CN113852681A - Gateway authentication method and device and security gateway equipment - Google Patents


Info

Publication number: CN113852681A
Authority: CN (China)
Prior art keywords: ssh, authentication, server, client, connection request
Legal status: Pending (Google's listed status is an assumption, not a legal conclusion)
Application number: CN202111109145.1A
Other languages: Chinese (zh)
Inventors: 李元治, 闫凡
Current assignee: Sangfor Technologies Co Ltd
Original assignee: Sangfor Technologies Co Ltd

Classifications

    • H04L 67/141 Setup of application sessions (H04L 67/00 Network arrangements or protocols for supporting network services or applications; H04L 67/14 Session management)
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/1441 Countermeasures against malicious traffic (H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic)

Abstract

The invention discloses a gateway authentication method, a gateway authentication apparatus, a security gateway device and a readable storage medium. The method comprises the following steps: after acquiring an SSH connection request from a client, the security gateway device performs user identity authentication on the SSH connection request; if the user identity authentication succeeds, it acquires the user password that the client sends for the SSH connection request and forwards the user password to the SSH server so that the SSH server performs SSH authentication on it; if the SSH authentication succeeds, the SSH traffic between the client and the SSH server is forwarded. The invention uses the security gateway device as an intermediary between the client and the SSH server to pre-authenticate the user identity, realizes zero-trust authentication for the SSH servers of the internal network and dual authentication of the SSH connection, can effectively prevent SSH password brute-force attacks, and improves the security of SSH connections.

Description

Gateway authentication method and device and security gateway equipment
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a gateway authentication method and apparatus, a security gateway device, and a readable storage medium.
Background
Currently, within an intranet, administrators and operations personnel usually use SSH (Secure Shell, a secure remote-access protocol) to connect to and manage host servers. Because SSH traffic is end-to-end encrypted, attackers are also interested in using SSH to hide their identity and behaviour. Moreover, the authentication restrictions of the SSH servers in an intranet are not uniform, so an attacker can take control of a host server by brute-forcing a weak SSH password.
Therefore, how to improve the security of SSH connections and prevent password brute-force attacks is a problem that needs to be solved.
Disclosure of Invention
The invention aims to provide a gateway authentication method, a gateway authentication apparatus, a security gateway device and a readable storage medium for improving the security of SSH connections and preventing password brute-force attacks.
To solve the above technical problem, the present invention provides a gateway authentication method, including:
after acquiring an SSH connection request from a client, a security gateway device performs user identity authentication on the SSH connection request;
if the user identity authentication succeeds, acquiring the user password that the client sends for the SSH connection request and forwarding the user password to an SSH server so that the SSH server performs SSH authentication on the user password; and
if the SSH authentication succeeds, determining that the client and the SSH server have completed the SSH connection, and forwarding SSH traffic between the client and the SSH server.
Optionally, performing user identity authentication on the SSH connection request includes:
performing user identity authentication on the SSH connection request using an admission server.
Optionally, performing user identity authentication on the SSH connection request using the admission server includes:
obtaining an admission QR code corresponding to the SSH connection request and sending it to the client; and
determining the user identity authentication result from the scan authentication result returned by the admission server.
Optionally, performing user identity authentication on the SSH connection request using the admission server includes:
acquiring a verification code corresponding to the SSH connection request from the admission server and sending the verification code to the client;
receiving the verification code input result returned by the client and sending it to the admission server so that the admission server performs verification code authentication on it; and
determining the user identity authentication result from the verification code authentication result returned by the admission server.
Optionally, before acquiring the user password that the client sends for the SSH connection request, the method further includes:
the security gateway device negotiating encrypted communication information with the client, where the encrypted communication information comprises the plaintext version information, key information and cipher suite information;
correspondingly, acquiring the user password that the client sends for the SSH connection request includes:
decrypting the encrypted user password sent by the client to obtain the user password.
Optionally, forwarding the user password to the SSH server includes:
the security gateway device initiating an SSH connection to the SSH server using the user password so that the SSH server performs SSH authentication on the user password.
Optionally, after performing user identity authentication on the SSH connection request, the method further includes:
if the user identity authentication fails, discarding the SSH connection request.
The invention also provides a gateway authentication apparatus, applied to the security gateway device, comprising:
a zero-trust authentication module for performing user identity authentication on an SSH connection request after the SSH connection request of a client is acquired;
an SSH connection authentication module for, if the user identity authentication succeeds, acquiring the user password that the client sends for the SSH connection request and forwarding the user password to the SSH server so that the SSH server performs SSH authentication on the user password; and
an SSH connection forwarding module for, if the SSH authentication succeeds, determining that the client and the SSH server have completed the SSH connection and forwarding SSH traffic between the client and the SSH server.
The present invention also provides a security gateway device, comprising:
a memory for storing a computer program; and
a processor for implementing the steps of the gateway authentication method described above when executing the computer program.
Furthermore, the present invention also provides a readable storage medium on which a computer program is stored which, when executed by a processor, implements the steps of the gateway authentication method described above.
The invention provides a gateway authentication method comprising the following steps: after acquiring an SSH connection request from a client, the security gateway device performs user identity authentication on the SSH connection request; if the user identity authentication succeeds, it acquires the user password that the client sends for the SSH connection request and forwards it to the SSH server so that the SSH server performs SSH authentication on the user password; if the SSH authentication succeeds, it determines that the client and the SSH server have completed the SSH connection and forwards SSH traffic between them.
Thus, after the security gateway device acquires the client's SSH connection request it performs user identity authentication on that request; the security gateway device acts as an intermediary between the client and the SSH server to pre-authenticate the user identity, realizing zero-trust authentication for the SSH servers of the internal network. The user password is then forwarded to the SSH server so that the SSH server performs SSH authentication on it, realizing dual authentication for the SSH server, which can effectively prevent SSH password brute-force attacks and improves the security of SSH connections. In addition, the invention also provides a gateway authentication apparatus, a security gateway device and a readable storage medium, which have the same beneficial effects.
Drawings
To illustrate the embodiments of the present invention or the technical solutions in the prior art more clearly, the drawings used in the description of the embodiments or the prior art are briefly described below. The drawings in the following description are only embodiments of the present invention; those skilled in the art can obtain other drawings from the provided drawings without creative effort.
Fig. 1 is a flowchart of a gateway authentication method according to an embodiment of the present invention;
Fig. 2 is a flowchart illustrating another gateway authentication method according to an embodiment of the present invention;
Fig. 3 is a flowchart of another gateway authentication method according to an embodiment of the present invention;
Fig. 4 is a block diagram of a gateway authentication apparatus according to an embodiment of the present invention;
Fig. 5 is a schematic structural diagram of a security gateway device according to an embodiment of the present invention;
Fig. 6 is a schematic structural diagram of a security gateway device according to an embodiment of the present invention.
Detailed Description
To make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings. The described embodiments are only some, not all, of the embodiments of the present invention; all other embodiments that a person skilled in the art can derive from them without creative effort fall within the protection scope of the present invention.
Referring to Fig. 1, Fig. 1 is a flowchart of a gateway authentication method according to an embodiment of the present invention. The method may comprise the following steps:
Step 101: after acquiring the SSH connection request of the client, the security gateway device performs user identity authentication on the SSH connection request.
The security gateway device in this step may be a device that provides a security gateway for the SSH servers in the intranet. The client in this step may be a terminal device that initiates an SSH connection request to an SSH server in the intranet, such as the SSH client in Fig. 2.
It can be understood that in this step the security gateway device may serve as an intermediary between the client on the external network and the SSH server on the internal network: after intercepting and acquiring the client's SSH connection request to the SSH server, it performs user identity authentication on the user who initiated the request, thereby implementing zero-trust authentication for the SSH servers of the internal network.
Correspondingly, before this step the method provided by this embodiment may further include the security gateway device obtaining the client's SSH connection request to the SSH server; that is, the security gateway device may intercept and acquire SSH connection requests to SSH servers in the intranet that pass through the security gateway, and then perform user identity authentication on the user who initiated each request.
Specifically, the manner in which the security gateway device performs user identity authentication on the SSH connection request in this step may be set by the designer according to the practical scenario and user requirements. For example, the security gateway device may perform user identity authentication on the SSH connection request using an admission server, that is, it may authenticate the user who initiated the SSH connection request using an additional server (the admission server); for example, the security gateway device may use the admission server to authenticate the user by QR-code scan authentication or verification code authentication. The security gateway device may also perform user identity authentication on the SSH connection request by itself; for example, it may generate a verification code (such as an image verification code or a slider verification code) and send it to the client, and then check the verification code input result returned by the client to determine whether the user who initiated the SSH connection request is a computer program or a person, so as to screen out SSH connection requests from computer programs and prevent password brute-force attacks.
Correspondingly, the handling of the case in which the user identity authentication in this step fails may be set by the designer; for example, the security gateway device may directly discard the SSH connection request that failed authentication, or it may return the user identity authentication information to the client to prompt the user to reinitiate the SSH connection request.
Step 102: if the user identity authentication succeeds, acquire the user password that the client sends for the SSH connection request and forward the user password to the SSH server so that the SSH server performs SSH authentication on the user password.
It can be understood that in this step, after the SSH connection request has passed user identity authentication, the security gateway device may forward the user password sent by the client to the corresponding SSH server so that the SSH server can perform SSH authentication (i.e. password authentication) on the user password and determine whether the client may establish an SSH connection with the SSH server. That is, the security gateway device in this embodiment does not itself authenticate the user password for the SSH server, but acts as a broker that forwards the user password to the SSH server.
Specifically, the SSH server in this step may be the server in the intranet behind the security gateway to which the SSH connection request is directed, that is, the server with which the client requests an SSH connection through the security gateway device. The user password in this step may be the password required for the password authentication of the SSH connection; this embodiment does not limit the specific content of the user password, which may for example be set in the same or a similar manner as passwords for SSH authentication in the prior art.
It should be noted that the manner in which the security gateway device obtains the user password that the client sends for the SSH connection request in this step may be set by the designer according to the practical scenario and user requirements. For example, the security gateway device may decrypt the encrypted user password that the client sends for the SSH connection request to obtain the plaintext user password; in other words, the security gateway device may audit the encrypted SSH traffic. For example, after receiving the SSH connection request from the client, the security gateway device may negotiate the encrypted communication information (such as the plaintext version information, key information and cipher suite information) with the client so as to enable encrypted transmission and decryption of the user password. That is, the security gateway device may run an SSH broker server, direct SSH connections that pass through the security gateway in the intranet to the broker server port, respond to the connection, and complete the plaintext version exchange and the negotiation of keys and cipher suite, so that the encrypted SSH traffic can be decrypted at the broker server of the security gateway. Alternatively, the security gateway device may directly receive the encrypted user password that the client sends for the SSH connection request and forward the encrypted user password to the SSH server; this embodiment does not limit this.
Correspondingly, the manner in which the security gateway device forwards the user password to the SSH server in this step may be set by the designer according to the practical scenario and user requirements. For example, the security gateway device may initiate an SSH connection to the SSH server using the decrypted user password so that the SSH server performs SSH authentication on it; that is, the security gateway device may act as a broker client that initiates an SSH connection request to the SSH server and forwards to it the user password acquired in its role as broker server, so that the SSH server can perform SSH authentication on the user password. The security gateway device may also directly forward the encrypted user password to the SSH server so that the SSH server decrypts the user password itself and performs SSH authentication; for example, after the client's SSH connection request has passed user identity authentication, the security gateway device may forward the SSH connection request to the SSH server and then directly forward the encrypted user password subsequently sent by the client to the SSH server. This embodiment does not set any limit on this.
Specifically, the way in which the SSH server performs SSH authentication on the user password in this embodiment may be set by the designer according to the practical scenario and user requirements; for example, the SSH authentication may be implemented in the same or a similar way as the password authentication of SSH connections in the prior art, which this embodiment does not limit.
Step 103: if the SSH authentication succeeds, determine that the client and the SSH server have completed the SSH connection, and forward the SSH traffic between the client and the SSH server.
It can be understood that in this step, after the user password has passed SSH authentication, the security gateway device may determine that the client and the SSH server have completed the SSH connection, enter the SSH connection layer, and act as a broker that forwards all requests and responses (i.e. the SSH traffic) between the client and the SSH server.
Correspondingly, as shown in Fig. 2, in this step the security gateway device may forward the password-accepted response returned by the SSH server to the client so that the client may carry out subsequent SSH communication. If the SSH authentication in this step fails, the security gateway device may forward the password-rejected response returned by the SSH server to the client so that the client may resend the user password or reinitiate the SSH connection request.
Specifically, the manner in which the security gateway device forwards the SSH traffic between the client and the SSH server in this step may be set by the designer; for example, the security gateway device may decrypt the encrypted SSH traffic received from the client and forward the decrypted traffic to the SSH server, and encrypt the SSH traffic sent by the SSH server before forwarding it to the client.
In the embodiment of the invention, after the security gateway device acquires the client's SSH connection request it performs user identity authentication on that request; the security gateway device acts as an intermediary between the client and the SSH server to pre-authenticate the user identity, realizing zero-trust authentication for the SSH servers of the internal network. The user password is then forwarded to the SSH server so that the SSH server performs SSH authentication on it, realizing dual authentication for the SSH server, which can effectively prevent SSH password brute-force attacks and improves the security of SSH connections.
Based on the above embodiment, refer to Fig. 3, which is a flowchart of another gateway authentication method according to an embodiment of the present invention. The method may comprise the following steps:
Step 201: after the security gateway device acquires the SSH connection request of the client, it uses the admission server to perform user identity authentication on the SSH connection request.
In this step, the security gateway device may act as a broker server: after intercepting and acquiring the client's SSH connection request to the SSH server of the intranet, it uses the admission server to authenticate the user who initiated the SSH connection request, thereby implementing zero-trust authentication for the SSH servers of the intranet.
Specifically, the manner in which the security gateway device performs user identity authentication on the SSH connection request using the admission server in this step may be set by the designer according to the practical scenario and user requirements. As shown in Fig. 2, the security gateway device may use the admission server to perform QR-code scan authentication of the user identity for the SSH connection request, that is, obtain an admission QR code corresponding to the SSH connection request and send it to the client, and then determine the user identity authentication result from the scan authentication result returned by the admission server. The security gateway device may also use the admission server to perform verification code authentication of the user identity, or other zero-trust authentication, on the SSH connection request, which this embodiment does not limit.
Correspondingly, the specific process by which the security gateway device performs user identity authentication on the SSH connection request using the admission server in this step may be set by the designer. For example, when the security gateway device performs QR-code scan authentication of the user identity using the admission server, it may obtain a character-string admission QR code and send it to the client, so that the user of the client can scan the code and send an admission request to the admission server; after the admission server determines the scan authentication result from the admission request and sends it to the security gateway device, the security gateway device can determine the user identity authentication result and complete the keyboard-interactive ("kbd") authentication. For example, after receiving the admission request that the user sends by scanning the code with a terminal, the admission server can directly determine that the scan authentication result is a pass; that is, user identity authentication can be passed by scanning the admission QR code, which identifies whether the user who initiated the SSH connection request is a computer program or a person, so as to screen out SSH connection requests from computer programs. Alternatively, after receiving the admission request that the user sends by scanning the code with a terminal, the admission server can determine the scan authentication result by comparing the user information in the admission request (such as the login user information of a preset application) with preset user information; that is, the QR-code scan authentication can identify whether the user who initiated the SSH connection request is a preset user, so that the scan authentication result is determined to be a pass only when the user information matches the preset user information, realizing identity management of SSH login users.
Correspondingly, when the security gateway device performs verification code authentication of the user identity for the SSH connection request using the admission server, it may acquire a verification code (such as an image verification code) corresponding to the SSH connection request from the admission server and send it to the client; receive the verification code input result returned by the client and send it to the admission server so that the admission server performs verification code authentication on it; and determine the user identity authentication result from the verification code authentication result returned by the admission server, so as to identify whether the user who initiated the SSH connection request is a computer program or a person and screen out SSH connection requests from computer programs. The security gateway device may also obtain the registered user information (such as the user name) corresponding to the SSH connection request and send it to the admission server, so that the admission server can send an SMS verification code to the registered terminal (such as a mobile phone) corresponding to that registered user information; it then receives the verification code input result returned by the client, sends it to the admission server, and has the admission server perform verification code authentication on it to identify whether the user who initiated the SSH connection request is a registered user, realizing identity management of SSH login users.
Step 202: if the user identity authentication succeeds, negotiate encrypted communication information with the client, where the encrypted communication information comprises the plaintext version information, key information and cipher suite information.
It can be understood that in this embodiment the security gateway device may run an SSH broker server, direct SSH connection requests that pass through the security gateway in the intranet to the broker server port, respond to the connection, and complete the negotiation of encrypted communication information such as the plaintext version, keys and cipher suite, so that the encrypted SSH traffic can be decrypted at the broker server of the security gateway device and the SSH traffic can be audited.
Specifically, in this embodiment the security gateway device negotiates the encrypted communication information after the SSH connection request has passed user identity authentication; the security gateway device may instead negotiate the encrypted communication information with the client after obtaining the SSH connection request and then perform user identity authentication on the SSH connection request using the admission server, so that the communication between the security gateway device and the client is already encrypted during the user identity authentication. This embodiment does not set any limit on this.
Step 203: decrypt the encrypted user password sent by the client to obtain the user password.
Step 204: initiate an SSH connection to the SSH server using the user password so that the SSH server performs SSH authentication on the user password.
Step 205: if the SSH authentication succeeds, determine that the client and the SSH server have completed the SSH connection, and forward the SSH traffic between the client and the SSH server.
Specifically, in this step the security gateway device may decrypt the encrypted SSH traffic received from the client and forward the decrypted traffic to the SSH server, and encrypt the SSH traffic sent by the SSH server before forwarding it to the client, so that the SSH traffic can be audited.
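The following Python model of the brokered flow in steps 201 to 205 (and the generic steps 101 to 103) is an added example, not code from the patent or from Sangfor: it plays the client, the admission server, the security gateway and the intranet SSH server in one process and shows that a requester who never passes the admission scan never produces a password attempt at the real SSH server. The `AdmissionServer`, `SshServer`, `Client` and `SecurityGateway` classes, the user names and passwords, and the SHA-256 keystream standing in for the negotiated SSH transport are all constructed for the example.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for the encrypted SSH transport of step 202: SHA-256 counter
    keystream XORed over the data (symmetric, so the same call decrypts)."""
    out = bytearray()
    for i, b in enumerate(data):
        block = hashlib.sha256(key + (i // 32).to_bytes(4, "big")).digest()
        out.append(b ^ block[i % 32])
    return bytes(out)

class AdmissionServer:
    """Issues admission QR codes (modelled as random tokens) and judges each
    scan against preset user information (the identity-management variant)."""

    def __init__(self, registered_users):
        self.registered_users = set(registered_users)
        self.pending: Dict[str, str] = {}   # token -> login name requested
        self.results: Dict[str, str] = {}   # token -> "pass" / "fail"

    def issue_qr(self, login_name: str) -> str:
        token = secrets.token_urlsafe(16)
        self.pending[token] = login_name
        return token

    def receive_scan(self, token: str, scanning_user: str) -> None:
        """Admission request sent from the user's terminal after scanning."""
        requested = self.pending.pop(token, None)        # one scan per code
        ok = (requested is not None and scanning_user == requested
              and scanning_user in self.registered_users)
        self.results[token] = "pass" if ok else "fail"

    def scan_result(self, token: str) -> str:
        return self.results.get(token, "fail")           # never scanned -> fail

class SshServer:
    """Intranet SSH server; counts every password attempt it actually sees."""

    def __init__(self, credentials: Dict[str, str]):
        self.credentials = credentials
        self.password_attempts = 0

    def authenticate(self, user: str, password: str) -> bool:
        self.password_attempts += 1
        return self.credentials.get(user) == password

@dataclass
class Client:
    login_name: str
    password: str
    scans_as: Optional[str]      # identity of the phone that scans; None = bot
    session_key: bytes = b""

    def scan(self, admission: AdmissionServer, token: str) -> None:
        if self.scans_as is not None:
            admission.receive_scan(token, self.scans_as)

    def encrypted_password(self) -> bytes:   # what the broker sees in step 203
        return keystream_xor(self.session_key, self.password.encode())

class SecurityGateway:
    def __init__(self, admission: AdmissionServer, server: SshServer):
        self.admission = admission
        self.server = server

    def handle(self, client: Client) -> str:
        # Step 201: identity pre-authentication through the admission server.
        token = self.admission.issue_qr(client.login_name)
        client.scan(self.admission, token)           # QR code shown to client
        if self.admission.scan_result(token) != "pass":
            return "dropped"                         # request discarded
        # Step 202: negotiate the transport key with the client (broker server).
        client.session_key = secrets.token_bytes(32)
        # Step 203: decrypt the client's password at the broker.
        pw = keystream_xor(client.session_key, client.encrypted_password())
        # Step 204: act as broker client toward the real SSH server.
        if not self.server.authenticate(client.login_name, pw.decode()):
            return "password_rejected"               # server's reply relayed
        # Step 205: connection complete; all traffic would now be relayed.
        return "connected"

def run_scenario():
    """Constructed scenario: registered user, wrong password, scan from the
    wrong phone, and a bot that never scans but guesses passwords."""
    server = SshServer({"ops": "correct horse"})
    gw = SecurityGateway(AdmissionServer({"ops"}), server)
    results = {
        "legit": gw.handle(Client("ops", "correct horse", scans_as="ops")),
        "wrong_pw": gw.handle(Client("ops", "guess1", scans_as="ops")),
        "other_phone": gw.handle(Client("ops", "correct horse", scans_as="mallory")),
    }
    for guess in ("123456", "password", "admin"):
        results["bot_" + guess] = gw.handle(Client("ops", guess, scans_as=None))
    return results, server.password_attempts
```

Only the two requests that passed the admission scan reach the SSH server's password check; the three bot guesses are dropped at step 201, so the server's attempt counter ends at 2.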
Corresponding to the method embodiment above, an embodiment of the present invention further provides a gateway authentication apparatus; the gateway authentication apparatus described below and the gateway authentication method described above may be referred to in correspondence with each other.
Referring to fig. 4, which is a block diagram of a gateway authentication apparatus according to an embodiment of the present invention, the apparatus is applied to a security gateway device and may comprise:
the zero trust authentication module 10, configured to perform user identity authentication on an SSH connection request after the SSH connection request of a client is acquired;
the SSH connection authentication module 20, configured to, if the user identity authentication succeeds, obtain the user password corresponding to the SSH connection request sent by the client and forward the user password to the SSH server, so that the SSH server performs SSH authentication on the user password;
the SSH connection forwarding module 30, configured to, if the SSH authentication succeeds, determine that the client and the SSH server have completed the SSH connection, and forward SSH communication information between the client and the SSH server.
Optionally, the zero trust authentication module 10 may be specifically configured to perform user identity authentication on the SSH connection request by using the admission server.
Optionally, the zero trust authentication module 10 may include:
the QR code acquisition sub-module, used to obtain an admission QR code corresponding to the SSH connection request and send it to the client;
the scan determination sub-module, used to determine the result of the user identity authentication from the scan authentication result returned by the admission server.
Optionally, the zero trust authentication module 10 may include:
the verification code acquisition sub-module, used to obtain the verification code corresponding to the SSH connection request from the admission server and send the verification code to the client;
the verification code forwarding sub-module, used to receive the verification code input result returned by the client and send it to the admission server, so that the admission server performs verification code authentication on the input result;
the verification code determination sub-module, used to determine the result of the user identity authentication from the verification code authentication result returned by the admission server.
Optionally, the apparatus may further include:
the encryption negotiation module, used to negotiate encrypted-communication parameters with the client, where the encrypted-communication parameters comprise plaintext version information, key information and cipher suite information;
correspondingly, the SSH connection authentication module 20 may include:
the decryption sub-module, used to decrypt the encrypted user password sent by the client to obtain the user password;
the connection sub-module, used by the security gateway device to initiate an SSH connection to the SSH server with the user password, so that the SSH server performs SSH authentication on the user password.
Optionally, the apparatus may further include:
the discard module, used to discard the SSH connection request if the user identity authentication fails.
In this embodiment of the invention, after acquiring the SSH connection request of the client, the zero trust authentication module 10 performs user identity authentication on the SSH connection request: the security gateway device, acting as an intermediary between the client and the SSH server, pre-authenticates the user identity, which provides zero-trust authentication in front of the intranet SSH server. The SSH connection authentication module 20 then forwards the user password to the SSH server so that the SSH server performs its own SSH authentication on the password. The SSH server is thus protected by two authentication stages, which effectively prevents SSH password brute-forcing and improves the security of SSH connections.
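The two-stage flow described in steps 203 to 205 and in the modules above (identity pre-authentication through the admission server by verification code or QR scan, then SSH password authentication by the backend, with the request discarded on failure and the decrypted traffic forwarded for audit) can be exercised end to end in the following added example. It is not Sangfor's code or the patent's implementation: the admission server, the backend SSH server and the client are in-memory stand-ins with no network and no real SSH stack; the request identifiers, the 120-second challenge lifetime, the fingerprint strings and the user credentials are constructed for the example; and the gateway-side host-key pin (`known_hosts`) is an assumption the patent does not describe.

```python
"""Offline model of the gateway flow above (added example, not the patent's code). The admission
server, backend SSH server and client are in-memory stand-ins with no network and no real SSH;
the TTL and the gateway-side host-key pin are assumptions not taken from the patent."""
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Optional

CODE_TTL_SECONDS = 120   # assumed lifetime of a verification code or QR challenge


@dataclass
class Challenge:
    secret: str
    issued_at: float


class AdmissionServer:
    """Stand-in for the admission server: one pending, single-use challenge per request id."""

    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now
        self._pending: dict[str, Challenge] = {}

    def issue_code(self, request_id: str) -> str:
        code = f"{secrets.randbelow(10**6):06d}"          # 6-digit verification code sent to the client
        self._pending[request_id] = Challenge(code, self._now())
        return code

    def issue_qr_token(self, request_id: str) -> str:
        token = secrets.token_urlsafe(24)                   # payload of the admission QR code
        self._pending[request_id] = Challenge(token, self._now())
        return token

    def verify(self, request_id: str, submitted: str) -> bool:
        ch = self._pending.pop(request_id, None)            # single use: any attempt consumes it
        if ch is None:
            return False                                    # never issued, or already consumed
        fresh = self._now() - ch.issued_at <= CODE_TTL_SECONDS
        return hmac.compare_digest(ch.secret.encode(), submitted.encode()) and fresh


class BackendSSHServer:
    """Stand-in for the intranet SSH server: checks only username and password."""

    def __init__(self, host_key_fp: str, users: dict[str, str]):
        self.host_key_fp = host_key_fp
        self._users = users

    def authenticate(self, username: str, password: str) -> bool:
        expected = self._users.get(username, "")
        return bool(expected) and hmac.compare_digest(expected.encode(), password.encode())


@dataclass
class Client:
    """Stand-in for the SSH client and the user behind it."""
    username: str
    target: str
    password: str
    answer: Callable[[str], str] = lambda challenge: challenge   # what the user types or scans back


@dataclass
class SecurityGateway:
    admission: AdmissionServer
    backends: dict[str, BackendSSHServer]
    known_hosts: dict[str, str]                 # gateway-side host key pins (assumed, not in the patent)
    audit: list = field(default_factory=list)
    sessions: set = field(default_factory=set)

    def handle(self, client: Client, method: str = "code") -> tuple[str, str]:
        rid = secrets.token_hex(8)
        # Stage 1: zero-trust pre-authentication via the admission server; the challenge is
        # bound to this request id, so a code or scan issued for another request cannot admit it.
        issue = self.admission.issue_qr_token if method == "qr" else self.admission.issue_code
        if not self.admission.verify(rid, client.answer(issue(rid))):
            self.audit.append(f"{rid} DISCARD pre-auth failed user={client.username}")
            return "DISCARDED", rid
        # Stage 2: after version/key/cipher negotiation the client sends its password over the
        # gateway-terminated channel (the stand-in hands it over directly); the gateway opens its
        # own SSH connection to the backend and lets the backend authenticate that password.
        backend = self.backends.get(client.target)
        if backend is None or backend.host_key_fp != self.known_hosts.get(client.target):
            self.audit.append(f"{rid} DISCARD unknown backend or host key mismatch target={client.target}")
            return "DISCARDED", rid
        if not backend.authenticate(client.username, client.password):
            self.audit.append(f"{rid} SSH_AUTH_FAILED user={client.username}")   # password is never logged
            return "SSH_AUTH_FAILED", rid
        self.sessions.add(rid)
        self.audit.append(f"{rid} CONNECTED user={client.username} target={client.target}")
        return "CONNECTED", rid

    def forward(self, rid: str, direction: str, plaintext: bytes) -> Optional[bytes]:
        if rid not in self.sessions:
            return None                                     # nothing is relayed without a completed session
        self.audit.append(f"{rid} {direction} {plaintext!r}")    # the decrypted record is what gets audited
        return plaintext                                    # re-encrypted for the other leg in a real broker
```

Two points the example makes explicit that the patent text leaves implicit. First, because the gateway itself negotiates the version, keys and cipher suite with the client, the client only ever sees the gateway's host key; verifying the backend's host key therefore becomes the gateway's job, otherwise the broker would relay to whatever answers at the target address. Second, the gateway handles the user's plaintext password and the decrypted session, so its audit records should carry session events and relayed data but never the password itself, which the example enforces by never writing `client.password` to the audit list.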
Corresponding to the method embodiment above, an embodiment of the present invention further provides a security gateway device; the security gateway device described below and the gateway authentication method described above may be referred to in correspondence with each other.
Referring to fig. 5, which is a schematic structural diagram of a security gateway device according to an embodiment of the present invention, the device may include:
a memory D1 for storing a computer program;
a processor D2, configured to implement the steps of the gateway authentication method provided by the method embodiments above when executing the computer program.
Specifically, referring to fig. 6, which is a schematic diagram of a specific structure of a security gateway device according to an embodiment of the present invention, the security gateway device 310 may vary considerably with its configuration and performance, and may include one or more processors (CPUs) 322, a memory 332, and one or more storage media 330 (for example, one or more mass storage devices) storing applications 342 or data 344. The memory 332 and the storage media 330 may be transient or persistent storage. The program stored on a storage medium 330 may include one or more modules (not shown), each of which may include a series of instructions that operate on the device. Further, the central processor 322 may be configured to communicate with the storage medium 330 and execute the series of instructions stored on it on the security gateway device 310.
The security gateway device 310 may also include one or more power supplies 326, one or more wired or wireless network interfaces 350, one or more input/output interfaces 358, and/or one or more operating systems 341, such as Windows Server, Mac OS X, Unix, Linux or FreeBSD.
The steps of the gateway authentication method described above may be implemented by the structure of the security gateway device.
Corresponding to the method embodiment above, an embodiment of the present invention further provides a readable storage medium; the readable storage medium described below and the gateway authentication method described above may be referred to in correspondence with each other.
A readable storage medium stores a computer program which, when executed by a processor, implements the steps of the gateway authentication method provided by the method embodiments above.
The readable storage medium may be a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or any other readable storage medium capable of storing program code.
The embodiments in this specification are described progressively; each embodiment focuses on its differences from the others, and the same or similar parts of the embodiments may be referred to each other. Since the apparatus, device and readable storage medium disclosed in the embodiments correspond to the method disclosed in the embodiments, their description is brief, and the relevant points can be found in the description of the method.
The gateway authentication method, apparatus, security gateway device and readable storage medium provided by the present invention are described in detail above. The principles and embodiments of the present invention are explained here using specific examples, which are presented only to assist in understanding the method and its core concepts. Those skilled in the art may make various improvements and modifications to the present invention without departing from its principle, and such improvements and modifications also fall within the scope of the claims of the present invention.

Claims (10)

1. A gateway authentication method, comprising:
after acquiring an SSH connection request from a client, performing, by a security gateway device, user identity authentication on the SSH connection request;
if the user identity authentication succeeds, acquiring a user password corresponding to the SSH connection request sent by the client, and forwarding the user password to an SSH server so that the SSH server performs SSH authentication on the user password; and
if the SSH authentication succeeds, determining that the client and the SSH server have completed an SSH connection, and forwarding SSH communication information between the client and the SSH server.
2. The gateway authentication method according to claim 1, wherein performing user identity authentication on the SSH connection request comprises:
performing user identity authentication on the SSH connection request by using an admission server.
3. The gateway authentication method according to claim 2, wherein performing user identity authentication on the SSH connection request by using the admission server comprises:
obtaining an admission QR code corresponding to the SSH connection request and sending it to the client; and
determining the user identity authentication result from the scan authentication result returned by the admission server.
4. The gateway authentication method according to claim 2, wherein performing user identity authentication on the SSH connection request by using the admission server comprises:
acquiring a verification code corresponding to the SSH connection request from the admission server, and sending the verification code to the client;
receiving a verification code input result returned by the client, and sending the verification code input result to the admission server so that the admission server performs verification code authentication on the input result; and
determining the user identity authentication result from the verification code authentication result returned by the admission server.
5. The gateway authentication method according to claim 1, wherein before acquiring the user password corresponding to the SSH connection request sent by the client, the method further comprises:
negotiating, by the security gateway device, encrypted communication information with the client, wherein the encrypted communication information comprises plaintext version information, key information and cipher suite information; and
correspondingly, acquiring the user password corresponding to the SSH connection request sent by the client comprises:
decrypting the encrypted user password sent by the client to obtain the user password.
6. The gateway authentication method according to claim 1, wherein forwarding the user password to an SSH server comprises:
initiating, by the security gateway device, an SSH connection to the SSH server using the user password, so that the SSH server performs SSH authentication on the user password.
7. The gateway authentication method according to claim 1, further comprising, after performing user identity authentication on the SSH connection request:
if the user identity authentication fails, discarding the SSH connection request.
8. A gateway authentication apparatus, applied to a security gateway device, comprising:
a zero trust authentication module, configured to perform user identity authentication on an SSH connection request after the SSH connection request of a client is acquired;
an SSH connection authentication module, configured to, if the user identity authentication succeeds, acquire a user password corresponding to the SSH connection request sent by the client and forward the user password to an SSH server so that the SSH server performs SSH authentication on the user password; and
an SSH connection forwarding module, configured to, if the SSH authentication succeeds, determine that the client and the SSH server have completed an SSH connection, and forward SSH communication information between the client and the SSH server.
9. A security gateway device, comprising:
a memory for storing a computer program; and
a processor for implementing the steps of the gateway authentication method according to any one of claims 1 to 7 when executing the computer program.
10. A readable storage medium, wherein the readable storage medium stores a computer program which, when executed by a processor, carries out the steps of the gateway authentication method according to any one of claims 1 to 7.
CN202111109145.1A 2021-09-22 2021-09-22 Gateway authentication method and device and security gateway equipment Pending CN113852681A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111109145.1A CN113852681A (en) 2021-09-22 2021-09-22 Gateway authentication method and device and security gateway equipment

Publications (1)

Publication Number Publication Date
CN113852681A true CN113852681A (en) 2021-12-28

Family

ID=78974971

Country Status (1)

Country Link
CN (1) CN113852681A (en)

Citations (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104852902A (en) * 2015-04-10 2015-08-19 中国民航大学 SWIM user identity authentication method based on improved Diameter/EAP-TLS protocol
WO2015165325A1 (en) * 2014-04-28 2015-11-05 华为技术有限公司 Secure terminal authentication method, device and system
CN105162764A (en) * 2015-07-30 2015-12-16 北京石盾科技有限公司 Dual authentication method, system and device for SSH safe login
CN106161032A (en) * 2015-04-24 2016-11-23 华为技术有限公司 A kind of identity authentication method and device
US20170149772A1 (en) * 2015-11-24 2017-05-25 Alibaba Group Holding Limited Identity authentication method, system, business server and authentication server
CN107612895A (en) * 2017-09-05 2018-01-19 网宿科技股份有限公司 A kind of internet anti-attack method and certificate server
CN108809659A (en) * 2015-12-01 2018-11-13 神州融安科技(北京)有限公司 Generation, verification method and system, the dynamic password system of dynamic password
CN109309565A (en) * 2017-07-28 2019-02-05 中国移动通信有限公司研究院 A kind of method and device of safety certification
WO2019037373A1 (en) * 2017-08-24 2019-02-28 北京三快在线科技有限公司 Identity authentication
KR101992976B1 (en) * 2019-01-25 2019-06-26 주식회사 넷앤드 A remote access system using the SSH protocol and managing SSH authentication key securely
CN109977641A (en) * 2019-03-25 2019-07-05 山东浪潮云信息技术有限公司 A kind of authentication processing method and system of Behavior-based control analysis
CN111510444A (en) * 2020-04-09 2020-08-07 上海云励科技有限公司 Remote access method, system, server and access auxiliary component of container
CN112291218A (en) * 2020-10-22 2021-01-29 四川长虹电器股份有限公司 Equipment identity authentication method based on two-dimensional code double fusion encryption algorithm
CN112528270A (en) * 2020-12-09 2021-03-19 苏州市星际云通区块链科技有限公司 Block chain management method and device, electronic equipment and readable storage medium
WO2021136290A1 (en) * 2019-12-31 2021-07-08 华为技术有限公司 Identity authentication method and apparatus, and related device

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114363054A (en) * 2021-12-31 2022-04-15 杭州数梦工场科技有限公司 Interface request conversion method, interface conversion device, electronic device and storage medium
CN114363054B (en) * 2021-12-31 2023-12-01 杭州数梦工场科技有限公司 Interface request conversion method, interface conversion device, electronic equipment and storage medium
CN114500005A (en) * 2022-01-05 2022-05-13 上海安几科技有限公司 ModbusTcp instruction protection method, device, terminal and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination