WO2022027904A1 - Server login method, system and device - Google Patents

Server login method, system and device

Info

Publication number
WO2022027904A1
Authority
WO
WIPO (PCT)
Prior art keywords
user
server
login
target server
target
Application number
PCT/CN2020/138588
Other languages
French (fr)
Chinese (zh)
Inventor
吴宏亮
李涛
Original Assignee
郑州阿帕斯数云信息科技有限公司
Application filed by 郑州阿帕斯数云信息科技有限公司

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083: Network architectures or network communication protocols for network security for authentication of entities using passwords
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30: Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/45: Structures or tools for the administration of authentication
    • G06F21/46: Structures or tools for the administration of authentication by designing passwords or checking the strength of passwords

Definitions

  • the present application relates to the technical field of information security, and in particular, to a server login method, system and device.
  • in the process of a user logging in to a server, the user generally interacts with the server directly, and the server verifies whether the user can log in according to user-related data such as the user's uid, gid, home directory path, login public key, and server login authority.
  • uid: user identity (user identity certificate)
  • gid: group identity (group identity certificate)
  • home: the user's home directory path
  • the server verifies whether the user has the right to log in to the server according to the user's related data, which not only leads to redundant information but also places great data storage pressure on the server, and makes the user's server login authority inconvenient to manage.
  • Embodiments of the present application provide a server login method, system, and device, which are used to solve the problems in the prior art that storing and managing users' login authority information on a server leads to high data storage pressure in the server and poor management and control of login authority information.
  • one or more embodiments of this specification provide a server login method, applied to an authentication center, including: receiving a login request sent by a target server, the login request having been directed to the target server by a first user and including user identification information of the first user, server identification information of the target server, and a first login password for logging in to the target server; determining the user category of the first user according to the user identification information of the first user, the user category including at least one of user identity, user level, and user group to which the user belongs; based on the user category of the first user, determining the target login authority information corresponding to a second user belonging to that user category, and authenticating the first authority of the first user to log in to the target server according to the target login authority information; and, if the first authority authentication is passed, returning the second login password corresponding to the target server to the target server, so that the target server determines whether to allow the first user to log in to the target server according to the first login password and the second login password.
  • an embodiment of the present application provides a server login method, applied to a target server, including: receiving a login request from a first user to the target server, the login request including user identification information of the first user, server identification information of the target server, and a first login password for logging in to the target server; forwarding the login request to the authentication center, where the authentication center is used to determine the user category of the first user according to the user identification information of the first user and, based on that user category, to authenticate the first authority of the first user to log in to the target server; receiving the second login password corresponding to the target server, which the authentication center sends to the target server after the first authority authentication is passed, and determining whether the first login password and the second login password match; and determining whether to allow the first user to log in to the target server according to the judgment result.
  • an embodiment of the present application provides a server login system, including a target server and an authentication center; the target server is configured to receive a login request from a first user to the target server and forward the login request to the authentication center; the login request includes user identification information of the first user, server identification information of the target server, and a first login password used to log in to the target server; the authentication center is configured to receive the login request sent by the target server, determine the user category of the first user according to the user identification information of the first user, determine, based on that user category, the target login authority information corresponding to a second user belonging to the user category, authenticate the first authority of the first user to log in to the target server according to the target login authority information, and, if the first authority authentication is passed, return the second login password corresponding to the target server; the target server is further configured to receive the second login password corresponding to the target server sent by the authentication center, determine whether the first login password and the second login password match, and determine whether to allow the first user to log in according to the judgment result.
  • an embodiment of the present application provides a server login device, including: a first receiving module, configured to receive a login request sent by a target server and directed to the target server by a first user; the login request includes user identification information of the first user, server identification information of the target server, and a first login password for logging in to the target server;
  • a first determining module, configured to determine the user category of the first user according to the user identification information of the first user; the user category includes at least one of user identity, user level, and user group to which the user belongs;
  • a first execution module, configured to determine, based on the user category of the first user, the target login authority information corresponding to a second user belonging to that user category, and to authenticate the first authority of the first user to log in to the target server according to the target login authority information;
  • a return module, configured to return the second login password corresponding to the target server to the target server if the first authority authentication is passed, so that the target server determines whether to allow the first user to log in to the target server according to the first login password and the second login password.
  • an embodiment of the present application provides a server login device, including: a third receiving module, configured to receive a login request from a first user to a target server; the login request includes user identification information of the first user, server identification information of the target server, and a first login password used to log in to the target server; a forwarding module, configured to forward the login request to the authentication center, where the authentication center is used to determine the user category of the first user according to the user identification information of the first user and to authenticate the first authority of the first user to log in to the target server based on that user category; a fourth execution module, configured to receive the second login password corresponding to the target server sent by the authentication center and to judge whether the first login password matches the second login password, the second login password being sent to the target server by the authentication center after the first authority authentication is passed; and a fourth determination module, configured to determine whether to allow the first user to log in to the target server according to the judgment result.
  • an embodiment of the present application provides a server login device, comprising: a processor; and a memory arranged to store computer-executable instructions which, when executed, cause the processor to: receive a login request sent by a target server and directed to the target server by a first user, the login request including user identification information of the first user, server identification information of the target server, and a first login password for logging in to the target server; determine the user category of the first user according to the user identification information of the first user, the user category including at least one of user identity, user level, and user group to which the user belongs; based on the user category of the first user, determine the target login authority information corresponding to a second user belonging to that user category, and authenticate the first authority of the first user to log in to the target server according to the target login authority information; and, if the first authority authentication is passed, return the second login password corresponding to the target server to the target server, so that the target server can determine whether to allow the first user to log in to the target server according to the first login password and the second login password.
  • an embodiment of the present application provides a server login device, comprising: a processor; and a memory arranged to store computer-executable instructions which, when executed, cause the processor to: receive a login request from a first user to the target server, the login request including user identification information of the first user, server identification information of the target server, and a first login password used to log in to the target server; forward the login request to the authentication center, where the authentication center is configured to determine the user category of the first user according to the user identification information of the first user and, based on that user category, to authenticate the first authority of the first user to log in to the target server; receive the second login password corresponding to the target server sent by the authentication center and determine whether the first login password and the second login password match, the second login password being sent to the target server by the authentication center after the first authority authentication is passed; and determine whether the first user is allowed to log in to the target server according to the judgment result.
  • an embodiment of the present application provides a storage medium for storing computer-executable instructions which, when executed, implement the following process: receiving a login request sent by a target server and directed to the target server by a first user, the login request including user identification information of the first user, server identification information of the target server, and a first login password used to log in to the target server; determining the user category of the first user according to the user identification information of the first user, the user category including at least one of user identity, user level, and user group to which the user belongs; based on the user category of the first user, determining the target login authority information corresponding to a second user belonging to that user category, and authenticating the first authority of the first user to log in to the target server according to the target login authority information; and, if the first authority authentication is passed, returning the second login password corresponding to the target server, so that the target server determines whether to allow the first user to log in to the target server according to the first login password and the second login password.
  • an embodiment of the present application provides a storage medium for storing computer-executable instructions which, when executed, implement the following process: receiving a login request from a first user to a target server, the login request including user identification information of the first user, server identification information of the target server, and a first login password for logging in to the target server; forwarding the login request to the authentication center, where the authentication center is used to determine the user category of the first user according to the user identification information of the first user and to authenticate the first authority of the first user to log in to the target server based on that user category; receiving the second login password corresponding to the target server sent by the authentication center, and determining whether the first login password and the second login password match, the second login password being sent to the target server after the first authority authentication is passed; and determining whether to allow the first user to log in to the target server according to the judgment result.
  • the authentication center determines the user category of the first user according to the login request of the first user for the target server, which the target server forwards, and based on that user category authenticates the first authority of the first user to log in to the target server; when the first authority authentication is passed, the second login password corresponding to the target server is returned to the target server, so that the target server can judge whether to allow the first user to log in according to the first login password and the second login password.
  • login to the target server can be realized by obtaining the second login password corresponding to the target server from the authentication center, without storing user-related data in each server.
  • this effectively relieves the data storage pressure of the server, especially when a user needs to log in to multiple servers: there is no need to create the same user's user-related data repeatedly in each server, which avoids information redundancy and saves server storage resources.
  • the technical solution improves the convenience of management and control of the server login authority, and the management and control effect is better.
  • to adjust a user's login authority, the technical solution only needs to change the user category to which the user belongs in the user-related data, or only needs to change the permission information corresponding to that user category.
  • a user's personal information and authority information can be changed separately, which makes the management and control of server login authority more flexible and fast.
  • FIG. 1 is a schematic structural diagram of a server login system provided by an embodiment of the present application.
  • FIG. 2 is a schematic flowchart of a server login method provided by an embodiment of the present application.
  • FIG. 3 is a schematic flowchart of a server login method provided by another embodiment of the present application.
  • FIG. 4 is a schematic flowchart of a server login method provided by another embodiment of the present application.
  • FIG. 5 is a schematic structural diagram of a server login apparatus provided by an embodiment of the present application.
  • FIG. 6 is a schematic structural diagram of a server login apparatus provided by another embodiment of the present application.
  • FIG. 7 is a schematic diagram of a hardware structure of a server login device provided by an embodiment of the present application.
  • FIG. 8 is a schematic diagram of a hardware structure of a server login device provided by another embodiment of the present application.
  • FIG. 1 is a schematic structural diagram of a server login system according to an embodiment of the present application.
  • the server login system includes a server set and an authentication center 120 ; the server set includes a plurality of servers 110 , and each server 110 is connected to the authentication center 120 via a network.
  • the target server 110 to which the user wants to log in may be any server 110 in the server set.
  • the target server 110 is configured to receive a login request from the first user to the target server 110 , and forward the login request to the authentication center 120 .
  • the authentication center 120 is configured to receive the login request sent by the target server 110, determine the user category of the first user according to the user identification information of the first user, determine, based on that user category, the target login authority information corresponding to a second user belonging to the user category, authenticate the first authority of the first user to log in to the target server 110 according to the target login authority information, and, if the first authority authentication is passed, return the second login password corresponding to the target server 110.
  • the target server 110 is further configured to receive the second login password corresponding to the target server 110 sent by the authentication center 120, determine whether the first login password and the second login password match, and determine whether to allow the first user to log in to the target server 110 according to the judgment result.
  • the following describes the specific operations performed by the authentication center 120 and the target server 110 in the server login system when the user requests to log in to the server.
  • FIG. 2 is a schematic flowchart of a server login method according to an embodiment of the present application, applied to the authentication center shown in FIG. 1.
  • the method in FIG. 2 may include:
  • S202: Receive a login request of the first user for the target server, sent by the target server.
  • the login request includes user identification information of the first user, server identification information of the target server, and a first login password used to log in to the target server.
  • the user identification information of the first user may be information used to identify the user, for example, the uid, gid, and user name of the first user.
  • the server identification information of the target server may be the server name of the target server, for example, server X, server Y, and so on.
  • the first login password used to log in to the target server may be a unique password issued by the authentication center and corresponding to the target server, and the corresponding first login passwords are different for different servers.
  • S204: Determine the user category of the first user according to the user identification information of the first user.
  • the user category includes user identity, user level, user group to which they belong, and the like.
  • the user identity may include the user's social identity, for example, a student, a staff member, a teacher, and the like.
  • the user level may include the user's authority level, e.g., primary, advanced, and the like.
  • the user group to which they belong may include the work group they belong to, the study group they belong to, the family group they belong to, and so on.
  • the second user includes all users belonging to a certain user category; that is, the second user is used to identify a category of users.
  • the target login authority information includes the server identification information of at least one first server to which the second user has the right to log in, the authority time corresponding to each first server, the first login password and the second login password corresponding to each first server, and the like.
  • the server identification information of at least one first server to which the second user is authorized to log in includes server X, server Y, server Z, and the like.
  • the authority time corresponding to each first server may include the authority time corresponding to server X (such as authority expiration time: May 2020), the authority time corresponding to server Y (such as authority expiration time: December 2020), and the authority time corresponding to server Z (such as authority expiration time: November 2020).
  • the login authority information corresponding to different user categories may be the same or different.
  • different user identities have different login authority information
  • different user levels have different login authority information
  • different user groups have the same or different login authority information.
  • the second login password is a password issued by the authentication center and corresponding to the target server.
  • the first login password and the second login password may be the same password, or may be a key pair that matches each other.
  • the first login password may be a private key
  • the second login password may be a public key matching the first login password.
  • before receiving the login request of the first user for the target server sent by the target server, the authentication center may pre-create and store the correspondence between user-related data and user identification information, and update the user-related data according to the actual situation.
  • the specific implementation is as follows.
  • the authentication center may obtain the user-related data corresponding to the first user, and create and store a first correspondence between that user-related data and the user identification information of the first user. After the first correspondence is created, the user identification information and the first login passwords corresponding to each first server can be sent to the first user, so that the first user can initiate a login request to the corresponding server based on the user identification information and the first login password.
  • the user-related data may include the user category of the first user and target login authority information corresponding to the second user belonging to the user category.
  • the user-related data may further include home directory path information corresponding to the first user, so that the target server creates the first user's home directory according to the home directory path information.
  • the authentication center can determine which server the first user requests to log in to according to the first login password carried in the login request.
  • the authentication center may actively create and store the correspondence between user-related data and user identification information at a preset frequency, or, based on a creation request initiated by the user, create and store the correspondence between user-related data and user identification information when triggered by that creation request.
  • the authentication center may include multiple data interfaces, and accordingly the first correspondence between part of the user-related data and the user identification information may be created and stored in different data interfaces of the authentication center, so that the target server calls the different data interfaces of the authentication center with the user identification information to obtain the user-related data defined in each data interface.
  • the user-related data created by each data interface is described in detail below.
  • the authentication center at least includes four data interfaces, namely, an interface for querying users, an interface for querying user groups, an interface for querying user passwords, and an interface for querying user login public keys.
  • through the four RESTful (a software architecture style) data interfaces provided by the authentication center and accessed over the HTTPS protocol, the first correspondence between the corresponding part of the user-related data and the user identification information can be created and stored respectively.
  • the first correspondence between user identification information (eg, name: user name) and data used to identify the user in the user-related data may be defined in the query user interface.
  • the data used to identify the user in the user-related data includes: name (user name), passwd (password), uid (monotonically increasing user ID), gid (monotonically increasing group ID), gecos (user description), dir (user home directory path), and shell (default shell path).
  • a first correspondence between user identification information (eg, name: user name) and data used to identify a user's group in the user-related data can be defined in the user group query interface.
  • the data used to identify the user's group in the user-related data includes: name (group name), passwd (group password), gid (monotonically increasing group ID), and members (users in the group).
  • a first correspondence between user identification information (eg, name: user name) and data related to the user password in the user-related data can be defined in the interface for querying the user password.
  • data related to a user's password includes: name (user name), passwd (encrypted password), last_change (last password change time), change_min_days (minimum password change interval), change_max_days (password validity period), change_warn_days (number of days to warn before a password needs to be changed), change_inactive_days (grace days after the password expires), expire_date (account expiration time), and reserved (reserved field).
  • a first correspondence between user identification information (eg, name: user name) and the user's login public key (eg, public_key: login public key) in the user-related data can be defined in the interface for querying the user login public key.
  • the user-related data defined in each data interface can be acquired by calling different data interfaces of the authentication center.
  • the authentication center creates and stores the first correspondence between some user-related data and user identification information in different data interfaces, so that the target server calls different data interfaces of the authentication center through the user identification information, The user-related data defined in the data interface can be obtained, and the accuracy of data interaction between the target server and the authentication center is improved.
  • an update request for performing an update operation on the target login authority information in the user-related data can be received, and the corresponding update operation is performed on the target login authority information according to the update request.
  • the update operation includes an operation of adding the server identification information of a second server, an operation of deleting the server identification information of a first server, an operation of modifying the authority time, an operation of modifying the first login password and the second login password, and the like.
  • when the user category in the user-related data changes, the changed user category can be determined, the login authority information corresponding to the third user belonging to the changed user category is determined, and the target login authority information in the user-related data is updated to the login authority information corresponding to the third user.
  • the third user includes all users belonging to the changed user category.
  • whether the user category in the user-related data changes can be monitored in real time, and when the user category changes, the target login authority information in the user-related data is updated accordingly. This keeps the login authority information held by users of different categories accurately managed and controlled, and prevents users from logging in to a server on the basis of incorrect login authority information after their user category has been changed.
  • the authentication center may authenticate the login of the first user to the target server according to the information carried in the login request.
  • the specific implementation is as follows.
  • Pre-created user-related data corresponding to the user identification information may be acquired according to the user identification information of the first user, and the user category of the first user may be determined based on the user-related data.
  • The second authority of the target server to obtain the user-related data may then be authenticated. If the second authority authentication is passed, the user-related data is sent to the target server.
  • If the server identification information of the at least one first server in the target login authority information corresponding to the user category of the first user includes the server identification information of the target server, and the reception time of the login request is within the authority time, it is determined that the second authority authentication is passed.
  • If the authority time corresponding to the target server in the login authority information has expired (for example, the server identification information of the target server is server X, the authority expiry time corresponding to server X is May 2020, and the current authentication time is June 2020), it is determined that the second authority authentication fails. It can be seen that by setting the authority time in the login authority information, the functions of automatically reclaiming the user's authority to log in to the server and of granting the user temporary authority to log in to the server are realized.
  • The target server can determine whether the first user is a legal user based on the user-related data, and if the target server determines that the first user is a legal user, the determination result can be fed back to the authentication center, so that the authentication center performs the step of authenticating the first authority of the first user to log in to the target server.
  • The manner in which the target server feeds back the determination result to the authentication center may include: feeding back only the determination result to the authentication center; or sending the login request of the first user for the target server to the authentication center through an interface preset by the authentication center for receiving legal user data.
  • The interface preset by the authentication center for receiving legal user data may be the interface for querying the user login public key listed in the above embodiment.
  • When a designated data interface of the authentication center receives the login request of the first user for the target server sent by the target server, the authentication center can be triggered to authenticate the second authority of the target server to obtain the user-related data.
  • The designated data interface of the authentication center may include the user query interface, the user group query interface and the user password query interface listed in the above embodiment.
  • When the target server receives the login request of the first user, it triggers the sshd process to call the name resolution (NSS) service in the local files of the target server to query user-related data of the first user such as the uid, gid and home directory path. If the data cannot be found locally, the login request of the first user for the target server is sent, through a dynamic link library based on the HTTPS protocol (for example, a /usr/lib64/libnss_https.so dynamic link library created for this purpose), to the user query interface, user group query interface and user password query interface of the authentication center, so as to trigger the authentication center to authenticate the second authority of the target server to obtain the user-related data; when the authentication is passed, the user-related data defined by each interface is returned.
  • The authentication center can then be triggered to authenticate the first authority of the first user to log in to the target server; if it passes, the second login password corresponding to the target server is returned to the target server.
  • Another designated data interface of the authentication center may include the interface for querying the user login public key listed in the above embodiment, and the first user and the target server may use the ssh protocol for data transmission.
  • When the target server receives the login request of the first user, the sshd process is triggered to call a shell script through AuthorizedKeysCommand; the login request of the first user is written into the shell script and passed through the HTTPS protocol to the authentication center's interface for querying the user login public key, so as to trigger the authentication center to authenticate the first authority of the first user to log in to the target server; when the authentication is passed, the second login password defined by the interface for querying the user login public key is returned.
  • For example, the following configuration can be added in advance to the configuration file /etc/ssh/sshd_config of the target server: AuthorizedKeysCommand /bin/sh /usr/libexec/openssh/get_keys.sh %u. Then, when the target server receives the login request of the first user, the sshd process is triggered to call the shell script through AuthorizedKeysCommand, and the shell script accesses the authentication center's interface for querying the user login public key.
  • In summary, the authentication center authenticates the second authority of the target server to obtain the user-related data according to the login request of the first user for the target server and the target login authority information corresponding to the user category of the first user; when the second authority authentication is passed, the user-related data is sent to the target server, so that the target server can determine whether the first user is a legal user based on the user-related data; and the first authority of the first user to log in to the target server is authenticated.
  • It can be seen that the above embodiment can authenticate the user's authority to log in to the server according to the user category, and realizes the effect of authenticating and managing the user's authority to log in to the server according to each user category. Compared with the traditional way of managing authority information for each user individually, the convenience of management and control of server login authority is improved, and the management and control effect is better.
  • When it is necessary to change the authority information of a user to log in to the server, it is only necessary to change the user category to which the user belongs in the user-related data, or only to change the authority information corresponding to the user category to which the user belongs, rather than changing each user's personal information and authority information separately, so that the control of server login authority is more flexible and fast.
  • When the target login authority information corresponding to the second user belonging to the user category is determined based on the user category of the first user, the target login authority information in the user-related data that matches the user category of the first user can be obtained; or the target login authority information that matches the user category of the first user may be determined according to the second correspondence, pre-created in the authentication center, between each user category and login authority information.
  • In the first manner, the authentication center may acquire the user-related data corresponding to the user category based on the user category of the first user, thereby obtaining the target login authority information recorded in the user-related data that matches the user category of the first user.
  • In the second manner, the authentication center may determine the target login authority information that matches the user category of the first user according to the user category of the first user and the second correspondence, pre-created in the authentication center, between each user category and login authority information.
  • The user's login authority information can thus be determined in various ways, which improves the flexibility of determining the login authority information.
  • When authenticating the first authority of the first user to log in to the target server, the authority authentication result can be obtained according to various factors, which effectively improves the accuracy of the authentication result.
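As an added example, not code from the patent, the following in-memory model shows the authentication-center side described above: category-based target login authority information, the shared predicate behind the second and first authority checks (target server listed for the category and request time within the authority time), and how a category change or an update request propagates to every user of the category. The class and function names, the JSON-like return shapes, and the sample users, servers, dates and placeholder keys are all assumptions constructed to mirror the server X / May 2020 illustration.

```python
from dataclasses import dataclass, field
from datetime import date


@dataclass
class ServerAuthority:
    """One entry of a category's login authority information for one first server."""
    expires: str        # authority time (ISO date): last day on which login is permitted
    private_key: str    # first login password, handed to the user
    public_key: str     # second login password, returned to the target server


@dataclass
class UserData:
    """User-related data stored under the first correspondence (user id -> data)."""
    category: str
    authority: dict = field(default_factory=dict)   # server id -> ServerAuthority


class AuthCenter:
    """Hypothetical in-memory authentication center (not the patent's code)."""

    def __init__(self, category_authority):
        # second correspondence: user category -> login authority information
        self.category_authority = category_authority
        self.users = {}   # first correspondence: user id -> UserData

    def register_user(self, user_id, category):
        """Create the user's data and return what the user is sent: the first
        login password (private key) of every server the category may reach."""
        data = UserData(category, dict(self.category_authority[category]))
        self.users[user_id] = data
        return {sid: a.private_key for sid, a in data.authority.items()}

    def change_category(self, user_id, new_category):
        """Monitored category change: the user's target login authority
        information becomes that of the (third) users of the new category."""
        data = self.users[user_id]
        data.category = new_category
        data.authority = dict(self.category_authority[new_category])

    def update_category_authority(self, category, server_id, entry=None):
        """Update request: add or modify a server entry (entry given) or delete
        it (entry is None); every user of the category sees the change."""
        if entry is None:
            self.category_authority[category].pop(server_id, None)
        else:
            self.category_authority[category][server_id] = entry
        for data in self.users.values():
            if data.category == category:
                data.authority = dict(self.category_authority[category])

    def _authorised(self, user_id, server_id, when):
        """Predicate shared by the second and first authority checks: the
        target server is listed for the user's category and the request
        time (ISO date) is within the authority time."""
        data = self.users.get(user_id)
        if data is None:
            return False
        entry = data.authority.get(server_id)
        return entry is not None and date.fromisoformat(when) <= date.fromisoformat(entry.expires)

    def second_authority(self, user_id, server_id, when):
        """Second authority: may the target server obtain the user-related
        data? Returns the data (without keys) or None, i.e. empty data."""
        if not self._authorised(user_id, server_id, when):
            return None
        data = self.users[user_id]
        return {"category": data.category,
                "servers": {sid: a.expires for sid, a in data.authority.items()}}

    def first_authority(self, user_id, server_id, when):
        """First authority: may the user log in to the target server? Returns
        the second login password (public key) or None, i.e. empty data."""
        if not self._authorised(user_id, server_id, when):
            return None
        return self.users[user_id].authority[server_id].public_key


def build_demo_center():
    """Constructed sample data mirroring the page: ordinary staff may reach
    server X until May 2020 and server Y until December 2020; administrators
    additionally reach server Z until November 2020. Keys are placeholders."""
    staff = {
        "server X": ServerAuthority("2020-05-31", "PRIVATE-KEY-X", "ssh-ed25519 PUBLIC-KEY-X"),
        "server Y": ServerAuthority("2020-12-31", "PRIVATE-KEY-Y", "ssh-ed25519 PUBLIC-KEY-Y"),
    }
    admin = dict(staff)
    admin["server Z"] = ServerAuthority("2020-11-30", "PRIVATE-KEY-Z", "ssh-ed25519 PUBLIC-KEY-Z")
    return AuthCenter({"staff": staff, "admin": admin})


if __name__ == "__main__":
    center = build_demo_center()
    center.register_user("a", "staff")
    # server X expired in May 2020, so a June 2020 request yields empty data
    print(center.first_authority("a", "server X", "2020-06-15"))   # None
    print(center.first_authority("a", "server Y", "2020-06-15"))   # ssh-ed25519 PUBLIC-KEY-Y
```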
  • FIG. 3 is a schematic flowchart of a server login method according to another embodiment of the present application, which is applied to the target server shown in FIG. 1; the method in FIG. 3 may include:
  • S302: Receive a login request from the first user for the target server.
  • The login request includes the user identification information of the first user, the server identification information of the target server, and a first login password used to log in to the target server.
  • The login request is forwarded to the authentication center, which is configured to determine the user category of the first user according to the user identification information of the first user, and to authenticate the first authority of the first user to log in to the target server based on the user category of the first user.
  • S306: Receive a second login password corresponding to the target server sent by the authentication center, and determine whether the first login password and the second login password match.
  • The second login password is sent to the target server by the authentication center after the first authority authentication is passed.
  • If the first login password and the second login password match, the first user is allowed to log in to the target server; if they do not match, the first user is not allowed to log in to the target server.
  • If the first login password and the second login password corresponding to the target server are the same password, then when the first login password and the second login password are the same it is determined that they match, and when they are different it is determined that they do not match.
  • If the first login password and the second login password are a key pair, the matching relationship of the key pair can be preset.
  • The target server may support the ssh protocol.
  • When the first user logs in to the target server, the sshd process can be triggered to call the session module of the PAM module of the target server, and the session module creates the home directory of the first user based on the home directory path information corresponding to the first user in the user-related data, in order to store the data of the first user.
  • In the embodiment of the present application, the target server receives the login request from the first user for the target server, forwards the login request to the authentication center, receives the second login password corresponding to the target server sent by the authentication center, judges whether the first login password matches the second login password, and determines whether the first user is allowed to log in to the target server according to the judgment result. It can be seen that in this technical solution, through the interaction between the target server and the authentication center, login to the target server can be realized by obtaining the second login password corresponding to the target server from the authentication center, without storing user-related data in each server.
  • Before receiving the second login password, the user-related data sent by the authentication center may be received, and it is determined, based on the login request of the first user for the target server and the user-related data, whether the first user is a legal user; if the first user is a legal user, the step of receiving the second login password corresponding to the target server sent by the authentication center is performed.
  • The target server can support the ssh protocol, and when the target server receives the user-related data sent by the authentication center, the sshd process can be triggered to call the auth interface of the PAM module of the target server to verify the legitimacy of the first user's account, for example to verify whether the user identification information of the first user and the first login password are accurate, and to call the account interface of the PAM module of the target server to verify the servers to which the first user has the right to log in and the authority time corresponding to each server.
  • By receiving the user-related data sent by the authentication center, determining whether the first user is a legal user based on the login request of the first user for the target server and the user-related data, and executing the step of receiving the second login password corresponding to the target server sent by the authentication center only when the first user is determined to be a legal user, multiple verifications are performed, which effectively ensures the security of data interaction in the process of the user logging in to the server.
  • Specifically, it is judged whether the server identification information of the at least one first server includes the server identification information of the target server, and whether the reception time of the login request is within the authority time; if the server identification information of the at least one first server includes the server identification information of the target server and the reception time of the login request is within the authority time, it is determined that the first user is a legitimate user.
  • Since the legitimacy of the user is judged according to various factors (whether the server identification information of the at least one first server includes the server identification information of the target server, and whether the login request is received within the authority time), and the first user is determined to be a legitimate user only when the server identification information of the at least one first server includes the server identification information of the target server and the reception time of the login request is within the authority time, the accuracy of the judgment result is effectively improved.
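As an added example, not code from the patent or from OpenSSH, the following is a Python equivalent of the get_keys.sh helper that sshd runs through AuthorizedKeysCommand, covering the target-server side described above (the account check on the user-related data that the PAM account interface performs, and the retrieval of the second login password from the public key interface). The endpoint names, base URL, JSON layout and the sample replies are assumptions constructed for the example; it also serves the employee A / server X scenario later on the page.

```python
import json
import sys
from datetime import date
from urllib.parse import urlencode
from urllib.request import urlopen

AUTH_CENTER = "https://auth-center.example/api"   # assumed base URL of the authentication center
THIS_SERVER = "server X"                           # server identification information of this host


def https_fetch(endpoint, params):
    """Real transport: GET a JSON document from the authentication center over HTTPS."""
    url = f"{AUTH_CENTER}/{endpoint}?{urlencode(params)}"
    with urlopen(url, timeout=5) as resp:   # https:// URL, so the exchange is over TLS
        body = resp.read()
    return json.loads(body) if body else None   # empty body = empty data (denial)


def user_is_legal(user_data, server_id, today):
    """Account check on the user-related data (what the PAM account interface
    verifies): this server must be in the user's authority list and today
    (ISO date) must be within the authority time."""
    expires = (user_data.get("servers") or {}).get(server_id)
    return expires is not None and date.fromisoformat(today) <= date.fromisoformat(expires)


def authorized_keys_lines(username, fetch=https_fetch, today=None):
    """Return the authorized_keys lines sshd should accept for username.

    An empty list means the authentication center returned empty data (its
    second or first authority authentication failed) or the local account
    check failed; sshd then has no public key to match the user's private
    key against and rejects the login."""
    today = today or date.today().isoformat()
    params = {"name": username, "server": THIS_SERVER}
    user_data = fetch("user", params)                    # user query interface
    if not user_data or not user_is_legal(user_data, THIS_SERVER, today):
        return []
    reply = fetch("login-public-key", params)            # user login public key interface
    key = (reply or {}).get("public_key")
    if not key:
        return []
    return [f"{key} {username}@auth-center"]             # the second login password


# Constructed sample replies standing in for the authentication center:
# user a (ordinary staff) may reach server X until May 2020; user b may not.
SAMPLE_REPLIES = {
    ("user", "a"): {"category": "staff",
                    "servers": {"server X": "2020-05-31", "server Y": "2020-12-31"}},
    ("login-public-key", "a"): {"public_key": "ssh-ed25519 AAAAC3-CONSTRUCTED-KEY-X"},
    ("user", "b"): None,
}


def sample_fetch(endpoint, params):
    """Offline stand-in for https_fetch, used for the demo and test."""
    return SAMPLE_REPLIES.get((endpoint, params["name"]))


if __name__ == "__main__":
    # sshd invokes this with the login name as %u; one key per line, nothing on denial
    for line in authorized_keys_lines(sys.argv[1]):
        print(line)
```

sshd runs the command only when AuthorizedKeysCommandUser is also set in sshd_config, and it is sshd itself that then performs the key pair match between the user's private key and the returned public key.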
  • FIG. 4 is a schematic flowchart of a server login method according to another embodiment of the present application. The server login method is applied to the server login system shown in FIG. 1, and through the interaction between the authentication center and the target server, the effect of the user safely logging in to the server is realized. The method of FIG. 4 may include:
  • The authentication center acquires user-related data corresponding to a first user, and creates and stores a first correspondence between the user-related data and user identification information.
  • An update request for performing an update operation on the target login authority information may be received, and the corresponding update operation performed on the target login authority information according to the update request.
  • The update operation includes an operation of adding the server identification information of a second server, an operation of deleting the server identification information of a first server, an operation of modifying the authority time, an operation of modifying the first login password and the second login password, and the like.
  • If it is monitored that the user category in the user-related data changes, the changed user category can be determined, the login authority information corresponding to a third user belonging to the changed user category is determined, and the target login authority information in the user-related data is updated to the login authority information corresponding to the third user.
  • The authentication center sends the user identification information and the first login password corresponding to each first server to the first user, so that the first user initiates a login request to the corresponding server based on the user identification information and the first login password.
  • The target server receives a login request from the first user for the target server, and forwards the login request to the authentication center.
  • The login request includes the user identification information of the first user, the server identification information of the target server, and a first login password for logging in to the target server.
  • The authentication center obtains the pre-created user-related data corresponding to the user identification information according to the user identification information of the first user in the received login request, and determines the user category of the first user based on the user-related data.
  • The user category includes user identity, user level, the user group to which the user belongs, and the like.
  • The authentication center determines, based on the user category of the first user, the target login authority information corresponding to the second user belonging to the user category.
  • The authentication center may acquire the user-related data corresponding to the user category based on the user category of the first user, thereby obtaining the target login authority information recorded in the user-related data that matches the user category of the first user.
  • Alternatively, the authentication center may determine the target login authority information that matches the user category of the first user according to the user category of the first user and the second correspondence, pre-created in the authentication center, between each user category and login authority information.
  • The target login authority information includes the server identification information of at least one first server to which the second user has the right to log in, the authority time corresponding to each first server, the first login password and the second login password corresponding to each first server, and the like.
  • The authentication center authenticates the second authority of the target server to obtain the user-related data according to the target login authority information corresponding to the user category to which the first user belongs; if the second authority authentication passes, S407 is executed; if it fails, S414 is executed.
  • S407: The authentication center sends the user-related data to the target server.
  • The target server determines whether the first user is a legitimate user according to the received user-related data; if yes, S409 is executed; if not, S415 is executed.
  • The target server determines whether the first user is a legal user by judging whether the server identification information of the at least one first server includes the server identification information of the target server and whether the login request is received within the authority time.
  • If the server identification information of the at least one first server includes the server identification information of the target server and the reception time of the login request is within the authority time, the target server determines that the first user is a legitimate user; if the server identification information of the at least one first server does not include the server identification information of the target server, and the reception time of the login request is not within the authority time, the target server determines that the first user is an illegal user.
  • S409: The target server determines that the first user is a legitimate user.
  • The authentication center authenticates the first authority of the first user to log in to the target server according to the target login authority information corresponding to the user category to which the first user belongs; if the first authority authentication passes, S411 is executed; if it fails, S414 is executed.
  • S411: The authentication center returns the second login password corresponding to the target server to the target server.
  • The target server receives the second login password sent by the authentication center, and judges whether the first login password and the second login password match; if they match, S413 is executed; if they do not match, S416 is executed.
  • S413: The target server allows the first user to log in to the target server.
  • S414: The authentication center sends empty data to the target server, and then S416 is executed.
  • S415: The target server determines that the first user is an illegal user, and then S416 is executed.
  • S416: The target server does not allow the first user to log in to the target server.
  • The server login method provided by the embodiments of the present application can be applied in various scenarios, such as requests from teachers and students in a school to log in to a server, and requests from ordinary staff and administrators in a company to log in to a server.
  • The following describes the specific process of the server login method by taking as an example the scenario in which employee A of a company requests to log in to server X using user identification information a.
  • Assume that the server login system adopts an asymmetric encryption algorithm to realize secure login to the target server, the first login password is the private key, and the second login password is the public key matching the first login password.
  • The user categories include ordinary staff and administrators, and ordinary staff and administrators correspond to their respective login authority information.
  • The login authority information corresponding to an ordinary employee includes the server identification information of the servers to which the ordinary employee has the right to log in, such as server X and server Y.
  • The authority time corresponding to each server may include the authority time corresponding to server X (for example, authority expiry time: May 2020) and the authority time corresponding to server Y (for example, authority expiry time: December 2020).
  • The first login password and the second login password corresponding to each server may include the public key and private key corresponding to server X, and the public key and private key corresponding to server Y.
  • The login authority information corresponding to an administrator includes the server identification information of the servers to which the administrator has the right to log in, such as server X, server Y, server Z and the like.
  • The authority time corresponding to each server may include the authority time corresponding to server X (for example, authority expiry time: May 2020), the authority time corresponding to server Y (for example, authority expiry time: December 2020), and the authority time corresponding to server Z (for example, authority expiry time: November 2020).
  • The first login password and the second login password corresponding to each server may include the public key and private key corresponding to server X, the public key and private key corresponding to server Y, and the public key and private key corresponding to server Z.
  • Assume that the user category corresponding to employee A is ordinary employee. If, after the first correspondence between the user-related data and the user identification information a is created and stored, it is detected that the user category in the user-related data is changed to administrator, the login authority information corresponding to the administrator can be determined, and the login authority information in the user-related data is updated to the login authority information corresponding to the administrator.
  • Since the authentication center authenticates and controls the authority of users to log in to the server according to each user category, if the authority information of employee A to log in to the server is to be changed, it is only necessary to change the user category to which employee A belongs in the user-related data of employee A, or only to change the authority information corresponding to the user category to which employee A belongs.
  • When employee A requests to log in to server X using the user identification information a and the first login password, server X receives the login request from employee A for server X, and forwards the login request to the authentication center.
  • The authentication center receives the login request of employee A for server X, and determines the user category to which employee A belongs according to the user identification information a carried in the login request. Assuming that the authentication center determines that the user category is ordinary employee, it can further determine the login authority information corresponding to the ordinary employee, and determine whether employee A has the right to log in to server X according to that login authority information. If so, the authentication center sends the second login password corresponding to server X to server X.
  • If server X determines that the first login password and the second login password match, employee A is allowed to log in.
  • The user category can also be divided according to the department to which the employee belongs. For example, employee A belongs to the XX department, and employee B belongs to the YY department.
  • The authentication center preconfigures the login authority information corresponding to the employees of different departments, so as to restrict the login authority of each employee to the servers in the company.
  • When an employee requests to log in to a server, the authentication center determines whether the employee has the right to log in to the server according to the department to which the employee belongs. The specific authority judgment method has been described in detail in the above embodiments and is not repeated here.
  • In the technical solution, login to the target server can be realized by obtaining the second login password corresponding to the target server from the authentication center through the interaction between the target server and the authentication center, without storing user-related data in each server.
  • Compared with the traditional way in which each server creates and stores user-related data, this effectively relieves the data storage pressure on the servers; in particular, when a user needs to log in to multiple servers, the user-related data of the same user does not need to be created repeatedly in each server, thereby avoiding information redundancy and saving server storage resources.
  • Moreover, the technical solution improves the convenience of management and control of server login authority, and the management and control effect is better.
  • The server login method provided by the embodiments of the present application is described above. Based on the same idea, the embodiments of the present application also provide a server login device.
  • FIG. 5 is a schematic structural diagram of a server login device according to an embodiment of the present application.
  • The server login device includes: a first receiving module 510, configured to receive a login request of the first user for the target server sent by the target server, where the login request includes the user identification information of the first user, the server identification information of the target server and the first login password used to log in to the target server; a first determination module 520, configured to determine the user category of the first user according to the user identification information of the first user, where the user category includes at least one of user identity, user level, and the user group to which the user belongs; a first execution module 530, configured to determine, based on the user category of the first user, the target login authority information corresponding to the second user belonging to the user category, and to authenticate, according to the target login authority information, the first authority of the first user to log in to the target server; and a return module 540, configured to return the second login password corresponding to the target server to the target server if the first authority authentication is passed.
  • The first determination module 520 includes: an acquiring unit, configured to acquire the pre-created user-related data corresponding to the user identification information according to the user identification information of the first user, where the user-related data includes at least a user category and target login authority information, and the target login authority information includes at least one of the following: the server identification information of at least one first server to which the second user has the right to log in, the authority time corresponding to each first server, and the first login password and second login password corresponding to each first server; and a first determination unit, configured to determine the user category of the first user based on the user-related data.
  • The server login device further includes: an acquisition module, configured to acquire the user-related data corresponding to the first user; a creation and storage module, configured to create and store the first correspondence between the user-related data and the user identification information; and a first sending module, configured to send the user identification information and the first login password corresponding to each first server to the first user, so that the first user initiates a login request to the corresponding server based on the user identification information and the first login password.
  • The first execution module 530 includes an execution unit, configured to acquire the target login authority information in the user-related data that matches the user category of the first user; or to determine the target login authority information that matches the user category of the first user according to the second correspondence, pre-created in the authentication center, between each user category and login authority information.
  • The server login device further includes: a second receiving module, configured to receive an update request for performing an update operation on the target login authority information, where the update operation includes at least one of the following: an operation of adding the server identification information of a second server, an operation of deleting the server identification information of a first server, an operation of modifying the authority time, and an operation of modifying the first login password and the second login password; and a second execution module, configured to perform the corresponding update operation on the target login authority information according to the update request.
  • The server login device further includes: a second determination module, configured to determine the changed user category if it is monitored that the user category in the user-related data changes, and to determine the login authority information corresponding to the third user of the changed user category; and an updating module, configured to update the target login authority information in the user-related data to the login authority information corresponding to the third user.
  • The first execution module 530 includes: a first judging unit, configured to judge whether the following conditions are met: the server identification information of the at least one first server includes the server identification information of the target server, and the reception time of the login request is within the authority time; and a second determination unit, configured to determine that the first authority authentication is passed if the conditions are met.
  • The server login device further includes: an authentication module, configured to authenticate the second authority of the target server to obtain the user-related data based on the user identification information and the corresponding user-related data; a second sending module, configured to send the user-related data to the target server if the second authority authentication is passed, so that the target server can determine whether the first user is a legal user based on the user-related data; and a third execution module, configured to perform the step of authenticating the first authority of the first user to log in to the target server if the first user is determined to be a legal user.
  • Through the server login device, the authentication center determines the user category of the first user according to the login request of the first user for the target server sent by the target server, authenticates the first authority of the first user to log in to the target server based on that user category, and, when the first authority authentication is passed, returns the second login password corresponding to the target server to the target server, so that the target server judges according to the first login password and the second login password whether to allow the first user to log in to the target server. It can be seen that, through the interaction between the target server and the authentication center, the second login password corresponding to the target server can be obtained from the authentication center to log in to the target server without storing user-related data in each server.
  • Compared with the traditional way in which each server creates and stores the user-related data itself, this effectively relieves the data storage pressure on the servers, especially when the user needs to log in to multiple servers, since there is no need to repeatedly create the user-related data of the same user on each server; information redundancy is avoided and server storage resources are saved.
  • Moreover, authenticating and controlling the authority of users to log in to servers according to user category is realized; compared with the traditional way of managing authority information individually for each user, the device makes the management and control of server login authority more convenient and more effective.
  • The server login device can be used to implement the server login method performed by the authentication center described above; its detailed description is similar to that in the foregoing method part and is not repeated here.
  • FIG. 6 is a schematic structural diagram of a server login device according to an embodiment of the present application.
  • the server login device includes: a third receiving module 610, configured to receive a login request of a first user for a target server, where the login request includes the user identification information of the first user, the server identification information of the target server, and the first login password used to log in to the target server; a forwarding module 620, configured to forward the login request to the authentication center, where the authentication center is configured to determine the user category of the first user according to the user identification information of the first user and to authenticate, based on the user category of the first user, the first authority of the first user to log in to the target server; and a fourth execution module 630, configured to receive the second login password corresponding to the target server sent by the authentication center and to judge whether the first login password and the second login password match.
  • the server login apparatus further includes: a fourth receiving module, configured to receive user-related data sent by the authentication center, where the user-related data includes the user category of the first user and the target login authority information corresponding to a second user belonging to that user category, and the target login authority information includes at least one of the following: server identification information of at least one first server to which the second user has the right to log in, the authority time corresponding to each first server, and the first login password and second login password corresponding to each first server; a judging module, configured to judge whether the first user is a legal user based on the login request and the user-related data; and a fifth execution module, configured to perform the step of receiving the second login password corresponding to the target server sent by the authentication center if the first user is a legal user.
  • the judging module includes: a second judging unit, configured to judge whether the following conditions are met: the server identification information of the at least one first server includes the server identification information of the target server, and the receiving time of the login request is within the authority time; and a third determining unit, configured to determine that the first user is a legal user if both conditions are met.
  • Through the server login device, the target server receives the login request of the first user for the target server, forwards the login request to the authentication center, receives the second login password corresponding to the target server sent by the authentication center, judges whether the first login password matches the second login password, and determines according to the judgment result whether the first user is allowed to log in to the target server. It can be seen that, through the interaction between the target server and the authentication center, the second login password corresponding to the target server can be obtained from the authentication center to log in to the target server without storing user-related data in each server.
  • The server login device can be used to implement the server login method performed by the target server described above; its detailed description is similar to that in the foregoing method part and is not repeated here.
  • an embodiment of the present application further provides a server login device, as shown in FIG. 7 .
  • the server login device may vary greatly with configuration or performance, and may include one or more processors 701 and a memory 702; the memory 702 may store one or more application programs or data, and may be short-term storage or persistent storage.
  • the application program stored in the memory 702 may include one or more modules (not shown), and each module may include a series of computer-executable instructions for the server login device. Further, the processor 701 may be arranged to communicate with the memory 702 and execute the series of computer-executable instructions in the memory 702 on the server login device.
  • the server login device may also include one or more power supplies 703, one or more wired or wireless network interfaces 704, one or more input and output interfaces 705, and one or more keyboards 706.
  • the server login device includes a memory and one or more programs, wherein the one or more programs are stored in the memory and may include one or more modules, each module including a series of computer-executable instructions for the server login device; the one or more programs are configured to be executed by the one or more processors and include computer-executable instructions for: receiving a login request, sent by a target server, of a first user for the target server, where the login request includes the user identification information of the first user, the server identification information of the target server, and the first login password used to log in to the target server; determining the user category of the first user according to the user identification information of the first user, where the user category includes at least one of user identity, user level, and the user group to which the user belongs; based on the user category of the first user, determining the target login authority information corresponding to a second user belonging to that user category, and authenticating, according to the target login authority information, the first authority of the first user to log in to the target server; and if the first authority authentication is passed, returning the second login password corresponding to the target server to the target server, so that the target server judges according to the first login password and the second login password whether to allow the first user to log in to the target server.
  • the computer-executable instructions, when executed, may further cause the processor to: obtain, according to the user identification information of the first user, pre-created user-related data corresponding to that user identification information, where the user-related data includes at least the user category and the target login authority information, and the target login authority information includes at least one of the following: server identification information of at least one first server to which the second user has the right to log in, the authority time corresponding to each first server, and the first login password and second login password corresponding to each first server; and determine the user category of the first user based on the user-related data.
  • the computer-executable instructions, when executed, may further cause the processor to: acquire user-related data corresponding to the first user; create and store a first correspondence between the user-related data and the user identification information; and send the user identification information and the first login password corresponding to each first server to the first user, so that the first user initiates a login request to the corresponding server based on the user identification information and the first login password.
  • the computer-executable instructions, when executed, may further cause the processor to: acquire the target login authority information in the user-related data that matches the user category of the first user; or determine the target login authority information that matches the user category of the first user according to a second correspondence, pre-created in the authentication center, between each user category and login authority information.
  • the computer-executable instructions, when executed, may further cause the processor to: receive an update request for performing an update operation on the target login authority information, where the update operation includes at least one of the following: adding the server identification information of a first server, deleting the server identification information of a first server, modifying the authority time, and modifying the first login password and the second login password; and perform the corresponding update operation on the target login authority information according to the update request.
  • the computer-executable instructions, when executed, may further cause the processor to: if a change of the user category in the user-related data is detected, determine the changed user category; determine the login authority information corresponding to a third user belonging to the changed user category; and update the target login authority information in the user-related data to the login authority information corresponding to the third user.
  • the computer-executable instructions, when executed, may further cause the processor to: determine whether the following conditions are met: the server identification information of the at least one first server includes the server identification information of the target server, and the receiving time of the login request is within the authority time; and if so, determine that the first authority authentication is passed.
  • the computer-executable instructions, when executed, may further cause the processor to: authenticate the second authority of the target server to obtain the user-related data, based on the user identification information and the corresponding user-related data; if the second authority authentication is passed, send the user-related data to the target server, so that the target server can determine whether the first user is a legal user based on the user-related data; and if the first user is a legal user, perform the step of authenticating the first authority of the first user to log in to the target server.
  • Moreover, authenticating and controlling the authority of users to log in to servers according to user category is realized; compared with the traditional way of managing authority information individually for each user, the device makes the management and control of server login authority more convenient and more effective.
  • an embodiment of the present application further provides a server login device, as shown in FIG. 8 .
  • the server login device may vary greatly with configuration or performance, and may include one or more processors 801 and a memory 802; the memory 802 may store one or more application programs or data, and may be short-term storage or persistent storage.
  • the application program stored in the memory 802 may include one or more modules (not shown), and each module may include a series of computer-executable instructions for the server login device. Further, the processor 801 may be arranged to communicate with the memory 802 and execute the series of computer-executable instructions in the memory 802 on the server login device.
  • the server login device may also include one or more power supplies 803, one or more wired or wireless network interfaces 804, one or more input and output interfaces 805, and one or more keyboards 806.
  • the server login device includes a memory and one or more programs, wherein the one or more programs are stored in the memory and may include one or more modules, each module including a series of computer-executable instructions for the server login device; the one or more programs are configured to be executed by the one or more processors and include computer-executable instructions for: receiving a login request of a first user for the target server, where the login request includes the user identification information of the first user, the server identification information of the target server, and the first login password used to log in to the target server; forwarding the login request to the authentication center, where the authentication center is configured to determine the user category of the first user according to the user identification information of the first user and to authenticate, based on the user category of the first user, the first authority of the first user to log in to the target server; receiving the second login password corresponding to the target server sent by the authentication center, and judging whether the first login password and the second login password match, where the second login password is sent to the target server by the authentication center after the first authority authentication is passed; and determining according to the judgment result whether to allow the first user to log in to the target server.
  • the computer-executable instructions, when executed, may further cause the processor to: receive user-related data sent by the authentication center, where the user-related data includes the user category of the first user and the target login authority information corresponding to a second user belonging to that user category, and the target login authority information includes at least one of the following: server identification information of at least one first server to which the second user has the right to log in, the authority time corresponding to each first server, and the first login password and second login password corresponding to each first server; determine whether the first user is a legal user based on the login request and the user-related data; and if the first user is a legal user, perform the step of receiving the second login password corresponding to the target server sent by the authentication center.
  • the computer-executable instructions, when executed, may further cause the processor to: determine whether the following conditions are met: the server identification information of the at least one first server includes the server identification information of the target server, and the receiving time of the login request is within the authority time; and if so, determine that the first user is a legal user.
  • Through the server login device, the target server receives the login request of the first user for the target server, forwards the login request to the authentication center, receives the second login password corresponding to the target server sent by the authentication center, judges whether the first login password matches the second login password, and determines according to the judgment result whether the first user is allowed to log in to the target server. It can be seen that, through the interaction between the target server and the authentication center, the second login password corresponding to the target server can be obtained from the authentication center to log in to the target server without storing user-related data in each server.
  • An embodiment of the present application also provides a computer-readable storage medium storing one or more programs; the one or more programs include instructions which, when executed by a server login device including multiple application programs, cause the server login device to execute each process of the foregoing server login method embodiments and achieve the same technical effect. To avoid repetition, details are not described here.

Abstract

Disclosed are a server login method, system and device. The method comprises: receiving a login request, sent by a target server, of a first user for the target server; determining a user category of the first user according to user identification information of the first user, so as to determine target login authority information corresponding to a second user belonging to that user category, and authenticating a first authority of the first user to log in to the target server; and, if the authentication is passed, returning to the target server a second login password corresponding to the target server.

Description

Server login method, system and device
Cross reference
This application claims priority to the Chinese patent application with application number 202010787009.7, entitled "Server Login Method, System and Device", filed with the China Patent Office on August 7, 2019; the entire contents of that application are incorporated herein by reference.
Technical field
The present application relates to the technical field of information security, and in particular to a server login method, system and device.
Background
At present, when a user logs in to a server, the user generally interacts with the server, which verifies whether the user can log in according to user-related data stored in its local files, such as the user's uid (user identity), gid (group identity), home directory path, login public key and server login authority. However, since the servers are independent of each other, when a user needs to log in to multiple servers, the above user-related data must be created on each of those servers. When the user wants to log in to a certain server, that server verifies, according to the user-related data, whether the user has the authority to log in. This not only causes information redundancy and heavy data storage pressure on the servers, but also makes it inconvenient to manage the user's server login authority.
As for the management of the user's server login authority, in the prior art, since corresponding user-related data is created separately for each user, changing a user's login authority to a server requires changing the server login authority corresponding to that user that is stored on that server. If a user's login authority to multiple servers needs to be changed at the same time, the server login authority corresponding to that user must be changed on each of those servers separately. Obviously, this way of managing login authority is not only labour-intensive but also inefficient, and it is even harder to meet the needs of application scenarios with many users and many servers.
Summary of the invention
Embodiments of the present application provide a server login method, system and device, to solve the problems in the prior art that storing and managing users' login authority information on the servers causes heavy data storage pressure on the servers and poor management and control of the login authority information.
To solve the above technical problems, the embodiments of the present application are implemented as follows.
In one aspect, one or more embodiments of this specification provide a server login method applied to an authentication center, including: receiving a login request, sent by a target server, of a first user for the target server, where the login request includes the user identification information of the first user, the server identification information of the target server, and a first login password for logging in to the target server; determining the user category of the first user according to the user identification information of the first user, where the user category includes at least one of user identity, user level, and the user group to which the user belongs; based on the user category of the first user, determining target login authority information corresponding to a second user belonging to that user category, and authenticating, according to the target login authority information, the first authority of the first user to log in to the target server; and if the first authority authentication is passed, returning to the target server a second login password corresponding to the target server, so that the target server judges according to the first login password and the second login password whether to allow the first user to log in to the target server.
In another aspect, an embodiment of the present application provides a server login method applied to a target server, including: receiving a login request of a first user for the target server, where the login request includes the user identification information of the first user, the server identification information of the target server, and a first login password for logging in to the target server; forwarding the login request to an authentication center, where the authentication center is configured to determine the user category of the first user according to the user identification information of the first user and to authenticate, based on the user category of the first user, the first authority of the first user to log in to the target server; receiving a second login password corresponding to the target server sent by the authentication center, and judging whether the first login password and the second login password match, where the second login password is sent to the target server by the authentication center after the first authority authentication is passed; and determining according to the judgment result whether to allow the first user to log in to the target server.
In yet another aspect, an embodiment of the present application provides a server login system including a target server and an authentication center. The target server is configured to receive a login request of a first user for the target server and forward the login request to the authentication center, where the login request includes the user identification information of the first user, the server identification information of the target server, and a first login password for logging in to the target server. The authentication center is configured to receive the login request sent by the target server; determine the user category of the first user according to the user identification information of the first user; based on the user category of the first user, determine target login authority information corresponding to a second user belonging to that user category, and authenticate, according to the target login authority information, the first authority of the first user to log in to the target server; and if the first authority authentication is passed, return to the target server a second login password corresponding to the target server. The target server is further configured to receive the second login password corresponding to the target server sent by the authentication center, judge whether the first login password and the second login password match, and determine according to the judgment result whether to allow the first user to log in to the target server.
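As an added example (not code from the patent or the applicant), the following Python model shows the exchange described in the aspects above: a target server that stores no user-related data forwards the login request, the authentication center performs the first authority check keyed on user category (target server among the category's first servers, request received within the authority time) and returns the second login password, and the target server compares it with the first login password. It also exercises the update operations and the user-category change described in the device embodiments. All user ids, server ids, passwords and times are constructed sample values.

```python
import hmac
from dataclasses import dataclass
from datetime import datetime

# Constructed sample times: one inside the authority window, one after it.
SAMPLE_NOW = datetime(2020, 6, 1)
SAMPLE_EXPIRED = datetime(2021, 1, 1)


@dataclass
class ServerAuthority:
    """Target login authority information for one first server (constructed)."""
    server_id: str
    valid_from: datetime      # start of the authority time
    valid_until: datetime     # end of the authority time
    first_password: str       # handed to the user when the user-related data is created
    second_password: str      # kept by the authentication center; equals the first for a valid pair


class AuthenticationCenter:
    """Holds user-related data keyed on user category instead of per server."""

    def __init__(self):
        self.users = {}               # user identification -> user category
        self.category_authority = {}  # user category -> {server id: ServerAuthority}
        self.trusted_servers = set()  # target servers that pass the second authority check

    def create_user(self, user_id, category):
        """First correspondence (user id -> user-related data); returns the first
        login passwords handed to the user, one per first server of the category."""
        self.users[user_id] = category
        return {sid: a.first_password
                for sid, a in self.category_authority.get(category, {}).items()}

    def set_authority(self, category, authority):
        """Update operation: add or modify the authority for one first server."""
        self.category_authority.setdefault(category, {})[authority.server_id] = authority

    def revoke_authority(self, category, server_id):
        """Update operation: delete the server identification information."""
        self.category_authority.get(category, {}).pop(server_id, None)

    def change_user_category(self, user_id, new_category):
        """User category change: the user's authority now follows the new category."""
        if user_id in self.users:
            self.users[user_id] = new_category

    def first_authority_check(self, request, now):
        """Return the second login password if the first authority check passes, else None."""
        server_id = request["server_id"]
        if server_id not in self.trusted_servers:
            return None        # second authority check: unknown target server
        category = self.users.get(request["user_id"])
        if category is None:
            return None        # no user-related data for this user id
        authority = self.category_authority.get(category, {}).get(server_id)
        if authority is None:
            return None        # target server is not among the category's first servers
        if not authority.valid_from <= now <= authority.valid_until:
            return None        # login request received outside the authority time
        return authority.second_password


class TargetServer:
    """Stores no user-related data; forwards the request and compares passwords."""

    def __init__(self, server_id, center):
        self.server_id = server_id
        self.center = center

    def login(self, user_id, first_password, now):
        request = {"user_id": user_id, "server_id": self.server_id,
                   "first_password": first_password}
        second = self.center.first_authority_check(request, now)
        if second is None:
            return False
        # constant-time comparison of the first and second login passwords
        return hmac.compare_digest(first_password.encode(), second.encode())


def build_demo():
    """Constructed sample deployment: two categories, two servers, one user."""
    center = AuthenticationCenter()
    center.trusted_servers.update({"srv-a", "srv-b"})
    start, end = datetime(2020, 1, 1), datetime(2020, 12, 31)
    center.set_authority("ops", ServerAuthority("srv-a", start, end, "ops-a-secret", "ops-a-secret"))
    center.set_authority("dev", ServerAuthority("srv-b", start, end, "dev-b-secret", "dev-b-secret"))
    center.create_user("alice", "ops")
    return center, TargetServer("srv-a", center), TargetServer("srv-b", center)


if __name__ == "__main__":
    center, srv_a, srv_b = build_demo()
    print(srv_a.login("alice", "ops-a-secret", SAMPLE_NOW))      # True
    print(srv_b.login("alice", "ops-a-secret", SAMPLE_NOW))      # False: ops has no authority on srv-b
    center.change_user_category("alice", "dev")
    print(srv_b.login("alice", "dev-b-secret", SAMPLE_NOW))      # True: authority follows the new category
```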
再一方面,本申请实施例提供一种服务器登录装置,包括:第一接收模块,用于接收目标服务器发送的、第一用户针对所述目标服务器的登录请求;所述登录请求包括所述第一用户的用户标识信息、所述目标服务器的服务器标识信息和用于登录所述目标服务器的第一登录密码;第一确定模块,用于根据所述第一用户的用户标识信息,确定所述第一用户的用户类别;所述用户类别包括用户身份、用户等级、所属用户组中的至少一项;第一执行模块,用于基于所述第一用户的用户类别,确定属于所述用户类别的第二用户对应的目标登录权限信息,并根据所述目标登录权限信息,对所述第一用户登录所述目标服务器的第一权限进行认证;返回模块,用于若所述第一权限认证通过,则向所述目标服务器返回与所述目标服务器对应的第二登录密码,以使所述目标服务器根据所述第一登录密码及所述第二登录密码判断是否允许所述第一用户登录所述目标服务器。In another aspect, an embodiment of the present application provides a server login device, including: a first receiving module, configured to receive a login request sent by a target server and sent by a first user to the target server; the login request includes the first receiving module. User identification information of a user, server identification information of the target server, and a first login password for logging in to the target server; a first determining module, configured to determine the first user according to the user identification information of the first user The user category of the first user; the user category includes at least one of a user identity, a user level, and a user group to which he belongs; a first execution module, configured to determine the user category belonging to the user category based on the user category of the first user the target login authority information corresponding to the second user, and authenticate the first authority of the first user to log in to the target server according to the target login authority information; a return module is used to authenticate if the first authority If passed, return the second login password corresponding to the target server to the target server, so that the target server determines whether to allow the first user to log in according to the first login password and the second login password the target server.
再一方面,本申请实施例提供一种服务器登录装置,包括:第三接收模块,用于接收第一用户针对目标服务器的登录请求;所述登录请求包括所述 第一用户的用户标识信息、所述目标服务器的服务器标识信息和用于登录所述目标服务器的第一登录密码;转发模块,用于将所述登录请求转发至认证中心;所述认证中心用于根据所述第一用户的用户标识信息,确定所述第一用户的用户类别,并基于所述第一用户的用户类别对所述第一用户登录所述目标服务器的第一权限进行认证;第四执行模块,用于接收所述认证中心发送的与所述目标服务器对应的第二登录密码,并判断所述第一登录密码和所述第二登录密码是否相匹配;所述第二登录密码由所述认证中心对所述第一权限认证通过后发送至所述目标服务器;第四确定模块,用于根据判断结果确定是否允许所述第一用户登录所述目标服务器。In another aspect, an embodiment of the present application provides a server login device, including: a third receiving module configured to receive a login request from a first user to a target server; the login request includes user identification information of the first user, The server identification information of the target server and the first login password used to log in to the target server; the forwarding module is used to forward the login request to the authentication center; the authentication center is used to User identification information, determine the user category of the first user, and authenticate the first permission of the first user to log in to the target server based on the user category of the first user; the fourth execution module is used to receive The authentication center sends the second login password corresponding to the target server, and judges whether the first login password matches the second login password; the second login password is checked by the authentication center for all users. After the first authority authentication is passed, it is sent to the target server; the fourth determination module is configured to determine whether to allow the first user to log in to the target server according to the judgment result.
In yet another aspect, an embodiment of the present application provides a server login device, including: a processor; and a memory arranged to store computer-executable instructions which, when executed, cause the processor to: receive a login request of a first user for a target server, the request being sent by the target server, where the login request includes user identification information of the first user, server identification information of the target server, and a first login password for logging in to the target server; determine a user category of the first user according to the user identification information of the first user, where the user category includes at least one of a user identity, a user level, and a user group to which the user belongs; determine, based on the user category of the first user, target login authority information corresponding to a second user belonging to that user category, and authenticate, according to the target login authority information, a first authority of the first user to log in to the target server; and, if the first authority authentication passes, return to the target server a second login password corresponding to the target server, so that the target server determines, according to the first login password and the second login password, whether to allow the first user to log in to the target server.
In yet another aspect, an embodiment of the present application provides a server login device, including: a processor; and a memory arranged to store computer-executable instructions which, when executed, cause the processor to: receive a login request of a first user for a target server, where the login request includes user identification information of the first user, server identification information of the target server, and a first login password for logging in to the target server; forward the login request to an authentication center, where the authentication center is configured to determine a user category of the first user according to the user identification information of the first user and to authenticate, based on the user category of the first user, a first authority of the first user to log in to the target server; receive a second login password corresponding to the target server sent by the authentication center, and judge whether the first login password and the second login password match, where the second login password is sent to the target server by the authentication center after the first authority authentication passes; and determine, according to the judgment result, whether to allow the first user to log in to the target server.
In yet another aspect, an embodiment of the present application provides a storage medium for storing computer-executable instructions which, when executed, implement the following process: receiving a login request of a first user for a target server, the request being sent by the target server, where the login request includes user identification information of the first user, server identification information of the target server, and a first login password for logging in to the target server; determining a user category of the first user according to the user identification information of the first user, where the user category includes at least one of a user identity, a user level, and a user group to which the user belongs; determining, based on the user category of the first user, target login authority information corresponding to a second user belonging to that user category, and authenticating, according to the target login authority information, a first authority of the first user to log in to the target server; and, if the first authority authentication passes, returning to the target server a second login password corresponding to the target server, so that the target server determines, according to the first login password and the second login password, whether to allow the first user to log in to the target server.
In yet another aspect, an embodiment of the present application provides a storage medium for storing computer-executable instructions which, when executed, implement the following process: receiving a login request of a first user for a target server, where the login request includes user identification information of the first user, server identification information of the target server, and a first login password for logging in to the target server; forwarding the login request to an authentication center, where the authentication center is configured to determine a user category of the first user according to the user identification information of the first user and to authenticate, based on the user category of the first user, a first authority of the first user to log in to the target server; receiving a second login password corresponding to the target server sent by the authentication center, and judging whether the first login password and the second login password match, where the second login password is sent to the target server by the authentication center after the first authority authentication passes; and determining, according to the judgment result, whether to allow the first user to log in to the target server.
By adopting the technical solution of the embodiments of the present application, the authentication center determines the user category of the first user according to the login request of the first user for the target server, which is sent by the target server, authenticates the first authority of the first user to log in to the target server based on that user category, and, when the first authority authentication passes, returns to the target server the second login password corresponding to the target server, so that the target server determines, according to the first login password and the second login password, whether to allow the first user to log in to the target server. It can be seen that, through the interaction between the target server and the authentication center, login to the target server is achieved simply by obtaining from the authentication center the second login password corresponding to the target server, without storing user-related data on each server. Compared with the traditional approach in which each server creates and stores user-related data, this effectively relieves the data storage pressure on the servers; in particular, when a user needs to log in to multiple servers, the same user's user-related data need not be created repeatedly on each server, which avoids information redundancy and saves server storage resources. Moreover, by authenticating a user's authority to log in to a server according to the user category, the authority of users to log in to servers is authenticated and controlled per user category; compared with the traditional approach of managing authority information for each individual user, this technical solution makes control of server login authority more convenient and more effective.
Further, when a user's authority information for logging in to servers needs to be changed, this technical solution only requires changing the user category to which the user belongs in the user-related data, or changing the authority information corresponding to that user category, rather than changing each user's personal information and authority information individually, which makes control of server login authority more flexible and faster.
Description of drawings
In order to explain the embodiments of the present application or the technical solutions in the prior art more clearly, the drawings required for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some of the embodiments recorded in the present application; those of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
FIG. 1 is a schematic architecture diagram of a server login system provided by an embodiment of the present application.
FIG. 2 is a schematic flowchart of a server login method provided by an embodiment of the present application.
FIG. 3 is a schematic flowchart of a server login method provided by another embodiment of the present application.
FIG. 4 is a schematic flowchart of a server login method provided by another embodiment of the present application.
FIG. 5 is a schematic structural diagram of a server login apparatus provided by an embodiment of the present application.
FIG. 6 is a schematic structural diagram of a server login apparatus provided by another embodiment of the present application.
FIG. 7 is a schematic diagram of the hardware structure of a server login device provided by an embodiment of the present application.
FIG. 8 is a schematic diagram of the hardware structure of a server login device provided by another embodiment of the present application.
Detailed description
Embodiments of the present application provide a server login method, system and apparatus, intended to solve the problems in the prior art that storing and managing users' login authority information on servers places heavy data storage pressure on the servers and yields poor control over login authority information.
In order for those skilled in the art to better understand the technical solutions in the embodiments of the present application, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings of the embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of this specification. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of the present application without creative effort shall fall within the protection scope of the embodiments of the present application.
FIG. 1 is a schematic architecture diagram of a server login system according to an embodiment of the present application. As shown in FIG. 1, the server login system includes a server set and an authentication center 120; the server set includes a plurality of servers 110, each of which is connected to the authentication center 120 over a network. The target server 110 that a user wants to log in to may be any server 110 in the server set.
In this embodiment, the target server 110 is configured to receive a login request of a first user for the target server 110 and to forward the login request to the authentication center 120.
In this embodiment, the authentication center 120 is configured to receive the login request sent by the target server 110, determine the user category of the first user according to the user identification information of the first user, determine, based on that user category, the target login authority information corresponding to the second user belonging to that user category, and authenticate, according to the target login authority information, the first authority of the first user to log in to the target server 110; if the first authority authentication passes, it returns to the target server 110 the second login password corresponding to the target server 110.
In this embodiment, the target server 110 is further configured to receive the second login password corresponding to the target server 110 sent by the authentication center 120, judge whether the first login password and the second login password match, and determine, according to the judgment result, whether to allow the first user to log in to the target server 110.
The operations performed by the authentication center 120 and by the target server 110 of the server login system while a user requests to log in to a server are described separately below.
FIG. 2 is a schematic flowchart of a server login method according to an embodiment of the present application, applied to the authentication center shown in FIG. 1. The method of FIG. 2 may include:
S202: Receive a login request of a first user for a target server, sent by the target server.
The login request includes user identification information of the first user, server identification information of the target server, and a first login password for logging in to the target server.
In this embodiment, the user identification information of the first user may be any information that identifies the user, for example, the first user's uid, gid or user name. The server identification information of the target server may be the server name of the target server, for example, server X or server Y. The first login password for logging in to the target server may be a unique password issued by the authentication center and corresponding to the target server; different servers correspond to different first login passwords.
S204: Determine the user category of the first user according to the user identification information of the first user.
The user category includes the user identity, the user level, the user group to which the user belongs, and the like.
In this embodiment, the user identity may include the user's social identity, for example, student, employee or teacher. The user level may include the user's authority level, for example, junior, level one or advanced. The user group may include the work group, study group or family group to which the user belongs.
S206: Based on the user category of the first user, determine the target login authority information corresponding to the second user belonging to that user category, and authenticate, according to the target login authority information, the first authority of the first user to log in to the target server.
The second user includes all users belonging to a given user category; that is, the term "second user" denotes a class of users.
The target login authority information includes the server identification information of at least one first server that the second user is authorized to log in to, the permission time corresponding to each first server, the first login password and the second login password corresponding to each first server, and the like.
For example, the server identification information of the first servers that the second user is authorized to log in to may include server X, server Y and server Z. The permission time corresponding to each first server may include the permission time for server X (e.g., authority expiry: May 2020), the permission time for server Y (e.g., authority expiry: December 2020) and the permission time for server Z (e.g., authority expiry: November 2020).
In this embodiment, the login authority information corresponding to different user categories may be the same or different. For example, different user identities correspond to different login authority information, different user levels correspond to different login authority information, and different user groups correspond to the same or different login authority information.
The second login password is a password issued by the authentication center and corresponding to the target server. The first login password and the second login password may be the same password, or they may be a matching key pair. For example, if an asymmetric encryption algorithm is used to implement secure login to the target server, the first login password may be a private key and the second login password may be the public key matching it.
S208: If the first authority authentication passes, return to the target server the second login password corresponding to the target server, so that the target server determines, according to the first login password and the second login password, whether to allow the first user to log in to the target server.
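Steps S202 to S208 on the authentication center side, together with the forwarding and password comparison the target server performs in the system of FIG. 1, modelled end to end as an added example; this is not code from the patent. The user ids, categories, server names, expiry dates and passwords are constructed placeholders. It implements the same-password variant of S206 and assumes, as a design choice the patent does not specify, that the authentication center stores and returns a PBKDF2 hash of the second login password (salted with the server identification) rather than the clear password, and that the target server compares the hashes in constant time.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import date
from typing import Dict, Optional, Tuple


def hash_password(password: str, server_id: str) -> str:
    """Stored form of a login password: PBKDF2-SHA256 salted with the server id.

    Assumption of this example: the patent only requires the first and second
    login passwords to match; hashing keeps the clear second password inside the
    authentication center.
    """
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), server_id.encode(), 100_000)
    return digest.hex()


@dataclass(frozen=True)
class ServerAuthority:
    """One first server a user category may log in to: permission time and password."""
    expires: date            # permission expiry time of this server
    second_password: str     # hashed second login password for this server


# Constructed sample data (placeholders, not values from the patent).
# user identification information -> user category (the user identity is used here)
USER_CATEGORIES: Dict[str, str] = {"alice": "staff", "bob": "student"}
# user category -> target login authority information of the "second user"
CATEGORY_AUTHORITY: Dict[str, Dict[str, ServerAuthority]] = {
    "staff": {
        "serverX": ServerAuthority(date(2020, 5, 31), hash_password("pw-X", "serverX")),
        "serverY": ServerAuthority(date(2020, 12, 31), hash_password("pw-Y", "serverY")),
    },
    "student": {
        "serverZ": ServerAuthority(date(2020, 11, 30), hash_password("pw-Z", "serverZ")),
    },
}


class AuthenticationCenter:
    """Steps S202-S208 as executed by the authentication center."""

    def __init__(self, user_categories: Dict[str, str],
                 category_authority: Dict[str, Dict[str, ServerAuthority]]):
        self.user_categories = user_categories
        self.category_authority = category_authority

    def handle_login_request(self, request: dict, today: date) -> Tuple[Optional[str], str]:
        # S202: the forwarded request carries user id, server id and the first
        # login password (the password is carried along but only the target
        # server compares it in this example).
        user_id, server_id = request["user_id"], request["server_id"]
        # S204: user identification information -> user category
        category = self.user_categories.get(user_id)
        if category is None:
            return None, "unknown user"
        # S206: category -> target login authority; the target server must be one
        # of the first servers and its permission time must not have passed.
        entry = self.category_authority.get(category, {}).get(server_id)
        if entry is None:
            return None, "no login authority for this server"
        if today > entry.expires:
            return None, "login authority expired"
        # S208: first authority authentication passed, return the second password
        return entry.second_password, "ok"


class TargetServer:
    """The target server: forwards the request, then compares the two passwords."""

    def __init__(self, server_id: str, center: AuthenticationCenter):
        self.server_id = server_id
        self.center = center

    def login(self, user_id: str, first_password: str, today: date) -> Tuple[bool, str]:
        request = {"user_id": user_id, "server_id": self.server_id,
                   "first_password": first_password}
        second_password, reason = self.center.handle_login_request(request, today)
        if second_password is None:
            return False, reason
        # Both values are hex digests of equal length; compare in constant time.
        first_hashed = hash_password(first_password, self.server_id)
        if hmac.compare_digest(first_hashed, second_password):
            return True, "login allowed"
        return False, "login password mismatch"


def demo(today: date = date(2020, 6, 1)) -> Dict[str, Tuple[bool, str]]:
    """Five login attempts covering the accept and each reject path."""
    center = AuthenticationCenter(USER_CATEGORIES, CATEGORY_AUTHORITY)
    return {
        "alice_serverY": TargetServer("serverY", center).login("alice", "pw-Y", today),
        "alice_serverX_expired": TargetServer("serverX", center).login("alice", "pw-X", today),
        "alice_serverZ_no_authority": TargetServer("serverZ", center).login("alice", "pw-Z", today),
        "bob_serverZ_wrong_password": TargetServer("serverZ", center).login("bob", "nope", today),
        "unknown_user": TargetServer("serverY", center).login("mallory", "pw-Y", today),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The permission time check is the part of S206 that the text only names; an expired authority is rejected before any password material is returned, so the target server learns nothing about the second login password for a user who is no longer entitled to it.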
By adopting the technical solution of the embodiments of the present application, the authentication center determines the user category of the first user according to the login request of the first user for the target server, which is sent by the target server, authenticates the first authority of the first user to log in to the target server based on that user category, and, when the first authority authentication passes, returns to the target server the second login password corresponding to the target server, so that the target server determines, according to the first login password and the second login password, whether to allow the first user to log in to the target server. It can be seen that, through the interaction between the target server and the authentication center, login to the target server is achieved simply by obtaining from the authentication center the second login password corresponding to the target server, without storing user-related data on each server. Compared with the traditional approach in which each server creates and stores user-related data, this effectively relieves the data storage pressure on the servers; in particular, when a user needs to log in to multiple servers, the same user's user-related data need not be created repeatedly on each server, which avoids information redundancy and saves server storage resources. Moreover, by authenticating a user's authority to log in to a server according to the user category, the authority of users to log in to servers is authenticated and controlled per user category; compared with the traditional approach of managing authority information for each individual user, this technical solution makes control of server login authority more convenient and more effective.
Before receiving the login request of the first user for the target server sent by the target server, the authentication center may create and store in advance the correspondence between user-related data and user identification information, and may update the user-related data as circumstances require. The specific implementation is as follows.
In one embodiment, before receiving the login request of the first user for the target server sent by the target server, the authentication center may obtain the user-related data corresponding to the first user and create and store a first correspondence between the user-related data and the user identification information. After the first correspondence is created, the user identification information and the first login password corresponding to each first server may be sent to the first user, so that the first user can initiate a login request to the corresponding server based on the user identification information and the first login password.
The user-related data may include the user category of the first user and the target login authority information corresponding to the second user belonging to that user category. In one embodiment, the user-related data may further include home directory path information corresponding to the first user, so that the target server creates the first user's home directory according to that path information.
Since first login passwords correspond one-to-one to servers, the first user, in order to log in to a given server, needs to initiate a login request to that server based on the user identification information and the first login password corresponding to that server. Correspondingly, after receiving the login request of the first user for the target server sent by the target server, the authentication center can determine from the first login password carried in the login request which server the first user is requesting to log in to.
In this embodiment, when creating and storing the first correspondence between the user-related data and the user identification information, the authentication center may actively create and store the correspondence at a preset frequency, or, in response to a creation request initiated by a user, create and store the correspondence when triggered by that request.
In one embodiment, the authentication center may include multiple data interfaces; correspondingly, the first correspondence between a portion of the user-related data and the user identification information may be created and stored in each of the different data interfaces of the authentication center, so that the target server can call the different data interfaces of the authentication center with the user identification information and obtain the user-related data defined in each interface. The user-related data created by each data interface is detailed below.
In one embodiment, the authentication center includes at least four data interfaces: a query-user interface, a query-user-group interface, a query-user-password interface and a query-user-login-public-key interface. In these four RESTful (a software architecture style) data interfaces, which the authentication center provides and which are accessed over HTTPS, the first correspondence between each interface's portion of the user-related data and the user identification information can be created and stored respectively.
The query-user interface may define the first correspondence between the user identification information (e.g., name: user name) and the data in the user-related data that identifies the user. For example, the data identifying the user in the user-related data includes: name: user name / passwd: password / uid: monotonically increasing user ID (identity document) / gid: monotonically increasing group ID / gecos: user description / dir: user home directory path / shell: default shell path.
The query-user-group interface may define the first correspondence between the user identification information (e.g., name: user name) and the data in the user-related data that identifies the user's group. For example, the data identifying the user's group in the user-related data includes: name: group name / passwd: group password / gid: monotonically increasing group ID / members: users in the group.
The query-user-password interface may define the first correspondence between the user identification information (e.g., name: user name) and the data in the user-related data that relates to the user's password. For example, the data relating to the user's password includes: name: user name / passwd: encrypted password / last_change: time of the last password change / change_min_days: minimum interval between password changes / change_max_days: password validity period / change_warn_days: number of days of warning before the password must be changed / change_inactive_days: grace period in days after the password expires / expire_date: account expiry time / reserved: reserved field.
The query-user-login-public-key interface may define the first correspondence between the user identification information (e.g., name: user name) and the user's login public key in the user-related data (e.g., public_key: login public key).
In this embodiment, when obtaining user-related data from the authentication center, the user-related data defined in each data interface can be obtained by calling the corresponding data interface of the authentication center.
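The four data interfaces, seen from the target server's side, as an added example that is not part of the patent: a client that fetches a user's records from the query-user, query-user-group, query-user-password and query-user-login-public-key interfaces and renders them as the colon-separated lines a Linux server would keep in its passwd, group and shadow files plus an authorized_keys entry. The endpoint paths, the sample JSON responses (served from an in-memory table instead of HTTPS) and every value in them are constructed placeholders; the field names are the ones listed above. Because a record fetched from the network ends up in a colon- and newline-delimited local file, the client refuses any field containing those separators and checks that the returned record belongs to the user that was queried.

```python
import json
import re
from typing import Callable, Dict

# Assumed endpoint paths: the patent names the four interfaces but gives no URLs.
ENDPOINTS = {
    "user": "/api/user/{name}",
    "group": "/api/group/{name}",
    "shadow": "/api/shadow/{name}",
    "public_key": "/api/public_key/{name}",
}

# Constructed sample responses standing in for the HTTPS RESTful interfaces.
# Every value (uid, hash, key, ...) is a placeholder.
SAMPLE_RESPONSES: Dict[str, dict] = {
    "/api/user/alice": {"name": "alice", "passwd": "x", "uid": 10001, "gid": 10001,
                        "gecos": "Alice Example", "dir": "/home/alice",
                        "shell": "/bin/bash"},
    "/api/group/alice": {"name": "alice", "passwd": "x", "gid": 10001,
                         "members": ["alice", "bob"]},
    "/api/shadow/alice": {"name": "alice", "passwd": "$6$constructed$placeholderhash",
                          "last_change": 18400, "change_min_days": 0,
                          "change_max_days": 90, "change_warn_days": 7,
                          "change_inactive_days": 14, "expire_date": 18628,
                          "reserved": ""},
    "/api/public_key/alice": {"name": "alice",
                              "public_key": "ssh-ed25519 AAAAC3PLACEHOLDER alice@example"},
}


def offline_get(path: str) -> dict:
    """Stand-in for an HTTPS GET against the authentication center (returns a copy)."""
    return json.loads(json.dumps(SAMPLE_RESPONSES[path]))


_SAFE_NAME = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def _field(value) -> str:
    """Render one field; reject values that would break or extend the line format."""
    text = str(value)
    if ":" in text or "\n" in text:
        raise ValueError(f"unsafe field value: {text!r}")
    return text


class AuthCenterClient:
    """Target-server side: fetch a user's records and render the local file lines."""

    def __init__(self, get: Callable[[str], dict] = offline_get):
        self.get = get

    def _query(self, interface: str, name: str) -> dict:
        if not _SAFE_NAME.match(name):
            raise ValueError(f"invalid user identification: {name!r}")
        record = self.get(ENDPOINTS[interface].format(name=name))
        if record.get("name") != name:          # response must describe the queried user
            raise ValueError("record name does not match the queried user")
        return record

    def passwd_line(self, name: str) -> str:
        r = self._query("user", name)
        for key in ("uid", "gid"):
            if not isinstance(r[key], int) or r[key] < 0:
                raise ValueError(f"{key} must be a non-negative integer")
        return ":".join(_field(r[k]) for k in
                        ("name", "passwd", "uid", "gid", "gecos", "dir", "shell"))

    def group_line(self, name: str) -> str:
        r = self._query("group", name)
        members = [str(m) for m in r["members"]]
        if not all(_SAFE_NAME.match(m) for m in members):
            raise ValueError("invalid member name in group record")
        return ":".join([_field(r["name"]), _field(r["passwd"]),
                         _field(r["gid"]), ",".join(members)])

    def shadow_line(self, name: str) -> str:
        r = self._query("shadow", name)
        keys = ("name", "passwd", "last_change", "change_min_days", "change_max_days",
                "change_warn_days", "change_inactive_days", "expire_date", "reserved")
        return ":".join(_field(r[k]) for k in keys)

    def authorized_key(self, name: str) -> str:
        r = self._query("public_key", name)
        key = str(r["public_key"])
        if "\n" in key or not key.startswith(("ssh-", "ecdsa-")):
            raise ValueError("unexpected public key format")
        return key


def render_user(name: str, get: Callable[[str], dict] = offline_get) -> Dict[str, str]:
    """All four records for one user, as the lines the target server would write."""
    client = AuthCenterClient(get)
    return {
        "passwd": client.passwd_line(name),
        "group": client.group_line(name),
        "shadow": client.shadow_line(name),
        "authorized_keys": client.authorized_key(name),
    }


if __name__ == "__main__":
    for kind, line in render_user("alice").items():
        print(f"{kind}: {line}")
```

Injecting a different `get` callable is how the same client would be pointed at a real HTTPS endpoint; the validation in `_field` and `_query` is what protects the local files when that endpoint, or the path to it, returns something other than what was expected.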
In the above embodiment, the authentication center creates and stores the first correspondence between portions of the user-related data and the user identification information in different data interfaces, so that the target server can obtain the user-related data defined in each interface simply by calling the different data interfaces of the authentication center with the user identification information, which improves the accuracy of data interaction between the target server and the authentication center.
In one embodiment, after the first correspondence between the user-related data and the user identification information is created and stored, an update request for performing an update operation on the target login authority information in the user identification information may be received, and the corresponding update operation is performed on the target login authority information according to the update request.
The update operation includes adding the server identification information of a second server, deleting the server identification information of a first server, modifying the permission time, modifying the first login password and the second login password, and the like.
In this embodiment, by receiving an update request for performing an update operation on the target login authority information and performing the corresponding update operation on the target login authority information according to the update request, control over the user-related data is achieved and the accuracy of the user-related data stored in the authentication center is effectively guaranteed.
在一个实施例中,创建并存储用户相关数据与用户标识信息之间的第一对应关系之后,若监测到用户相关数据中的用户类别发生变化,则可确定变化后的用户类别,并确定属于变化后的用户类别的第三用户对应的登录权限信息,进而将用户相关数据中的目标登录权限信息更新为第三用户对应的登录权限信息。In one embodiment, after the first correspondence between the user-related data and the user identification information is created and stored, if a change in the user category in the user-related data is monitored, the changed user category can be determined, and it is determined that the user category belongs to the user category. The login authority information corresponding to the third user of the changed user category is updated, and the target login authority information in the user-related data is updated to the login authority information corresponding to the third user.
其中,第三用户包括属于变化后的用户类别的所有用户。Wherein, the third user includes all users belonging to the changed user category.
在本实施例中,能够实时监测到用户相关数据中的用户类别是否发生变化,并在用户类别发生变化时对用户相关数据中的目标登录权限信息进行相 应更新,从而确保对不同类别的用户所具有的登录权限信息的准确管控,防止用户类别变化后其对应的登录权限信息有误而影响用户登录服务器的情况。In this embodiment, whether the user category in the user-related data changes can be monitored in real time, and when the user category changes, the target login authority information in the user-related data is updated accordingly, so as to ensure that users of different categories are Accurate management and control of the login authority information it has to prevent users from logging into the server due to incorrect login authority information after the user category is changed.
After receiving the first user's login request for the target server, forwarded by the target server, the authentication center may authenticate the first user's login to the target server according to the information carried in the login request. The specific implementation is as follows.
In one embodiment, the pre-created user-related data corresponding to the user identification information may be obtained according to the user identification information of the first user, and the user category of the first user is determined based on the user-related data.
After the user category of the first user is determined, the second authority of the target server to obtain the user-related data may be authenticated based on the first user's login request for the target server and the target login authority information corresponding to the user category of the first user; if the second authority authentication passes, the user-related data is sent to the target server.
If the server identification information of the at least one first server in the target login authority information corresponding to the user category of the first user includes the server identification information of the target server, and the time at which the login request was received falls within the authority time, it is determined that the second authority authentication passes.
If it is detected that the authority time corresponding to the target server in the login authority information has expired (for example, the server identification information of the target server is server X, the authority expiry time corresponding to server X is May 2020, and the current authentication time is June 2020), it is determined that the second authority authentication fails. Thus, by setting an authority time in the login authority information, the user's authority to log in to a server is reclaimed automatically, and a user can be granted temporary authority to log in to a server.
In this embodiment, after the authentication center sends the user-related data to the target server, the target server may determine, based on the user-related data, whether the first user is a legitimate user. If the target server determines that the first user is a legitimate user, it may feed the determination result back to the authentication center, so that the authentication center performs the step of authenticating the first authority of the first user to log in to the target server.
The target server may feed the determination result back to the authentication center either by feeding back only the determination result, or by sending the first user's login request for the target server to the authentication center through an interface that the authentication center provides in advance for receiving data of legitimate users. That interface may be the query-user-login-public-key interface listed in the above embodiment.
When the designated data interface of the authentication center receives the first user's login request for the target server, forwarded by the target server, the authentication center may be triggered to authenticate the second authority of the target server to obtain the user-related data.
In one embodiment, the designated data interfaces of the authentication center may include the query-user interface, the query-user-group interface and the query-user-password interface listed in the above embodiment. If the first user and the target server use ssh (Secure Shell) for data transmission, then on receiving the first user's login request the target server triggers the sshd process to call the name resolution service nss, which looks up the first user's uid, gid, home directory path and other user-related data in the local files of the target server. If the lookup fails, a dynamic link library (a /usr/lib64/libnss_https.so dynamic link library is created for this purpose) sends the first user's login request for the target server over HTTPS to the query-user interface, the query-user-group interface and the query-user-password interface of the authentication center respectively, so as to trigger the authentication center to authenticate the second authority of the target server to obtain the user-related data and, when the authentication passes, to return the user-related data defined by each interface.
When another designated data interface of the authentication center receives the first user's login request for the target server, forwarded by the target server, the authentication center may be triggered to authenticate the first authority of the first user to log in to the target server; if the first authority authentication passes, the second login password corresponding to the target server is returned to the target server.
In one embodiment, the other designated data interface of the authentication center may be the query-user-login-public-key interface listed in the above embodiment, and the first user and the target server may use the ssh protocol for data transmission. When the target server receives the first user's login request, the sshd process is triggered to invoke a shell script through AuthorizedKeysCommand; the first user's login request is written into the shell script and passed over HTTPS to the query-user-login-public-key interface of the authentication center, so as to trigger the authentication center to authenticate the first authority of the first user to log in to the target server and, when the authentication passes, to return the second login password defined by the query-user-login-public-key interface.
For this, the following configuration may be added in advance to the target server's configuration file /etc/ssh/sshd_config: AuthorizedKeysCommand /bin/sh /usr/libexec/openssh/get_keys.sh %u. When the target server then receives the first user's login request, the sshd process is triggered to invoke the shell script through AuthorizedKeysCommand, and the shell script accesses the query-user-login-public-key interface of the authentication center.
In the above embodiment, the authentication center authenticates the second authority of the target server to obtain the user-related data according to the first user's login request for the target server and the target login authority information corresponding to the first user's user category, and sends the user-related data to the target server when the second authority authentication passes, so that the target server can determine, based on the user-related data, whether the first user is a legitimate user; if the target server determines that the first user is a legitimate user, the authentication center performs the step of authenticating the first authority of the first user to log in to the target server. Thus the above embodiment authenticates a user's authority to log in to a server according to the user category, so that login authority is authenticated and controlled per user category. Compared with the conventional approach of managing authority information separately for each individual user, this makes the control of server login authority more convenient and more effective.
According to the above embodiment, when the authority information for a user's login to a server needs to be changed, it suffices to change the user category to which the user belongs in the user-related data, or to change the authority information corresponding to that user category, without changing the personal information and authority information of each user separately. This makes the control of server login authority more flexible and faster.
In one embodiment, when the target login authority information corresponding to the second user belonging to the first user's user category is determined based on that user category, the target login authority information matching the first user's user category may be obtained from the user-related data; alternatively, it may be determined according to the second correspondence, pre-created in the authentication center, between each user category and its login authority information.
In one embodiment, the authentication center may obtain, based on the first user's user category, the user-related data corresponding to that user category, and thereby obtain the target login authority information recorded in the user-related data that matches the first user's user category.
In one embodiment, the authentication center may determine the target login authority information matching the first user's user category according to that user category and the second correspondence, pre-created in the authentication center, between each user category and its login authority information.
In this embodiment, the user's login authority information can be determined in several ways, which improves the flexibility of determining it.
In one embodiment, according to the first user's login request for the target server and the target login authority information corresponding to the first user's user category, it may be determined whether the server identification information of the at least one first server includes the server identification information of the target server and whether the time at which the login request was received falls within the authority time; if the server identification information of the at least one first server includes the server identification information of the target server and the login request was received within the authority time, it is determined that the first authority authentication passes.
In this embodiment, when the first authority of the first user to log in to the target server is authenticated, the result of the authority authentication is derived from several factors, which effectively improves the accuracy of the authentication result.
FIG. 3 is a schematic flowchart of a server login method according to another embodiment of the present application, applied to the target server shown in FIG. 1. The method of FIG. 3 may include:
S302: receive a login request from the first user for the target server.
The login request includes the user identification information of the first user, the server identification information of the target server, and the first login password used to log in to the target server.
The specific content of the login request in this step has been described in detail under S202 and is not repeated here.
S304: forward the login request to the authentication center.
The authentication center is used to determine the user category of the first user according to the first user's user identification information, and to authenticate, based on that user category, the first authority of the first user to log in to the target server.
S306: receive the second login password corresponding to the target server sent by the authentication center, and determine whether the first login password and the second login password match.
The second login password is sent to the target server by the authentication center after the first authority authentication has passed.
S308: determine, according to the result of that determination, whether to allow the first user to log in to the target server.
If the first login password and the second login password match, the first user is allowed to log in to the target server; if they do not match, the first user is not allowed to log in to the target server.
If the first login password and the second login password corresponding to the target server are the same password, the two are determined to match when they are identical, and to not match when they differ.
If the first login password and the second login password corresponding to the target server are a mutually matching key pair, the matching relationship of the key pair may be preset; the two are determined to match when they satisfy this matching relationship, and to not match when they do not.
In one embodiment, the target server may support the ssh protocol. When the target server decides to allow the first user to log in, the sshd process may be triggered to call the session module of the target server's PAM module, and the session module creates the first user's home directory based on the home directory path information corresponding to the first user in the user-related data, so as to store the first user's data.
With the technical solution of the embodiments of the present application, the target server receives the first user's login request for the target server, forwards the login request to the authentication center, receives the second login password corresponding to the target server sent by the authentication center, determines whether the first login password and the second login password match, and decides according to the result whether to allow the first user to log in to the target server. Thus, through the interaction between the target server and the authentication center, login to the target server is achieved simply by obtaining from the authentication center the second login password corresponding to the target server, without storing user-related data on each server. Compared with the conventional approach in which each server creates and stores the user-related data, this effectively relieves the storage pressure on the servers; in particular, when a user needs to log in to multiple servers, the same user's user-related data need not be created repeatedly on each server, which avoids information redundancy and saves server storage resources.
In one embodiment, before receiving the second login password corresponding to the target server sent by the authentication center, the user-related data sent by the authentication center may be received, and whether the first user is a legitimate user is determined based on the first user's login request for the target server and the user-related data; if the first user is a legitimate user, the step of receiving the second login password corresponding to the target server sent by the authentication center is performed.
In one embodiment, the target server may support the ssh protocol. When the target server receives the user-related data sent by the authentication center, the sshd process may be triggered to call the auth interface of the target server's PAM module to verify the legitimacy of the first user's account, for example whether the first user's user identification information and first login password are correct, and to call the account interface of the target server's PAM module to verify the servers the first user is entitled to log in to and the authority time corresponding to each server.
In this embodiment, the user-related data sent by the authentication center is received, whether the first user is a legitimate user is determined based on the first user's login request for the target server and the user-related data, and the step of receiving the second login password corresponding to the target server sent by the authentication center is performed only when the first user is determined to be legitimate. Because multiple verifications are carried out, the security of the data exchange during the user's login to the server is effectively ensured.
In one embodiment, when determining whether the first user is a legitimate user based on the first user's login request for the target server and the user-related data, it may be determined whether the server identification information of the at least one first server includes the server identification information of the target server and whether the time at which the login request was received falls within the authority time; if the server identification information of the at least one first server includes the server identification information of the target server and the login request was received within the authority time, it is determined that the first user is a legitimate user.
In this embodiment, the user's legitimacy is determined from several factors (whether the server identification information of the at least one first server includes the server identification information of the target server, and whether the login request was received within the authority time), and the first user is determined to be a legitimate user when the server identification information of the at least one first server includes that of the target server and the login request was received within the authority time. This effectively improves the accuracy of the determination.
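The authority checks above (target server listed for the user's category, request received within the authority time, empty reply on failure, then matching of the first and second login password) as an added example in Python; this is not code from the patent or from the applicant, and every name and value in it is constructed for illustration. It uses the same-password variant of S308, so matching is a constant-time comparison rather than a key-pair verification.

```python
"""Added example (not the patent's own code): a minimal model of the
category-based login authorization the specification describes, with
constructed data in the shape of its scenario (user 'a', categories staff
and admin, servers X and Y expiring in May 2020 and December 2020)."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime
from typing import Optional
import hmac


@dataclass(frozen=True)
class ServerRight:
    """One entry of the target login authority information for a server."""
    expires: datetime       # authority time: the right lapses after this
    first_password: str     # handed to the user (S402), presented at login
    second_password: str    # returned to the target server (S411)


@dataclass
class UserData:
    """User-related data; held only by the authentication center."""
    user_id: str
    category: str
    uid: int
    gid: int
    home: str


@dataclass(frozen=True)
class LoginRequest:
    user_id: str
    server_id: str
    first_password: str
    received_at: datetime


class AuthCenter:
    def __init__(self) -> None:
        self.users: dict[str, UserData] = {}                 # first correspondence
        self.rights: dict[str, dict[str, ServerRight]] = {}  # second correspondence

    def change_category(self, user_id: str, category: str) -> None:
        # The user inherits the new category's rights; nothing per-user to edit.
        self.users[user_id].category = category

    def _right_for(self, req: LoginRequest) -> Optional[ServerRight]:
        """Check shared by the first and second authority: the target server
        must be listed for the user's category and the request must arrive
        within the authority time. None means the check failed."""
        user = self.users.get(req.user_id)
        if user is None:
            return None
        right = self.rights.get(user.category, {}).get(req.server_id)
        if right is None or req.received_at > right.expires:
            return None     # server not granted, or authority expired
        return right

    def query_user(self, req: LoginRequest) -> Optional[UserData]:
        """Models the query-user / group / password interfaces (S406);
        None models the empty reply of S414."""
        return self.users[req.user_id] if self._right_for(req) else None

    def query_login_public_key(self, req: LoginRequest) -> Optional[str]:
        """Models the query-user-login-public-key interface (S410, S411) called
        by an sshd AuthorizedKeysCommand helper (OpenSSH additionally requires
        AuthorizedKeysCommandUser to be set for that directive)."""
        right = self._right_for(req)
        return right.second_password if right else None


class TargetServer:
    """The target server stores no user-related data of its own."""
    def __init__(self, server_id: str, center: AuthCenter) -> None:
        self.server_id = server_id
        self.center = center

    def login(self, user_id: str, first_password: str, now: datetime) -> bool:
        req = LoginRequest(user_id, self.server_id, first_password, now)
        if self.center.query_user(req) is None:      # S408 -> S415
            return False
        second = self.center.query_login_public_key(req)
        if second is None:                           # S414
            return False
        # S412, same-password variant of S308, compared in constant time;
        # the key-pair variant would verify a signature here instead.
        return hmac.compare_digest(first_password.encode(), second.encode())


JUNE_2020 = datetime(2020, 6, 1, 9, 0)   # the authentication time of the example


def build_scenario() -> tuple[AuthCenter, TargetServer, TargetServer]:
    """Constructed sample data (not from the patent) in the shape of its scenario."""
    center = AuthCenter()
    center.users["a"] = UserData("a", "staff", 1001, 1001, "/home/a")
    center.rights["staff"] = {
        "X": ServerRight(datetime(2020, 5, 31, 23, 59, 59), "sx", "sx"),
        "Y": ServerRight(datetime(2020, 12, 31, 23, 59, 59), "sy", "sy"),
    }
    center.rights["admin"] = {
        "X": ServerRight(datetime(2021, 12, 31, 23, 59, 59), "ax", "ax")}
    return center, TargetServer("X", center), TargetServer("Y", center)
```

With this data, a login to server X in June 2020 fails because its authority expired in May, while server Y still accepts the user; moving user a to the admin category changes the outcome without touching any per-user record.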
FIG. 4 is a schematic flowchart of a server login method according to another embodiment of the present application. In this embodiment, the server login method is applied to the server login system shown in FIG. 1, and the user logs in to the server securely through the interaction between the authentication center and the target server. The method of FIG. 4 may include:
S401: the authentication center obtains the user-related data corresponding to the first user, and creates and stores the first correspondence between the user-related data and the user identification information.
In one embodiment, after the first correspondence between the user-related data and the user identification information has been created and stored, an update request to perform an update operation on the target login authority information may be received, and the corresponding update operation is performed on the target login authority information according to the update request.
The update operation includes adding the server identification information of a second server, deleting the server identification information of a first server, modifying the authority time, modifying the first login password and the second login password, and the like.
In one embodiment, after the first correspondence between the user-related data and the user identification information has been created and stored, if a change in the user category in the user-related data is detected, the changed user category can be determined, the login authority information corresponding to the third user belonging to the changed user category can be determined, and the target login authority information in the user-related data is updated to the login authority information corresponding to the third user.
The above embodiments have been described in detail in the embodiment corresponding to FIG. 2 and are not repeated here.
S402,认证中心将用户标识信息和各第一服务器分别对应的第一登录密码发送给第一用户,以使第一用户基于用户标识信息和第一登录密码向对应的服务器发起登录请求。S402, the authentication center sends the user identification information and the first login password corresponding to each first server to the first user, so that the first user initiates a login request to the corresponding server based on the user identification information and the first login password.
S403,目标服务器接收第一用户针对目标服务器的登录请求,并将登录请求转发至认证中心。S403, the target server receives a login request from the first user to the target server, and forwards the login request to the authentication center.
其中,登录请求包括第一用户的用户标识信息、目标服务器的服务器标识信息和用于登录目标服务器的第一登录密码。The login request includes user identification information of the first user, server identification information of the target server, and a first login password for logging in to the target server.
S404,认证中心根据接收到的登录请求中的第一用户的用户标识信息,获取预先创建的与用户标识信息对应的用户相关数据,并基于用户相关数据确定第一用户的用户类别。S404, the authentication center obtains pre-created user-related data corresponding to the user identification information according to the user identification information of the first user in the received login request, and determines the user category of the first user based on the user-related data.
其中,用户类别包括用户身份、用户等级、所属用户组等。The user category includes user identity, user level, user group to which they belong, and the like.
S405,认证中心基于第一用户的用户类别,确定属于该用户类别的第二 用户对应的目标登录权限信息。S405, the authentication center determines, based on the user category of the first user, target login authority information corresponding to the second user belonging to the user category.
在一个实施例中,认证中心可基于第一用户的用户类别,获取该用户类别对应的用户相关数据,从而得到用户相关数据中记录的与第一用户的用户类别相匹配的目标登录权限信息。In one embodiment, the authentication center may acquire user-related data corresponding to the user category based on the user category of the first user, thereby obtaining target login authority information recorded in the user-related data that matches the user category of the first user.
在一个实施例中,认证中心可根据第一用户的用户类别、以及认证中心中预先创建的各用户类别与登录权限信息之间的第二对应关系,确定出与第一用户的用户类别相匹配的目标登录权限信息。In one embodiment, the authentication center may determine that the user category of the first user matches the user category of the first user according to the user category of the first user and the second correspondence between each user category and login authority information pre-created in the authentication center target login permission information.
其中,目标登录权限信息包括第二用户有权登录的至少一个第一服务器的服务器标识信息、各第一服务器分别对应的权限时间、各第一服务器分别对应的第一登录密码和第二登录密码等。The target login authority information includes server identification information of at least one first server to which the second user has the right to log in, authority time corresponding to each first server, first login password and second login password corresponding to each first server respectively Wait.
S406,认证中心根据第一用户所属用户类别对应的目标登录权限信息,对目标服务器获取用户相关数据的第二权限进行认证;若第二权限认证通过,则执行S407;若第二权限认证不通过,则执行S414。S406, the authentication center authenticates the second authority of the target server to obtain the user-related data according to the target login authority information corresponding to the user category to which the first user belongs; if the second authority authentication passes, execute S407; if the second authority authentication fails , then execute S414.
S407,认证中心将用户相关数据发送至目标服务器。S407, the authentication center sends the user-related data to the target server.
S408,目标服务器根据接收到的用户相关数据,确定第一用户是否为合法用户;若是,则执行S409;若否,则执行S415。S408, the target server determines whether the first user is a legitimate user according to the received user-related data; if yes, executes S409; if not, executes S415.
其中,目标服务器通过判断至少一个第一服务器的服务器标识信息中是否包含目标服务器的服务器标识信息、且登录请求的接收时间是否位于权限时间内,来确定第一用户是否为合法用户。The target server determines whether the first user is a legal user by judging whether the server identification information of the at least one first server includes the server identification information of the target server and whether the login request is received within the authority time.
若至少一个第一服务器的服务器标识信息中包含目标服务器的服务器标识信息、且登录请求的接收时间位于权限时间内,则目标服务器确定第一用户为合法用户;若至少一个第一服务器的服务器标识信息中不包含目标服务器的服务器标识信息、且登录请求的接收时间不位于权限时间内,则目标服务器确定第一用户为不合法用户。If the server identification information of the at least one first server includes the server identification information of the target server, and the receiving time of the login request is within the authority time, the target server determines that the first user is a legitimate user; if the server identification information of the at least one first server If the information does not include the server identification information of the target server, and the receiving time of the login request is not within the authority time, the target server determines that the first user is an illegal user.
S409,目标服务器确定第一用户为合法用户。S409, the target server determines that the first user is a legitimate user.
S410,认证中心根据第一用户所属用户类别对应的目标登录权限信息,对第一用户登录目标服务器的第一权限进行认证;若第一权限认证通过,则 执行S411;若第一权限认证不通过,则执行S414。S410, the authentication center authenticates the first authority of the first user to log in to the target server according to the target login authority information corresponding to the user category to which the first user belongs; if the first authority authentication passes, execute S411; if the first authority authentication fails , then execute S414.
S411,认证中心向目标服务器返回与目标服务器对应的第二登录密码。S411, the authentication center returns the second login password corresponding to the target server to the target server.
S412,目标服务器接收认证中心发送的第二登录密码,并判断第一登录密码和第二登录密码是否相匹配;若相匹配,则执行S413;若不匹配,则执行S416。S412, the target server receives the second login password sent by the authentication center, and judges whether the first login password and the second login password match; if they match, execute S413; if they do not match, execute S416.
该步骤中,判断第一登录密码和第二登录密码是否相匹配的方法与S308中说明的判断方法相同,此处不再赘述。In this step, the method of judging whether the first login password and the second login password match is the same as the determination method described in S308, and will not be repeated here.
S413, the target server allows the first user to log in to the target server.
S414, the authentication center sends empty data to the target server, after which S416 is executed.
S415, the target server determines that the first user is an illegitimate user, after which S416 is executed.
S416, the target server does not allow the first user to log in to the target server.
The server login method provided by the embodiments of the present application can be applied in a variety of scenarios, for example teachers and students in a school requesting to log in to a server, or ordinary staff and administrators in a company requesting to log in to a server. The specific process of the server login method is described below using, as an example, the scenario in which employee A of a company requests to log in to server X using user identification information a.
In a company, assume that the server login system uses an asymmetric encryption algorithm to implement secure login to the target server, the first login password being a private key and the second login password being the public key that matches the first login password, and that the user categories in the company are preset to include ordinary staff and administrators, with ordinary staff and administrators each corresponding to their own login permission information. For example, the login permission information corresponding to ordinary staff includes the server identification information of the servers that ordinary staff are permitted to log in to, such as server X and server Y. The permission time corresponding to each of these servers may include the permission time corresponding to server X (for example, permission expiry time: May 2020) and the permission time corresponding to server Y (for example, permission expiry time: December 2020). The first login password and second login password corresponding to each of these servers may include the public key and private key corresponding to server X and the public key and private key corresponding to server Y.
As another example, the login permission information corresponding to administrators includes the server identification information of the servers that administrators are permitted to log in to, such as server X, server Y and server Z. The permission time corresponding to each of these servers may include the permission time corresponding to server X (for example, permission expiry time: May 2020), the permission time corresponding to server Y (for example, permission expiry time: December 2020) and the permission time corresponding to server Z (for example, permission expiry time: November 2020). The first login password and second login password corresponding to each of these servers may include the public key and private key corresponding to server X, the public key and private key corresponding to server Y and the public key and private key corresponding to server Z.
In this embodiment, assume that the user category corresponding to employee A is ordinary staff. If, after the first correspondence between the user-related data and user identification information a has been created and stored, it is detected that the user category in the user-related data has changed to administrator, the login permission information corresponding to administrators can be determined and the login permission information in the user-related data can be updated to the login permission information corresponding to administrators.
Since the authentication center authenticates and controls users' permission to log in to servers according to user category, in order to change employee A's permission information for logging in to servers it is sufficient to change only the user category to which employee A belongs in employee A's user-related data, or only the permission information corresponding to the user category to which employee A belongs.
When employee A requests to log in to server X using user identification information a and the first login password, server X receives employee A's login request for server X and forwards the login request to the authentication center. The authentication center receives employee A's login request for server X and determines the user category to which employee A belongs according to the user identification information a carried in the login request. Assuming the authentication center determines that the user category is ordinary staff, it can further determine the login permission information corresponding to ordinary staff and, according to that login permission information, determine whether employee A has permission to log in to server X. If so, the authentication center sends the second login password corresponding to server X to server X. If server X determines that the first login password and the second login password match, employee A is allowed to log in. In addition, for employees of a company logging in to servers according to their permissions, user categories may also be divided according to the department to which an employee belongs; for example, employee A belongs to department XX and employee B belongs to department YY. In that case the authentication center preconfigures the login permission information corresponding to the employees of each department, which constrains each employee's permission to log in to the company's servers. When an employee wants to log in to a server, the authentication center determines, according to the department to which the employee belongs, whether that employee has permission to log in to the server. The specific permission determination method has been described in detail in the above embodiments and is not repeated here.
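The company scenario above, worked through as an added example in Go (not code from the patent): the authentication center's category-based permission check of S410/S411/S414 and the target server's match check of S412/S413/S416, with employee "a" starting as staff and later re-labelled administrator. All names are assumptions, as is the form of the match check: the patent leaves that to S308, so here the user proves possession of the first login password (private key) by signing the request, and the target server verifies the signature with the second login password (public key) returned by the center. Permission expiry months are interpreted as ending on the first day of the following month.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"time"
)

// ServerPermission is one entry of a category's login permission information:
// a server's permission expiry and its second login password (public key).
type ServerPermission struct {
	Expiry    time.Time
	PublicKey ed25519.PublicKey
}

// AuthCenter keeps user ID -> category and category -> server ID -> permission.
type AuthCenter struct {
	userCategory map[string]string
	permissions  map[string]map[string]ServerPermission
}

// LoginRequest carries the user ID, target server ID and proof of the first login
// password (assumption: a signature made with the private key, not the key itself).
type LoginRequest struct {
	UserID, ServerID string
	IssuedAt         time.Time
	Signature        []byte
}

func signedBytes(r LoginRequest) []byte {
	return []byte(r.UserID + "|" + r.ServerID + "|" + r.IssuedAt.UTC().Format(time.RFC3339))
}

// SignLoginRequest is the user side: sign the request with the first login password.
func SignLoginRequest(userID, serverID string, at time.Time, priv ed25519.PrivateKey) LoginRequest {
	r := LoginRequest{UserID: userID, ServerID: serverID, IssuedAt: at}
	r.Signature = ed25519.Sign(priv, signedBytes(r))
	return r
}

var ErrNotPermitted = errors.New("user's category has no permission for the target server")
var ErrExpired = errors.New("login request received outside the permission time")
var ErrMismatch = errors.New("first and second login password do not match")

// Authorize is the authentication-center side (S410/S411/S414): the target server must
// be in the category's server list and the request received before the permission
// expires; only then is the second login password (public key) returned. An unknown
// user ID maps to the empty category, which has no permissions.
func (ac *AuthCenter) Authorize(req LoginRequest, receivedAt time.Time) (ed25519.PublicKey, error) {
	perm, ok := ac.permissions[ac.userCategory[req.UserID]][req.ServerID]
	if !ok {
		return nil, ErrNotPermitted
	}
	if !receivedAt.Before(perm.Expiry) {
		return nil, ErrExpired
	}
	return perm.PublicKey, nil
}

// ChangeCategory re-labels a user; the new category's permissions apply at once.
func (ac *AuthCenter) ChangeCategory(userID, category string) { ac.userCategory[userID] = category }

// Login is the target-server side (S412/S413/S416): forward to the center and, if a
// second login password comes back, check that the first login password matches it.
func Login(ac *AuthCenter, serverID string, req LoginRequest, receivedAt time.Time) error {
	if req.ServerID != serverID {
		return ErrNotPermitted // addressed to another server: its credential is not accepted here
	}
	pub, err := ac.Authorize(req, receivedAt)
	if err != nil {
		return err // the center returned empty data (S414), so the login is refused (S416)
	}
	if !ed25519.Verify(pub, signedBytes(req), req.Signature) {
		return ErrMismatch
	}
	return nil
}

// NewCompanyExample builds the constructed scenario from the text: staff may log in to
// X (until May 2020) and Y (until December 2020), administrators also to Z (until
// November 2020); user "a" starts as staff. The returned private keys are the first
// login passwords the center hands to users at enrolment.
func NewCompanyExample() (*AuthCenter, map[string]ed25519.PrivateKey) {
	expiry := map[string]time.Time{
		"X": time.Date(2020, 6, 1, 0, 0, 0, 0, time.UTC),
		"Y": time.Date(2021, 1, 1, 0, 0, 0, 0, time.UTC),
		"Z": time.Date(2020, 12, 1, 0, 0, 0, 0, time.UTC),
	}
	privs, perms := map[string]ed25519.PrivateKey{}, map[string]ServerPermission{}
	for id, exp := range expiry {
		pub, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			panic(err)
		}
		privs[id], perms[id] = priv, ServerPermission{Expiry: exp, PublicKey: pub}
	}
	ac := &AuthCenter{userCategory: map[string]string{"a": "staff"}}
	ac.permissions = map[string]map[string]ServerPermission{
		"staff": {"X": perms["X"], "Y": perms["Y"]},
		"admin": {"X": perms["X"], "Y": perms["Y"], "Z": perms["Z"]},
	}
	return ac, privs
}
```

Changing only the category of user "a" (the promotion case in the text) is enough to grant access to Z, and a request signed for one server is refused at another even though the same user is permitted on both.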
It can be seen that, with the technical solution of the above embodiments, login to the target server is achieved by obtaining the second login password corresponding to the target server from the authentication center through interaction between the target server and the authentication center, without storing user-related data on each server. Compared with the traditional approach in which each server creates and stores user-related data, this effectively relieves the data storage pressure on servers; in particular, when a user needs to log in to multiple servers, the same user's user-related data need not be created repeatedly on each server, which avoids information redundancy and saves server storage resources. Furthermore, by authenticating a user's permission to log in to a server according to user category, the permission of users to log in to servers is authenticated and controlled per user category; compared with the traditional approach of managing permission information separately for each individual user, this technical solution makes control of server login permissions more convenient and more effective.
In summary, specific embodiments of the subject matter have been described. Other embodiments are within the scope of the appended claims. In some cases, the actions recited in the claims can be performed in a different order and still achieve desirable results. In addition, the processes depicted in the accompanying drawings do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In certain implementations, multitasking and parallel processing may be advantageous.
The above is the server login method provided by the embodiments of the present application. Based on the same idea, the embodiments of the present application further provide a server login apparatus.
FIG. 5 is a schematic structural diagram of a server login apparatus according to an embodiment of the present application. As shown in FIG. 5, the server login apparatus includes: a first receiving module 510, configured to receive a login request of a first user for a target server, sent by the target server, the login request including the user identification information of the first user, the server identification information of the target server and a first login password used to log in to the target server; a first determining module 520, configured to determine the user category of the first user according to the user identification information of the first user, the user category including at least one of a user identity, a user level and a user group to which the user belongs; a first execution module 530, configured to determine, based on the user category of the first user, the target login permission information corresponding to a second user belonging to that user category, and to authenticate, according to the target login permission information, the first permission of the first user to log in to the target server; and a returning module 540, configured to return, if the first permission authentication passes, the second login password corresponding to the target server to the target server, so that the target server determines, according to the first login password and the second login password, whether to allow the first user to log in to the target server.
In one embodiment, the first determining module 520 includes: an acquiring unit, configured to acquire, according to the user identification information of the first user, pre-created user-related data corresponding to the user identification information, the user-related data including at least the user category and the target login permission information, and the target login permission information including at least one of: the server identification information of at least one first server that the second user is permitted to log in to, the permission time corresponding to each first server, and the first login password and second login password corresponding to each first server; and a first determining unit, configured to determine the user category of the first user based on the user-related data.
In one embodiment, the server login apparatus further includes: an acquiring module, configured to acquire the user-related data corresponding to the first user; a creating and storing module, configured to create and store a first correspondence between the user-related data and the user identification information; and a first sending module, configured to send the user identification information and the first login password corresponding to each first server to the first user, so that the first user initiates a login request to the corresponding server based on the user identification information and the first login password.
In one embodiment, the first execution module 530 includes: an execution unit, configured to acquire, from the user-related data, the target login permission information matching the user category of the first user; or to determine, according to a second correspondence between each user category and login permission information pre-created in the authentication center, the target login permission information matching the user category of the first user.
In one embodiment, the server login apparatus further includes: a second receiving module, configured to receive an update request for performing an update operation on the target login permission information, the update operation including at least one of: adding the server identification information of a second server, deleting the server identification information of a first server, modifying a permission time, and modifying a first login password and a second login password; and a second execution module, configured to perform the corresponding update operation on the target login permission information according to the update request.
In one embodiment, the server login apparatus further includes: a second determining module, configured to determine, if a change in the user category in the user-related data is detected, the changed user category; a third determining module, configured to determine the login permission information corresponding to a third user belonging to the changed user category; and an updating module, configured to update the target login permission information in the user-related data to the login permission information corresponding to the third user.
In one embodiment, the first execution module 530 includes: a first judging unit, configured to judge whether the following condition is satisfied: the server identification information of the at least one first server includes the server identification information of the target server, and the receiving time of the login request falls within the permission time; and a second determining unit, configured to determine, if so, that the first permission authentication passes.
In one embodiment, the server login apparatus further includes: an authentication module, configured to authenticate, based on the user identification information and the corresponding user-related data, the second permission of the target server to acquire the user-related data; a second sending module, configured to send, if the second permission authentication passes, the user-related data to the target server, so that the target server determines, based on the user-related data, whether the first user is a legitimate user; and a third execution module, configured to perform, if the first user is determined to be a legitimate user, the step of authenticating the first permission of the first user to log in to the target server.
With the apparatus of the embodiments of the present application, the authentication center determines the user category of the first user according to the login request of the first user for the target server sent by the target server, authenticates, based on the user category of the first user, the first permission of the first user to log in to the target server and, when the first permission authentication passes, returns the second login password corresponding to the target server to the target server, so that the target server determines, according to the first login password and the second login password, whether to allow the first user to log in to the target server. It can be seen that, through interaction between the target server and the authentication center, the apparatus achieves login to the target server by obtaining the second login password corresponding to the target server from the authentication center, without storing user-related data on each server. Compared with the traditional approach in which each server creates and stores user-related data, this effectively relieves the data storage pressure on servers; in particular, when a user needs to log in to multiple servers, the same user's user-related data need not be created repeatedly on each server, which avoids information redundancy and saves server storage resources. Furthermore, by authenticating a user's permission to log in to a server according to user category, the permission of users to log in to servers is authenticated and controlled per user category; compared with the traditional approach of managing permission information separately for each individual user, the apparatus makes control of server login permissions more convenient and more effective.
Those skilled in the art will understand that the above server login apparatus can be used to implement the server login method performed by the authentication center described above; the details are similar to those described in the method section above and, to avoid repetition, are not described again here.
FIG. 6 is a schematic structural diagram of a server login apparatus according to an embodiment of the present application. As shown in FIG. 6, the server login apparatus includes: a third receiving module 610, configured to receive a login request of a first user for a target server, the login request including the user identification information of the first user, the server identification information of the target server and a first login password used to log in to the target server; a forwarding module 620, configured to forward the login request to an authentication center, the authentication center being configured to determine the user category of the first user according to the user identification information of the first user and to authenticate, based on the user category of the first user, the first permission of the first user to log in to the target server; a fourth execution module 630, configured to receive the second login password corresponding to the target server sent by the authentication center and to determine whether the first login password and the second login password match, the second login password being sent to the target server by the authentication center after the first permission authentication passes; and a fourth determining module 640, configured to determine, according to the result of that determination, whether to allow the first user to log in to the target server.
In one embodiment, the server login apparatus further includes: a fourth receiving module, configured to receive user-related data sent by the authentication center, the user-related data including the user category of the first user and the target login permission information corresponding to a second user belonging to that user category, and the target login permission information including at least one of: the server identification information of at least one first server that the second user is permitted to log in to, the permission time corresponding to each first server, and the first login password and second login password corresponding to each first server; a judging module, configured to judge, based on the login request and the user-related data, whether the first user is a legitimate user; and a fifth execution module, configured to perform, if the first user is a legitimate user, the step of receiving the second login password corresponding to the target server sent by the authentication center.
In one embodiment, the judging module includes: a second judging unit, configured to judge whether the following condition is satisfied: the server identification information of the at least one first server includes the server identification information of the target server, and the receiving time of the login request falls within the permission time; and a third determining unit, configured to determine, if so, that the first user is a legitimate user.
With the apparatus of the embodiments of the present application, the target server receives the login request of the first user for the target server, forwards the login request to the authentication center, receives the second login password corresponding to the target server sent by the authentication center, determines whether the first login password and the second login password match, and determines according to the result whether to allow the first user to log in to the target server. It can be seen that, through interaction between the target server and the authentication center, the apparatus achieves login to the target server by obtaining the second login password corresponding to the target server from the authentication center, without storing user-related data on each server. Compared with the traditional approach in which each server creates and stores user-related data, this effectively relieves the data storage pressure on servers; in particular, when a user needs to log in to multiple servers, the same user's user-related data need not be created repeatedly on each server, which avoids information redundancy and saves server storage resources.
Those skilled in the art will understand that the above server login apparatus can be used to implement the server login method performed by the target server described above; the details are similar to those described in the method section above and, to avoid repetition, are not described again here.
Based on the same idea, the embodiments of the present application further provide a server login device, as shown in FIG. 7. The server login device may differ considerably depending on its configuration or performance, and may include one or more processors 701 and a memory 702, and the memory 702 may store one or more application programs or data. The memory 702 may be transient storage or persistent storage. An application program stored in the memory 702 may include one or more modules (not shown), and each module may include a series of computer-executable instructions for the server login device. Further, the processor 701 may be configured to communicate with the memory 702 and execute the series of computer-executable instructions in the memory 702 on the server login device. The server login device may further include one or more power supplies 703, one or more wired or wireless network interfaces 704, one or more input/output interfaces 705, and one or more keyboards 706.
In this embodiment, the server login device includes a memory and one or more programs, the one or more programs being stored in the memory; the one or more programs may include one or more modules, each module may include a series of computer-executable instructions for the server login device, and the one or more programs are configured to be executed by the one or more processors and include computer-executable instructions for: receiving a login request of a first user for a target server, sent by the target server, the login request including the user identification information of the first user, the server identification information of the target server and a first login password used to log in to the target server; determining the user category of the first user according to the user identification information of the first user, the user category including at least one of a user identity, a user level and a user group to which the user belongs; determining, based on the user category of the first user, the target login permission information corresponding to a second user belonging to that user category, and authenticating, according to the target login permission information, the first permission of the first user to log in to the target server; and, if the first permission authentication passes, returning the second login password corresponding to the target server to the target server, so that the target server determines, according to the first login password and the second login password, whether to allow the first user to log in to the target server.
In one embodiment, the computer-executable instructions, when executed, may further cause the processor to: acquire, according to the user identification information of the first user, pre-created user-related data corresponding to the user identification information, the user-related data including at least the user category and the target login permission information, and the target login permission information including at least one of: the server identification information of at least one first server that the second user is permitted to log in to, the permission time corresponding to each first server, and the first login password and second login password corresponding to each first server; and determine the user category of the first user based on the user-related data.
In one embodiment, the computer-executable instructions, when executed, may further cause the processor to: acquire the user-related data corresponding to the first user; create and store a first correspondence between the user-related data and the user identification information; and send the user identification information and the first login password corresponding to each first server to the first user, so that the first user initiates a login request to the corresponding server based on the user identification information and the first login password.
In one embodiment, the computer-executable instructions, when executed, may further cause the processor to: acquire, from the user-related data, the target login permission information matching the user category of the first user; or determine, according to a second correspondence between each user category and login permission information pre-created in the authentication center, the target login permission information matching the user category of the first user.
In one embodiment, the computer-executable instructions, when executed, may further cause the processor to: receive an update request for performing an update operation on the target login permission information, the update operation including at least one of: adding the server identification information of a second server, deleting the server identification information of a first server, modifying a permission time, and modifying a first login password and a second login password; and perform the corresponding update operation on the target login permission information according to the update request.
In one embodiment, the computer-executable instructions, when executed, may further cause the processor to: if a change in the user category in the user-related data is detected, determine the changed user category; determine the login permission information corresponding to a third user belonging to the changed user category; and update the target login permission information in the user-related data to the login permission information corresponding to the third user.
在一个实施例中,计算机可执行指令在被执行时,还可以使所述处理器:判断是否满足以下条件:至少一个第一服务器的服务器标识信息中包含目标服务器的服务器标识信息、且登录请求的接收时间位于权限时间内;若是,则确定第一权限认证通过。In one embodiment, when the computer-executable instructions are executed, the processor may further: determine whether the following conditions are met: the server identification information of at least one first server includes the server identification information of the target server, and the login request The receiving time is within the authority time; if it is, it is determined that the first authority authentication is passed.
在一个实施例中,计算机可执行指令在被执行时,还可以使所述处理器:基于用户标识信息及对应的用户相关数据,对目标服务器获取用户相关数据的第二权限进行认证;若第二权限认证通过,则将用户相关数据发送至目标服务器,以使目标服务器基于用户相关数据判断第一用户是否为合法用户;若判定第一用户为合法用户,则执行对第一用户登录目标服务器的第一权限进行认证的步骤。In one embodiment, when the computer-executable instructions are executed, the processor can further cause the processor to: based on the user identification information and the corresponding user-related data, authenticate the second authority of the target server to obtain the user-related data; If the second authority authentication is passed, the user-related data is sent to the target server, so that the target server can determine whether the first user is a legal user based on the user-related data; The first authority to authenticate the steps.
With the device of this embodiment of the present application, the authentication center determines the user category of the first user according to the login request of the first user for the target server, which is sent by the target server; authenticates, based on the user category of the first user, the first authority of the first user to log in to the target server; and, when the first authority authentication passes, returns to the target server the second login password corresponding to the target server, so that the target server determines, according to the first login password and the second login password, whether to allow the first user to log in to the target server. It can be seen that, through the interaction between the target server and the authentication center, the device can complete a login to the target server simply by obtaining from the authentication center the second login password corresponding to the target server, without user-related data having to be stored in each server. Compared with the traditional approach in which each server creates and stores the user-related data, this effectively relieves the data storage pressure on the servers; in particular, when a user needs to log in to multiple servers, the same user's user-related data need not be created repeatedly in each server, which avoids information redundancy and saves server storage resources. In addition, by authenticating a user's authority to log in to a server according to the user category, the login authority of users is authenticated and controlled per user category; compared with the traditional approach of managing authority information separately for each individual user, the device makes the control of server login authority more convenient and more effective.
Based on the same idea, an embodiment of the present application further provides a server login device, as shown in FIG. 8. The server login device may differ considerably depending on its configuration or performance, and may include one or more processors 801 and a memory 802; the memory 802 may store one or more application programs or data. The memory 802 may be transient storage or persistent storage. The application programs stored in the memory 802 may include one or more modules (not shown), and each module may include a series of computer-executable instructions for the server login device. Further, the processor 801 may be configured to communicate with the memory 802 and to execute, on the server login device, the series of computer-executable instructions in the memory 802. The server login device may also include one or more power supplies 803, one or more wired or wireless network interfaces 804, one or more input/output interfaces 805, and one or more keyboards 806.
In this embodiment, the server login device includes a memory and one or more programs, where the one or more programs are stored in the memory, the one or more programs may include one or more modules, each module may include a series of computer-executable instructions for the server login device, and the one or more programs are configured to be executed by one or more processors and include computer-executable instructions for: receiving a login request of a first user for a target server, the login request including the user identification information of the first user, the server identification information of the target server, and a first login password for logging in to the target server; forwarding the login request to an authentication center, the authentication center being configured to determine the user category of the first user according to the user identification information of the first user and to authenticate, based on the user category of the first user, the first authority of the first user to log in to the target server; receiving the second login password corresponding to the target server sent by the authentication center, and determining whether the first login password and the second login password match, the second login password being sent to the target server by the authentication center after the first authority authentication passes; and determining, according to the result of that determination, whether to allow the first user to log in to the target server.
In one embodiment, the computer-executable instructions, when executed, may further cause the processor to: receive user-related data sent by the authentication center, the user-related data including the user category of the first user and the target login authority information corresponding to a second user belonging to that user category, where the target login authority information includes at least one of the following: the server identification information of at least one first server that the second user is authorized to log in to, the authority time corresponding to each first server, and the first login password and second login password corresponding to each first server; determine, based on the login request and the user-related data, whether the first user is a legitimate user; and if the first user is a legitimate user, perform the step of receiving the second login password corresponding to the target server sent by the authentication center.
In one embodiment, the computer-executable instructions, when executed, may further cause the processor to: determine whether the following conditions are met: the server identification information of the at least one first server includes the server identification information of the target server, and the time at which the login request was received falls within the authority time; if so, determine that the first user is a legitimate user.
With the device of this embodiment of the present application, the target server receives the login request of the first user for the target server, forwards the login request to the authentication center, receives the second login password corresponding to the target server sent by the authentication center, determines whether the first login password and the second login password match, and determines, according to the result, whether to allow the first user to log in to the target server. It can be seen that, through the interaction between the target server and the authentication center, the device can complete a login to the target server simply by obtaining from the authentication center the second login password corresponding to the target server, without user-related data having to be stored in each server. Compared with the traditional approach in which each server creates and stores the user-related data, this effectively relieves the data storage pressure on the servers; in particular, when a user needs to log in to multiple servers, the same user's user-related data need not be created repeatedly in each server, which avoids information redundancy and saves server storage resources.
An embodiment of the present application further provides a computer-readable storage medium storing one or more programs, the one or more programs including instructions that, when executed by a server login device that includes a plurality of application programs, cause the server login device to perform each process of the above server login method embodiments and achieve the same technical effect; to avoid repetition, the details are not described here again.
The above descriptions are merely embodiments of the present application and are not intended to limit this specification. Those skilled in the art may make various modifications and variations to the embodiments of the present application. Any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the embodiments of the present application shall fall within the scope of the claims of the embodiments of the present application.

Claims (19)

  1. A server login method, characterized in that it is applied to an authentication center, the method comprising:
    receiving a login request of a first user for a target server, sent by the target server; the login request includes the user identification information of the first user and a first login password for logging in to the target server;
    determining the user category of the first user according to the user identification information of the first user;
    determining, based on the user category of the first user, target login authority information corresponding to a second user belonging to the user category, and authenticating, according to the target login authority information, the first authority of the first user to log in to the target server;
    if the first authority authentication passes, returning to the target server a second login password corresponding to the target server, so that the target server determines, according to the first login password and the second login password, whether to allow the first user to log in to the target server.
  2. The method according to claim 1, characterized in that the login request further includes server identification information of the target server, and the determining the user category of the first user according to the user identification information of the first user comprises:
    acquiring, according to the user identification information of the first user, pre-created user-related data corresponding to the user identification information; the user-related data includes at least the user category and the target login authority information;
    determining the user category of the first user based on the user-related data.
  3. The method according to claim 2, characterized in that the target login authority information includes at least one of the following: server identification information of at least one first server that the second user is authorized to log in to, an authority time corresponding to each of the first servers, and the first login password and the second login password corresponding to each of the first servers.
  4. The method according to claim 3, characterized in that, before the receiving the login request of the first user for the target server sent by the target server, the method further comprises:
    acquiring the user-related data corresponding to the first user;
    creating and storing a first correspondence between the user-related data and the user identification information;
    sending the user identification information and the first login password corresponding to each of the first servers to the first user.
  5. The method according to claim 2, characterized in that the determining, based on the user category of the first user, the target login authority information corresponding to the second user belonging to the user category comprises:
    acquiring, from the user-related data, the target login authority information that matches the user category of the first user;
    or,
    determining, according to a second correspondence pre-created in the authentication center between each user category and login authority information, the target login authority information that matches the user category of the first user.
  6. The method according to claim 4, characterized in that, after the creating and storing the first correspondence between the user-related data and the user identification information, the method further comprises:
    receiving an update request for performing an update operation on the target login authority information;
    performing, according to the update request, the corresponding update operation on the target login authority information.
  7. The method according to claim 6, characterized in that the update operation includes at least one of the following: adding server identification information of a second server, deleting the server identification information of the first server, modifying the authority time, and modifying the first login password and the second login password.
  8. The method according to claim 4, characterized in that, after the creating and storing the first correspondence between the user-related data and the user identification information, the method further comprises:
    if a change of the user category in the user-related data is detected, determining the changed user category;
    determining login authority information corresponding to a third user belonging to the changed user category;
    updating the target login authority information in the user-related data to the login authority information corresponding to the third user.
  9. The method according to claim 3, characterized in that the authenticating, according to the target login authority information, the first authority of the first user to log in to the target server comprises:
    determining whether the following is satisfied: the server identification information of the at least one first server includes the server identification information of the target server, and the time at which the login request was received falls within the authority time;
    if so, determining that the first authority authentication has passed.
  10. The method according to claim 2, characterized in that, after the determining the user category of the first user according to the user identification information of the first user, the method further comprises:
    authenticating, based on the user identification information and the corresponding user-related data, a second authority of the target server to obtain the user-related data;
    if the second authority authentication passes, sending the user-related data to the target server, so that the target server determines, based on the user-related data, whether the first user is a legitimate user;
    if the first user is determined to be a legitimate user, performing the step of authenticating the first authority of the first user to log in to the target server.
  11. The method according to any one of claims 1 to 10, characterized in that the user category includes at least one of a user identity, a user level, and a user group to which the user belongs.
  12. A server login method, characterized in that it is applied to a target server and comprises:
    receiving a login request of a first user for the target server; the login request includes the user identification information of the first user, the server identification information of the target server, and a first login password for logging in to the target server;
    forwarding the login request to an authentication center; the authentication center is configured to determine the user category of the first user according to the user identification information of the first user, and to authenticate, based on the user category of the first user, the first authority of the first user to log in to the target server;
    receiving a second login password corresponding to the target server sent by the authentication center, and determining whether the first login password and the second login password match; the second login password is sent to the target server by the authentication center after the first authority authentication passes;
    determining, according to the result of the determination, whether to allow the first user to log in to the target server.
  13. The method according to claim 12, characterized in that the login request further includes the server identification information of the target server, and before the receiving the second login password corresponding to the target server sent by the authentication center, the method further comprises:
    receiving user-related data sent by the authentication center;
    determining, based on the login request and the user-related data, whether the first user is a legitimate user;
    if the first user is a legitimate user, performing the step of receiving the second login password corresponding to the target server sent by the authentication center.
  14. The method according to claim 13, characterized in that the user-related data includes the user category of the first user and target login authority information corresponding to a second user belonging to the user category; the target login authority information includes at least one of the following: server identification information of at least one first server that the second user is authorized to log in to, an authority time corresponding to each of the first servers, and the first login password and the second login password corresponding to each of the first servers.
  15. The method according to claim 14, characterized in that the determining, based on the login request and the user-related data, whether the first user is a legitimate user comprises:
    determining whether the following is satisfied: the server identification information of the at least one first server includes the server identification information of the target server, and the time at which the login request was received falls within the authority time;
    if so, determining that the first user is the legitimate user.
  16. A server login system, characterized in that it includes a target server and an authentication center;
    the target server is configured to receive a login request of a first user for the target server and to forward the login request to the authentication center; the login request includes the user identification information of the first user and a first login password for logging in to the target server;
    the authentication center is configured to receive the login request sent by the target server; determine the user category of the first user according to the user identification information of the first user; determine, based on the user category of the first user, target login authority information corresponding to a second user belonging to the user category, and authenticate, according to the target login authority information, the first authority of the first user to log in to the target server; and, if the first authority authentication passes, return to the target server a second login password corresponding to the target server;
    the target server is further configured to receive the second login password corresponding to the target server sent by the authentication center, determine whether the first login password and the second login password match, and determine, according to the result of the determination, whether to allow the first user to log in to the target server.
  17. A server login apparatus, characterized in that it comprises:
    a first receiving module, configured to receive a login request of a first user for a target server, sent by the target server; the login request includes the user identification information of the first user and a first login password for logging in to the target server;
    a first determining module, configured to determine the user category of the first user according to the user identification information of the first user; the user category includes at least one of a user identity, a user level, and a user group to which the user belongs;
    a first execution module, configured to determine, based on the user category of the first user, target login authority information corresponding to a second user belonging to the user category, and to authenticate, according to the target login authority information, the first authority of the first user to log in to the target server;
    a return module, configured to return to the target server, if the first authority authentication passes, a second login password corresponding to the target server, so that the target server determines, according to the first login password and the second login password, whether to allow the first user to log in to the target server.
  18. A server login apparatus, characterized in that it comprises:
    a third receiving module, configured to receive a login request of a first user for a target server; the login request includes the user identification information of the first user and a first login password for logging in to the target server;
    a forwarding module, configured to forward the login request to an authentication center; the authentication center is configured to determine the user category of the first user according to the user identification information of the first user, and to authenticate, based on the user category of the first user, the first authority of the first user to log in to the target server;
    a fourth execution module, configured to receive a second login password corresponding to the target server sent by the authentication center, and to determine whether the first login password and the second login password match; the second login password is sent to the target server by the authentication center after the first authority authentication passes;
    a fourth determining module, configured to determine, according to the result of the determination, whether to allow the first user to log in to the target server.
  19. A storage medium for storing computer-executable instructions which, when executed, implement the steps of the method according to any one of claims 1 to 15.
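The exchange of claims 1, 9, 12 and 16 (and the device embodiments above), as an added simulation that is not part of the patent or the applicant's code: the authentication center keeps, per user category, the list of first servers with each server's authority time window and its first and second login passwords, and the target server forwards the login request and allows login only when the center returns a second password that matches the first. Class, method and field names and all sample users, server ids, passwords and time windows are assumptions; the page only says the two passwords must "match", so the constant-time comparison is this example's choice.

```python
# Added simulation of the category-based login flow of WO2022027904A1, not the
# applicant's code; all names, users, servers, passwords and times are constructed.
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class ServerAuthority:
    """One entry of the target login authority information (claim 3)."""
    valid_from: datetime    # authority time window start
    valid_until: datetime   # authority time window end
    first_password: str     # handed to the user when the data is created
    second_password: str    # held only by the authentication center


@dataclass
class UserData:
    """User-related data kept per user id (claim 2)."""
    category: str
    authority: dict         # server_id -> ServerAuthority


class AuthenticationCenter:
    def __init__(self, category_authority):
        # Second correspondence (claim 5): category -> {server_id: ServerAuthority}
        self.category_authority = category_authority
        self.users = {}     # first correspondence (claim 4): user_id -> UserData

    def register_user(self, user_id, category):
        """Claim 4: create the user-related data and hand back the first
        passwords, one per server the category may log in to."""
        authority = dict(self.category_authority[category])
        self.users[user_id] = UserData(category, authority)
        return {sid: a.first_password for sid, a in authority.items()}

    def authenticate_first_authority(self, user_id, server_id, received_at):
        """Claims 1 and 9: pass only if the target server is in the category's
        server list and the request arrived inside that server's authority
        time; return the second login password on success, else None."""
        user = self.users.get(user_id)
        entry = user.authority.get(server_id) if user is not None else None
        if entry is None:
            return None
        if not entry.valid_from <= received_at <= entry.valid_until:
            return None
        return entry.second_password

    def update_authority(self, category, server_id, entry=None):
        """Claims 6 and 7: add/modify (entry given) or delete (entry None) a
        server entry, then refresh every user of that category."""
        if entry is None:
            self.category_authority[category].pop(server_id, None)
        else:
            self.category_authority[category][server_id] = entry
        for user in self.users.values():
            if user.category == category:
                user.authority = dict(self.category_authority[category])

    def change_user_category(self, user_id, new_category):
        """Claim 8: a category change swaps in the new category's authority."""
        user = self.users[user_id]
        user.category = new_category
        user.authority = dict(self.category_authority[new_category])


class TargetServer:
    def __init__(self, server_id, center):
        self.server_id = server_id
        self.center = center

    def handle_login(self, user_id, first_password, received_at):
        """Claim 12: forward the request; allow login only if the center returns
        a second password matching the first. The page only says "match"; the
        constant-time comparison is this example's choice."""
        second = self.center.authenticate_first_authority(
            user_id, self.server_id, received_at)
        if second is None:
            return False
        return hmac.compare_digest(first_password.encode(), second.encode())


def build_demo():
    """Constructed sample: 'ops' may reach srv-a and srv-b, 'dev' only srv-c, all
    for one week from 2020-08-07; also returns a time inside and one after it."""
    start = datetime(2020, 8, 7, tzinfo=timezone.utc)
    end = start + timedelta(days=7)
    def entry(tag):  # first and second passwords kept equal so that they match
        return ServerAuthority(start, end, f"pw-{tag}", f"pw-{tag}")
    center = AuthenticationCenter({
        "ops": {"srv-a": entry("a"), "srv-b": entry("b")},
        "dev": {"srv-c": entry("c")},
    })
    servers = {sid: TargetServer(sid, center) for sid in ("srv-a", "srv-b", "srv-c")}
    return {"center": center, "servers": servers,
            "in_window": start + timedelta(days=1),
            "after_window": end + timedelta(days=1)}
```

A login is refused for a server outside the category's list, outside the authority time, with a non-matching first password, or for an unknown user id; deleting a server entry or changing the user's category takes effect on the next request.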

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202010787009.7 2020-08-07
CN202010787009.7A CN112039851B (en) 2020-08-07 2020-08-07 Server login method, system and device

Publications (1)

Publication Number Publication Date
WO2022027904A1 true WO2022027904A1 (en) 2022-02-10

Family

ID=73582669

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/138588 WO2022027904A1 (en) 2020-08-07 2020-12-23 Server login method, system and device

Country Status (2)

Country Link
CN (1) CN112039851B (en)
WO (1) WO2022027904A1 (en)


Also Published As

Publication number Publication date
CN112039851B (en) 2021-09-21
CN112039851A (en) 2020-12-04

Similar Documents

Publication Publication Date Title
US11606352B2 (en) Time-based one time password (TOTP) for network authentication
US11711219B1 (en) PKI-based user authentication for web services using blockchain
CN109417553B (en) Detecting attacks using leaked credentials via internal network monitoring
US10841316B2 (en) Dynamic access control to network resources using federated full domain logon
US11711222B1 (en) Systems and methods for providing authentication to a plurality of devices
CN108293045B (en) Single sign-on identity management between local and remote systems
US8387136B2 (en) Role-based access control utilizing token profiles
US8387137B2 (en) Role-based access control utilizing token profiles having predefined roles
US10122703B2 (en) Federated full domain logon
CN108964885B (en) Authentication method, device, system and storage medium
US20080320566A1 (en) Device provisioning and domain join emulation over non-secured networks
US20140109179A1 (en) Multiple server access management
US7987357B2 (en) Disabling remote logins without passwords
US20140143847A1 (en) System for and method of providing single sign-on (sso) capability in an application publishing environment
KR102189554B1 (en) Terminal apparatus, server apparatus, blockchain and method for fido universal authentication using the same
US8387130B2 (en) Authenticated service virtualization
Sharma et al. Identity and access management-a comprehensive study
US11218317B1 (en) Secure enclave implementation of proxied cryptographic keys
US11804957B2 (en) Exporting remote cryptographic keys
CA3160111A1 (en) Shared secret implementation of proxied cryptographic keys
WO2022027904A1 (en) Server login method, system and device
CN114254289A (en) Cloud platform access method and device
US10756899B2 (en) Access to software applications
JP2019128858A (en) Apparatus approval system
Basu et al. Strengthening Authentication within OpenStack Cloud Computing System through Federation with ADDS System

Legal Events

Date Code Title Description
NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 20948640

Country of ref document: EP

Kind code of ref document: A1