steps: A) the public key and the private key are hosted in a privileged account security management system; B) the SSH KEY host mutual trust module of the privileged account security management system is installed; C) an SSH KEY login is initiated and SSH KEY authentication is executed; D) the password vault of the privileged account security management system provides the private key to the SSH client, and step E) is executed; D') the password vault provides the public key to the SSH server, and step E) is executed; E) identity matching authentication is performed and it is judged whether the match succeeds; if so, step F) is executed, otherwise step G); F) the login succeeds; G) the login fails. The invention also relates to a device implementing this method. The invention secures the keys while unifying and centralizing configuration management, reducing the configuration and management workload and improving security.

Description

Method and device for privilege centralized management and realization of dynamic host mutual trust authentication
Technical Field
The invention relates to the field of privileged account security management, in particular to a method and a device for centralized privilege (SSH KEY) management and dynamic host mutual trust authentication.
Background
In conventional SSH KEY mutual trust authentication, the public/private key pair of the root account or of an application OS account is used for matching authentication: the private key is stored on the SSH client host and the public key is written into the authorized_keys file on the SSH server. "Mutual trust" means that each side holds the key material needed to accept the other (its own private key and the peer's public key), so that password-free login is as fast as possible. Since an SSH KEY is itself a privileged credential (a high-value, sensitive enterprise IT asset and a target for attackers), the best protection is to rotate the key pair continuously.
Fig. 1 is a flowchart of SSH KEY mutual trust authentication in the conventional art. Specifically: A. an SSH login is initiated, and the target first performs SSH KEY authentication; B. the client checks whether a private key is configured locally for this target, and if so executes C; C. the configured private key is matched against the public key held by the corresponding target server; D. if no key was configured in step B, the default private key file id_rsa is tried, and if that is also absent or fails, password authentication is performed; E. the target server looks up the corresponding public key in its authorized_keys file; F. matching authentication succeeds and the login succeeds; G. matching authentication fails and the login fails. Conventional SSH KEY mutual trust is configured statically in the corresponding directory and file on the host; although the key can be changed dynamically, the private key is stored on the host and is at risk of being stolen.
Disclosure of Invention
The technical problem addressed by the present invention is to provide a method and a device for implementing dynamic host mutual trust authentication that secure the key, centralize and standardize configuration management, reduce the configuration and management workload, improve the security of centralized privilege management, and remedy the above defects of the prior art.
The technical scheme adopted by the invention is a method for centralized privilege management and dynamic host mutual trust authentication comprising the following steps:
A) the public key and the private key are hosted in a privileged account security management system;
B) the SSH KEY host mutual trust module of the privileged account security management system is installed;
C) an SSH KEY login is initiated and SSH KEY authentication is executed;
D) the password vault of the privileged account security management system provides the private key to the SSH client, and step E) is executed;
D') the password vault provides the public key to the SSH server, and step E) is executed;
E) identity matching authentication is performed and it is judged whether the match succeeds; if so, step F) is executed, otherwise step G);
F) the login succeeds;
G) the login fails.
In the method for centralized privilege management and dynamic host mutual trust authentication, step C) further comprises:
C1) the SSH client sends the SSH KEY host mutual trust module a request to obtain the private key from the password vault, or the SSH server sends the SSH KEY host mutual trust module a request to obtain the public key from the password vault;
C2) the identity of the SSH client or SSH server is verified and it is judged whether the verification succeeds; if so, step C3) is executed, otherwise step C4);
C3) step D) or D') is executed;
C4) the verification fails.
In the method for centralized privilege management and dynamic host mutual trust authentication, the privileged account security management system comprises:
a node management unit: used to build a directory tree that mirrors the enterprise organizational structure and to let different authorized users manage their own directories independently;
an account management unit: used to import and host privileged accounts and to perform lifecycle management centered on the privileged account itself;
an access control unit: used to subdivide account-usage permissions so that different users have different usage rights on different accounts;
a session monitoring unit: used to record, monitor, intercept and audit the user's single sign-on sessions on an account;
an audit management unit: comprising a log query module that provides log queries to the audit department, covering at least account usage and management and changes to the platform itself;
an approval management unit: used to provide per-transaction approval of the account usage process;
a system setting unit: used to provide platform-wide account policies, connection policies, portal settings and user-editable attribute parameters;
the node management unit, account management unit, access control unit, session monitoring unit, audit management unit, approval management unit and system setting unit are interconnected.
In the method for centralized privilege management and dynamic host mutual trust authentication according to the present invention, the account management unit further comprises:
an account rotation module: used to perform automatic password rotation on target privileged accounts as required by the enterprise management policy;
an embedded dependency synchronization module: used to replace hard-coded passwords in enterprise applications, scripts and operations tools with synchronization module code so that passwords are not exposed, or, in push mode, to periodically push new passwords into the hard-coded configuration;
a single sign-on connection module: used to give the user one-click connection capability and to let an administrator centrally distribute client tools to users, achieving single sign-on so that the password never reaches the user's side and continuous monitoring and auditing become possible;
a fine-grained sharing module: used to provide account-level fine-grained sharing to the user;
the account rotation module, embedded dependency synchronization module, single sign-on connection module and fine-grained sharing module are interconnected.
The invention also relates to a device implementing the method for centralized privilege management and dynamic host mutual trust authentication, comprising:
a hosting unit: used to host the public key and the private key in a privileged account security management system;
a mutual trust module installation unit: used to install the SSH KEY host mutual trust module of the privileged account security management system;
a login authentication unit: used to initiate an SSH KEY login and execute SSH KEY authentication;
a private key providing unit: used to make the password vault of the privileged account security management system provide the private key to the SSH client;
a public key providing unit: used to make the password vault provide the public key to the SSH server;
a matching unit: used to perform identity matching authentication and judge whether the match succeeds;
a login success unit: for a successful login;
a login failure unit: for a failed login.
In the device of the present invention, the login authentication unit further comprises:
a request sending module: used to make the SSH client send the SSH KEY host mutual trust module a request to obtain the private key from the password vault, or to make the SSH server send the SSH KEY host mutual trust module a request to obtain the public key from the password vault;
an identity verification module: used to verify the identity of the SSH client or SSH server and judge whether the verification succeeds;
a verification success module: used to hand over to the private key providing unit or the public key providing unit;
a verification failure module: for a failed verification.
The method and device for centralized privilege management and dynamic host mutual trust authentication have the following beneficial effects. Compared with the SSH KEY mutual trust mechanism of the prior art, the invention adopts automatic key rotation, dynamic provisioning and identity verification, providing a more complete and secure way to handle the generation, storage, rotation and delivery of privileged account keys; the key is no longer stored on the server where it could be stolen at will. At the same time, clients no longer have to configure large numbers of authorized keys, since configuration work is centralized in the privileged account security management system. The invention therefore secures the key while unifying, centralizing and standardizing configuration management, reduces the configuration and management workload, improves the security of centralized privilege management and realizes dynamic host mutual trust authentication.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
FIG. 1 is a flowchart of SSH KEY mutual trust authentication in the prior art;
FIG. 2 is a flowchart of the method for centralized privilege management and dynamic host mutual trust authentication in an embodiment of the present invention;
FIG. 3 is a detailed flowchart of the step of initiating an SSH KEY login and executing SSH KEY authentication in the embodiment;
FIG. 4 is a schematic structural diagram of the privileged account security management system in the embodiment;
FIG. 5 is a schematic structural diagram of the account management unit in the embodiment;
FIG. 6 is a schematic structural diagram of the device in the embodiment.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In the embodiment of the method and device for centralized privilege management and dynamic host mutual trust authentication of the present invention, the flowchart of the method is shown in fig. 2. In fig. 2, the method includes the following steps:
Step S01 hosts the public key and the private key in the privileged account security management system: in this step, the public key and the private key are hosted in the privileged account security management system.
Fig. 4 is a schematic structural diagram of the privileged account security management system in this embodiment. In fig. 4, the privileged account security management system includes a node management unit 1, an account management unit 2, an access control unit 3, a session monitoring unit 4, an audit management unit 5, an approval management unit 6 and a system setting unit 7, which are interconnected. The node management unit 1 is used to build a directory tree that mirrors the enterprise organizational structure and lets different authorized users manage their own directories independently.
The account management unit 2 is used to import and host privileged accounts and performs lifecycle management centered on the privileged account itself. When a user needs to use a new account credential, the single sign-on connection module of the account management unit 2 lets the credential be used safely without ever being delivered to the user's endpoint.
The access control unit 3 is responsible for subdividing account usage permissions so that different users have different usage rights on different accounts. The account safe of the access control unit 3 provides the ability to add, modify and manage account safes, provides a logically independent space for account storage, and grants users access authorization on the basis of sets of safes.
The session monitoring unit 4 is used to conveniently record, monitor, intercept and audit the user's single sign-on sessions on an account. It can provide functions such as fast session search, locating operation records, session intervention and operation interception.
The audit management unit 5 is used to provide log queries to the audit department, covering at least account usage and management and changes to the platform itself. In other words, the audit management unit 5 gives the audit department log queries over dimensions such as account usage and management and platform changes. The log content supports tracing an account's operation history and analysing user behaviour.
The approval management unit 6 is used to provide per-transaction approval of the account usage process. The approval flow can specify the approver, the operation content, a time window, a reason and so on. The approval management unit also has plug-in extension capability so that it can integrate with an external work-order system platform.
The system setting unit 7 is used to provide platform-wide account policies, connection policies, portal settings, user-editable attribute parameters and the like. The system setting unit 7 is mainly interconnected with the account management unit 2.
By setting the node management unit 1, the account management unit 2, the access control unit 3, the session monitoring unit 4, the audit management unit 5, the approval management unit 6 and the system setting unit 7, the privileged account of an enterprise can be automatically managed, a user can perform single sign-on use on the premise of not contacting a password, and flexible and plug-in account management can be performed on the privileged account in environments such as cloud, DevOps, containerization and the like.
Fig. 5 is a schematic structural diagram of an account management unit in this embodiment, in fig. 5, the account management unit 2 further includes an account rotation module 21, an embedded dependency synchronization module 22, a single sign-on connection module 23, and a fine-grained sharing module 24 that are connected to each other; in addition, the account number rotation module 21, the embedded dependency synchronization module 22 and the single sign-on connection module 23 are connected with the system setting unit 7, the node management unit 1, the approval management unit 6 and the audit management unit 5.
The account rotation module 21 is configured to perform automatic password rotation management on target privileged accounts as required by the enterprise management policy, for example periodic verification, password change and automatic reset on error. The account rotation module 21 rotates the password of the target privileged account automatically according to the account policy defined by the account policy module 71, and the type of target account is not limited. Currently supported account types include, but are not limited to, operating system accounts, database accounts, network security device accounts, virtualization console accounts, cloud platform console accounts, containerization administrator accounts, DevOps tool console accounts, application middleware console accounts (non-operating-system accounts), development-interface access key accounts and the like.
The embedded dependency synchronization module 22 is used to replace hard-coded passwords in enterprise applications, scripts and operations tools with synchronization module code so that passwords are not exposed, or, in push mode, to periodically push new passwords into the hard-coded configuration. The embedded dependency synchronization module 22 is interconnected with the account rotation module 21 and is responsible for synchronously pushing the account from the account rotation module 21 to every place the embedded dependency lives, such as a system service, a configuration file, a tool setting or a database table entry. The module can also provide language packages for embedding credential retrieval in program code in place of plaintext passwords, so that programs need no hard-coded secrets, and the identity, validity and safety of the calling program can be audited, restricted and isolated.
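The pattern described for module 22, as an added example that is not code from the patent or from the assignee's product: a Go program that contrasts a hard-coded database password with a small credential-sync wrapper which re-reads the vault when the target rejects the cached value, the situation that arises the moment module 21 rotates the password. `PasswordStore`, `Database`, `SyncedCredential` and the password values are constructed for the example; `Rotate` pushing the new password to targets stands in for the push mode the text mentions.

```go
package main

import (
	"errors"
	"fmt"
)

// Before: the hard-coded credential that module 22 is meant to eliminate. It
// leaks with the source, the binary or a core dump, and breaks on rotation.
const hardCodedDBPassword = "Summer2019!" // constructed value

// PasswordStore stands in for the vault plus account rotation module 21.
type PasswordStore struct {
	current string
	Version int
}

func (s *PasswordStore) Get() (string, int) { return s.current, s.Version }

// Rotate sets a new password and pushes it to the target systems (push mode).
func (s *PasswordStore) Rotate(newPassword string, targets ...*Database) {
	s.current, s.Version = newPassword, s.Version+1
	for _, t := range targets {
		t.Password = newPassword
	}
}

// Database is a constructed target that accepts only its current password.
type Database struct{ Password string }

func (d *Database) Connect(password string) error {
	if password != d.Password {
		return errors.New("access denied")
	}
	return nil
}

// SyncedCredential is the "synchronization module code" that replaces the
// constant in the application: it caches the password and re-syncs from the
// store when the target rejects it, which is what happens right after a rotation.
type SyncedCredential struct {
	store     *PasswordStore
	cached    string
	Version   int
	Refreshes int
}

func NewSyncedCredential(store *PasswordStore) *SyncedCredential {
	c := &SyncedCredential{store: store}
	c.refresh()
	return c
}

func (c *SyncedCredential) refresh() {
	c.cached, c.Version = c.store.Get()
	c.Refreshes++
}

// ConnectWithRefresh returns the credential version that finally worked; a
// second rejection means the problem is not a stale cache and is surfaced.
func (c *SyncedCredential) ConnectWithRefresh(db *Database) (int, error) {
	if err := db.Connect(c.cached); err == nil {
		return c.Version, nil
	}
	c.refresh()
	if err := db.Connect(c.cached); err != nil {
		return c.Version, fmt.Errorf("after re-sync (version %d): %w", c.Version, err)
	}
	return c.Version, nil
}

func main() {
	db := &Database{}
	store := &PasswordStore{}
	store.Rotate(hardCodedDBPassword, db) // initial provisioning, version 1
	cred := NewSyncedCredential(store)
	store.Rotate("rotated-by-policy-1", db) // policy-driven rotation, version 2
	fmt.Println(db.Connect(hardCodedDBPassword)) // access denied
	fmt.Println(cred.ConnectWithRefresh(db))     // 2 <nil>
}
```

The single retry is deliberate: one rejection is the expected signature of a rotation that has not yet reached the cache, while a second rejection after a fresh read means the store and the target disagree (for instance a password changed on the target outside the management system) and should be raised rather than retried forever.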
The single sign-on connection module 23 is used to give the user one-click connection capability and to let an administrator centrally distribute client tools to users, achieving single sign-on so that the password never reaches the user's side; this improves security and enables continuous monitoring and auditing. It provides one-click single sign-on to an account, supports custom login logic for user-defined login tools, and offers controls for file upload and download, text copy and paste, and quick clone connections.
The fine-grained sharing module 24 is used to provide account-level fine-grained sharing to the user, flexibly meeting the need for temporary authorization.
Step S02 installs the SSH KEY host mutual trust module of the privileged account security management system: in this step, the SSH KEY host mutual trust module of the privileged account security management system is installed.
Step S03 initiates an SSH KEY login and performs SSH KEY authentication: in this step, an SSH login is initiated and the target first performs SSH KEY authentication.
Step S04, the password vault of the privileged account security management system provides the private key to the SSH client: in this step, the password vault of the privileged account security management system provides the private key to the SSH client. After this step, step S05 is executed.
Step S04', the password vault provides the public key to the SSH server: in this step, the password vault of the privileged account security management system provides the public key to the SSH server. After this step, step S05 is executed.
Step S05, identity matching authentication is performed and it is judged whether the match succeeds: in this step, identity matching authentication is performed and it is judged whether the match succeeds; if the result is yes, step S06 is executed, otherwise step S07.
Step S06, login succeeds: this step is executed if the result of step S05 is yes. In this step, matching authentication has succeeded and the login succeeds.
Step S07, login fails: this step is executed if the result of step S05 is no. In this step, matching authentication has failed and the login fails.
Compared with the SSH KEY mutual trust mechanism of the prior art, the method for centralized privilege management and dynamic host mutual trust authentication adopts automatic key rotation, dynamic provisioning and identity verification, providing a more complete and secure way to handle the generation, storage, rotation and delivery of privileged account keys, and ensures that the key is not stored on the server where it could be stolen at will. At the same time, users no longer have to configure large numbers of authorized keys, since configuration work is centralized in the privileged account security management system; key security is ensured, configuration management is unified, centralized and standardized, the configuration and management workload is reduced and security is improved.
For the present embodiment, step S03 can be further refined; the detailed flowchart is shown in fig. 3. In fig. 3, step S03 further includes the following steps:
Step S31, the SSH client sends the SSH KEY host mutual trust module a request to obtain the private key from the password vault, or the SSH server sends the SSH KEY host mutual trust module a request to obtain the public key from the password vault: in this step, the SSH client requests the private key from the password vault through the SSH KEY host mutual trust module, or the SSH server requests the public key from the password vault through the SSH KEY host mutual trust module.
Step S32, the identity of the SSH client or SSH server is verified and it is judged whether the verification succeeds: in this step, the identity of the requesting SSH client or SSH server is verified and it is judged whether the verification succeeds; if the result is yes, that is, the request is accepted, step S04 or step S04' is executed; otherwise step S33 is executed.
Step S33, verification fails: in this step, verification of the SSH client identity or SSH server identity has failed, and steps S04 and S04' are not executed.
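The flow of steps S03 to S07, with the identity check of steps S31 to S33 and the rotation performed by module 21, as an added example that is not code from the patent or from the assignee's product. It simulates the exchange in Go: the vault releases the private key to the client (step S04) and the public key to the server (step S04') only after each host proves its identity (step S32), and the server then checks a signature over a fresh challenge (step S05). The patent does not say how step S32 verifies a host; the HMAC over a per-host enrollment secret used here, the Ed25519 key type and the challenge-response standing in for the real SSH userauth exchange are all assumptions of this example, and the host names are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Vault plays the password vault: it owns the SSH key pair of one privileged
// account; the HMAC enrollment proof for step S32 is this example's assumption.
type Vault struct {
	priv        ed25519.PrivateKey
	pub         ed25519.PublicKey
	Generation  int               // incremented by every rotation
	hostSecrets map[string][]byte // hypothetical enrollment secrets by host name
}

func NewVault() (*Vault, error) {
	v := &Vault{hostSecrets: map[string][]byte{}}
	return v, v.Rotate()
}

// Rotate replaces the key pair (account rotation module 21); a private key
// released earlier stops matching once servers re-fetch the public key.
func (v *Vault) Rotate() error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err == nil {
		v.pub, v.priv, v.Generation = pub, priv, v.Generation+1
	}
	return err
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	rand.Read(b) // crypto/rand; error ignored to keep the example short
	return b
}

// Enroll models installing the host mutual trust module (step S02): the host
// gets a secret with which it later proves its identity to the vault.
func (v *Vault) Enroll(host string) []byte {
	v.hostSecrets[host] = randomBytes(32)
	return v.hostSecrets[host]
}

// Nonce is issued by the vault per request so a captured proof cannot be replayed.
func (v *Vault) Nonce() []byte { return randomBytes(16) }

// HostProof runs on the requesting host (step S31) over its secret and the nonce.
func HostProof(secret []byte, host string, nonce []byte) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write([]byte(host))
	m.Write(nonce)
	return m.Sum(nil)
}

// verifyHost is step S32; an unknown host or a bad proof ends in S33.
func (v *Vault) verifyHost(host string, nonce, proof []byte) bool {
	secret, ok := v.hostSecrets[host]
	return ok && hmac.Equal(proof, HostProof(secret, host, nonce))
}

// PrivateKeyFor is step S04: the private key is released to a verified SSH client.
func (v *Vault) PrivateKeyFor(host string, nonce, proof []byte) (ed25519.PrivateKey, error) {
	if !v.verifyHost(host, nonce, proof) {
		return nil, fmt.Errorf("S33: client host %q failed identity verification", host)
	}
	return append(ed25519.PrivateKey(nil), v.priv...), nil
}

// PublicKeyFor is step S04': the public key is released to a verified SSH server.
func (v *Vault) PublicKeyFor(host string, nonce, proof []byte) (ed25519.PublicKey, error) {
	if !v.verifyHost(host, nonce, proof) {
		return nil, fmt.Errorf("S33: server host %q failed identity verification", host)
	}
	return append(ed25519.PublicKey(nil), v.pub...), nil
}

// Login runs steps S03 to S07 for one client host logging in to one server host.
func Login(v *Vault, client string, clientSecret []byte, server string, serverSecret []byte) (bool, error) {
	n1 := v.Nonce()
	priv, err := v.PrivateKeyFor(client, n1, HostProof(clientSecret, client, n1))
	if err != nil {
		return false, err
	}
	n2 := v.Nonce()
	pub, err := v.PublicKeyFor(server, n2, HostProof(serverSecret, server, n2))
	if err != nil {
		return false, err
	}
	challenge := randomBytes(32) // step S05: signature check stands in for SSH userauth
	return ed25519.Verify(pub, challenge, ed25519.Sign(priv, challenge)), nil // true is S06, false is S07
}

func main() {
	v, _ := NewVault()
	bastion, db := v.Enroll("bastion01"), v.Enroll("db01") // constructed host names
	fmt.Println(Login(v, "bastion01", bastion, "db01", db))
	fmt.Println(Login(v, "rogue", []byte("guess"), "db01", db))
}
```

Run as-is: the first output line reports a successful login (step S06), the second the S33 failure for a host that was never enrolled. Two properties are worth checking against this model. After `Rotate`, a private key released before the rotation no longer verifies against the public key a server fetches afterwards, which is what module 21 is meant to deliver. And step S04 still places the raw private key in the client's memory for the duration of the login, so rotation bounds that exposure rather than removing it; nothing in the patent's flow changes that.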
The embodiment also relates to a device implementing the method for centralized privilege management and dynamic host mutual trust authentication; its schematic structural diagram is shown in fig. 6. In fig. 6, the device includes a hosting unit 10, a mutual trust module installation unit 20, a login authentication unit 30, a private key providing unit 40, a public key providing unit 50, a matching unit 60, a login success unit 70 and a login failure unit 80. The hosting unit 10 is configured to host the public key and the private key in the privileged account security management system; the mutual trust module installation unit 20 is configured to install the SSH KEY host mutual trust module of the privileged account security management system; the login authentication unit 30 is configured to initiate an SSH KEY login and perform SSH KEY authentication; the private key providing unit 40 is configured to make the password vault of the privileged account security management system provide the private key to the SSH client; the public key providing unit 50 is configured to make the password vault provide the public key to the SSH server; the matching unit 60 is configured to perform identity matching authentication and judge whether the match succeeds; the login success unit 70 handles a successful login; the login failure unit 80 handles a failed login.
Compared with the SSH KEY mutual trust mechanism of the prior art, the device provided by the invention adopts automatic key rotation, dynamic provisioning and identity verification, providing a more complete and secure way to handle the generation, storage, rotation and delivery of privileged account keys; the key is no longer stored on the server where it could be stolen at will. At the same time, users no longer have to configure large numbers of authorized keys, since configuration work is centralized in the privileged account security management system; key security is ensured, configuration management is unified, centralized and standardized, the configuration and management workload is reduced and security is improved.
In this embodiment, the login authentication unit 30 further includes a request sending module 301, an identity verification module 302, a verification success module 303 and a verification failure module 304. The request sending module 301 is configured to make the SSH client send the SSH KEY host mutual trust module a request to obtain the private key from the password vault, or to make the SSH server send the SSH KEY host mutual trust module a request to obtain the public key from the password vault; the identity verification module 302 is configured to verify the identity of the SSH client or SSH server and judge whether the verification succeeds; the verification success module 303 is configured to hand over to the private key providing unit 40 or the public key providing unit 50; the verification failure module 304 handles a failed verification.
In short, the invention stores the public and private keys in the privileged account security management system and rotates them continuously, and delivers the SSH public and private keys dynamically through the module provided by the privileged account security management system, so that the public and private keys are never left on the server side. The invention secures the key while unifying, centralizing and standardizing configuration management, reduces the configuration and management workload, improves the security of centralized privilege management and realizes dynamic host mutual trust authentication.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents, improvements and the like that fall within the spirit and principle of the present invention are intended to be included therein.

Claims (6)

1. A method for privilege centralized management and dynamic host mutual trust authentication is characterized by comprising the following steps:
A) hosting the public key and the private key in a privileged account security management system;
B) installing an SSH KEY host mutual trust module of the privileged account security management system;
C) initiating SSH KEY login and executing SSH KEY authentication;
D) the password vault of the privileged account security management system provides a private key to the SSH client, and step E) is executed;
d') the password vault provides a public key to the SSH server side, and step E) is executed;
E) performing identity matching authentication, judging whether the matching is successful, if so, executing the step F); otherwise, executing step G);
F) the login is successful;
G) the login fails.
2. The method for privilege centralized management and dynamic host mutual trust authentication as claimed in claim 1, wherein said step C) further comprises:
C1) the SSH client initiates a request to the SSH KEY host mutual trust module for obtaining a private KEY from the password vault, or the SSH server initiates a request to the SSH KEY host mutual trust module for obtaining a public KEY from the password vault;
C2) verifying the identity of the SSH client or the SSH server, and judging whether the verification is successful, if so, executing step C3); otherwise, performing step C4);
C3) performing step D) or D');
C4) the verification fails.
3. The method for privilege centralized management and dynamic host mutual trust authentication as claimed in claim 1 or 2, wherein the privilege account security management system comprises:
a node management unit: used for constructing a directory tree that conforms to the enterprise organization structure and allowing different entitled users to manage their respective directories independently;
an account management unit: used for importing and hosting privileged accounts and for realizing account life cycle management centred on the privileged account itself;
an access control unit: used for subdividing the permission to use accounts, so that different users have different use permissions for different accounts;
a session monitoring unit: used for realizing video recording, monitoring, interception and auditing during the user's single sign-on session with an account;
an audit management unit: comprising a log query module used for providing log queries to the auditing department, where the log queries cover at least the use and management of accounts and changes to the platform;
an approval management unit: used for providing the user with approval capability over the account use process;
a system setting unit: used for providing the user with platform-wide account policy, connection policy, portal settings and self-editable attribute parameters;
the node management unit, the account management unit, the access control unit, the session monitoring unit, the audit management unit, the approval management unit and the system setting unit are connected with each other.
4. The method for privilege centralized management and dynamic host mutual trust authentication as claimed in claim 3, wherein the account management unit further comprises:
an account rotation module: used for carrying out automatic password rotation of the target privileged account according to the requirements of the enterprise management policy;
an embedded dependency synchronization module: used for replacing hard-coded passwords in enterprise applications, scripts and operation and maintenance tools with synchronization module code so that the passwords are not exposed, or, in push mode, for periodically pushing new passwords into the hard-coded configuration;
a single sign-on connection module: used for providing the user with one-click connection capability, allowing an administrator to distribute a client tool to users centrally, achieving a single sign-on effect, so that the password never reaches the user side and continuous monitoring and auditing capability is realized;
a fine-grained sharing module: used for providing the user with account-level fine-grained sharing capability;
the account rotation module, the embedded dependency synchronization module, the single sign-on connection module and the fine-grained sharing module are connected with one another.
5. An apparatus for implementing the method for privilege centralized management and dynamic host mutual trust authentication as claimed in claim 1, comprising:
a hosting unit: used for hosting the public key and the private key in a privileged account security management system;
a mutual trust module installation unit: used for installing the SSH KEY host mutual trust module of the privileged account security management system;
a login authentication unit: used for initiating SSH KEY login and executing SSH KEY authentication;
a private key providing unit: used for enabling the password vault of the privileged account security management system to provide a private key to the SSH client;
a public key providing unit: used for enabling the password vault to provide a public key to the SSH server;
a matching unit: used for carrying out identity matching authentication and judging whether the matching is successful;
a login success unit: for a successful login;
a login failure unit: for a failed login.
6. The apparatus of claim 5, wherein the login authentication unit further comprises:
a request sending module: used for enabling the SSH client to initiate a request to the SSH KEY host mutual trust module for obtaining a private KEY from the password vault, or enabling the SSH server to initiate a request to the SSH KEY host mutual trust module for obtaining a public KEY from the password vault;
an identity verification module: used for verifying the identity of the SSH client or the SSH server and judging whether the verification is successful;
a verification success module: used for proceeding to the private key providing unit or the public key providing unit;
a verification failure module: for handling a failed verification.
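The login sequence of claims 1 and 2 (steps C through G), as an added Go example that is not part of the patent or of any product it describes: an in-memory vault rotates an Ed25519 key pair, releases the private key (step D) or public key (step D') only to an identity it has verified (C2), and the server checks a signed challenge (step E) without either key ever being written to a server file. Vault, NewVault, Authenticate and the identity strings are assumed names; the Ed25519 pair stands in for the SSH key pair, and the example goes one step beyond the claims by showing that a private key retained from before a rotation stops validating.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Vault models the password vault: it holds the current SSH key pair and rotates it.
type Vault struct {
	pub     ed25519.PublicKey
	priv    ed25519.PrivateKey
	trusted map[string]bool // identities the mutual trust module will serve (step C2)
}

// NewVault registers the identities allowed to fetch keys and generates the first pair.
func NewVault(identities ...string) *Vault {
	v := &Vault{trusted: map[string]bool{}}
	for _, id := range identities {
		v.trusted[id] = true
	}
	v.Rotate()
	return v
}

// Rotate replaces the key pair; any copy of the old private key stops working.
func (v *Vault) Rotate() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand as entropy source
	v.pub, v.priv = pub, priv
}

// PrivateKeyFor is step D: the private key goes only to an identity verified in C2 (else C4).
func (v *Vault) PrivateKeyFor(identity string) (ed25519.PrivateKey, error) {
	if !v.trusted[identity] {
		return nil, errors.New("client identity verification failed")
	}
	return v.priv, nil
}

// PublicKeyFor is step D': the same check before the server receives the public key.
func (v *Vault) PublicKeyFor(identity string) (ed25519.PublicKey, error) {
	if !v.trusted[identity] {
		return nil, errors.New("server identity verification failed")
	}
	return v.pub, nil
}

// Authenticate is step E: the server issues a fresh challenge, the client signs it
// with the delivered private key, and the server verifies with the delivered public key.
func Authenticate(clientKey ed25519.PrivateKey, serverKey ed25519.PublicKey) bool {
	challenge := make([]byte, 32)
	_, _ = rand.Read(challenge) // constructed per-login nonce from crypto/rand
	return ed25519.Verify(serverKey, challenge, ed25519.Sign(clientKey, challenge))
}
```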
CN201910901761.7A 2019-09-23 2019-09-23 Method and device for privilege centralized management and realization of dynamic host mutual trust authentication Pending CN110708299A (en)


Publications (1)

Publication Number Publication Date
CN110708299A true CN110708299A (en) 2020-01-17




Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200117