Nothing Special   »   [go: up one dir, main page]

CN108347450B - Remote login method and device - Google Patents

Remote login method and device Download PDF

Info

Publication number
CN108347450B
CN108347450B CN201710049458.XA CN201710049458A CN108347450B CN 108347450 B CN108347450 B CN 108347450B CN 201710049458 A CN201710049458 A CN 201710049458A CN 108347450 B CN108347450 B CN 108347450B
Authority
CN
China
Prior art keywords
session
remote
connection
equipment
gateway
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201710049458.XA
Other languages
Chinese (zh)
Other versions
CN108347450A (en
Inventor
张国良
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Alibaba Group Holding Ltd
Original Assignee
Alibaba Group Holding Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Alibaba Group Holding Ltd filed Critical Alibaba Group Holding Ltd
Priority to CN201710049458.XA priority Critical patent/CN108347450B/en
Publication of CN108347450A publication Critical patent/CN108347450A/en
Application granted granted Critical
Publication of CN108347450B publication Critical patent/CN108347450B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/08Protocols specially adapted for terminal emulation, e.g. Telnet
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/14Session management
    • H04L67/141Setup of application sessions

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The application aims at providing a remote login method, which establishes connection with remote equipment through network equipment; and then, determining the remote equipment to be logged in based on the remote login request of the user side, and creating a session corresponding to the remote equipment to be logged in, so that the life cycle of the remote login of the machine is consistent with that of the session, and therefore the authority of logging in the machine after the session is automatically destroyed is effectively recovered, and the security loophole is avoided. Subsequently, synchronizing the session to a gateway device; and acquiring the remote equipment to be logged which is not connected with the gateway equipment and fed back based on the session from the gateway equipment, and informing the remote equipment to be logged which is not connected with the gateway equipment to perform session connection with the gateway through the connection. After the remote device to be logged in and the gateway device complete session connection establishment, communication between the user side and the remote device can be achieved through the session connection, and remote login is achieved.

Description

Remote login method and device
Technical Field
The present application relates to the field of computers, and in particular, to a method and an apparatus for remote login.
Background
With the development of information technology, the degree of informatization is continuously improved, and information security is more and more concerned, especially security of a server. In the management process of the server, remote management is a commonly adopted mode, at present, the operation of the login server is basically performed in a traditional ssh (secure shell, secure remote login protocol) mode, the login server is a service carried by a linux (an operating system) machine, and the login server belongs to one of basic services of the linux, and remote login is realized through the following steps: the sshd (ssh service program) service is started on the target machine, and used for receiving ssh requests and logging in the machine, the account, the keys and the certificates of ssh are configured on the target machine, and the terminal is used for logging in the machine through ssh. This ssh login requires a port, typically 22, to be opened on the target machine, leaving the hacker with the possibility of hacking, which may occur if the keys of some users are too weak.
In addition, as the number of servers increases, batch operations become a very common requirement, and the certificates are copied to a target machine by using a management user certificate of a certain machine in an ssh manner, and then batch operations are performed by using pscp (batch file copy) and pssh (batch command execution), which results in that the certificates are randomly copied to any machine, so that the method has the capability of log-in avoidance, is inconvenient to manage, and brings great safety hazards, and the target machine must be ported in the ssh manner.
Content of application
An object of the present application is to provide a method and an apparatus for telnet, which solve the problem of hacking caused by the need to open a port on a target machine in the prior art, and the problem of security holes left by batch operations.
According to an aspect of the present application, there is provided a method for telnet at a node device side, the method comprising:
establishing a connection with a remote device;
determining remote equipment to be logged in based on a remote login request of a user side, and creating a session corresponding to the remote equipment to be logged in;
synchronizing the session to a gateway device;
and acquiring the remote equipment to be logged which is not connected with the gateway equipment and fed back based on the session from the gateway equipment, and informing the remote equipment to be logged which is not connected with the gateway equipment to perform session connection with the gateway through the connection.
Further, in establishing a connection with the remote device, the connection is a long connection.
Further, the node device includes a master node, determines a remote device to be logged in based on a remote login request of a user, and creates a session corresponding to the remote device to be logged in, including:
the main node acquires a remote login request of a user side from an application programming interface, determines remote equipment to be logged in according to the remote login request, and creates a session corresponding to the remote equipment to be logged in.
Further, the node device further includes a slave node connected to the master node, and establishes a connection with the remote device, including:
and the master node controls the slave node to establish connection with the corresponding remote equipment.
Further, acquiring, from the gateway device, a remote device to be logged that is not connected to the gateway device and is fed back based on the session, and notifying, through the connection, that the remote device to be logged that is not connected to the gateway device performs session connection with the gateway, the method includes:
the master node receives the remote equipment to be logged which is fed back by the gateway equipment and is not connected with the gateway equipment, and determines a slave node which is not connected with the remote equipment to be logged and is not connected with the gateway equipment;
and the slave node informs the remote equipment to be logged, which is not connected with the gateway equipment, of carrying out session connection with the gateway equipment.
According to another aspect of the present application, there is provided a method for telnet at a remote device side, wherein the method comprises:
establishing connection with node equipment;
receiving a notification of session connection with the gateway device, which is sent by the node device;
establishing session connection with the gateway equipment according to the notification;
and acquiring communication data in the same session from the gateway equipment through the session connection, wherein the communication data is acquired from a user side by the gateway equipment.
Further, in establishing a connection with the node device, the connection is a long connection.
Further, the remote device includes a proxy service that establishes a connection with the node device, including:
the proxy service establishes a connection with the node device.
Further, when the node device includes a master node and a slave node to which the master node is connected,
the proxy service establishes a connection with the slave node.
Further, the remote device includes a session management slave node connected to the proxy service, and the receiving of the notification of the session connection with the gateway device sent by the node device includes:
and the proxy service receives a notification of session connection with the gateway device, which is sent by the node device, and determines a session management slave node corresponding to the session connection.
Further, establishing a session connection with the gateway device according to the notification includes:
and the proxy service controls the session management slave node to perform session connection with the gateway equipment.
According to another aspect of the present application, there is provided a method for telnet at a gateway device, the method comprising:
acquiring remote equipment to be logged which is not connected with the gateway equipment based on a session corresponding to the remote equipment to be logged which is synchronized by the node equipment;
feeding back the remote equipment to be logged in which is not connected with the gateway equipment to the node equipment;
establishing session connection with the remote equipment to be logged in which is not connected with the gateway equipment;
and communication data in the same session are acquired from the user side, and the communication data are sent to corresponding remote equipment through the session connection.
Further, when the remote device includes a proxy service and a session management slave node connected to the proxy service, establishing a session connection with the remote device to be logged in, which is not connected to the gateway device, includes:
and establishing session connection with the session management slave node of the remote device to be logged in which is not connected with the gateway device.
Further, transmitting the communication data to a remote device through the session connection, comprising:
and sending the communication data to the session management slave node through the session connection.
Further, the node device includes a master node, and acquires a remote device to be logged that is not connected to the gateway device based on a session corresponding to the remote device to be logged that is synchronized by the node device, including:
and acquiring the remote equipment to be logged which is not connected with the gateway equipment based on the session corresponding to the remote equipment to be logged which is synchronized from the main node.
Further, feeding back the remote device to be logged that is not connected to the gateway device to the node device, includes:
feeding back the remote equipment to be logged in which is not connected with the gateway equipment to the main node
Further, acquiring communication data in the same session from a user side, and sending the communication data to a remote device through the session connection includes:
starting a container engine of the gateway device for the session connection;
receiving batch processing communication data sent by the user side, and determining remote equipment to be subjected to batch processing in the container engine;
and sending the communication data of batch processing to the remote equipment to be subjected to batch processing through the container engine.
Further, the lifecycle of the container engine coincides with the lifecycle of the session.
According to an aspect of the present application, there is also provided a node apparatus for telnet, the node apparatus including:
a connection device for establishing a connection with a remote device;
the device comprises a creating device and a processing device, wherein the creating device is used for determining remote equipment to be logged in based on a remote login request of a user side and creating a session corresponding to the remote equipment to be logged in;
a synchronization means for synchronizing the session to a gateway device;
and the notification device is used for acquiring the remote equipment to be logged which is not connected with the gateway equipment and fed back based on the session from the gateway equipment, and notifying the remote equipment to be logged which is not connected with the gateway equipment to perform session connection with the gateway through the connection.
Further, the connection device is configured to establish a long connection with the remote device.
Further, the node device includes a master node, and the creating means is configured to:
the main node acquires a remote login request of a user side from an application programming interface, determines remote equipment to be logged in according to the remote login request, and creates a session corresponding to the remote equipment to be logged in.
Further, the node device further includes a slave node connected to the master node, and the connection device is configured to:
and the master node controls the slave node to establish connection with the corresponding remote equipment.
Further, the notification device is configured to:
the master node receives the remote equipment to be logged which is fed back by the gateway equipment and is not connected with the gateway equipment, and determines a slave node which is not connected with the remote equipment to be logged and is not connected with the gateway equipment;
and the slave node informs the remote equipment to be logged, which is not connected with the gateway equipment, of carrying out session connection with the gateway equipment.
According to yet another aspect of the present application, there is also provided a remote device for telnet, the remote device including:
a connection request means for establishing a connection with the node device;
a receiving notification device, configured to receive a notification of session connection with the gateway device sent by the node device;
the session connecting device is used for establishing session connection with the gateway equipment according to the notification;
and the acquisition device is used for acquiring communication data in the same session from the gateway equipment through the session connection, and the communication data is acquired from a user side by the gateway equipment.
Further, the connection request device is configured to establish a connection with the node device, where the connection is a long connection.
Further, the remote device includes a proxy service, and the connection requesting means is configured to:
the proxy service establishes a connection with the node device.
Further, when the node device includes a master node and a slave node to which the master node is connected,
the connection request device is used for establishing connection between the proxy service and the slave node.
Further, the remote device includes a session management slave node connected to the proxy service, and the reception notifying means is configured to:
and the proxy service receives a notification of session connection with the gateway device, which is sent by the node device, and determines a session management slave node corresponding to the session connection.
Further, the session connection device is configured to:
and the proxy service controls the session management slave node to perform session connection with the gateway equipment.
According to yet another aspect of the present application, there is also provided a gateway device for telnet, the gateway device comprising:
the determining device is used for acquiring the remote equipment to be logged which is not connected with the gateway equipment based on the session corresponding to the remote equipment to be logged which is synchronized by the node equipment;
the feedback device is used for feeding back the remote equipment to be logged, which is not connected with the gateway equipment, to the node equipment;
receiving a connection request device, configured to establish session connection with the remote device to be logged in that is not connected to the gateway device;
and the transfer data device is used for acquiring the communication data in the same session from the user side and sending the communication data to the corresponding remote equipment through the session connection.
Further, when the remote device includes a proxy service and a session management slave node connected to the proxy service, the connection request receiving means is configured to:
and establishing session connection with the session management slave node of the remote device to be logged in which is not connected with the gateway device.
Further, the transit data device is configured to:
and sending the communication data to the session management slave node through the session connection.
Further, the node device includes a master node, and the determining means is configured to:
and acquiring the remote equipment to be logged which is not connected with the gateway equipment based on the session corresponding to the remote equipment to be logged which is synchronized from the main node.
Further, the feedback means is adapted to: and feeding back the remote equipment to be logged in which is not connected with the gateway equipment to the main node.
Further, the transit data device is configured to:
starting a container engine of the gateway device for the session connection;
receiving batch processing communication data sent by the user side, and determining remote equipment to be subjected to batch processing in the container engine;
and sending the communication data of batch processing to the remote equipment to be subjected to batch processing through the container engine.
Further, the lifecycle of the container engine coincides with the lifecycle of the session.
According to another aspect of the application, there is provided a computing-based device comprising:
a processor; and
a memory arranged to store computer executable instructions that, when executed, cause the processor to:
establishing a connection with a remote device;
determining remote equipment to be logged in based on a remote login request of a user side, and creating a session corresponding to the remote equipment to be logged in;
synchronizing the session to a gateway device;
and acquiring the remote equipment to be logged which is not connected with the gateway equipment and fed back based on the session from the gateway equipment, and informing the remote equipment to be logged which is not connected with the gateway equipment to perform session connection with the gateway through the connection.
According to another aspect of the present application, there is also provided a computing-based device comprising:
a processor; and
a memory arranged to store computer executable instructions that, when executed, cause the processor to:
establishing connection with node equipment;
receiving a notification of session connection with the gateway device, which is sent by the node device;
establishing session connection with the gateway equipment according to the notification;
and acquiring communication data in the same session from the gateway equipment through the session connection, wherein the communication data is acquired from a user side by the gateway equipment.
According to another aspect of the present application, there is also provided a computing-based device comprising:
a processor; and
a memory arranged to store computer executable instructions that, when executed, cause the processor to:
acquiring remote equipment to be logged which is not connected with the gateway equipment based on a session corresponding to the remote equipment to be logged which is synchronized by the node equipment;
feeding back the remote equipment to be logged in which is not connected with the gateway equipment to the node equipment;
establishing session connection with the remote equipment to be logged in which is not connected with the gateway equipment;
and communication data in the same session are acquired from the user side, and the communication data are sent to corresponding remote equipment through the session connection.
Compared with the prior art, the method for remote login at the network equipment end is used for establishing connection with the remote equipment; and then, determining the remote equipment to be logged in based on the remote login request of the user side, and creating a session corresponding to the remote equipment to be logged in, so that the life cycle of the remote login of the machine is consistent with that of the session, and therefore the authority of logging in the machine after the session is automatically destroyed is effectively recovered, and the security loophole is avoided. Subsequently, synchronizing the session to a gateway device; and acquiring the remote equipment to be logged which is not connected with the gateway equipment and fed back based on the session from the gateway equipment, and informing the remote equipment to be logged which is not connected with the gateway equipment to perform session connection with the gateway through the connection. After the remote equipment to be logged in and the gateway equipment complete session connection establishment, communication between the user side and the remote equipment can be achieved through the session connection, remote login is achieved, and the problem of safety risks caused by opening ports on the remote equipment is solved.
Further, the application also provides a method for remote login at a remote equipment end, which is characterized in that a connection waiting command is established with the node equipment; subsequently, receiving a notification of session connection with the gateway device, which is sent by the node device; establishing session connection with the gateway equipment according to the notification; and then, communication data in the same session are acquired from the gateway equipment through the session connection, and the communication data are acquired from the user side by the gateway equipment. Therefore, the gateway equipment plays a data transfer role, the remote equipment to be logged in obtains communication data in the same session from the gateway equipment, and the gateway equipment obtains the communication data from the user side through the virtual IP address and the authentication webpage, so that indirect communication with the remote equipment to be logged in is realized, and remote login is realized.
Further, the application provides a method for remote login at a gateway device side, which includes acquiring a remote device to be logged in which is not connected with a gateway device through a session corresponding to the remote device to be logged in which is synchronized by a node device; and feeding back the remote equipment to be logged which is not connected with the gateway equipment to the node equipment, so that the gateway equipment establishes session connection with the remote equipment to be logged which is not connected with the gateway equipment, and the access risk to the remote equipment is reduced. And then, communication data in the same session are acquired from the user side, and the communication data are sent to corresponding remote equipment through the session connection. After session connection is established between the remote equipment to be logged in and the gateway equipment, the gateway equipment acquires communication data in the same session through the virtual IP address and the authentication webpage, and sends the communication data to the corresponding remote equipment through connection between the gateway equipment and the remote equipment to be logged in, so that communication between a user side and the remote equipment is realized, and remote login is realized.
Drawings
Other features, objects and advantages of the present application will become more apparent upon reading of the following detailed description of non-limiting embodiments thereof, made with reference to the accompanying drawings in which:
FIG. 1 is a schematic diagram illustrating telnet by reverse connection in an embodiment of the present application;
fig. 2 shows a schematic diagram of a system for telnet in an embodiment of the present application.
The same or similar reference numbers in the drawings identify the same or similar elements.
Detailed Description
The present application is described in further detail below with reference to the attached figures.
In an embodiment of the present application, the method for remote login at a node device is applied to a Terminal Service (TS) and provides a capability of machine login of a web page version, where a node device is a management machine in a TS Service cluster, and may be referred to as a tsm (tertiary Service manager) cluster, and the method includes: step S11 to step S14,
in step S11, a connection is established with the remote device; in the embodiment of the application, a port does not need to be opened on the remote device during the remote login, but the remote device and the node device are firstly adopted to establish a connection relationship and wait for a command to perform subsequent session connection, so that the remote login is realized. Here, the remote device refers to a target machine that a user terminal needs to log in remotely.
In step S12, determining a remote device to be logged in based on a remote login request of a user side, and creating a session corresponding to the remote device to be logged in; here, the node device obtains the telnet request of the user side to determine the remote device requested to be logged in, and at this time, a session corresponding to the remote device to be logged in is created, for example, the telnet request of the user side is to log in to the machine 1, the machine 2, and the machine 3, the created session includes specific contents of the machine 1, the machine 2, and the machine 3, such as a machine name (host name) in the identification information, information of what machines the user needs to log in to can be obtained from the session, and the life cycle of the telnet of the machine is consistent with the life cycle of the session, so that the authority of logging in the machine is effectively recycled after the session is automatically destroyed, and a security hole is avoided.
In step S13, synchronizing the session to a gateway device; here, the gateway device generally does not allow sharing and connecting data, such as login, traffic, etc., to be not received, and therefore it is necessary to synchronize a session including specific contents of a remote device to be logged in to the gateway device, notify the gateway device to prepare to receive only data and traffic of a machine within the session, and determine a session connection state of the remote device to be received within the session.
In step S14, the remote device to be logged that is not connected to the gateway device and fed back based on the session is acquired from the gateway device, and the remote device to be logged that is not connected to the gateway device is notified of session connection with the gateway through the connection. Here, whether the remote devices to be logged in the session are all connected with the gateway device is acquired from the gateway device, and if not, the node device notifies the remote devices to be logged in which the connection with the gateway device is not established to establish session connection with the gateway device. After the remote device to be logged in and the gateway device complete session connection establishment, communication between the user side and the remote device can be achieved through the session connection, and remote login is achieved.
In an embodiment of the present application, in step S11, in establishing a connection with the remote device, the connection is a long connection. Here, the node device receives the connection request sent by the remote device, establishes connection with the remote device, and uses a long connection form to log in the remote device without opening any port, so as to ensure the timeliness of data acquisition.
In an embodiment of the present application, the node device includes a master node, and in step S12, the master node obtains a remote login request from an application programming interface, determines a remote device to be logged in according to the remote login request, and creates a session corresponding to the remote device to be logged in. The node device, here comprising a master node (TS MMaster), may be arranged to take care of important tasks like session management and receive long connection requests, wherein, when taking charge of session management task, the remote login request of user terminal is firstly obtained through Application Programming Interface (API), determining the remote device to be logged in according to the remote login request, for example, obtaining that the target machine 1, the target machine 2 and the target machine 3 are machines whose user end needs to be logged in, at this time, the master node creates a session, wherein the session includes the host names of the target machine 1, the target machine 2 and the target machine 3, the master node synchronizes the session to the gateway device, the gateway device may then prepare the target machines in the session accordingly, for example, allow receiving the relevant data and traffic of the target machines in the session, and determine whether the target machines in the session are all connected to the gateway device.
In an embodiment of the present application, the node device further includes a slave node connected to the master node, and in step S11, the master node controls the slave node to establish a connection with a corresponding remote device. Here, if all the remote devices are connected to a certain management machine (master node) in tsm cluster all the time, the master node will be hard to bear, so in order to reduce the stress on the management machine and ensure the stability of the system, the node device further includes a slave node connected to the master node, and the slave node is responsible for receiving the connection request sent by the remote device, establishing long connection relationship with the remote device, and communicating with the master node by connecting to the master node.
In an embodiment of the present application, in step S14, the master node receives a remote device to be logged that is not connected to the gateway device and is fed back by the gateway device, and determines a slave node that is not connected to the remote device to be logged that is connected to the gateway device; and the slave node informs the remote equipment to be logged, which is not connected with the gateway equipment, of carrying out session connection with the gateway equipment. The master node obtains a remote login request of a user end through an application programming interface, determines a remote device to be logged in, and creates a session, the session includes specific content of the remote device to be logged in, after the session is synchronized to the gateway device, the master node receives information of connection state of the remote device to be logged in, which is fed back by the gateway device, for example, the gateway device feeds back connection state information that the remote device 1 and the remote device 2 have not established connection with the gateway device to the master node, the master node informs corresponding slave nodes of the unconnected state information of the remote device 1 and the remote device 2 through connection with the slave nodes, wherein the corresponding slave nodes refer to slave nodes which previously establish long connection relationship with the remote device 1 and the remote device 2, for example, the slave node 1 establishes long connection with the remote device 1, and after receiving the information that the remote device 1 has not established connection with the gateway device master node, the slave node 1 is informed of this information, whereby the slave node 1 informs the remote device 1 to connect the gateway device through the long connection.
According to another aspect of the present application, a method for remote login at a remote device is provided, which is applied to a Terminal Service (TS) and provides a web page version of machine login capability, where a remote device is a target machine that a user in a TS Service cluster needs to log in, and the method includes: step S21 to step S24,
in step S21, a connection is established with the node apparatus; in the embodiment of the application, a port does not need to be opened on the remote device during remote login, but a reverse connection mode that the remote device is actively connected with the node device is adopted to wait for a command so as to perform subsequent session connection, and then remote login is realized, so that the possibility that a hacker attacks services from the port is avoided.
In step S22, receiving a notification of session connection with the gateway device sent by the node device; in an embodiment of the present application, the remote device receives, at any time, a message sent by the node device through a long connection mode, where the message may include connection information indicating which remote devices in the session have not established a connection with the gateway device, and the corresponding remote device receives the connection information sent by the node device, and if the gateway device notifies the node device of the information that the remote device 1 has not established a connection with the gateway device, the node device notifies the remote device 1 to perform step S23.
In step S23, establishing a session connection with the gateway device according to the notification; in the above example, after receiving the notification that the gateway device needs to be connected, the remote device 1 starts a corresponding process to establish session connection with the gateway device, where the started process is a part of session management.
Next, in step S24, communication data in the same session is acquired from the gateway device through the session connection, and the communication data is acquired from the user side by the gateway device. After the remote device to be logged in establishes session connection with the gateway device, the gateway device plays a role in data transfer, and the remote device to be logged in acquires communication data in the same session from the gateway device, wherein the communication data in the same session refers to operation instruction data of the user side in a life cycle of the session, and is acquired from the user side by the gateway device through the virtual IP address and the authentication web page, so that indirect communication with the remote device to be logged in is realized, and remote login is realized.
In an embodiment of the present application, in step S21, in establishing a connection with the node device, the connection is a long connection. The remote device actively sends a connection request to the node device to establish a connection relation with the node device, and the long connection mode is used for connecting the remote device needing to log in without opening any port, so that the timeliness of data acquisition is ensured, and the remote device can be connected with the gateway device at the fastest speed by receiving the notification sent by the node device in time.
Preferably, the remote device includes a proxy service, and the proxy service establishes a connection with the node device in step S21. Here, the remote login method described in an embodiment of the present application is applied to an operation and maintenance deployment company or other organization managed machine groups, and deploys a proxy service (TS agent) on a remote device, without performing any additional operation on the remote device, such as opening a port, so that the access risk to the remote device is effectively reduced, and the problem of invading the privacy of others is avoided.
In an embodiment of the present application, when the node device includes a master node and a slave node to which the master node is connected, in step S21, the proxy service establishes a connection with the slave node. Here, if all the TS agents deployed on the remote device are always connected to one management machine (master node) in the tsm cluster, the master node is hard to bear, and therefore, in order to reduce the bearing pressure of the management machine and ensure the stability of the system, the node device further includes a slave node connected to the master node, and at this time, the TS agents actively establish a long connection relationship with the slave node, and can receive the connection notification sent from the slave node in time.
In an embodiment of the present application, the remote device includes a session management slave node connected to the proxy service, and in step S22, the proxy service receives a notification of session connection with the gateway device sent by the node device, and determines a session management slave node corresponding to the session connection. Wherein, the session management slave node (TS slave) is responsible for being started by the agent when the agent obtains the connection notification, and connecting to the gateway device for managing the session created by the node device. When the connection between the remote equipment and the gateway equipment needs to be established, the agent starts the slave to be connected with the gateway equipment, so that the direct connection between the agent and the gateway equipment is avoided, the robustness of the system is ensured, the agent on each machine in each session starts a corresponding slave for the corresponding machine, the condition that other sessions cannot be performed due to the fact that a certain machine collapses is prevented, the agent starts the slave to separate a data flow process from a session management process, and the system stability during remote login is ensured.
In step S23, the proxy service controls the session management slave node to perform session connection with the gateway device. For example, when the remote devices to be logged in session 1 are machine 1 and machine 2, the remote devices to be logged in session 2 are machine 3, and machines 1 to 3 are not connected to the gateway device, the agent deployed on machines 1 to 3 may start a corresponding slave for each machine, for example, machine 1 starts slave1, machine 2 starts slave2, machine 3 starts slave3, slave1 and slave2 belong to session 1, and each slave performs session connection with the gateway device, thereby implementing communication between the user side and the remote devices through the gateway device.
According to another aspect of the present application, a method for remote login at a gateway device is provided, which is applied to a Terminal Service (TS) and provides a capability of machine login of a web version, wherein a TS gateway is deployed on the gateway device and is used for actually performing data transmission in the TS Service, and the method includes: step S31 to step S34,
in step S31, acquiring a remote device to be logged that is not connected to the gateway device, based on a session corresponding to the remote device to be logged that is synchronized by the node device; in an embodiment of the present application, the gateway device usually does not allow sharing and connecting data, for example, login, traffic, and the like are not received, and only receiving a synchronization session of the node device will correspondingly receive data, traffic, and the like of a machine that needs to login in the session, and for example, receiving that machines 1 and 2 in the session synchronized by the node device need to login, the gateway device will only receive related data and traffic of machines 1 and 2 in the session. After receiving the session synchronized by the node device, it is further determined whether the device in the session is connected to the gateway device, and if not, the process goes to step S32.
In step S32, feeding back the remote device to be logged that is not connected to the gateway device to the node device; here, the remote device in the session synchronized by the node device is judged, it is determined that the remote device to be logged in with which the connection is not established is the remote device to be logged in, for example, the remote device to be logged in the session is the machine 1, the machine 2 and the machine 3, and the gateway device determines that neither the machine 1 nor the machine 2 is connected therewith according to the synchronized session, the unconnected state of the machine 1 and the machine 2 is fed back to the node device, so that the node device notifies the machine 1 and the machine 2 to actively establish the session connection with the gateway device, so that in step S33, the gateway device establishes the session connection with the remote device to be logged in which the gateway device is not connected, that is, the connection request of the machine 1 and the machine 2 is received to establish the connection with them, and the reverse connection of the machine 1 and the machine 2 to the gateway device is completed, thereby reducing the access risk to the machine 1 and the machine 2.
In step S34, the communication data in the same session is obtained from the user side, and the communication data is sent to the corresponding remote device through the session connection. After session connection is established between the remote equipment to be logged in and the gateway equipment, the gateway equipment acquires communication data in the same session through a virtual IP address and an authentication webpage, namely an operation instruction of a user in a session life cycle, and sends the operation instruction to the corresponding remote equipment through connection between the gateway equipment and the remote equipment to be logged in, so that communication between the user side and the remote equipment is realized, and remote login is realized.
In an embodiment of the present application, when the remote device includes a proxy service and a session management slave node connected to the proxy service, in step S33, a session connection is established with the session management slave node of the remote device to be logged in that is not connected to the gateway device. Here, the agent service agent is deployed on the remote device, the agent receives a connection notification sent by a slave node in the node device, and starts a slave, and at this time, the gateway device receives a connection request sent by the slave and establishes session connection with the slave.
Next, in step S34, the communication data is sent to the session management slave node through the session connection. The gateway device sends the operation instruction of the user terminal to the corresponding slave through the established session connection, so that the user terminal indirectly communicates with the slave of the remote device, and the remote login is realized.
In an embodiment of the present application, the node device includes a master node, and in step S31, the remote device to be logged that is not connected to the gateway device is obtained based on a session corresponding to the remote device to be logged that is synchronized from the master node. Here, the master node serves as a session management master in tsm cluster, and is responsible for managing sessions, synchronizing the sessions to the gateway device, and the gateway device determines the remote devices to be logged in which are not connected in the sessions through the received sessions. Then, in step S32, the remote device to be logged that is not connected to the gateway device is fed back to the master node, and the gateway device feeds back the remote device to be logged that has not yet had a connection relationship with the gateway device in the session to the master node, so that the master node finds the corresponding slave node according to the fed-back information and notifies the corresponding remote device to be logged, thereby completing the connection with the gateway device.
In an embodiment of the present application, in step S34, a container engine of the gateway device for the session connection is started; receiving batch processing communication data sent by the user side, and determining remote equipment to be subjected to batch processing in the container engine; and sending the communication data of batch processing to the remote equipment to be subjected to batch processing through the container engine. Here, since the gateway device is connected to the client and the remote device as an intermediate medium, an additional machine (container) may be started to connect to the gateway device according to a preset protocol, where the additional machine is a container engine (virtual AG) virtualized by a gateway image and is deployed on the same machine as the gateway, thereby implementing interconnection between the remote devices, and further using an internal protocol to operate the container to perform batch operations on the remote devices, such as batch copying of files to the remote devices in all sessions, and executing some commands in batch, and if some processes may need to be restarted, the problem of time and labor waste caused by the operation on each machine is solved, and the problem is avoided.
In an embodiment of the present application, a life cycle of the container engine coincides with a life cycle of the session. After the remote login is completed, the operation instruction of the user side is completed, the session is automatically destroyed, the container engine corresponding to each session can be automatically destroyed along with the session, the possibility of leaving over a super trigger is avoided, and the safety is guaranteed.
Fig. 1 is a schematic diagram illustrating remote login performed in a reverse connection manner in an embodiment of the present application, which is applied to a Terminal service (Terminal service) and provides a web-based machine login capability. The node device tsm cluster is a machine management machine, the remote devices host1 and host2 are target machines which need remote login and batch operation, the gateway device tsg host is a gateway (gateway) which really performs data transmission, the main node TS MMaster is a master in session management and is responsible for important tasks such as session management and receiving the connection of agents, and the slave node TS SMaster is responsible for receiving the long connection of Agent and communicates with the master in a manner of being connected to the MMaster; the TJ API is an externally provided application programming interface, and is responsible for authenticating and accessing the ts internal system, operating the session, and accessing through http. The specific implementation steps of the remote login by adopting the connection mode in fig. 1 are as follows:
step S1, deploying TS agents on the managed cluster, wherein the agents can be connected to a certain machine on the tsm cluster in a long connection mode to wait for commands; step S2, when a user needs to log in a certain target machine remotely, the user sends information to inform tsm cluster machine through TJ API, at this time, MMaster creates session, the session includes information of the machine needing to log in, if need to log in host name of three machines 1, 2 and 3; step S3, the MMaster in tsm cluster synchronizes the session including the information of the machine 1 and the machine 2 to gateway, and the gateway makes preparation, because the gateway usually does not allow sharing and connecting data, such as login, flow and the like are not received, only the synchronization session of the MMaster is received, the data, flow and the like which need to log in the machine in the receiving session can play a role in connection; step S4, after gateway receives MMaster' S synchronous conversation, it also needs to judge whether the machine in conversation is connected, if not, it informs MMaster; step S5, after the MMASter receives the gateway notification, the MMASter notifies the corresponding SMASter to notify the Agent on the corresponding machine of the unconnected information, for example, if the gateway does not have the connection information of the machine 1 and the machine 2, the MMASter finds the SMASter1 which establishes long connection with the machine 1 and the machine 2 and gives the SMASter to notify the Agent of the machine 1 and the Agent of the machine 2; step S6, after the TS Agent obtains the connection notice sent by SMaster, the TS Agent starts the session management node TS Slave to connect to the TS gateway of the prepared tsg host; and step S7, the user connects TS gateway through a virtual IP address (VIP) and a verification webpage (TS Portal), thereby indirectly communicating with the TS Slave of the target machine and realizing remote login.
In addition, a virtual AG started by a high-level container engine docker may be used to connect with a local TS Gateway, where the virtual AG is a virtual admin Gateway (virtual admin Gateway) and is used to perform a batch operation on machines in a session, the connection between the virtual AG and the Gateway is connected through an interprocess communication (domain socket) deployed on an tsg cluster, so as to improve security, tools for the batch operation are placed in the virtual AG, and these tools send packets according to an internal protocol of the TS, and a user may connect with the virtual AG to issue a command for the batch operation. When the reverse connection remote login mode in the embodiment of the application is used, sessions can be automatically destroyed, the virtual AG of each session can be automatically destroyed accordingly, and the possibility of leaving behind a trigger is avoided.
In summary, in the above process, since the TS Agent is actively connected to the tsm cluster to wait for the command, there is no need to open any port on the target machine to obtain information, so as to ensure the timeliness of data acquisition, and when the TS Agent receives a connection request, the TS Slave is notified to connect to the gateway to establish a long connection, so that the operation of logging in the shell (system command line) of the machine can be realized; in addition, the virtual AG is used for carrying out batch operation on the target machine, and the automatic destruction of the virtual AG further ensures the safety, so that the authority can be effectively recovered. The remote login method is suitable for operation and maintenance deployment home companies such as cloud computing or machine groups managed by other organizations, for example, a server cluster of a certain service platform, the number of machines is very large, operation and maintenance personnel can log in any machine to operate, only TS agents need to be deployed on a target machine by utilizing the login method, ports do not need to be opened on the target machine, and the access risk to the target machine is effectively reduced.
Fig. 2 shows a schematic diagram of a system for remote login in an embodiment of the present application, the system includes a node device 1, a remote device 2, and a gateway device 3, where the node device 1 includes a connection means 11, a creation means 12, a synchronization means 13, and a notification means 14, the remote device 2 includes a connection request means 21, a reception notification means 22, a session connection means 23, and an acquisition means 24, and the gateway device 3 includes a determination means 31, a feedback means 32, a reception connection request means 33, and a middle data means 34.
Specifically, in an embodiment of the present application, a node device for remote login is applied to a Terminal Service (TS) and provides a capability of machine login of a web page version, where a node device 1 is a management machine in a TS Service cluster, and may be referred to as a tsm (tertiary Service manager) cluster, as shown in fig. 2, the node device 1 includes:
a connection means 11 for establishing a connection with a remote device; in the embodiment of the application, a port does not need to be opened on the remote device during the remote login, but the remote device and the node device are firstly adopted to establish a connection relationship and wait for a command to perform subsequent session connection, so that the remote login is realized. Here, the remote device refers to a target machine that a user terminal needs to log in remotely.
The creating device 12 is configured to determine a remote device to be logged in based on a remote login request of a user side, and create a session corresponding to the remote device to be logged in; here, the node device 1 obtains the telnet request of the user side to determine the remote device 2 requested to be logged in, and at this time, a session corresponding to the remote device to be logged in is created, for example, the telnet request of the user side is to log in the machine 1, the machine 2, and the machine 3, the created session includes specific contents of the machine 1, the machine 2, and the machine 3, such as a machine name (host name) in the identification information, information of which machines the user needs to log in is obtained from the session, and the lifecycle of the telnet of the machine is consistent with the lifecycle of the session, so that the authority of logging in the machine is effectively recovered after the session is automatically destroyed, and a security hole is avoided.
A synchronization means 13 for synchronizing the session to a gateway device; here, the gateway device generally does not allow sharing and connecting data, such as login, traffic, etc., to be not received, and therefore it is necessary to synchronize a session including specific contents of a remote device to be logged in to the gateway device, notify the gateway device to prepare to receive only data and traffic of a machine within the session, and determine a session connection state of the remote device to be received within the session.
And a notification device 14, configured to acquire, from the gateway device, a remote device to be logged that is not connected to the gateway device and is fed back based on the session, and notify, through the connection, that the remote device to be logged that is not connected to the gateway device performs session connection with the gateway. Here, whether the remote devices to be logged in the session are all connected with the gateway device is acquired from the gateway device, and if not, the node device notifies the remote devices to be logged in which the connection with the gateway device is not established to establish session connection with the gateway device. After the remote device to be logged in and the gateway device complete session connection establishment, communication between the user side and the remote device can be achieved through the session connection, and remote login is achieved.
In an embodiment of the present application, in establishing a connection with the remote device, the connection is a long connection. Here, the node device receives the connection request sent by the remote device, establishes connection with the remote device, and uses a long connection form to log in the remote device without opening any port, so as to ensure the timeliness of data acquisition.
In an embodiment of the present application, the node device includes a master node, and the creating device 12 is configured to obtain, by the master node, a remote login request from an application programming interface, determine a remote device to be logged in according to the remote login request, and create a session corresponding to the remote device to be logged in. The node device, here comprising a master node (TS MMaster), may be arranged to take care of important tasks like session management and receive long connection requests, wherein, when taking charge of session management task, the remote login request of user terminal is firstly obtained through Application Programming Interface (API), determining the remote device to be logged in according to the remote login request, for example, obtaining that the target machine 1, the target machine 2 and the target machine 3 are machines whose user end needs to be logged in, at this time, the master node creates a session, wherein the session includes the host names of the target machine 1, the target machine 2 and the target machine 3, the master node synchronizes the session to the gateway device, the gateway device may then prepare the target machines in the session accordingly, for example, allow receiving the relevant data and traffic of the target machines in the session, and determine whether the target machines in the session all have a connection relationship with it.
In an embodiment of the present application, the node device further includes a slave node connected to the master node, and the connection device 11 is configured to control the slave node to establish a connection with a corresponding remote device by the master node. Here, if all the remote devices are connected to a certain management machine (master node) in tsm cluster all the time, the master node will be hard to bear, so in order to reduce the stress on the management machine and ensure the stability of the system, the node device further includes a slave node connected to the master node, and the slave node is responsible for receiving the connection request sent by the remote device, establishing long connection relationship with the remote device, and communicating with the master node by connecting to the master node.
In an embodiment of the present application, the notification device 14 is configured to receive, by the master node, a remote device to be logged that is not connected to the gateway device and is fed back by the gateway device, and determine a slave node that is not connected to the remote device to be logged that is connected to the gateway device; and the slave node informs the remote equipment to be logged, which is not connected with the gateway equipment, of carrying out session connection with the gateway equipment. The master node obtains a remote login request of a user end through an application programming interface, determines a remote device to be logged in, and creates a session, the session includes specific content of the remote device to be logged in, after the session is synchronized to the gateway device, the master node receives information of connection state of the remote device to be logged in, which is fed back by the gateway device, for example, the gateway device feeds back connection state information that the remote device 1 and the remote device 2 have not established connection with the gateway device to the master node, the master node informs corresponding slave nodes of the unconnected state information of the remote device 1 and the remote device 2 through connection with the slave nodes, wherein the corresponding slave nodes refer to slave nodes which previously establish long connection relationship with the remote device 1 and the remote device 2, for example, the slave node 1 establishes long connection with the remote device 1, and after receiving the information that the remote device 1 has not established connection with the gateway device master node, the slave node 1 is informed of this information, whereby the slave node 1 informs the remote device 1 to connect the gateway device through the long connection.
As shown in fig. 2, in an embodiment of the present application, a remote device 2 for remote login is further provided, which is applied to a Terminal Service (TS) and provides a web page version of machine login capability, where the remote device 2 is a target machine that a user in a TS Service cluster needs to log in, and the remote device 2 includes:
a connection request means 21 for establishing a connection with the node device; in the embodiment of the application, a port does not need to be opened on the remote device during remote login, but a reverse connection mode that the remote device is actively connected with the node device is adopted to wait for a command so as to perform subsequent session connection, and then remote login is realized, so that the possibility that a hacker attacks services from the port is avoided.
A receiving notification device 22, configured to receive a notification of session connection with the gateway device sent by the node device; in an embodiment of the present application, a remote device receives, at any time, a message sent by a node device in a long connection manner, where the message may include connection information indicating which remote devices in a session have not established a connection with a gateway device, and the corresponding remote device receives the connection information sent by the node device, and if the gateway device notifies the node device of information indicating that the remote device 1 is not connected with the gateway device, the node device notifies the remote device 1.
A session connection device 23, configured to establish a session connection with the gateway device according to the notification; in the above example, after receiving the notification that the gateway device needs to be connected, the remote device 1 starts a corresponding process to establish session connection with the gateway device, where the started process is a part of session management.
Then, the obtaining device 24 is configured to obtain, from the gateway device through the session connection, communication data in the same session, where the communication data is obtained by the gateway device from the user side. After the remote device to be logged in establishes session connection with the gateway device, the gateway device plays a role in data transfer, and the remote device to be logged in acquires communication data in the same session from the gateway device, wherein the communication data in the same session refers to operation instruction data of the user side in a life cycle of the session, and is acquired from the user side by the gateway device through the virtual IP address and the authentication web page, so that indirect communication with the remote device to be logged in is realized, and remote login is realized.
In an embodiment of the present application, the connection requesting apparatus 21 is configured to establish a connection with the node device, where the connection is a long connection. The remote device actively sends a connection request to the node device to establish a connection relation with the node device, and the long connection mode is used for connecting the remote device needing to log in without opening any port, so that the timeliness of data acquisition is ensured, and the remote device can be connected with the gateway device at the fastest speed by receiving the notification sent by the node device in time.
Preferably, the remote device comprises a proxy service, and the connection requesting means 21 is configured to establish a connection with the node device by the proxy service. Here, the remote login method described in an embodiment of the present application is applied to an operation and maintenance deployment company or other organization managed machine groups, and deploys a proxy service (TS agent) on a remote device, without performing any additional operation on the remote device, such as opening a port, so that the access risk to the remote device is effectively reduced, and the problem of invading the privacy of others is avoided.
In an embodiment of the present application, when the node device includes a master node and a slave node connected to the master node, the connection requesting unit 21 is configured to establish a connection between the proxy service and the slave node. Here, if all the TS agents deployed on the remote device are always connected to one management machine (master node) in the tsm cluster, the master node is hard to bear, and therefore, in order to reduce the bearing pressure of the management machine and ensure the stability of the system, the node device further includes a slave node connected to the master node, and at this time, the TS agents actively establish a long connection relationship with the slave node, and can receive the connection notification sent from the slave node in time.
In an embodiment of the present application, the remote device includes a session management slave node connected to the proxy service, and the receiving notification device 22 is configured to receive, by the proxy service, a notification of session connection with the gateway device sent by the node device, and determine a session management slave node corresponding to the session connection. Wherein, the session management slave node (TS slave) is responsible for being started by the agent when the agent obtains the connection notification, and connecting to the gateway device for managing the session created by the node device. When the connection between the remote equipment and the gateway equipment needs to be established, the agent starts the slave to be connected with the gateway equipment, so that the direct connection between the agent and the gateway equipment is avoided, the robustness of the system is ensured, the agent on each machine in each session starts a corresponding slave for the corresponding machine, the condition that other sessions cannot be performed due to the fact that a certain machine collapses is prevented, the agent starts the slave to separate a data flow process from a session management process, and the system stability during remote login is ensured.
As in the above embodiments, the session connection device 23 is configured to control the session management slave node to perform session connection with the gateway device by using the proxy service. For example, when the remote devices to be logged in session 1 are machine 1 and machine 2, the remote devices to be logged in session 2 are machine 3, and machines 1 to 3 are not connected to the gateway device, the agent deployed on machines 1 to 3 may start a corresponding slave for each machine, for example, machine 1 starts slave1, machine 2 starts slave2, machine 3 starts slave3, slave1 and slave2 belong to session 1, and each slave performs session connection with the gateway device, thereby implementing communication between the user side and the remote devices through the gateway device.
With continued reference to fig. 2, an embodiment of the present application further provides a gateway device 3 for remote login, which is applied to a Terminal Service (TS) and provides a capability of machine login in a web page version, where a TS gateway is deployed on the gateway device 3 and is used for actually performing data transmission in the TS Service, and the gateway device 3 includes:
the determining device 31 is configured to obtain a remote device to be logged that is not connected to the gateway device, based on a session corresponding to the remote device to be logged that is synchronized by the node device; in an embodiment of the present application, the gateway device usually does not allow sharing and connecting data, for example, login, traffic, and the like are not received, and only receiving a synchronization session of the node device will correspondingly receive data, traffic, and the like of a machine that needs to login in the session, and for example, receiving that machines 1 and 2 in the session synchronized by the node device need to login, the gateway device will only receive related data and traffic of machines 1 and 2 in the session. After receiving the synchronous session of the node equipment, judging whether the machine in the session is connected with the gateway equipment, and if not, feeding back the unconnected machine.
A feedback device 32, configured to feed back the remote device to be logged that is not connected to the gateway device to the node device; here, the remote device in the session synchronized by the node device is judged, it is determined that the remote device to be logged in has no connection with the node device, for example, the remote device to be logged in the session is the machine 1, the machine 2 and the machine 3, the gateway device determines that neither the machine 1 nor the machine 2 has a connection with the gateway device according to the synchronized session, the unconnected state of the machine 1 and the machine 2 is fed back to the node device, so that the node device notifies the machine 1 and the machine 2 to actively establish a session connection with the gateway device, and thus the receiving connection requesting device 33 establishes a session connection with the remote device to be logged in which the gateway device is not connected, that is, the receiving connection request of the machine 1 and the machine 2 establishes a connection with them, and the reverse connection of the machine 1 and the machine 2 to the gateway device is completed, thereby reducing the access risk to the machine 1 and the machine 2.
The relay data device 34 is configured to obtain communication data in the same session from a user side, and send the communication data to a corresponding remote device through the session connection. After session connection is established between the remote equipment to be logged in and the gateway equipment, the gateway equipment acquires communication data in the same session through a virtual IP address and an authentication webpage, namely an operation instruction of a user in a session life cycle, and sends the operation instruction to the corresponding remote equipment through connection between the gateway equipment and the remote equipment to be logged in, so that communication between the user side and the remote equipment is realized, and remote login is realized.
In an embodiment of the present application, when the remote device includes a proxy service and a session management slave node connected to the proxy service, the connection requesting device 33 establishes a session connection with the session management slave node of the remote device to be logged in that is not connected to the gateway device. Here, the agent service agent is deployed on the remote device, the agent receives a connection notification sent by a slave node in the node device, and starts a slave, and at this time, the gateway device receives a connection request sent by the slave and establishes session connection with the slave.
The transit data means 34 then sends the communication data to the session management slave node via the session connection. The gateway device sends the operation instruction of the user terminal to the corresponding slave through the established session connection, so that the user terminal indirectly communicates with the slave of the remote device, and the remote login is realized.
In an embodiment of the present application, the node device includes a master node, and the determining device 31 is configured to obtain a remote device to be logged that is not connected to the gateway device, based on a session corresponding to the remote device to be logged that is synchronized from the master node. Here, the master node serves as a session management master in tsm cluster, and is responsible for managing sessions, synchronizing the sessions to the gateway device, and the gateway device determines the remote devices to be logged in which are not connected in the sessions through the received sessions. Then, the feedback device 32 feeds back the remote device to be logged that is not connected to the gateway device to the master node, and the feedback device 32 in the gateway device feeds back the remote device to be logged that is not connected to the remote device to be logged to the master node, so that the master node finds the corresponding slave node according to the feedback information and notifies the corresponding remote device to be logged, thereby completing the connection with the gateway device.
In an embodiment of the present application, the transit data apparatus 34 is configured to start a container engine of the gateway device for session connection; receiving batch processing communication data sent by the user side, and determining remote equipment to be subjected to batch processing in the container engine; and sending the communication data of batch processing to the remote equipment to be subjected to batch processing through the container engine. Here, since the gateway device is connected to the client and the remote device as an intermediate medium, an additional machine (container) may be started to connect to the gateway device according to a preset protocol, where the additional machine is a container engine (virtual AG) virtualized by a gateway image and is deployed on the same machine as the gateway, thereby implementing interconnection between the remote devices, and further using an internal protocol to operate the container to perform batch operations on the remote devices, such as batch copying of files to the remote devices in all sessions, and executing some commands in batch, and if some processes may need to be restarted, the problem of time and labor waste caused by the operation on each machine is solved, and the problem is avoided.
In an embodiment of the present application, a life cycle of the container engine coincides with a life cycle of the session. After the remote login is completed, the operation instruction of the user side is completed, the session is automatically destroyed, the container engine corresponding to each session can be automatically destroyed along with the session, the possibility of leaving over a super trigger is avoided, and the safety is guaranteed.
Fig. 1 is a schematic diagram illustrating remote login performed in a reverse connection manner in an embodiment of the present application, which is applied to a Terminal service (Terminal service) and provides a web-based machine login capability. The node device tsm cluster is a machine management machine, the remote devices host1 and host2 are target machines which need remote login and batch operation, the gateway device tsg host is a gateway (gateway) which really performs data transmission, the main node TS MMaster is a master in session management and is responsible for important tasks such as session management and receiving the connection of agents, and the slave node TS SMaster is responsible for receiving the long connection of Agent and communicates with the master in a manner of being connected to the MMaster; the TJ API is an externally provided application programming interface, and is responsible for authenticating and accessing the ts internal system, operating the session, and accessing through http. The specific implementation steps of the remote login by adopting the connection mode in fig. 1 are as follows:
step S1, deploying TS agents on the managed cluster, wherein the agents can be connected to a certain machine on the tsm cluster in a long connection mode to wait for commands; step S2, when a user needs to log in a certain target machine remotely, the user sends information to inform tsm cluster machine through TJ API, at this time, MMaster creates session, the session includes information of the machine needing to log in, if need to log in host name of three machines 1, 2 and 3; step S3, the MMaster in tsm cluster synchronizes the session including the information of the machine 1 and the machine 2 to gateway, and the gateway makes preparation, because the gateway usually does not allow sharing and connecting data, such as login, flow and the like are not received, only the synchronization session of the MMaster is received, the data, flow and the like which need to log in the machine in the receiving session can play a role in connection; step S4, after gateway receives MMaster' S synchronous conversation, it also needs to judge whether the machine in conversation is connected, if not, it informs MMaster; step S5, after the MMASter receives the gateway notification, the MMASter notifies the corresponding SMASter to notify the Agent on the corresponding machine of the unconnected information, for example, if the gateway does not have the connection information of the machine 1 and the machine 2, the MMASter finds the SMASter1 which establishes long connection with the machine 1 and the machine 2 and gives the SMASter to notify the Agent of the machine 1 and the Agent of the machine 2; step S6, after the TS Agent obtains the connection notice sent by SMaster, the TS Agent starts the session management node TS Slave to connect to the TS gateway of the prepared tsg host; and step S7, the user connects TS gateway through a virtual IP address (VIP) and a verification webpage (TS Portal), thereby indirectly communicating with the TS Slave of the target machine and realizing remote login.
In addition, a virtual AG started by a high-level container engine docker may be used to connect with a local TS Gateway, where the virtual AG is a virtual admin Gateway (virtual admin Gateway) and is used to perform a batch operation on machines in a session, the connection between the virtual AG and the Gateway is connected through an interprocess communication (domain socket) deployed on an tsg cluster, so as to improve security, tools for the batch operation are placed in the virtual AG, and these tools send packets according to an internal protocol of the TS, and a user may connect with the virtual AG to issue a command for the batch operation. When the reverse connection remote login mode in the embodiment of the application is used, sessions can be automatically destroyed, the virtual AG of each session can be automatically destroyed accordingly, and the possibility of leaving behind a trigger is avoided.
In summary, in the above process, since the TS Agent is actively connected to the tsm cluster to wait for the command, there is no need to open any port on the target machine to obtain information, so as to ensure the timeliness of data acquisition, and when the TS Agent receives a connection request, the TS Slave is notified to connect to the gateway to establish a long connection, so that the operation of logging in the shell (system command line) of the machine can be realized; in addition, the virtual AG is used for carrying out batch operation on the target machine, and the automatic destruction of the virtual AG further ensures the safety, so that the authority can be effectively recovered. The remote login system is suitable for operation and maintenance deployment home companies such as cloud computing or machine groups managed by other organizations, for example, a server cluster of a certain service platform, the number of machines is very large, operation and maintenance personnel can log in any machine to operate, only TS agents need to be deployed on a target machine by utilizing the login method of the application, ports do not need to be opened on the target machine, and the access risk to the target machine is effectively reduced.
According to another aspect of the present application, there is also provided a computing-based device, comprising:
a processor; and
a memory arranged to store computer executable instructions that, when executed, cause the processor to:
establishing a connection with a remote device; determining remote equipment to be logged in based on a remote login request of a user side, and creating a session corresponding to the remote equipment to be logged in; synchronizing the session to a gateway device; and acquiring the remote equipment to be logged which is not connected with the gateway equipment and fed back based on the session from the gateway equipment, and informing the remote equipment to be logged which is not connected with the gateway equipment to perform session connection with the gateway through the connection.
According to another aspect of the present application, there is also provided a computing-based device, comprising:
a processor; and
a memory arranged to store computer executable instructions that, when executed, cause the processor to:
establishing connection with node equipment; receiving a notification of session connection with the gateway device, which is sent by the node device; establishing session connection with the gateway equipment according to the notification; and acquiring communication data in the same session from the gateway equipment through the session connection, wherein the communication data is acquired from a user side by the gateway equipment.
According to another aspect of the present application, there is also provided a computing-based device, comprising:
a processor; and
a memory arranged to store computer executable instructions that, when executed, cause the processor to:
acquiring remote equipment to be logged which is not connected with the gateway equipment based on a session corresponding to the remote equipment to be logged which is synchronized by the node equipment; feeding back the remote equipment to be logged in which is not connected with the gateway equipment to the node equipment; establishing session connection with the remote equipment to be logged in which is not connected with the gateway equipment; and communication data in the same session are acquired from the user side, and the communication data are sent to corresponding remote equipment through the session connection.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present application without departing from the spirit and scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims of the present application and their equivalents, the present application is intended to include such modifications and variations as well.
It should be noted that the present application may be implemented in software and/or a combination of software and hardware, for example, implemented using Application Specific Integrated Circuits (ASICs), general purpose computers or any other similar hardware devices. In one embodiment, the software programs of the present application may be executed by a processor to implement the steps or functions described above. Likewise, the software programs (including associated data structures) of the present application may be stored in a computer readable recording medium, such as RAM memory, magnetic or optical drive or diskette and the like. Additionally, some of the steps or functions of the present application may be implemented in hardware, for example, as circuitry that cooperates with the processor to perform various steps or functions.
In addition, some of the present application may be implemented as a computer program product, such as computer program instructions, which when executed by a computer, may invoke or provide methods and/or techniques in accordance with the present application through the operation of the computer. Program instructions which invoke the methods of the present application may be stored on a fixed or removable recording medium and/or transmitted via a data stream on a broadcast or other signal-bearing medium and/or stored within a working memory of a computer device operating in accordance with the program instructions. An embodiment according to the present application comprises an apparatus comprising a memory for storing computer program instructions and a processor for executing the program instructions, wherein the computer program instructions, when executed by the processor, trigger the apparatus to perform a method and/or a solution according to the aforementioned embodiments of the present application.
It will be evident to those skilled in the art that the present application is not limited to the details of the foregoing illustrative embodiments, and that the present application may be embodied in other specific forms without departing from the spirit or essential attributes thereof. The present embodiments are therefore to be considered in all respects as illustrative and not restrictive, the scope of the application being indicated by the appended claims rather than by the foregoing description, and all changes which come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein. Any reference sign in a claim should not be construed as limiting the claim concerned. Furthermore, it is obvious that the word "comprising" does not exclude other elements or steps, and the singular does not exclude the plural. A plurality of units or means recited in the apparatus claims may also be implemented by one unit or means in software or hardware. The terms first, second, etc. are used to denote names, but not any particular order.

Claims (39)

1. A method for telnet at a node device, wherein the method comprises:
establishing a connection with a remote device;
determining remote equipment to be logged in based on a remote login request of a user side, and creating a session corresponding to the remote equipment to be logged in;
synchronizing the session to a gateway device;
and acquiring the remote equipment to be logged which is not connected with the gateway equipment and fed back based on the session from the gateway equipment, and informing the remote equipment to be logged which is not connected with the gateway equipment to perform session connection with the gateway through the connection so as to enable the remote equipment to acquire communication data in the same session from the gateway equipment through the session connection, wherein the communication data is acquired from a user side by the gateway equipment.
2. The method of claim 1, wherein in establishing a connection with the remote device, the connection is a long connection.
3. The method of claim 1, wherein the node device comprises a master node, and determining a remote device to be logged in based on a remote login request of a user, and creating a session corresponding to the remote device to be logged in comprises:
the main node acquires a remote login request of a user side from an application programming interface, determines remote equipment to be logged in according to the remote login request, and creates a session corresponding to the remote equipment to be logged in.
4. The method of claim 3, wherein the node device further comprises a slave node connected to a master node, establishing a connection with the remote device comprising:
and the master node controls the slave node to establish connection with the corresponding remote equipment.
5. The method of claim 4, wherein obtaining, from the gateway device, a remote device to be logged that is not connected to the gateway device and fed back based on the session, and notifying, through the connection, that the remote device to be logged that is not connected to the gateway device performs session connection with the gateway comprises:
the master node receives the remote equipment to be logged which is fed back by the gateway equipment and is not connected with the gateway equipment, and determines a slave node which is not connected with the remote equipment to be logged and is not connected with the gateway equipment;
and the slave node informs the remote equipment to be logged, which is not connected with the gateway equipment, of carrying out session connection with the gateway equipment.
6. A method for telnet at a remote device, wherein the method comprises:
establishing connection with node equipment;
receiving a notification of session connection with a gateway device, which is sent by the node device, through the connection, wherein a session for session connection corresponds to a remote device to be logged in, is created by the node device, and is synchronized to the gateway device;
establishing session connection with the gateway equipment according to the notification;
and acquiring communication data in the same session from the gateway equipment through the session connection, wherein the communication data is acquired from a user side by the gateway equipment.
7. The method of claim 6, wherein in establishing a connection with the node device, the connection is a long connection.
8. The method of claim 6, wherein the remote device comprises a proxy service, establishing a connection with a node device, comprising:
the proxy service establishes a connection with the node device.
9. The method of claim 8, wherein when the node device comprises a master node and a slave node to which the master node is connected,
the proxy service establishes a connection with the slave node.
10. The method of claim 9, wherein the remote device comprises a session management slave node connected to the proxy service, receiving the notification of the session connection with the gateway device sent by the node device comprises:
and the proxy service receives a notification of session connection with the gateway device, which is sent by the node device, and determines a session management slave node corresponding to the session connection.
11. The method of claim 10, wherein establishing a session connection with the gateway device in accordance with the notification comprises:
the proxy service controls the session management slave node so that the session management slave node makes a session connection with the gateway device.
12. A method for telnet at a gateway device, wherein the method comprises:
acquiring remote equipment to be logged which is not connected with the gateway equipment based on a session corresponding to the remote equipment to be logged which is synchronized by the node equipment;
feeding back the remote equipment to be logged in which is not connected with the gateway equipment to the node equipment;
establishing session connection with the remote equipment to be logged in which is not connected with the gateway equipment;
and communication data in the same session are acquired from the user side, and the communication data are sent to corresponding remote equipment through the session connection.
13. The method of claim 12, wherein establishing a session connection with the remote device to be logged in that is not connected with the gateway device when the remote device includes a proxy service and a session management slave node connected with the proxy service comprises:
and establishing session connection with the session management slave node of the remote device to be logged in which is not connected with the gateway device.
14. The method of claim 13, wherein transmitting the communication data to a remote device over the session connection comprises:
and sending the communication data to the session management slave node through the session connection.
15. The method of claim 12, wherein the node device comprises a master node, and acquiring the remote device to be logged that is not connected to the gateway device based on a session corresponding to the remote device to be logged that is synchronized by the node device, comprises:
and acquiring the remote equipment to be logged which is not connected with the gateway equipment based on the session corresponding to the remote equipment to be logged which is synchronized from the main node.
16. The method of claim 15, wherein feeding back the remote device to be logged that is not connected to the gateway device to the node device comprises:
and feeding back the remote equipment to be logged in which is not connected with the gateway equipment to the main node.
17. The method of any one of claims 12 to 16, wherein obtaining the communication data within the same session from the user side, and transmitting the communication data to the remote device through the session connection, comprises:
starting a container engine of the gateway device for the session connection;
receiving batch processing communication data sent by the user side, and determining remote equipment to be subjected to batch processing in the container engine;
and sending the communication data of batch processing to the remote equipment to be subjected to batch processing through the container engine.
18. The method of claim 17, wherein a lifecycle of the container engine coincides with a lifecycle of the session.
19. A node device for telnet, wherein the node device comprises:
a connection device for establishing a connection with a remote device;
the device comprises a creating device and a processing device, wherein the creating device is used for determining remote equipment to be logged in based on a remote login request of a user side and creating a session corresponding to the remote equipment to be logged in;
a synchronization means for synchronizing the session to a gateway device;
and the notification device is used for acquiring the remote equipment to be logged which is not connected with the gateway equipment and fed back based on the session from the gateway equipment, and notifying the remote equipment to be logged which is not connected with the gateway equipment to perform session connection with the gateway through the connection so as to enable the remote equipment to acquire communication data in the same session from the gateway equipment through the session connection, wherein the communication data is acquired from a user side by the gateway equipment.
20. The node device of claim 19, wherein the connection means is configured to establish a long connection in connection with the remote device.
21. The node device of claim 19, wherein the node device comprises a master node, the creating means to:
the main node acquires a remote login request of a user side from an application programming interface, determines remote equipment to be logged in according to the remote login request, and creates a session corresponding to the remote equipment to be logged in.
22. The node device of claim 21, wherein the node device further comprises a slave node connected to the master node, the connecting means being configured to:
and the master node controls the slave node to establish connection with the corresponding remote equipment.
23. The node device of claim 22, wherein the means for notifying is configured to:
the master node receives the remote equipment to be logged which is fed back by the gateway equipment and is not connected with the gateway equipment, and determines a slave node which is not connected with the remote equipment to be logged and is not connected with the gateway equipment;
and the slave node informs the remote equipment to be logged, which is not connected with the gateway equipment, of carrying out session connection with the gateway equipment.
24. A remote device for telnet, wherein the remote device comprises:
a connection request means for establishing a connection with the node device;
a receiving notification device, configured to receive, through the connection, a notification of session connection with a gateway device sent by the node device, where a session for session connection corresponds to a remote device to be logged in, is created by the node device, and is synchronized to the gateway device;
the session connecting device is used for establishing session connection with the gateway equipment according to the notification;
and the acquisition device is used for acquiring communication data in the same session from the gateway equipment through the session connection, and the communication data is acquired from a user side by the gateway equipment.
25. The remote device of claim 24, wherein the connection request means is configured to establish a connection with the node device, the connection being a long connection.
26. The remote device of claim 24, wherein the remote device comprises a proxy service, the connection request means to:
the proxy service establishes a connection with the node device.
27. The remote device of claim 26, wherein when the node device comprises a master node and a slave node to which the master node is connected,
the connection request device is used for establishing connection between the proxy service and the slave node.
28. The remote device of claim 27, wherein the remote device comprises a session management slave node connected to the proxy service, the means for receiving notification is configured to:
and the proxy service receives a notification of session connection with the gateway device, which is sent by the node device, and determines a session management slave node corresponding to the session connection.
29. The remote device of claim 28, wherein the session connection means is for:
the proxy service controls the session management slave node so that the session management slave node makes a session connection with the gateway device.
30. A gateway device for telnet, wherein the gateway device comprises:
the determining device is used for acquiring the remote equipment to be logged which is not connected with the gateway equipment based on the session corresponding to the remote equipment to be logged which is synchronized by the node equipment;
the feedback device is used for feeding back the remote equipment to be logged, which is not connected with the gateway equipment, to the node equipment;
receiving a connection request device, configured to establish session connection with the remote device to be logged in that is not connected to the gateway device;
and the transfer data device is used for acquiring the communication data in the same session from the user side and sending the communication data to the corresponding remote equipment through the session connection.
31. The gateway device of claim 30, wherein when the remote device comprises a proxy service and a session management slave node connected to the proxy service, the receive connection request means is to:
and establishing session connection with the session management slave node of the remote device to be logged in which is not connected with the gateway device.
32. The gateway device of claim 31, wherein the transit data means is configured to:
and sending the communication data to the session management slave node through the session connection.
33. The gateway device of claim 30, wherein the node device comprises a master node, the determining means being configured to:
and acquiring the remote equipment to be logged which is not connected with the gateway equipment based on the session corresponding to the remote equipment to be logged which is synchronized from the main node.
34. The gateway device of claim 33, wherein the feedback means is for:
and feeding back the remote equipment to be logged in which is not connected with the gateway equipment to the main node.
35. The gateway device of any of claims 30 to 34, wherein the transit data means is configured to:
starting a container engine of the gateway device for the session connection;
receiving batch processing communication data sent by the user side, and determining remote equipment to be subjected to batch processing in the container engine;
and sending the communication data of batch processing to the remote equipment to be subjected to batch processing through the container engine.
36. The gateway device of claim 35, wherein a lifecycle of the container engine coincides with a lifecycle of the session.
37. A computing-based device, comprising:
a processor; and
a memory arranged to store computer executable instructions that, when executed, cause the processor to:
establishing a connection with a remote device;
determining remote equipment to be logged in based on a remote login request of a user side, and creating a session corresponding to the remote equipment to be logged in;
synchronizing the session to a gateway device;
and acquiring the remote equipment to be logged which is not connected with the gateway equipment and fed back based on the session from the gateway equipment, and informing the remote equipment to be logged which is not connected with the gateway equipment to perform session connection with the gateway through the connection so as to enable the remote equipment to acquire communication data in the same session from the gateway equipment through the session connection, wherein the communication data is acquired from a user side by the gateway equipment.
38. A computing-based device, comprising:
a processor; and
a memory arranged to store computer executable instructions that, when executed, cause the processor to:
establishing connection with node equipment;
receiving a notification of session connection with a gateway device, which is sent by the node device, through the connection, wherein a session for session connection corresponds to a remote device to be logged in, is created by the node device, and is synchronized to the gateway device;
establishing session connection with the gateway equipment according to the notification;
and acquiring communication data in the same session from the gateway equipment through the session connection, wherein the communication data is acquired from a user side by the gateway equipment.
39. A computing-based device, comprising:
a processor; and
a memory arranged to store computer executable instructions that, when executed, cause the processor to:
acquiring remote equipment to be logged which is not connected with gateway equipment based on a session corresponding to the remote equipment to be logged which is synchronized by the node equipment;
feeding back the remote equipment to be logged in which is not connected with the gateway equipment to the node equipment;
establishing session connection with the remote equipment to be logged in which is not connected with the gateway equipment;
and communication data in the same session are acquired from the user side, and the communication data are sent to corresponding remote equipment through the session connection.
CN201710049458.XA 2017-01-23 2017-01-23 Remote login method and device Active CN108347450B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710049458.XA CN108347450B (en) 2017-01-23 2017-01-23 Remote login method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710049458.XA CN108347450B (en) 2017-01-23 2017-01-23 Remote login method and device

Publications (2)

Publication Number Publication Date
CN108347450A CN108347450A (en) 2018-07-31
CN108347450B true CN108347450B (en) 2021-04-02

Family

ID=62974816

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710049458.XA Active CN108347450B (en) 2017-01-23 2017-01-23 Remote login method and device

Country Status (1)

Country Link
CN (1) CN108347450B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109587239B (en) * 2018-12-03 2021-09-07 群蜂信息技术(上海)有限公司 Access request processing method, server and storage medium
CN112688979B (en) 2019-10-17 2022-08-16 阿波罗智能技术(北京)有限公司 Unmanned vehicle remote login processing method, device, equipment and storage medium
CN112182563B (en) * 2020-09-28 2023-04-07 邢韬 Linux system Bash safety protection method
CN114050911B (en) * 2021-09-27 2023-05-16 度小满科技(北京)有限公司 Remote login method and system for container

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1780219A (en) * 2004-11-22 2006-05-31 株式会社东芝 Information terminal remote operation system and method, gateway server, information terminal, information terminal control apparatus, information terminal apparatus
CN101199187A (en) * 2004-07-23 2008-06-11 茨特里克斯系统公司 A method and systems for securing remote access to private networks
CN101977178A (en) * 2010-08-09 2011-02-16 中兴通讯股份有限公司 Relay-based media channel establishing method and system
CN102037684A (en) * 2007-12-20 2011-04-27 海敦桥有限公司 Group communication system using media server having distributed structure and method thereof

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8893248B2 (en) * 2008-12-12 2014-11-18 Tekelec, Inc. Methods, systems, and computer readable media for media session policy compliance auditing and enforcement using a media relay and session initiation protocol (SIP) signaling

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101199187A (en) * 2004-07-23 2008-06-11 茨特里克斯系统公司 A method and systems for securing remote access to private networks
CN1780219A (en) * 2004-11-22 2006-05-31 株式会社东芝 Information terminal remote operation system and method, gateway server, information terminal, information terminal control apparatus, information terminal apparatus
CN102037684A (en) * 2007-12-20 2011-04-27 海敦桥有限公司 Group communication system using media server having distributed structure and method thereof
CN101977178A (en) * 2010-08-09 2011-02-16 中兴通讯股份有限公司 Relay-based media channel establishing method and system

Also Published As

Publication number Publication date
CN108347450A (en) 2018-07-31

Similar Documents

Publication Publication Date Title
CN108347450B (en) Remote login method and device
JP6707153B2 (en) Secure configuration of cloud computing nodes
US11936638B2 (en) Link protocol agents for inter-application communications
CN112035822B (en) Multi-application single sign-on method, device, equipment and storage medium
CN106911648B (en) Environment isolation method and equipment
CN108347449B (en) Method and equipment for managing remote login
JP2003084931A (en) Printing method via network
US11762748B2 (en) Test controller securely controlling a test platform to run test applications
CN103347020B (en) A kind of system and method across application authorization access
CN107070931B (en) Cloud application data uploading/accessing method and system and cloud proxy server
JP2008533784A (en) Method, system, and computer program for communication in a computer system
US9118621B2 (en) Network controller, method, and medium
CN109257392B (en) Command processing method, device, server and storage medium
CN105812406A (en) Information transmission method and device based on WEB simulation terminal system
JP4643596B2 (en) Apparatus, method, program, terminal apparatus for authenticating terminal apparatus, and apparatus for relaying communication of terminal apparatus
CN111726328B (en) Method, system and related device for remotely accessing a first device
CN103685398A (en) Communication connection establishment method and communication system
US20220337664A1 (en) Communication system, information processing apparatus, and information processing method
CN116436671B (en) Method, system, device and medium for Kubernetes cluster access in private network
EP3370396A1 (en) Methods and devices for testing applications
WO2016188172A1 (en) Method and system for implementing remote terminal tool
US11082534B2 (en) Methods and devices for testing applications
CN105471594B (en) The method and apparatus for managing resource
WO2014201933A1 (en) Method for hypertext transfer protocol network and broadband network gateway
CN116032611B (en) Login method, system and storage medium of network equipment

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant