CN113660283A - Validity authentication method and device

Info

Publication number
CN113660283A
Authority
CN
China
Prior art keywords
authentication
information
authenticated
configuration
bmc
Prior art date
Legal status
Pending
Application number
CN202110983607.6A
Other languages
Chinese (zh)
Inventor
熊定山
Current Assignee
New H3C Cloud Technologies Co Ltd
Original Assignee
New H3C Cloud Technologies Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L63/0884 Network architectures or network communication protocols for network security for authentication of entities by delegation of authentication, e.g. a proxy authenticates an entity to be authenticated on behalf of this entity vis-à-vis an authentication entity

Abstract

The specification provides a validity authentication method and device, and relates to the technical field of communication. The validity authentication method is applied to a BMC in a server and comprises the following steps: receiving an instruction message sent by a client, wherein the instruction message comprises information to be authenticated and an operation instruction, and the information to be authenticated comprises address information and user information of the client; sending the information to be authenticated to an authentication server so that the authentication server carries out validity authentication on the information to be authenticated according to the recorded authentication configuration; if the authentication is confirmed to pass, executing the operation instruction in the instruction message; and if the instruction message is determined not to pass the authentication, discarding the instruction message. By this method, the operation and maintenance efficiency of the server can be improved.

Description

Validity authentication method and device
Technical Field
The present disclosure relates to the field of communications technologies, and in particular, to a method and an apparatus for validity authentication.
Background
With the popularization of networks, server applications for the operation of bearer services and data storage are also increasingly widespread. In order to monitor and manage the server, a BMC (Baseboard Management Controller) is provided in the server to monitor various devices in the server and a system installed in the server.
In order to improve the security of server management, user information needs to be configured in the BMC in advance so that a user accessing the BMC can be authenticated. The user is therefore required to configure the BMC of each server one by one, which reduces the efficiency of operation and maintenance of the servers.
Disclosure of Invention
In order to overcome the problems in the related art, the present specification provides a method and an apparatus for legitimacy authentication.
In combination with the first aspect of the embodiments of the present specification, the present application provides a validity authentication method, applied to a BMC in a server, including:
receiving an instruction message sent by a client, wherein the instruction message comprises information to be authenticated and an operation instruction, and the information to be authenticated comprises address information and user information of the client;
sending the information to be authenticated to an authentication server so that the authentication server carries out validity authentication on the information to be authenticated according to the recorded authentication configuration;
if the authentication is confirmed to pass, executing an operation instruction in the instruction message;
and if the command message is determined not to pass the authentication, discarding the command message.
Optionally, the authentication configuration includes a first corresponding relationship between the user information and the address information of the client, and a second corresponding relationship between the operation authority and the user information;
sending the information to be authenticated to an authentication server, comprising:
judging whether the information to be authenticated hits local configuration, wherein a third corresponding relation between the user information and the address information of the client side which pass the authentication and a fourth corresponding relation between the user information and the operation authority which pass the authentication are recorded in the local configuration;
if the local configuration is not hit, the information to be authenticated is sent to an authentication server;
if the local configuration is hit, executing an operation instruction in the instruction message;
after the authentication is confirmed to pass, the method further includes:
and updating the third corresponding relation and/or the fourth corresponding relation in the local configuration according to the information to be authenticated and the corresponding operation authority.
Optionally, a retention time is further recorded in the third corresponding relationship and/or the fourth corresponding relationship;
the method further comprises the following steps:
and if the time counted for a corresponding item exceeds the holding time, clearing the timed-out corresponding item from the third corresponding relation and/or the fourth corresponding relation.
Optionally, the interface for receiving the instruction packet is a Redfish interface or an IPMI interface.
In combination with the second aspect of the embodiments of the present specification, the present application provides a validity authentication method, applied to an authentication server, including:
receiving to-be-authenticated information sent by a BMC of a server, wherein the to-be-authenticated information comprises address information and user information of a client;
judging whether the information to be authenticated hits the recorded authentication configuration;
if the recorded authentication configuration is hit, informing the BMC that the authentication is passed so that the BMC executes the operation instruction carried in the instruction message;
if the recorded authentication configuration is not hit, the BMC is informed of failing to pass the authentication, so that the BMC discards the instruction message.
Optionally, the authentication configuration includes a first corresponding relationship between the user information and the address information of the client, and a second corresponding relationship between the operation authority and the user information;
judging whether the information to be authenticated hits the recorded authentication configuration, including:
judging whether address information of a client and user information carried in information to be authenticated hit a first corresponding relation in authentication configuration or not;
judging whether the user information and the operation instruction carried in the information to be authenticated hit the second corresponding relation in the authentication configuration or not;
the first corresponding relation and the second corresponding relation are respectively hit on the basis of the information to be authenticated and the operation instruction, and the first corresponding relation and/or the second corresponding relation are not hit on the basis of the information to be authenticated and the operation instruction.
In combination with the third aspect of the embodiments of the present specification, the present application provides a validity authentication apparatus applied to a BMC in a server, including:
the apparatus comprises a receiving unit, a sending unit and a processing unit, wherein the receiving unit is used for receiving an instruction message sent by a client, the instruction message comprises information to be authenticated and an operation instruction, and the information to be authenticated comprises address information and user information of the client;
the sending unit is used for sending the information to be authenticated to the authentication server so that the authentication server carries out validity authentication on the information to be authenticated according to the recorded authentication configuration;
the processing unit is used for executing the operation instruction in the instruction message if the authentication is confirmed to pass; and if the command message is determined not to pass the authentication, discarding the command message.
Optionally, the authentication configuration includes a first corresponding relationship between the user information and the address information of the client, and a second corresponding relationship between the operation authority and the user information;
a transmitting unit comprising:
the judging module is used for judging whether the information to be authenticated hits local configuration, wherein the local configuration comprises a third corresponding relation between the user information and the address information of the client side which pass the authentication and a fourth corresponding relation between the user information and the operation authority which pass the authentication; if the local configuration is not hit, the information to be authenticated is sent to an authentication server; if the local configuration is hit, executing an operation instruction in the instruction message;
the device also comprises:
and the recording unit is used for updating the third corresponding relation and/or the fourth corresponding relation according to the information to be authenticated and the corresponding operation authority in the local configuration.
Optionally, a holding time is further recorded in the third corresponding relation and/or the fourth corresponding relation;
the device also comprises:
and the clearing unit is used for clearing the timed-out corresponding item from the third corresponding relation and/or the fourth corresponding relation if the time counted for the item exceeds the holding time.
Optionally, the interface for receiving the instruction packet is a Redfish interface or an IPMI interface.
In combination with the fourth aspect of the embodiments of the present specification, the present application provides a validity authentication apparatus applied to an authentication server, including:
the apparatus comprises a receiving unit, a judging unit and a notification unit, wherein the receiving unit is used for receiving information to be authenticated sent by a BMC of a server, and the information to be authenticated comprises address information and user information of a client;
the judging unit is used for judging whether the information to be authenticated hits the recorded authentication configuration;
the notification unit is used for notifying the BMC that the authentication is passed if the recorded authentication configuration is hit, so that the BMC executes the operation instruction carried in the instruction message; if the recorded authentication configuration is not hit, the BMC is informed of failing to pass the authentication, so that the BMC discards the instruction message.
Optionally, the authentication configuration includes a first corresponding relationship between the user information and the address information of the client, and a second corresponding relationship between the operation authority and the user information;
a determination unit including:
the user judging module is used for judging whether address information of the client and user information carried in the information to be authenticated hit a first corresponding relation in the authentication configuration or not;
the authority judgment module is used for judging whether the user information and the operation instruction carried in the information to be authenticated hit the second corresponding relation in the authentication configuration or not;
the first corresponding relation and the second corresponding relation are respectively hit on the basis of the information to be authenticated and the operation instruction, and the first corresponding relation and/or the second corresponding relation are not hit on the basis of the information to be authenticated and the operation instruction.
The technical scheme provided by the implementation mode of the specification can have the following beneficial effects:
in the implementation manner of this specification, the BMC obtains the address information and the user information of the client carried in the instruction packet, and sends the information to be authenticated carried with the address information and the user information to the authentication server for authentication, so that the authentication server performs remote centralized authentication on the configured server, and the efficiency of performing operation and maintenance on the server is improved.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the specification.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present specification and together with the description, serve to explain the principles of the specification.
FIG. 1 is a flow chart of a validity authentication method according to the present application, applicable to a BMC of a server;
FIG. 2 is a schematic networking diagram of a validity authentication method according to an embodiment of the present application;
FIG. 3 is a flow chart of a validity authentication method according to the present application, applicable to an authentication server;
FIG. 4 is a schematic diagram of a validity authentication apparatus according to the present application, applicable to a BMC of a server;
FIG. 5 is a schematic diagram of a validity authentication apparatus according to the present application, applicable to an authentication server.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present specification.
The application provides a validity authentication method, which is applied to a BMC in a server, as shown in fig. 1, and includes:
S100, receiving an instruction message sent by a client.
In the networking shown in FIG. 2, the network includes a server, an authentication server and a client, and a user can access the server through the client to monitor it. The server is provided with a mainboard on which the BMC is arranged, and various interfaces for server monitoring, such as a login interface for authenticating the validity of an access and an operation interface for managing the server, are stored in the storage space of the BMC. The BMC is configured with a management IP (Internet Protocol) address; a user may enter this address on a client, for example in a browser opened on the client, which generates an access request and sends it to the BMC of the server. When the BMC receives the access request, it reads the login interface from its storage space and sends the related information, such as the login interface, to the client so that the login interface can be displayed in the client's browser.
On the login interface, the user may enter user information, including a username and password. At this time, the client may generate an instruction packet based on the user information, where the instruction packet may be referred to as an access packet, and is used to implement access of the user to the BMC. However, the type of the instruction message is not limited to this, and the instruction message may be an operation message generated based on an operation instruction input by the user on the operation interface after the user logs in to the BMC. For example, the operation instruction may be, without limitation, configuration of a parameter of the device, configuration of a state of the device, and the like.
The generated instruction message can be transmitted through an Interface and the like which are mutually communicated between the client and the BMC of the server, and the Interface for receiving the instruction message is a Redfish Interface or an IPMI (Intelligent Platform Management Interface).
When the instruction message is transmitted through the Redfish interface, it is transmitted using HTTP (Hypertext Transfer Protocol) or HTTPS (HTTP over Secure Socket Layer).
When the instruction message is transmitted through the IPMI interface, the content of the instruction message is carried in coded form.
No matter a Redfish interface is adopted or an IPMI interface is adopted, user information, address information and an operation instruction can be carried in the instruction message, wherein the user information and the address information can be called information to be authenticated. The user information may include a user name and a password, the address information may include an IP address or an IP address and a MAC (Media Access Control) address, and the operation command may include an operation object, operation content, and the like. If the BMCs of the client and the server are in different network segments, the address information may not include the MAC address.
After the BMC receives the instruction message, the information to be authenticated and the operation instruction can be acquired therefrom.
S101, the information to be authenticated is sent to an authentication server, so that the authentication server carries out validity authentication on the information to be authenticated according to the recorded authentication configuration.
After the information to be authenticated is acquired, since the authentication configuration is not stored locally on the server, that is, in the BMC, the information to be authenticated needs to be validated by the authentication server. At this time, the BMC may extract the information to be authenticated (i.e., user information and address information) from the instruction message, construct an authentication message carrying the information to be authenticated, and send the authentication message to the authentication server for validity authentication.
In this way, the authentication server can confirm the validity of the user based on the received information to be authenticated and the authentication configuration uniformly configured on the authentication server. The authentication configuration may be set in the form of a table in which a first corresponding relationship between the user information and the address information of the client is recorded; through the first corresponding relationship, the user information is bound to the client operated by the user, so the user has to monitor the server through an authorized client. After the client and the user have been checked, the authentication result is fed back to the BMC to inform it whether the last instruction message passed the authentication.
And S102, if the authentication is confirmed to be passed, executing the operation instruction in the instruction message.
S103, if the authentication is not passed, discarding the instruction message.
When the authentication passes, the BMC executes the operation instruction carried in the instruction message, such as performing the corresponding configuration on the server or acquiring state information; any operation that the BMC can carry out can be realized in this manner, and the operations are not limited to these examples.
In the implementation manner of this specification, the BMC obtains the address information and the user information of the client carried in the instruction packet, and sends the information to be authenticated carried with the address information and the user information to the authentication server for authentication, so that the authentication server performs remote centralized authentication on the configured server, and the efficiency of performing operation and maintenance on the server is improved.
Besides authenticating the login operation of the user on the client, different operation permissions can be configured for different users; for example, permission for acquiring state information of a device in the server can be configured for user A, and permission for modifying a BIOS (Basic Input Output System) parameter of the server can be configured for user B.
In order to be able to distinguish the rights owned by different users, a second correspondence between user information and operation rights is included in addition to the first correspondence included in the authentication configuration. It is understood that, through the first corresponding relationship, it may be determined whether the user can access the BMC, and through the second corresponding relationship, it may be determined what operation the user may perform on the server.
Moreover, since the user may configure the server through the BMC multiple times during accessing the BMC, a large amount of time may be consumed if the user needs to repeatedly request authentication from the authentication server. Therefore, in order to further improve the efficiency of monitoring and managing the server, optionally, step S101 of sending the information to be authenticated to the authentication server includes:
S101A, judging whether the information to be authenticated hits local configuration;
S101B, if the local configuration is not hit, the information to be authenticated is sent to an authentication server;
S101C, if the local configuration is hit, executing the operation instruction in the instruction message.
Before sending the information to be authenticated to the authentication server, the BMC may make a determination based on the local configuration it stores. The local configuration of the BMC may be configured manually by a user, or may be recorded when the BMC determines, based on the notification message fed back by the authentication server after the validity authentication, that the information to be authenticated sent to the authentication server has passed authentication; the local configuration is not limited to these sources.
The BMC receives the instruction packet and extracts the information to be authenticated from the instruction packet, and at this time, if the user accesses the BMC for the first time within a period of time, the corresponding relationship between the user information and the address information carried in the information to be authenticated, that is, the third corresponding relationship may not be recorded in the local configuration. Then, the BMC may determine that the information to be authenticated needs to be sent to the authentication server for validity authentication.
After the authentication server realizes authentication based on the information to be authenticated, a notification message is fed back to the BMC of the server, and the notification message can contain two authentication results, namely passing authentication or failing authentication.
If the BMC determines that the information to be authenticated passes the authentication according to the notification message, the BMC can feed back the operation interface to the client, so that the client can jump from the login interface to the operation interface, and the server can be monitored and managed based on the operation interface. And if the instruction message also contains an operation instruction for the functional module, executing corresponding operation.
If the BMC determines that the information to be authenticated is not authenticated according to the notification message, the BMC can directly discard the instruction message and feed back an alarm such as non-authentication to the client.
After the authentication is confirmed to pass in step S102, the method further includes:
and S104, updating the third corresponding relation and/or the fourth corresponding relation according to the information to be authenticated and the corresponding operation authority in the local configuration.
In the authentication configuration of the authentication server, an operation authority for the user, that is, a second correspondence between the operation authority and the user information may be further set, and after the authentication server determines that the information to be authenticated passes the authentication, the information to be authenticated and the operation authority may be carried in a notification message and sent to the BMC. When the BMC acquires the information to be authenticated and the operation right according to the notification message, the corresponding items including the user information and the client address information may be generated in the locally configured third corresponding relationship, and the corresponding items including the user information and the operation right may be generated in the fourth corresponding relationship, respectively, thereby completing the update of the third corresponding relationship and the fourth corresponding relationship.
In this way, on the basis of the authentication performed by the authentication server, the authentication server informs the BMC of the authentication result through the exchange of messages, so that the BMC can record the authenticated user information, the address information of the client, the operation authority and other contents in the local configuration. When the BMC later receives an instruction message that hits the local configuration, it does not need to request authentication from the authentication server again but completes the validity authentication directly and executes the operation instruction, which improves the efficiency of monitoring and managing the server.
Because the storage space of the BMC is limited, the stored corresponding items gradually increase during the long-term operation of the server, which may cause the storage space of the BMC to become insufficient. Optionally, a holding time is further recorded in the third corresponding relationship and/or the fourth corresponding relationship; for example, the third corresponding relationship and the fourth corresponding relationship may each include a holding time, and the holding time of each item may be five minutes, meaning that after one authentication has passed, the BMC does not need to request authentication from the authentication server again within five minutes for the same information to be authenticated, or for the same information to be authenticated and the same operation authority. Within the holding time, the BMC matches the information to be authenticated against the local configuration, and if a hit corresponding item exists, directly executes the operation instruction in the instruction message.
The method further comprises the following steps:
and S105, if the time counted for a corresponding item exceeds the holding time, clearing the timed-out corresponding item from the third corresponding relation and/or the fourth corresponding relation.
After the BMC receives the notification message sent by the authentication server and updates the third corresponding relationship and the fourth corresponding relationship in the local configuration, the BMC may start timing for the updated corresponding item, and clear the overtime corresponding item from the third corresponding relationship and/or the fourth corresponding relationship when the timing time is exceeded, so as to release part of the storage space for storing the new corresponding item, thereby avoiding a user who does not perform server management currently or an operation right that is not used temporarily from occupying the storage space of the BMC excessively.
Correspondingly, the present application provides a validity authentication method, applied to an authentication server, as shown in fig. 3, including:
S200, receiving information to be authenticated sent by the BMC of the server.
S201, judging whether the information to be authenticated hits the recorded authentication configuration.
After the BMC receives the instruction message sent by the user through the client, the information to be authenticated is obtained from the instruction message, and the information to be authenticated is sent to the authentication server for authentication. The information to be authenticated comprises address information and user information of the client.
In addition to the information to be authenticated, the BMC may also send the operation instruction in the instruction message to the authentication server. After receiving the operation instruction, the authentication server can check the operation authority of the user, and only a user with the corresponding operation authority is allowed to execute the operation on the BMC.
And S202, if the recorded authentication configuration is hit, informing the BMC that the authentication is passed so that the BMC executes the operation instruction carried in the instruction message.
S203, if the recorded authentication configuration is not hit, the BMC is notified that the authentication is not passed, so that the BMC discards the instruction packet.
In the process of carrying out validity authentication on information to be authenticated by the authentication server, the validity of the user and the operation authority of the user can be authenticated respectively, so that the authentication configuration comprises a first corresponding relation between the user information and the address information of the client, and also comprises a second corresponding relation between the operation authority and the user information.
Correspondingly, in the process of authentication by the authentication server, two judgments need to be performed, that is, whether the user meets the legitimacy and has a corresponding operation authority is judged, and for the two judgments, the authentication server can pass the authentication when the user meets the legality and has the corresponding operation authority.
Step S201, determining whether the information to be authenticated hits the recorded authentication configuration, includes:
S201A, judging whether the address information of the client and the user information carried in the information to be authenticated hit the first corresponding relation in the authentication configuration.
S201B, judging whether the user information and the operation instruction carried in the information to be authenticated hit the second corresponding relation in the authentication configuration.
The authentication recorded by hit is configured to hit the first corresponding relation and the second corresponding relation respectively based on the information to be authenticated and the operation instruction, and the authentication recorded by miss is configured to miss the first corresponding relation and/or the second corresponding relation based on the information to be authenticated and the operation instruction.
That is, when the authentication server performs authentication, it is necessary to confirm the validity of the user based on the user information and the address information of the client, and determine whether or not the operation performed by the user is permitted based on the user information and the operation authority, respectively. The first corresponding relationship and the second corresponding relationship may be recorded in two tables, or may be recorded in one table, which is not limited to this.
In the process of authentication by the authentication server, if only one corresponding relation can be matched, the authentication configuration is not hit, and if the two corresponding relations can be respectively matched, the authentication configuration, the information to be authenticated or the information to be authenticated and the operation authority pass the authentication. Otherwise, the information to be authenticated, or the information to be authenticated and the operation authority may not be authenticated.
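The two-table check on the authentication server (S201A/S201B) together with the BMC-side local configuration and its retention-time expiry (S105 above), as an added Python example; it is not the patent's code, and the dictionary layout, class names and the sample user, address and operation are constructed assumptions.

```python
"""Two-stage validity check for BMC management commands (added example).

The authentication server holds the first correspondence (user -> client
addresses) and the second correspondence (user -> permitted operations);
the BMC holds the third and fourth correspondences as a local cache with a
retention time and falls back to the server on a cache miss.  Table
layout, class names and all sample values are constructed assumptions,
not the patent's code.
"""
from dataclasses import dataclass
import time


@dataclass(frozen=True)
class Request:
    """One instruction message as the BMC sees it."""
    client_addr: str  # address information of the client
    user: str         # user information
    operation: str    # operation instruction, e.g. a Redfish action name


class AuthServer:
    def __init__(self, first, second):
        # first:  {user: {client_addr, ...}}  (user <-> client address)
        # second: {user: {operation, ...}}    (user <-> operation authority)
        self.first = first
        self.second = second

    def authenticate(self, req):
        """S201A and S201B: both correspondences must hit (S202); a miss
        in either one is a miss of the whole configuration (S203)."""
        user_ok = req.client_addr in self.first.get(req.user, set())
        op_ok = req.operation in self.second.get(req.user, set())
        return user_ok and op_ok


class BMC:
    def __init__(self, server, retention_s, clock=time.monotonic):
        self.server = server
        self.retention_s = retention_s
        self.clock = clock          # injectable so expiry can be tested
        self.third = {}             # (user, client_addr) -> time recorded
        self.fourth = {}            # (user, operation)   -> time recorded
        self.remote_queries = 0     # how often the server was consulted

    def _purge_expired(self):
        """S105: drop items whose timer has exceeded the retention time.
        Timing starts when the item is recorded and is not refreshed on a
        local hit, matching the description above."""
        now = self.clock()
        for table in (self.third, self.fourth):
            for key, recorded in list(table.items()):
                if now - recorded > self.retention_s:
                    del table[key]

    def handle(self, req):
        """Return "executed" or "discarded" for one instruction message."""
        self._purge_expired()
        # Local hit requires both cached correspondences for this request.
        if (req.user, req.client_addr) in self.third and \
                (req.user, req.operation) in self.fourth:
            return "executed"
        # Local miss: ask the authentication server.
        self.remote_queries += 1
        if not self.server.authenticate(req):
            return "discarded"      # S203: drop the instruction message
        # Update the local configuration with only what the server approved.
        now = self.clock()
        self.third[(req.user, req.client_addr)] = now
        self.fourth[(req.user, req.operation)] = now
        return "executed"


if __name__ == "__main__":
    # Constructed sample configuration: one operator allowed from one host.
    srv = AuthServer({"ops": {"10.0.0.5"}}, {"ops": {"Reset"}})
    bmc = BMC(srv, retention_s=60)
    print(bmc.handle(Request("10.0.0.5", "ops", "Reset")))   # executed
    print(bmc.handle(Request("10.0.0.9", "ops", "Reset")))   # discarded
```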
Correspondingly, the present application provides a validity authentication apparatus applied to a BMC in a server, as shown in Fig. 4, including:
a receiving unit, configured to receive an instruction message sent by a client, wherein the instruction message comprises information to be authenticated and an operation instruction, and the information to be authenticated comprises address information and user information of the client;
a sending unit, configured to send the information to be authenticated to the authentication server, so that the authentication server performs validity authentication on the information to be authenticated according to the recorded authentication configuration;
a processing unit, configured to execute the operation instruction in the instruction message if the authentication is confirmed to have passed, and to discard the instruction message if it is determined not to have passed authentication.
Optionally, the authentication configuration includes a first correspondence between the user information and the address information of the client, and a second correspondence between the operation authority and the user information;
the sending unit includes:
a judging module, configured to judge whether the information to be authenticated hits the local configuration, wherein the local configuration records a third correspondence between authenticated user information and client address information and a fourth correspondence between authenticated user information and operation authority; if the local configuration is not hit, the information to be authenticated is sent to the authentication server; if the local configuration is hit, the operation instruction in the instruction message is executed;
the apparatus further includes:
a recording unit, configured to update the third correspondence and/or the fourth correspondence in the local configuration according to the information to be authenticated and the corresponding operation authority.
Further, a retention time is recorded in the third correspondence and/or the fourth correspondence;
the apparatus further includes:
a clearing unit, configured to clear the expired item from the third correspondence and/or the fourth correspondence if the timed duration exceeds the retention time.
Optionally, the interface for receiving the instruction message is a Redfish interface or an IPMI interface.
Correspondingly, the present application provides a validity authentication apparatus applied to an authentication server, as shown in Fig. 5, including:
a receiving unit, configured to receive information to be authenticated sent by the BMC of a server, wherein the information to be authenticated comprises address information and user information of a client;
a judging unit, configured to judge whether the information to be authenticated hits the recorded authentication configuration;
a notification unit, configured to notify the BMC that authentication has passed if the recorded authentication configuration is hit, so that the BMC executes the operation instruction carried in the instruction message, and to notify the BMC that authentication has not passed if the recorded authentication configuration is not hit, so that the BMC discards the instruction message.
Optionally, the authentication configuration includes a first correspondence between the user information and the address information of the client, and a second correspondence between the operation authority and the user information;
the judging unit includes:
a user judging module, configured to judge whether the address information of the client and the user information carried in the information to be authenticated hit the first correspondence in the authentication configuration;
an authority judging module, configured to judge whether the user information carried in the information to be authenticated and the operation instruction hit the second correspondence in the authentication configuration;
wherein hitting the recorded authentication configuration means that the information to be authenticated and the operation instruction hit both the first correspondence and the second correspondence, and missing the recorded authentication configuration means that they miss the first correspondence and/or the second correspondence.
The technical solution provided by the embodiments of this specification can have the following beneficial effects:
In the embodiments of this specification, the BMC obtains the address information and the user information of the client carried in the instruction message, and sends information to be authenticated carrying that address information and user information to the authentication server for authentication. The authentication server thus performs remote, centralized authentication for the configured servers, which improves the efficiency of server operation and maintenance.
It will be understood that the present description is not limited to the precise arrangements described above and shown in the drawings, and that various modifications and changes may be made without departing from the scope thereof.
The above description is only for the purpose of illustrating the preferred embodiments of the present disclosure and is not to be construed as limiting the present disclosure, and any modifications, equivalents, improvements, etc. made within the spirit and principle of the present disclosure are intended to be included within the scope of the present disclosure.

Claims (12)

1. A validity authentication method, applied to a Baseboard Management Controller (BMC) in a server, comprising:
receiving an instruction message sent by a client, wherein the instruction message comprises information to be authenticated and an operation instruction, and the information to be authenticated comprises address information and user information of the client;
sending the information to be authenticated to an authentication server, so that the authentication server performs validity authentication on the information to be authenticated according to a recorded authentication configuration;
if the authentication is confirmed to have passed, executing the operation instruction in the instruction message;
if the instruction message is determined not to have passed authentication, discarding the instruction message.
2. The method according to claim 1, wherein the authentication configuration comprises a first correspondence between the user information and the address information of the client and a second correspondence between an operation authority and the user information;
sending the information to be authenticated to the authentication server comprises:
judging whether the information to be authenticated hits a local configuration, wherein the local configuration comprises a third correspondence between authenticated user information and client address information and a fourth correspondence between authenticated user information and the operation authority;
if the local configuration is not hit, sending the information to be authenticated to the authentication server;
if the local configuration is hit, executing the operation instruction in the instruction message;
after the authentication is confirmed to have passed, the method further comprises:
updating the third correspondence and/or the fourth correspondence in the local configuration according to the information to be authenticated and the corresponding operation authority.
3. The method according to claim 2, wherein a retention time is further recorded in the third correspondence and/or the fourth correspondence;
the method further comprises:
if the timed duration of an item exceeds the retention time, clearing the expired item from the third correspondence and/or the fourth correspondence.
4. The method according to claim 1, wherein the interface for receiving the instruction message is a Redfish interface or an IPMI (Intelligent Platform Management Interface) interface.
5. A validity authentication method, applied to an authentication server, comprising:
receiving information to be authenticated sent by a BMC of a server, wherein the information to be authenticated comprises address information and user information of a client;
judging whether the information to be authenticated hits a recorded authentication configuration;
if the recorded authentication configuration is hit, notifying the BMC that the authentication has passed, so that the BMC executes the operation instruction carried in the instruction message;
if the recorded authentication configuration is not hit, notifying the BMC that the authentication has not passed, so that the BMC discards the instruction message.
6. The method according to claim 5, wherein the authentication configuration comprises a first correspondence between the user information and the address information of the client and a second correspondence between an operation authority and the user information;
judging whether the information to be authenticated hits the recorded authentication configuration comprises:
judging whether the address information of the client and the user information carried in the information to be authenticated hit the first correspondence in the authentication configuration;
judging whether the user information carried in the information to be authenticated and the operation instruction hit the second correspondence in the authentication configuration;
wherein hitting the recorded authentication configuration means that the information to be authenticated and the operation instruction hit both the first correspondence and the second correspondence, and missing the recorded authentication configuration means that they miss the first correspondence and/or the second correspondence.
7. A validity authentication apparatus, applied to a BMC in a server, comprising:
a receiving unit, configured to receive an instruction message sent by a client, wherein the instruction message comprises information to be authenticated and an operation instruction, and the information to be authenticated comprises address information and user information of the client;
a sending unit, configured to send the information to be authenticated to an authentication server, so that the authentication server performs validity authentication on the information to be authenticated according to a recorded authentication configuration;
a processing unit, configured to execute the operation instruction in the instruction message if the authentication is confirmed to have passed, and to discard the instruction message if it is determined not to have passed authentication.
8. The apparatus according to claim 7, wherein the authentication configuration comprises a first correspondence between the user information and the address information of the client and a second correspondence between an operation authority and the user information;
the sending unit comprises:
a judging module, configured to judge whether the information to be authenticated hits a local configuration, wherein the local configuration records a third correspondence between authenticated user information and client address information and a fourth correspondence between authenticated user information and the operation authority; if the local configuration is not hit, the information to be authenticated is sent to the authentication server; if the local configuration is hit, the operation instruction in the instruction message is executed;
the apparatus further comprises:
a recording unit, configured to update the third correspondence and/or the fourth correspondence in the local configuration according to the information to be authenticated and the corresponding operation authority.
9. The apparatus according to claim 8, wherein a retention time is further recorded in the third correspondence and/or the fourth correspondence;
the apparatus further comprises:
a clearing unit, configured to clear the expired item from the third correspondence and/or the fourth correspondence if the timed duration exceeds the retention time.
10. The apparatus according to claim 7, wherein the interface for receiving the instruction message is a Redfish interface or an IPMI interface.
11. A validity authentication apparatus, applied to an authentication server, comprising:
a receiving unit, configured to receive information to be authenticated sent by a BMC of a server, wherein the information to be authenticated comprises address information and user information of a client;
a judging unit, configured to judge whether the information to be authenticated hits a recorded authentication configuration;
a notification unit, configured to notify the BMC that the authentication has passed if the recorded authentication configuration is hit, so that the BMC executes the operation instruction carried in the instruction message, and to notify the BMC that the authentication has not passed if the recorded authentication configuration is not hit, so that the BMC discards the instruction message.
12. The apparatus according to claim 11, wherein the authentication configuration comprises a first correspondence between the user information and the address information of the client and a second correspondence between an operation authority and the user information;
the judging unit comprises:
a user judging module, configured to judge whether the address information of the client and the user information carried in the information to be authenticated hit the first correspondence in the authentication configuration;
an authority judging module, configured to judge whether the user information carried in the information to be authenticated and the operation instruction hit the second correspondence in the authentication configuration;
wherein hitting the recorded authentication configuration means that the information to be authenticated and the operation instruction hit both the first correspondence and the second correspondence, and missing the recorded authentication configuration means that they miss the first correspondence and/or the second correspondence.
Application CN202110983607.6A, priority date 2021-08-25, filing date 2021-08-25: Validity authentication method and device (pending).

Publication CN113660283A (en), published 2021-11-16.


Legal Events

PB01 Publication
SE01 Entry into force of request for substantive examination