CN112039851A - Server login method, system and device - Google Patents
- Publication number: CN112039851A
- Application number: CN202010787009.7A
- Authority: CN (China)
- Prior art keywords: user, server, login, target, target server
- Legal status: Granted (status as listed by Google Patents; it is an assumption, not a legal conclusion)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/45—Structures or tools for the administration of authentication
- G06F21/46—Structures or tools for the administration of authentication by designing passwords or checking the strength of passwords
Abstract
One or more embodiments of this specification disclose a server login method, system and apparatus that address two problems of the prior art: storing and managing each user's login permission information on every server puts heavy data storage pressure on the servers, and makes that permission information hard to manage and control. The method comprises: receiving, from a target server, a login request of a first user for that target server; determining the user category of the first user from the first user's user identification information; determining the target login permission information corresponding to a second user belonging to that user category; authenticating, against that information, the first user's permission to log in to the target server; and, if the authentication passes, returning a second login password corresponding to the target server. With this scheme the user-related data of one user need not be created repeatedly on every server, so the storage pressure on the servers is relieved and the management and control of server login permissions is improved.
Description
Technical Field
The present disclosure relates to the field of information security technologies, and in particular, to a server login method, system, and apparatus.
Background
Currently, when a user logs in to a server, the user interacts with that server, and the server decides whether the user may log in from user-related data stored in its local files, such as the user identity (uid), group identity (gid), home directory path, login public key and server login permission of the user. Because servers are independent of each other, a user who needs to log in to several servers must have this user-related data created on each of them, and each server then checks the user's login permission against its own copy. This is redundant, puts storage pressure on the servers, and makes the user's server login permissions inconvenient to manage.
As for managing a user's server login permission: since the prior art creates user-related data per user, changing a user's login permission for one server means changing the permission record stored on that server, and changing it for several servers at once means editing each of those servers separately. This way of managing login permissions is labour-intensive and inefficient, and it scales poorly to scenarios with many users and servers.
Disclosure of Invention
One or more embodiments of the present disclosure provide a server login method, system and device that address two problems of the prior art: storing and managing each user's login permission information on the server itself puts heavy data storage pressure on the server, and makes that permission information hard to manage and control.
To solve this technical problem, one or more embodiments of the present specification are implemented as follows.
In one aspect, one or more embodiments of the present specification provide a server login method applied to an authentication center, comprising:
receiving a login request of a first user for a target server, sent by the target server; the login request comprises user identification information of the first user, server identification information of the target server, and a first login password for logging in to the target server;
determining the user category of the first user from the user identification information of the first user; the user category comprises at least one of a user identity, a user level and a user group to which the user belongs;
determining, based on the user category of the first user, the target login permission information corresponding to a second user belonging to that user category, and authenticating the first user's permission to log in to the target server (the "first permission") against that information;
and, if the first permission passes authentication, returning a second login password corresponding to the target server, so that the target server decides from the first login password and the second login password whether the first user is allowed to log in to the target server.
In another aspect, one or more embodiments of the present specification provide a server login method applied to a target server, comprising:
receiving a login request of a first user for the target server; the login request comprises user identification information of the first user, server identification information of the target server, and a first login password for logging in to the target server;
forwarding the login request to an authentication center, which determines the user category of the first user from the user identification information and, based on that category, authenticates the first user's permission to log in to the target server (the "first permission");
receiving, from the authentication center, a second login password corresponding to the target server, which the authentication center sends only after the first permission has passed authentication, and checking whether the first login password matches the second login password;
and deciding, from the result of that check, whether to allow the first user to log in to the target server.
In yet another aspect, one or more embodiments of the present specification provide a server login system comprising a target server and an authentication center.
The target server receives a login request of a first user for the target server and forwards it to the authentication center; the login request comprises user identification information of the first user, server identification information of the target server, and a first login password for logging in to the target server.
The authentication center receives the login request sent by the target server; determines the user category of the first user from the user identification information; determines, based on that category, the target login permission information corresponding to a second user belonging to the category and authenticates the first user's permission to log in to the target server (the "first permission") against it; and, if the first permission passes authentication, returns a second login password corresponding to the target server.
The target server further receives the second login password sent by the authentication center, checks whether the first login password matches the second login password, and decides from the result whether to allow the first user to log in to the target server.
In yet another aspect, one or more embodiments of the present specification provide a server login apparatus (for the authentication center side) comprising:
a first receiving module for receiving a login request of a first user for a target server, sent by the target server; the login request comprises user identification information of the first user, server identification information of the target server, and a first login password for logging in to the target server;
a first determining module for determining the user category of the first user from the user identification information; the user category comprises at least one of a user identity, a user level and a user group to which the user belongs;
a first execution module for determining, based on the user category of the first user, the target login permission information corresponding to a second user belonging to that category, and authenticating the first user's permission to log in to the target server (the "first permission") against it;
and a returning module for returning, if the first permission passes authentication, a second login password corresponding to the target server, so that the target server decides from the first and second login passwords whether the first user is allowed to log in to the target server.
In yet another aspect, one or more embodiments of the present specification provide a server login apparatus (for the target server side) comprising:
a third receiving module for receiving a login request of a first user for the target server; the login request comprises user identification information of the first user, server identification information of the target server, and a first login password for logging in to the target server;
a forwarding module for forwarding the login request to an authentication center, which determines the user category of the first user from the user identification information and, based on that category, authenticates the first user's permission to log in to the target server (the "first permission");
a fourth execution module for receiving, from the authentication center, a second login password corresponding to the target server, sent only after the first permission has passed authentication, and checking whether the first login password matches the second login password;
and a fourth determining module for deciding, from the result of that check, whether to allow the first user to log in to the target server.
In yet another aspect, one or more embodiments of the present specification provide a server login device comprising a processor and a memory arranged to store computer-executable instructions that, when executed, cause the processor to:
receive a login request of a first user for a target server, sent by the target server; the login request comprises user identification information of the first user, server identification information of the target server, and a first login password for logging in to the target server;
determine the user category of the first user from the user identification information; the user category comprises at least one of a user identity, a user level and a user group to which the user belongs;
determine, based on the user category of the first user, the target login permission information corresponding to a second user belonging to that category, and authenticate the first user's permission to log in to the target server (the "first permission") against it;
and, if the first permission passes authentication, return a second login password corresponding to the target server, so that the target server decides from the first and second login passwords whether the first user is allowed to log in to the target server.
In yet another aspect, one or more embodiments of the present specification provide a server login device comprising a processor and a memory arranged to store computer-executable instructions that, when executed, cause the processor to:
receive a login request of a first user for a target server; the login request comprises user identification information of the first user, server identification information of the target server, and a first login password for logging in to the target server;
forward the login request to an authentication center, which determines the user category of the first user from the user identification information and, based on that category, authenticates the first user's permission to log in to the target server (the "first permission");
receive, from the authentication center, a second login password corresponding to the target server, sent only after the first permission has passed authentication, and check whether the first login password matches the second login password;
and decide, from the result of that check, whether to allow the first user to log in to the target server.
In yet another aspect, an embodiment of the present application provides a storage medium storing computer-executable instructions which, when executed, implement the following process:
receiving a login request of a first user for a target server, sent by the target server; the login request comprises user identification information of the first user, server identification information of the target server, and a first login password for logging in to the target server;
determining the user category of the first user from the user identification information; the user category comprises at least one of a user identity, a user level and a user group to which the user belongs;
determining, based on the user category of the first user, the target login permission information corresponding to a second user belonging to that category, and authenticating the first user's permission to log in to the target server (the "first permission") against it;
and, if the first permission passes authentication, returning a second login password corresponding to the target server, so that the target server decides from the first and second login passwords whether the first user is allowed to log in to the target server.
In yet another aspect, an embodiment of the present application provides a storage medium storing computer-executable instructions which, when executed, implement the following process:
receiving a login request of a first user for a target server; the login request comprises user identification information of the first user, server identification information of the target server, and a first login password for logging in to the target server;
forwarding the login request to an authentication center, which determines the user category of the first user from the user identification information and, based on that category, authenticates the first user's permission to log in to the target server (the "first permission");
receiving, from the authentication center, a second login password corresponding to the target server, sent only after the first permission has passed authentication, and checking whether the first login password matches the second login password;
and deciding, from the result of that check, whether to allow the first user to log in to the target server.
With the technical scheme of one or more embodiments of the present specification, the authentication center determines the user category of the first user from the login request that the target server forwards, authenticates the first user's permission to log in to the target server on the basis of that category, and, when that permission passes authentication, returns the second login password corresponding to the target server, so that the target server decides from the first and second login passwords whether to allow the login. A server therefore no longer needs to store user-related data itself: it obtains the second login password for the requested login from the authentication center. Compared with the traditional approach in which each server creates and stores user-related data, this relieves the storage pressure on the servers; in particular, a user who needs to log in to several servers no longer has the same user-related data created on each of them, which removes the redundancy and saves server storage. Moreover, because login permission is authenticated per user category rather than per user, permission can be managed and controlled for a whole category at once, which is more convenient and more effective than managing permission information separately for every user.
Furthermore, when a user's permission to log in to servers must change, it suffices either to change the user category recorded for that user in the user-related data or to change the permission information associated with that category; the personal information and permission information of each individual user need not be edited, so controlling server login permission becomes more flexible and faster.
Drawings
To illustrate the technical solutions of the embodiments and of the prior art more clearly, the drawings used in their description are briefly introduced below. The drawings described here show only some of the embodiments of the present specification; a person skilled in the art can derive other drawings from them without inventive effort.
FIG. 1 is a schematic architecture diagram of a server login system in accordance with one embodiment of the present description;
FIG. 2 is a schematic flow chart diagram of a server login method in accordance with one embodiment of the present description;
FIG. 3 is a schematic flow chart diagram of a server login method in accordance with another embodiment of the present description;
FIG. 4 is a schematic flow chart diagram of a server login method in accordance with another embodiment of the present description;
FIG. 5 is a schematic structural diagram of a server login device according to an embodiment of the present specification;
FIG. 6 is a schematic structural diagram of a server login device according to another embodiment of the present specification;
FIG. 7 is a schematic hardware configuration diagram of a server login device according to an embodiment of the present specification;
FIG. 8 is a schematic hardware configuration diagram of a server login device according to another embodiment of the present disclosure.
Detailed Description
One or more embodiments of the present disclosure provide a server login method, system and apparatus that address two problems of the prior art: storing and managing each user's login permission information on the server puts heavy data storage pressure on the server, and makes that permission information hard to manage and control.
So that those skilled in the art can better understand the technical solutions of the present disclosure, the solutions in one or more embodiments are described clearly and completely below with reference to the drawings. The embodiments described are only some of the embodiments of the present disclosure, not all of them. All other embodiments that a person skilled in the art can derive from them without creative effort fall within the protection scope of the present disclosure.
Fig. 1 is a schematic architecture diagram of a server login system according to an embodiment of the present description. As shown in fig. 1, the server login system includes a server set and an authentication center 120; the server set includes a plurality of servers 110, and each server 110 is connected to the authentication center 120 via a network. The target server 110 that the user wants to log in to may be any server 110 in the server set.
In this embodiment, the target server 110 receives a login request of a first user for the target server 110 and forwards the login request to the authentication center 120.
The authentication center 120 receives the login request sent by the target server 110; determines the user category of the first user from the first user's user identification information; determines, based on that category, the target login permission information corresponding to a second user belonging to the category; authenticates the first user's permission to log in to the target server 110 (the "first permission") against that information; and, if the first permission passes authentication, returns a second login password corresponding to the target server 110.
The target server 110 then receives the second login password sent by the authentication center 120, checks whether the first login password and the second login password match, and decides from the result whether to allow the first user to log in to the target server 110.
The operations that the authentication center 120 and the target server 110 perform while a user requests a login are described in detail below.
Fig. 2 is a schematic flowchart of a server login method according to an embodiment of the present specification, applied to the authentication center of Fig. 1. The method of Fig. 2 may include the following steps.
S202: receiving a login request of a first user for a target server, sent by the target server.
The login request comprises user identification information of the first user, server identification information of the target server, and a first login password for logging in to the target server.
In this embodiment, the user identification information may be any information that identifies the user, for example the uid, gid or user name of the first user. The server identification information may be the server name of the target server, e.g. server X or server Y. The first login password may be a password issued by the authentication center that corresponds uniquely to the target server; the first login passwords corresponding to different servers differ from one another.
S204, determining the user category of the first user according to the user identification information of the first user.
The user category includes user identity, user level, belonging user group, etc.
In this embodiment, the user identity may include a social identity of the user, such as a student, an employee, a teacher, and so forth. The user level may include a user's privilege level, e.g., primary, advanced, etc. The affiliated user groups may include affiliated work groups, affiliated learning groups, affiliated home groups, and the like.
S206: determining, based on the user category of the first user, the target login permission information corresponding to a second user belonging to that category, and authenticating the first user's permission to log in to the target server (the "first permission") against that information.
The "second user" stands for all users belonging to a given user category; that is, it denotes a category of users rather than an individual.
The target login permission information comprises the server identification information of at least one first server that the second user is permitted to log in to, the permission time (validity period) for each such first server, and the first login password and second login password corresponding to each such first server.
For example, the server identification information of the first servers that the second user may log in to may list server X, server Y and server Z, and the permission time for each may be an expiry date: for server X, May 2020; for server Y, December 2020; for server Z, November 2020. A login request for a server whose permission time has passed fails the first permission check even though the server is on the list.
In this embodiment, different user categories may have the same or different login permission information. For example, different user identities may have different login permission information, different user levels may have different login permission information, and different user groups may have the same or different login permission information.
The second login password is a password issued by the authentication center that corresponds to the target server. The first login password and the second login password may be the same password, or they may be the two halves of a matching key pair: if the target server uses an asymmetric algorithm for secure login, the first login password may be a private key and the second login password the matching public key, in which case the target server's match check is that the two keys form a pair rather than that they are identical.
S208: if the first permission passes authentication, returning the second login password corresponding to the target server, so that the target server decides from the first login password and the second login password whether the first user is allowed to log in to the target server.
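The flow of steps S202 to S208, as an added worked example that is not part of the patent: a simulated authentication center and target server written for this page. The class names, the record layout, and the sample users, servers, expiry dates and passwords are all constructed for illustration; the patent fixes none of them. The example implements the shared-password case (first and second login password are the same value) and compares them in constant time on the target server; the key-pair variant the text mentions is not shown. One deliberate deviation: the target server forwards only the user and server identification to the center and keeps the first login password to itself, since the text uses that password at the center only to identify the requested server, which the example passes explicitly.

```python
import hmac
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class ServerGrant:
    """Login permission of one user category for one server (hypothetical layout)."""
    expires: date          # the "permission time" (expiry) for this server
    second_password: str   # password the center returns once the permission check passes


class AuthCenter:
    """Hypothetical authentication center implementing steps S202-S208."""

    def __init__(self, today: date):
        self.today = today
        # user identification -> user category (identity, level, group); constructed data
        self.user_category = {
            "alice": ("employee", "advanced", "ops"),
            "carol": ("student", "primary", "learning"),
        }
        # user category -> servers that category may log in to. The text's "second
        # user" is the whole category, so one record covers every member of it.
        self.category_grants = {
            ("employee", "advanced", "ops"): {
                "server X": ServerGrant(date(2020, 5, 31), "pw-X-7f3a"),
                "server Y": ServerGrant(date(2020, 12, 31), "pw-Y-c0de"),
            },
            ("student", "primary", "learning"): {
                "server Z": ServerGrant(date(2020, 11, 30), "pw-Z-9b12"),
            },
        }

    def handle_login_request(self, user_id: str, server_id: str):
        """S202: receive the forwarded request. Returns the second login password or None."""
        # S204: user identification -> user category
        category = self.user_category.get(user_id)
        if category is None:
            return None
        # S206: permission information of the category; the target server must be
        # in the category's server list and the permission must not have expired
        grant = self.category_grants.get(category, {}).get(server_id)
        if grant is None or grant.expires < self.today:
            return None
        # S208: first permission passed -> return the second login password
        return grant.second_password


class TargetServer:
    """Hypothetical target server; it stores no user-related data of its own."""

    def __init__(self, server_id: str, auth_center: AuthCenter):
        self.server_id = server_id
        self.auth_center = auth_center

    def login(self, user_id: str, first_password: str) -> bool:
        # Forward the request (user id, own server id) to the center.
        second = self.auth_center.handle_login_request(user_id, self.server_id)
        if second is None:
            return False  # permission check failed: no second password, no login
        # Constant-time comparison so a wrong password cannot be told from a right
        # one by response timing.
        return hmac.compare_digest(first_password.encode(), second.encode())


def demo_login(user_id: str, server_id: str, first_password: str,
               today: str = "2020-04-01") -> bool:
    """One login attempt against a freshly built center; `today` is an ISO date."""
    center = AuthCenter(date.fromisoformat(today))
    return TargetServer(server_id, center).login(user_id, first_password)


if __name__ == "__main__":
    print(demo_login("alice", "server X", "pw-X-7f3a"))                # True
    print(demo_login("alice", "server X", "pw-X-7f3a", "2020-06-01"))  # False: expired
    print(demo_login("alice", "server Z", "pw-Z-9b12"))                # False: not in category's list
```

Note that, as the text describes it, the first login password travels from the user through the target server to the authentication center; in a deployment that channel needs the same protection as the password itself, and with the key-pair variant the user would prove possession of the private key (for example by signing a challenge) rather than send it.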
Before receiving a login request of a first user for a target server, which is sent by the target server, the authentication center can create and store a corresponding relation between user-related data and user identification information in advance, and update the user-related data according to actual conditions. The specific implementation is as follows.
In one embodiment, before receiving the login request of the first user for the target server forwarded by the target server, the authentication center may obtain the user-related data corresponding to the first user, create and store a first corresponding relationship between the user-related data and the user identification information, and then send the user identification information together with the first login password corresponding to each first server to the first user, so that the first user can initiate a login request to the corresponding server based on the user identification information and that server's first login password.
The user-related data may include the user category of the first user and the target login authority information corresponding to the second user belonging to that user category. In one embodiment, the user-related data may further include home directory path information corresponding to the first user, so that the target server can create the first user's home directory according to it.
Since first login passwords correspond one-to-one to servers, the first user must initiate the login request to a server with the user identification information and the first login password corresponding to that server. Accordingly, after the authentication center receives the login request of the first user for the target server forwarded by the target server, it can determine which server the first user is requesting to log in to from the first login password carried in the login request.
In this embodiment, the authentication center may create and store the first corresponding relationship between the user-related data and the user identification information either actively, at a preset frequency, or when triggered by a creation request initiated by a user.
In one embodiment, the authentication center may expose a plurality of data interfaces, and the first corresponding relationship between each part of the user-related data and the user identification information may be created and stored in a different data interface, so that the target server can call the individual data interfaces of the authentication center with the user identification information to obtain the user-related data defined in each. The user-related data created in each data interface is detailed below.
In one embodiment, the authentication center provides at least four data interfaces: a query user interface, a query user group interface, a query user password interface and a query user login public key interface. These four RESTful data interfaces, accessed over HTTPS, each create and store a first correspondence between their respective part of the user-related data and the user identification information.
The query user interface may define a first correspondence between the user identification information (e.g. name: user name) and the data in the user-related data that identifies the user. For example, the data identifying the user includes: name: user name / password: password / uid: monotonically increasing user ID / gid: monotonically increasing group ID / gecos: user description / dir: user home directory path / shell: default shell path.
The query user group interface may define a first correspondence between the user identification information (e.g. name: user name) and the data in the user-related data that identifies the group the user belongs to. For example, the data identifying the user's group includes: name: group name / passwd: group password / gid: monotonically increasing group ID / members: users in the group.
The query user password interface may define a first correspondence between the user identification information (e.g. name: user name) and the password-related data in the user-related data. For example, the password-related data includes: name: user name / password: encrypted password / last_change: time of the last password change / change_min_days: minimum interval between password changes / change_max_days: password validity period / change_warn_days: number of days before expiry on which to warn about the password change / change_inactive_days: grace period in days after password expiry / expire_date: account expiration time / reserved: reserved field.
The query user login public key interface may define a first correspondence between the user identification information (e.g. name: user name) and the user's login public key (e.g. public_key: login public key) in the user-related data.
In this embodiment, the user-related data is obtained from the authentication center by calling its different data interfaces, each of which returns the user-related data it defines.
In the above embodiment, the authentication center creates and stores the first corresponding relationship between each part of the user-related data and the user identification information in a separate data interface, so that the target server can obtain the user-related data defined in a given interface simply by calling that interface with the user identification information, which improves the accuracy of the data interaction between the target server and the authentication center.
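As an added example (not code from the patent), the following Python maps responses from the four interfaces above into the passwd, group, shadow and authorized_keys records a target server would consume; the field names are the ones listed above, while the interface names, the JSON shape and all sample values are constructed assumptions.

```python
"""Added example, not from the patent: turn the user-related data returned by the four
query interfaces of the authentication center into the passwd, group, shadow and
authorized_keys records that the NSS module and AuthorizedKeysCommand script on the
target server hand to the system. Field names follow the description; the interface
names, the JSON shape and all sample values are constructed."""
from typing import Optional

# Constructed interface responses, keyed by interface and then by the user
# identification information ("name"). A real authentication center would return
# these as the HTTPS response bodies of its four interfaces.
SAMPLE_RESPONSES = {
    "query_user": {
        "alice": {"name": "alice", "password": "x", "uid": 10001, "gid": 10001,
                  "gecos": "Alice Example", "dir": "/home/alice", "shell": "/bin/bash"},
    },
    "query_user_group": {
        "alice": {"name": "staff", "passwd": "x", "gid": 10001, "members": ["alice", "bob"]},
    },
    "query_user_password": {
        "alice": {"name": "alice", "password": "$6$constructed$hash", "last_change": 18400,
                  "change_min_days": 0, "change_max_days": 90, "change_warn_days": 7,
                  "change_inactive_days": 14, "expire_date": "", "reserved": ""},
    },
    "query_user_login_public_key": {
        "alice": {"public_key": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyData alice"},
    },
}

# Field order of the three colon-separated records, as listed for each interface.
PASSWD_FIELDS = ("name", "password", "uid", "gid", "gecos", "dir", "shell")
GROUP_FIELDS = ("name", "passwd", "gid", "members")
SHADOW_FIELDS = ("name", "password", "last_change", "change_min_days", "change_max_days",
                 "change_warn_days", "change_inactive_days", "expire_date", "reserved")
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")   # conservative allowlist of key types


def lookup(interface: str, name: str) -> Optional[dict]:
    """Call one data interface with the user identification information; None means
    the interface holds no record for the user (the query was not successful)."""
    return SAMPLE_RESPONSES.get(interface, {}).get(name)


def _field(value) -> str:
    """Render one value for a colon-separated record. A ':' or newline inside a value
    would add fields or whole records, so the module refuses it instead of emitting a
    malformed entry into the system's view of passwd/group/shadow."""
    if isinstance(value, list):                 # e.g. group members
        parts = [_field(v) for v in value]
        if any("," in p for p in parts):
            raise ValueError("',' inside a list member")
        return ",".join(parts)
    text = "" if value is None else str(value)
    if ":" in text or "\n" in text:
        raise ValueError(f"illegal separator in field value {text!r}")
    return text


def _record(fields: tuple, data: dict) -> str:
    """Join the named fields of one interface response into a record line."""
    missing = [f for f in fields if f not in data]
    if missing:
        raise KeyError(f"interface response lacks fields {missing}")
    return ":".join(_field(data[f]) for f in fields)


def passwd_entry(name: str) -> Optional[str]:
    data = lookup("query_user", name)
    return None if data is None else _record(PASSWD_FIELDS, data)


def group_entry(name: str) -> Optional[str]:
    data = lookup("query_user_group", name)
    return None if data is None else _record(GROUP_FIELDS, data)


def shadow_entry(name: str) -> Optional[str]:
    data = lookup("query_user_password", name)
    return None if data is None else _record(SHADOW_FIELDS, data)


def authorized_keys_entry(name: str) -> Optional[str]:
    """One authorized_keys line for AuthorizedKeysCommand. Every line sshd reads from the
    command is a key, so a stray newline in the response must not become a second key."""
    data = lookup("query_user_login_public_key", name)
    if data is None:
        return None
    key = str(data.get("public_key", "")).strip()
    parts = key.split()
    if "\n" in key or len(parts) < 2 or not parts[0].startswith(KEY_TYPE_PREFIXES):
        raise ValueError("response is not a single public key line")
    return key
```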
In one embodiment, after the first corresponding relationship between the user-related data and the user identification information has been created and stored, an update request for an update operation on the target login authority information associated with the user identification information may be received, and the corresponding update operation performed on the target login authority information according to that request.
The update operation includes adding the server identification information of a second server, deleting the server identification information of a first server, modifying the authority time, modifying the first login password and the second login password, and so on.
In this embodiment, receiving an update request for the target login authority information and executing the corresponding update operation realizes management and control of the user-related data and effectively ensures the accuracy of the user-related data stored in the authentication center.
In one embodiment, after the first corresponding relationship between the user-related data and the user identification information has been created and stored, if a change in the user category in the user-related data is detected, the changed user category may be determined, the login authority information corresponding to a third user belonging to the changed user category may be determined, and the target login authority information in the user-related data may be updated to the login authority information corresponding to the third user.
Here the third user includes all users belonging to the changed user category.
In this embodiment, changes to the user category in the user-related data can be monitored in real time, and the target login authority information is updated accordingly whenever the user category changes. This ensures accurate control over the login authority information of users of different categories and prevents a user from logging in to a server with login authority information that no longer matches the user's category.
After receiving the login request of the first user for the target server forwarded by the target server, the authentication center can authenticate the first user's login to the target server according to the information carried in the login request. The specific implementation is as follows.
In one embodiment, the pre-created user-related data corresponding to the user identification information of the first user may be obtained using that user identification information, and the user category of the first user determined from the user-related data.
After the user category of the first user has been determined, a second authority, that of the target server to obtain the user-related data, can be authenticated based on the login request of the first user for the target server and the target login authority information corresponding to the user category of the first user; if the second authority authentication passes, the user-related data is sent to the target server.
The second authority authentication is determined to pass if the server identification information of at least one first server in the target login authority information corresponding to the user category of the first user includes the server identification information of the target server, and the receiving time of the login request is within the authority time.
If the authority time corresponding to the target server in the login authority information is found to have expired, the second authority authentication is determined not to pass. For example, if the server identification information of the target server is server X, the authority expiration time corresponding to server X is May 2020, and the current authentication time is June 2020, the second authority authentication fails. Setting an authority time in the login authority information thus makes it possible both to automatically revoke a user's authority to log in to a server and to grant a user temporary authority to log in to a server.
In this embodiment, after the authentication center sends the user-related data to the target server, the target server may determine whether the first user is a legal user based on that data; if so, it may feed the determination result back to the authentication center, so that the authentication center proceeds to authenticate the first authority of the first user to log in to the target server.
The target server may feed the determination result back to the authentication center either by returning only the determination result, or by sending the login request of the first user for the target server to the authentication center through an interface that the authentication center has designated in advance for receiving legal user data. That designated interface may be the query user login public key interface listed in the above embodiments.
When a designated data interface of the authentication center receives the login request of the first user for the target server forwarded by the target server, the authentication center can be triggered to authenticate the second authority of the target server to obtain the user-related data.
In one embodiment, the designated data interfaces of the authentication center may include the query user interface, the query user group interface and the query user password interface listed in the above embodiments. If the first user and the target server use SSH (Secure Shell) for data transmission, then when the target server receives the login request of the first user, its sshd process calls the NSS (Name Service Switch) service to look up user-related data such as the uid, gid and home directory path of the first user in the local files of the target server. When that lookup fails, a dynamic link library created for this purpose (/user/lib64/libnss_https.so) sends the login request of the first user for the target server over HTTPS to the query user interface, the query user group interface and the query user password interface of the authentication center respectively, which triggers the authentication center to authenticate the second authority of the target server to obtain the user-related data; when that authentication passes, the user-related data defined in each interface is returned.
When another designated data interface of the authentication center receives the login request of the first user for the target server forwarded by the target server, the authentication center can be triggered to authenticate the first authority of the first user to log in to the target server, and if the first authority authentication passes, the second login password corresponding to the target server is returned to the target server.
In one embodiment, the other designated data interface of the authentication center may be the query user login public key interface listed in the above embodiments, with the first user and the target server again using the SSH protocol for data transmission. When the target server receives the login request of the first user, its sshd process is triggered to call a shell script via AuthorizedKeysCommand; the shell script writes the login request of the first user and sends it over HTTPS to the query user login public key interface of the authentication center, which triggers the authentication center to authenticate the first authority of the first user to log in to the target server and, when the authentication passes, to return the second login password defined in the query user login public key interface.
The following configuration may be added in advance to the configuration file /etc/ssh/sshd_config of the target server: AuthorizedKeysCommand /bin/sh /user/libexec/openssh/get_keys.sh %u. With this, when the target server receives the login request of the first user, the sshd process calls the shell script through AuthorizedKeysCommand, and the shell script accesses the query user login public key interface of the authentication center.
In the above embodiment, the authentication center authenticates the second authority of the target server to obtain the user-related data according to the login request of the first user for the target server and the target login authority information corresponding to the user category of the first user, and sends the user-related data to the target server when that authentication passes, so that the target server can determine whether the first user is a legal user from the data; if the target server determines that the first user is a legal user, the authentication center proceeds to authenticate the first authority of the first user to log in to the target server. The embodiment therefore authenticates the user's authority to log in to the server according to the user category, so that login authority can be authenticated and controlled per user category; compared with the traditional approach of managing authority information separately for each user, this improves the convenience of controlling server login authority and gives better control.
Further, in this embodiment, when a user's authority to log in to a server needs to be changed, it is only necessary to change the user category to which the user belongs in the user-related data, or to change the authority information corresponding to that user category; the personal information and authority information do not have to be changed user by user, which makes management and control of server login authority more flexible and faster.
In one embodiment, when the target login authority information corresponding to a second user belonging to the user category is determined from the user category of the first user, the target login authority information matching the user category of the first user may be obtained from the user-related data; alternatively, it may be determined from a second corresponding relationship between each user category and its login authority information that is pre-created in the authentication center.
Optionally, the authentication center may, based on the user category of the first user, obtain the user-related data corresponding to that user category, and from it the target login authority information recorded there that matches the user category of the first user.
Optionally, the authentication center may determine the target login authority information matching the user category of the first user from that user category and the second corresponding relationship, pre-created in the authentication center, between each user category and its login authority information.
In this embodiment the login authority information of a user can be determined in several ways, which improves the flexibility of determining it.
In one embodiment, whether the server identification information of the at least one first server includes the server identification information of the target server, and whether the receiving time of the login request is within the authority time, may be determined from the login request of the first user for the target server and the target login authority information corresponding to the user category of the first user; if both conditions hold, the first authority authentication is determined to pass.
In this embodiment, when the first authority of the first user to log in to the target server is authenticated, the authentication result is derived from several factors, which effectively improves its accuracy.
Fig. 3 is a schematic flowchart of a server login method according to another embodiment of the present specification, applied to the target server shown in fig. 1. The method of fig. 3 may include:
S302, a login request of a first user for a target server is received.
The login request comprises the user identification information of the first user, the server identification information of the target server and a first login password for logging in to the target server.
The specific content of the login request in this step is described in detail under S202 and is not repeated here.
S304, the login request is forwarded to the authentication center.
The authentication center determines the user category of the first user according to the user identification information of the first user and authenticates, based on that user category, the first authority of the first user to log in to the target server.
S306, a second login password corresponding to the target server, sent by the authentication center, is received, and it is judged whether the first login password matches the second login password.
The second login password is sent to the target server only after the authentication center has passed the first authority authentication.
S308, whether to allow the first user to log in to the target server is determined according to the judgment result.
If the first login password matches the second login password, the first user is allowed to log in to the target server; if the first login password does not match the second login password, the first user is not allowed to log in to the target server.
If the first login password and the second login password corresponding to the target server are meant to be identical, the two are determined to match when they are the same and not to match when they differ.
If the first login password and the second login password corresponding to the target server are a matched key pair, the matching relationship of the key pair can be preset; the two are determined to match when they satisfy that relationship and not to match when they do not.
In one embodiment, the target server may support the SSH protocol. When the target server determines that the first user is allowed to log in, the sshd process may be triggered to call the session interface of the target server's PAM module, which creates the home directory of the first user based on the home directory path information corresponding to the first user in the user-related data, so that the first user's data can be stored.
By adopting the technical scheme of one or more embodiments of the specification, the target server receives the login request of the first user for the target server, forwards it to the authentication center, receives the second login password corresponding to the target server sent by the authentication center, judges whether the first login password matches the second login password, and determines whether the first user is allowed to log in to the target server according to the judgment result. The target server can therefore be logged in to by obtaining the second login password corresponding to it from the authentication center, through interaction between the two, without storing user-related data on each server. Compared with the traditional approach in which each server creates and stores the user-related data itself, this effectively relieves the data storage pressure on the server; in particular, when a user needs to log in to several servers, the same user's data does not have to be created repeatedly on each of them, which avoids information redundancy and saves server storage resources.
In one embodiment, before the second login password corresponding to the target server is received from the authentication center, the user-related data sent by the authentication center may be received, whether the first user is a legal user determined from the login request of the first user for the target server and the user-related data, and only if the first user is a legal user is the step of receiving the second login password corresponding to the target server from the authentication center performed.
In one embodiment, the target server may support the SSH protocol; when the target server receives the user-related data sent by the authentication center, the sshd process may be triggered to call the auth interface of the target server's PAM module to verify the legality of the first user's account, for example whether the user identification information and the first login password of the first user are correct, and to call the account interface of the PAM module to verify which servers the first user has authority to log in to and the authority time corresponding to each of them.
In this embodiment, the user-related data sent by the authentication center is received, whether the first user is a legal user is determined from the login request of the first user for the target server and the user-related data, and the step of receiving the second login password corresponding to the target server from the authentication center is performed only once the first user has been determined to be a legal user.
In one embodiment, when determining whether the first user is a legal user from the login request of the first user for the target server and the user-related data, it may be determined whether the server identification information of the at least one first server includes the server identification information of the target server and whether the receiving time of the login request is within the authority time; if both hold, the first user is determined to be a legal user.
In this embodiment the legality of the user is determined from several factors (whether the server identification information of the at least one first server includes that of the target server, and whether the receiving time of the login request is within the authority time), and the first user is determined to be a legal user only when both conditions hold, which effectively improves the accuracy of the determination.
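The first and second authority checks of the authentication center, the target server's legal-user check (which applies the same two factors) and the matching of the first and second login passwords described under S306 and S308, as added Python example code rather than the patent's own implementation; users, servers, dates and the key-pair relation are constructed assumptions.

```python
"""Added example, not from the patent: the authority checks applied to a login request by
the authentication center (second and first authority) and by the target server (legal
user), and the target server's matching of the first and second login passwords. Users,
servers, dates and keys are constructed; the key-pair relation used here (second password
= SHA-256 of the first) is a stand-in for a real asymmetric pair such as SSH keys."""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class LoginAuthority:
    server_id: str              # server identification information of a first server
    expires: date               # authority time: logins accepted up to this date inclusive
    first_login_password: str   # presented by the user (private-key stand-in)
    second_login_password: str  # returned by the authentication center (public-key stand-in)


def make_pair(secret: str) -> tuple:
    """Constructed matching relation of a key pair: second = SHA-256(first)."""
    return secret, hashlib.sha256(secret.encode()).hexdigest()


PAIR_X = make_pair("constructed-private-key-for-server-X")
PAIR_Y = make_pair("constructed-private-key-for-server-Y")

# Second corresponding relationship: user category -> login authority information,
# following the worked scenario (server X expires May 2020, server Y December 2020).
CATEGORY_AUTHORITY = {
    "ordinary_employee": [
        LoginAuthority("server X", date(2020, 5, 31), *PAIR_X),
        LoginAuthority("server Y", date(2020, 12, 31), *PAIR_Y),
    ],
}
# First corresponding relationship: user identification information -> user-related data.
USER_DATA = {"a": {"category": "ordinary_employee", "dir": "/home/a"}}


@dataclass(frozen=True)
class LoginRequest:
    user_id: str                # user identification information of the first user
    server_id: str              # server identification information of the target server
    first_login_password: str   # first login password for the target server
    received_at: date           # receiving time of the login request


def find_authority(category: str, server_id: str, at: date) -> Optional[LoginAuthority]:
    """Rule shared by both authority checks and the legal-user check: the target server
    must be among the category's first servers and the request must fall within its
    authority time."""
    for auth in CATEGORY_AUTHORITY.get(category, []):
        if auth.server_id == server_id and at <= auth.expires:
            return auth
    return None


def authenticate_second_authority(req: LoginRequest) -> Optional[dict]:
    """Authentication center (S406): user-related data for the target server, or None
    (the null data of S414)."""
    data = USER_DATA.get(req.user_id)
    if data is None or find_authority(data["category"], req.server_id, req.received_at) is None:
        return None
    authority = {a.server_id: a.expires for a in CATEGORY_AUTHORITY[data["category"]]}
    return {**data, "authority": authority}


def target_server_is_legal_user(req: LoginRequest, user_data: dict) -> bool:
    """Target server (S408): the same two factors, evaluated on the data it received."""
    expires = user_data["authority"].get(req.server_id)
    return expires is not None and req.received_at <= expires


def authenticate_first_authority(req: LoginRequest) -> Optional[str]:
    """Authentication center (S410): the target server's second login password, or None."""
    data = USER_DATA.get(req.user_id)
    auth = data and find_authority(data["category"], req.server_id, req.received_at)
    return auth.second_login_password if auth else None


def passwords_match(first: str, second: str, key_pair: bool = True) -> bool:
    """Target server (S412): identical-password scheme or preset key-pair relation,
    compared in constant time either way."""
    expected = make_pair(first)[1] if key_pair else first
    return hmac.compare_digest(expected.encode(), second.encode())


def login(req: LoginRequest) -> bool:
    """Whole flow of fig. 4 for one request; any failed step ends in S416 (deny)."""
    user_data = authenticate_second_authority(req)
    if user_data is None or not target_server_is_legal_user(req, user_data):
        return False
    second = authenticate_first_authority(req)
    return second is not None and passwords_match(req.first_login_password, second)
```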
Fig. 4 is a schematic flowchart of a server login method according to another embodiment of the present specification. In this embodiment the server login method is applied to the server login system shown in fig. 1, and the user is enabled to log in to the server securely through interaction between the authentication center and the target server. The method of fig. 4 may include:
S401, the authentication center obtains the user-related data corresponding to the first user, and creates and stores a first corresponding relationship between the user-related data and the user identification information.
In one embodiment, after the first corresponding relationship between the user-related data and the user identification information has been created and stored, an update request for an update operation on the target login authority information may be received, and the corresponding update operation performed on the target login authority information according to that request.
The update operation includes adding the server identification information of a second server, deleting the server identification information of a first server, modifying the authority time, modifying the first login password and the second login password, and so on.
In one embodiment, after the first corresponding relationship between the user-related data and the user identification information has been created and stored, if a change in the user category in the user-related data is detected, the changed user category may be determined, the login authority information corresponding to a third user belonging to the changed user category may be determined, and the target login authority information in the user-related data may be updated to the login authority information corresponding to the third user.
These embodiments are described in detail in the embodiment corresponding to fig. 2 and are not repeated here.
S402, the authentication center sends the user identification information and the first login password corresponding to each first server to the first user, so that the first user can initiate a login request to the corresponding server based on the user identification information and that first login password.
S403, the target server receives the login request of the first user for the target server and forwards it to the authentication center.
The login request comprises the user identification information of the first user, the server identification information of the target server and a first login password for logging in to the target server.
S404, the authentication center obtains, according to the user identification information of the first user in the received login request, the pre-created user-related data corresponding to that user identification information, and determines the user category of the first user from the user-related data.
The user category includes user identity, user level, user group and the like.
S405, the authentication center determines, based on the user category of the first user, the target login authority information corresponding to a second user belonging to that user category.
Optionally, the authentication center may, based on the user category of the first user, obtain the user-related data corresponding to that user category, and from it the target login authority information recorded there that matches the user category of the first user.
Optionally, the authentication center may determine the target login authority information matching the user category of the first user from that user category and the second corresponding relationship, pre-created in the authentication center, between each user category and its login authority information.
The target login authority information comprises the server identification information of at least one first server that the second user has authority to log in to, the authority time corresponding to each first server, the first login password and the second login password corresponding to each first server, and the like.
S406, the authentication center authenticates the second authority of the target server to obtain the user-related data according to the target login authority information corresponding to the user category of the first user; if the second authority authentication passes, S407 is executed; if not, S414 is executed.
S407, the authentication center sends the user related data to the target server.
S408, the target server determines whether the first user is a legal user from the received user-related data; if yes, S409 is executed; if not, S415 is executed.
The target server determines whether the first user is a legal user by judging whether the server identification information of the at least one first server contains the server identification information of the target server and whether the receiving time of the login request is within the authority time.
If the server identification information of at least one first server comprises the server identification information of the target server and the receiving time of the login request is within the authority time, the target server determines that the first user is a legal user; and if the server identification information of the at least one first server does not contain the server identification information of the target server and the receiving time of the login request is not within the authority time, the target server determines that the first user is an illegal user.
S409, the target server determines that the first user is a legal user.
S410, the authentication center authenticates the first authority of the first user to log in to the target server according to the target login authority information corresponding to the user category of the first user; if the first authority authentication passes, S411 is executed; if not, S414 is executed.
S411, the authentication center returns a second login password corresponding to the target server.
S412, the target server receives a second login password sent by the authentication center and judges whether the first login password is matched with the second login password; if so, go to S413; if not, go to S416.
In this step, the method for determining whether the first login password and the second login password are matched is the same as the determination method described in S308, and details thereof are not repeated here.
S413, the target server allows the first user to log in to the target server.
S414, the authentication center sends null data to the target server, and then executes S416.
S415, the target server determines that the first user is an illegal user, and then executes S416.
S416, the target server does not allow the first user to log in to the target server.
The server login method provided by the embodiment of the application can be applied to various scenes, such as a teacher and a student in a school requesting to login to the server, a common staff member and an administrator in a company requesting to login to the server, and the like. The following describes a specific procedure of the server login method, taking a scenario in which the employee a in the company requests login to the server X using the user identification information a as an example.
In a certain company, assume that the server login system secures login to the target server with an asymmetric encryption algorithm: the first login password is a private key and the second login password is the public key matching that private key. The user categories in the company are preset as common employees and administrators, each category corresponding to its own login authority information. For example, the login authority information corresponding to a common employee includes the server identification information of the servers a common employee has authority to log in to, such as server X and server Y; the authority time corresponding to each server, such as an authority expiration time of May 2020 for server X and of December 2020 for server Y; and the first and second login passwords corresponding to each server, that is, a private key and public key for server X and a private key and public key for server Y.
For another example, the login authority information corresponding to an administrator includes the server identification information of the servers an administrator has authority to log in to, such as server X, server Y and server Z; the authority time corresponding to each server, such as an authority expiration time of May 2020 for server X, of December 2020 for server Y and of November 2020 for server Z; and the first and second login passwords corresponding to each server, that is, a private key and public key for each of server X, server Y and server Z.
In this embodiment, it is assumed that the user category corresponding to employee A is common employee. If, after the first corresponding relationship between the user related data and the user identification information a has been created and stored, the user category in the user related data is observed to change to administrator, the login authority information corresponding to administrators is determined and the login authority information in the user related data is updated to that login authority information.
Because the authentication center authenticates and controls a user's authority to log in to servers according to the user category, changing the authority of employee A to log in to servers requires changing only the user category in the user related data of employee A, or only the login authority information corresponding to the user category of employee A; no per-user authority record has to be edited on each server.
When employee A requests to log in to server X using user identification information a and a first login password, server X receives the login request of employee A for server X and forwards it to the authentication center. The authentication center receives the login request of employee A for server X and determines the user category of employee A according to the user identification information a carried in the login request. If the authentication center determines that the user category is common employee, it further determines the login authority information corresponding to common employees and determines, according to that login authority information, whether employee A has authority to log in to server X. If so, the authentication center sends the second login password corresponding to server X to server X. If server X determines that the first login password and the second login password match, employee A is allowed to log in. In addition, so that employees in the company log in to servers according to their authority, the user categories can be further divided according to the department to which an employee belongs, for example employee A belongs to department XX and employee B belongs to department YY. The authentication center is then pre-configured with login authority information corresponding to employees of the different departments, which restricts each employee's authority to log in to the servers in the company. When an employee wants to log in to a certain server, the authentication center determines whether the employee has authority to log in to that server according to the department to which the employee belongs. The specific authority determination method has been described in detail in the above embodiments and is not repeated here.
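The flow of S406 to S416 and the company scenario above, as an added runnable example in Go; this is not the patent's code. It assumes Ed25519 key pairs stand in for the asymmetric algorithm: the first login password is the private key, the second login password is the public key, and "match" (left to S308, which is outside this section) means the public half of the private key carried in the request equals the key the authentication center returned. An authority time such as "May 2020" is read as an exclusive expiry at the start of the following month, and the second-authority check of S406 is modelled as the same membership test as S410, since the description gives no separate criterion for it. The update on a category change described above is performed by calling Enrol again with the new category, which re-resolves the authority information from the category table. All names (AuthCenter, Scenario, Login, ErrDenied and the rest) are the example's own.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
	"time"
)

type (
	// ServerGrant is the per-server part of the login authority information.
	ServerGrant struct {
		Expires time.Time          // authority time, read here as an exclusive expiry instant
		Pub     ed25519.PublicKey  // second login password
		Priv    ed25519.PrivateKey // first login password
	}
	// UserData is the user-related data kept per user identification.
	UserData struct {
		Category string
		Auth     map[string]ServerGrant // server identification -> grant
	}
	// LoginRequest is what the target server forwards to the authentication centre.
	LoginRequest struct {
		UserID, ServerID string
		Priv             ed25519.PrivateKey // first login password carried in the request
		Received         time.Time          // receiving time of the login request
	}
	// AuthCenter keeps the category -> authority table and the user -> data table.
	AuthCenter struct {
		ByCategory map[string]map[string]ServerGrant
		ByUser     map[string]*UserData
	}
)

var ErrDenied = errors.New("login denied")

// DefineCategory registers the servers a category may log in to and their
// authority times, generating a fresh key pair (password pair) per server.
func (ac *AuthCenter) DefineCategory(category string, expiry map[string]time.Time) {
	auth := map[string]ServerGrant{}
	for id, exp := range expiry {
		pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
		if err != nil {
			panic(err)
		}
		auth[id] = ServerGrant{Expires: exp, Pub: pub, Priv: priv}
	}
	ac.ByCategory[category] = auth
}

// Enrol creates (or, on a category change, re-resolves) the user's data from the category table.
func (ac *AuthCenter) Enrol(userID, category string) *UserData {
	ac.ByUser[userID] = &UserData{Category: category, Auth: ac.ByCategory[category]}
	return ac.ByUser[userID]
}

// legal is the check of S408 and S410: the target server must be listed and
// the receiving time must fall within the authority time.
func legal(ud *UserData, serverID string, at time.Time) bool {
	g, ok := ud.Auth[serverID]
	return ok && at.Before(g.Expires)
}

// Authorize is the centre's side: S406 (may this server fetch the data?) and S410 (may
// this user log in there?) both reduce to legal() here; on failure nil is the null data of S414.
func (ac *AuthCenter) Authorize(req LoginRequest) (*UserData, ed25519.PublicKey, error) {
	ud := ac.ByUser[req.UserID]
	if ud == nil || !legal(ud, req.ServerID, req.Received) {
		return nil, nil, ErrDenied
	}
	return ud, ud.Auth[req.ServerID].Pub, nil // S407 and S411
}

// Login is the target server's side of S406 to S416 for one login request.
func Login(ac *AuthCenter, req LoginRequest) error {
	ud, pub, err := ac.Authorize(req)
	if err != nil || !legal(ud, req.ServerID, req.Received) { // S408, repeated on the target server
		return ErrDenied // S414/S415, then S416
	}
	if len(req.Priv) != ed25519.PrivateKeySize || !pub.Equal(req.Priv.Public()) {
		return ErrDenied // S412 failed: the public half of the first password is not the returned key; S416
	}
	return nil // S413
}

// Scenario builds the company of the description: staff reach X (until May 2020) and Y (until December 2020), admins also Z (until November 2020).
func Scenario() *AuthCenter {
	m := func(y int, mo time.Month) time.Time { return time.Date(y, mo, 1, 0, 0, 0, 0, time.UTC) }
	ac := &AuthCenter{ByCategory: map[string]map[string]ServerGrant{}, ByUser: map[string]*UserData{}}
	ac.DefineCategory("staff", map[string]time.Time{"X": m(2020, 6), "Y": m(2021, 1)})
	ac.DefineCategory("admin", map[string]time.Time{"X": m(2020, 6), "Y": m(2021, 1), "Z": m(2020, 12)})
	return ac
}

func main() {
	ac, april := Scenario(), time.Date(2020, 4, 1, 0, 0, 0, 0, time.UTC)
	a := ac.Enrol("a", "staff") // employee a as a common employee
	fmt.Println(Login(ac, LoginRequest{"a", "X", a.Auth["X"].Priv, april}), Login(ac, LoginRequest{"a", "Z", a.Auth["X"].Priv, april}))
}
```

Running main prints `<nil>` for the login to server X and `login denied` for server Z. Because the login request carries the private key itself, as the description specifies, the target server and anything on the path between them see that key; a deployment would normally have the client sign a server-chosen nonce and let the target server verify the signature with the public key returned by the center, which changes only the S412 comparison.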
It can be seen that, by adopting the technical scheme of the above embodiment, the target server can be logged in by acquiring the second login password corresponding to the target server from the authentication center through interaction between the target server and the authentication center without storing user-related data in each server, and compared with the traditional mode of creating and storing user-related data by a server, the data storage pressure of the server can be effectively relieved, and especially when a user needs to log in a plurality of servers, the user-related data of the same user does not need to be repeatedly created in each server, so that information redundancy is avoided, and the storage resource of the server is saved. Moreover, the authority of the user for logging in the server is authenticated according to the user type, so that the effect of authenticating and controlling the authority of the user for logging in the server according to each user type is achieved, compared with the traditional mode of managing authority information respectively for the user, the technical scheme improves the convenience of controlling the login authority of the server, and the control effect is better.
In summary, particular embodiments of the present subject matter have been described. Other embodiments are within the scope of the following claims. In some cases, the actions recited in the claims can be performed in a different order and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing may be advantageous.
Based on the same idea, the server login method provided in one or more embodiments of the present specification further provides a server login device.
Fig. 5 is a schematic structural diagram of a server login device according to an embodiment of the present specification, and as shown in fig. 5, the server login device includes:
a first receiving module 510, configured to receive a login request, sent by a target server, of a first user for the target server; the login request comprises user identification information of a first user, server identification information of a target server and a first login password for logging in the target server;
a first determining module 520, configured to determine a user category of the first user according to the user identification information of the first user; the user category comprises at least one of user identity, user level and a user group to which the user belongs;
a first executing module 530, configured to determine, based on a user category of a first user, target login permission information corresponding to a second user belonging to the user category, and authenticate a first permission of the first user to log in a target server according to the target login permission information;
and a returning module 540, configured to return a second login password corresponding to the target server if the first authority authentication passes, so that the target server determines whether to allow the first user to log in the target server according to the first login password and the second login password.
In one embodiment, the first determination module 520 includes:
an acquisition unit, configured to acquire pre-created user related data corresponding to the user identification information according to the user identification information of the first user; the user related data at least comprises the user category and the target login authority information; the target login permission information includes at least one of: server identification information of at least one first server which a second user has the right to log in, authority time corresponding to each first server, and a first login password and a second login password corresponding to each first server;
a first determining unit for determining a user category of the first user based on the user related data.
In one embodiment, the server login means further comprises:
the acquisition module is used for acquiring user related data corresponding to a first user;
a creating and storing module, configured to create and store a first corresponding relationship between the user related data and the user identification information;
the first sending module is used for sending the user identification information and the first login password respectively corresponding to each first server to the first user, so that the first user initiates a login request to the corresponding server based on the user identification information and the first login password.
In one embodiment, the first execution module 530 includes:
the execution unit is used for acquiring target login authority information matched with the user category of the first user in the user related data;
or,
and determining target login authority information matched with the user category of the first user according to a second corresponding relation between each user category and the login authority information which is pre-established in the authentication center.
In one embodiment, the server login means further comprises:
the second receiving module is used for receiving an updating request for executing updating operation on the target login authority information; the update operation includes at least one of: adding operation to the server identification information of the second server, deleting operation to the server identification information of the first server, modifying operation to the authority time, and modifying operation to the first login password and the second login password;
and the second execution module is used for executing corresponding updating operation on the target login authority information according to the updating request.
In one embodiment, the server login means further comprises:
the second determination module is used for determining the changed user type if the user type in the user related data is monitored to be changed;
the third determining module is used for determining login authority information corresponding to a third user belonging to the changed user category;
and the updating module is used for updating the target login authority information in the user related data into the login authority information corresponding to the third user.
In one embodiment, the first execution module 530 includes:
a first judgment unit configured to judge whether the following condition is satisfied: the server identification information of at least one first server comprises the server identification information of a target server, and the receiving time of the login request is positioned in the authority time;
and a second determining unit, configured to determine that the first authority passes the authentication if the condition is satisfied.
In one embodiment, the server login means further comprises:
the authentication module is used for authenticating a second authority of the target server for acquiring the user related data based on the user identification information and the corresponding user related data;
the second sending module is used for sending the user related data to the target server if the second authority authentication is passed so that the target server judges whether the first user is a legal user or not based on the user related data;
and the third execution module is used for executing the step of authenticating the first authority of the first user for logging in the target server if the first user is judged to be a legal user.
By adopting the device in one or more embodiments of the present specification, the authentication center determines the user type of the first user according to a login request of the first user to the target server, which is sent by the target server, authenticates a first authority of the first user to login the target server based on the user type of the first user, and returns a second login password corresponding to the target server when the first authority authentication passes, so that the target server determines whether to allow the first user to login the target server according to the first login password and the second login password. Therefore, the device can realize the login of the target server by acquiring the second login password corresponding to the target server from the authentication center through the interaction between the target server and the authentication center without storing user-related data in each server, and compared with the traditional mode of creating and storing the user-related data by the server, the device can effectively relieve the data storage pressure of the server, and particularly when a user needs to log in a plurality of servers, the device does not need to repeatedly create the user-related data of the same user in each server, thereby avoiding information redundancy and saving the storage resources of the server. Moreover, the authority of the user for logging in the server is authenticated according to the user type, so that the effect of authenticating and controlling the authority of the user for logging in the server according to each user type is achieved, compared with the traditional mode of individually managing authority information for the user, the device improves the convenience of controlling the login authority of the server, and the control effect is better.
It should be understood by those skilled in the art that the above-mentioned server login device can be used to implement the server login method executed by the above-mentioned authentication center, and the detailed description thereof should be similar to the above-mentioned method, and in order to avoid the complexity, it is not described herein again.
Fig. 6 is a schematic structural diagram of a server login device according to an embodiment of the present specification, and as shown in fig. 6, the server login device includes:
a third receiving module 610, configured to receive a login request of a first user for a target server; the login request comprises user identification information of a first user, server identification information of a target server and a first login password for logging in the target server;
a forwarding module 620, configured to forward the login request to the authentication center; the authentication center is used for determining the user category of the first user according to the user identification information of the first user and authenticating the first authority of the first user for logging in the target server based on the user category of the first user;
a fourth executing module 630, configured to receive a second login password sent by the authentication center and corresponding to the target server, and determine whether the first login password and the second login password are matched; the second login password is sent to the target server after the authentication center passes the authentication of the first authority;
and a fourth determining module 640, configured to determine whether to allow the first user to log in the target server according to the determination result.
In one embodiment, the server login means further comprises:
the fourth receiving module is used for receiving the user related data sent by the authentication center; the user related data comprises a user category of a first user and target login authority information corresponding to a second user belonging to the user category; the target login permission information includes at least one of: server identification information of at least one first server which a second user has the right to log in, authority time corresponding to each first server, and a first login password and a second login password corresponding to each first server;
the judging module is used for judging whether the first user is a legal user or not based on the login request and the user related data;
and the fifth execution module is used for executing the step of receiving a second login password which is sent by the authentication center and corresponds to the target server if the first user is a legal user.
In one embodiment, the determining module comprises:
a second judging unit configured to judge whether the following condition is satisfied: the server identification information of at least one first server comprises the server identification information of a target server, and the receiving time of the login request is positioned in the authority time;
and a third determining unit, configured to determine that the first user is a legal user if the condition is satisfied.
By adopting the device in one or more embodiments of the present specification, the target server receives a login request of a first user to the target server, forwards the login request to the authentication center, receives a second login password sent by the authentication center and corresponding to the target server, determines whether the first login password and the second login password are matched, and determines whether to allow the first user to login the target server according to the determination result. Therefore, the device can realize the login of the target server by acquiring the second login password corresponding to the target server from the authentication center through the interaction between the target server and the authentication center without storing user-related data in each server, and compared with the traditional mode of creating and storing the user-related data by the server, the device can effectively relieve the data storage pressure of the server, and particularly when a user needs to log in a plurality of servers, the device does not need to repeatedly create the user-related data of the same user in each server, thereby avoiding information redundancy and saving the storage resources of the server.
It should be understood by those skilled in the art that the above-mentioned server login device can be used to implement the server login method executed by the above-mentioned target server, and the detailed description thereof should be similar to the above-mentioned method, and in order to avoid complexity, it is not described herein again.
Along the same lines, one or more embodiments of the present specification further provide a server login device, as shown in fig. 7. The server login device may vary considerably with its configuration and performance, and may include one or more processors 701 and a memory 702, where the memory 702 may store one or more applications or data. Memory 702 may be transient storage or persistent storage. The application program stored in memory 702 may include one or more modules (not shown), each of which may include a series of computer-executable instructions for the server login device. Still further, the processor 701 may be configured to communicate with the memory 702 to execute a series of computer-executable instructions in the memory 702 on the server login device. The server login device may also include one or more power supplies 703, one or more wired or wireless network interfaces 704, one or more input-output interfaces 705, and one or more keyboards 706.
In particular, in this embodiment, the server login device includes a memory, and one or more programs, where the one or more programs are stored in the memory, and the one or more programs may include one or more modules, and each module may include a series of computer-executable instructions for the server login device, and the one or more programs configured to be executed by the one or more processors include computer-executable instructions for:
receiving a login request of a first user for a target server, which is sent by the target server; the login request comprises user identification information of a first user, server identification information of a target server and a first login password for logging in the target server;
determining the user category of the first user according to the user identification information of the first user; the user category comprises at least one of user identity, user level and a user group to which the user belongs;
determining target login authority information corresponding to a second user belonging to the user category based on the user category of the first user, and authenticating a first authority of the first user for logging in a target server according to the target login authority information;
and if the first authority passes the authentication, returning a second login password corresponding to the target server so that the target server judges whether the first user is allowed to login the target server or not according to the first login password and the second login password.
Optionally, the computer executable instructions, when executed, may further cause the processor to:
acquiring pre-created user related data corresponding to the user identification information according to the user identification information of the first user; the user related data at least comprises user category and target login authority information; the target login permission information includes at least one of: server identification information of at least one first server which a second user has the right to log in, authority time corresponding to each first server, and a first login password and a second login password corresponding to each first server;
based on the user-related data, a user category of the first user is determined.
Optionally, the computer executable instructions, when executed, may further cause the processor to:
acquiring user related data corresponding to a first user;
creating and storing a first corresponding relationship between user-related data and user identification information;
and sending the user identification information and the first login password respectively corresponding to each first server to the first user, so that the first user initiates a login request to the corresponding server based on the user identification information and the first login password.
Optionally, the computer executable instructions, when executed, may further cause the processor to:
acquiring target login authority information matched with the user category of the first user in the user related data;
or,
and determining target login authority information matched with the user category of the first user according to a second corresponding relation between each user category and the login authority information which is pre-established in the authentication center.
Optionally, the computer executable instructions, when executed, may further cause the processor to:
receiving an update request for executing update operation on target login authority information; the update operation includes at least one of: adding operation to the server identification information of the second server, deleting operation to the server identification information of the first server, modifying operation to the authority time, and modifying operation to the first login password and the second login password;
and executing corresponding updating operation on the target login authority information according to the updating request.
Optionally, the computer executable instructions, when executed, may further cause the processor to:
if the user category in the user related data is monitored to be changed, determining the changed user category;
determining login authority information corresponding to a third user belonging to the changed user category;
and updating the target login authority information in the user related data into login authority information corresponding to a third user.
Optionally, the computer executable instructions, when executed, may further cause the processor to:
judging whether the following conditions are met: the server identification information of at least one first server comprises the server identification information of a target server, and the receiving time of the login request is positioned in the authority time;
if so, determining that the first authority authentication passes.
Optionally, the computer executable instructions, when executed, may further cause the processor to:
based on the user identification information and the corresponding user related data, authenticating a second authority of the target server for acquiring the user related data;
if the second authority authentication is passed, the user related data is sent to the target server, so that the target server judges whether the first user is a legal user or not based on the user related data;
and if the first user is judged to be a legal user, executing a step of authenticating a first authority of the first user for logging in the target server.
By adopting the device in one or more embodiments of the present specification, the authentication center determines the user type of the first user according to a login request of the first user to the target server, which is sent by the target server, authenticates a first authority of the first user to login the target server based on the user type of the first user, and returns a second login password corresponding to the target server when the first authority authentication passes, so that the target server determines whether to allow the first user to login the target server according to the first login password and the second login password. Therefore, the device can realize the login of the target server by acquiring the second login password corresponding to the target server from the authentication center through the interaction between the target server and the authentication center without storing user-related data in each server, and compared with the traditional mode of creating and storing the user-related data by the server, the device can effectively relieve the data storage pressure of the server, and particularly when a user needs to log in a plurality of servers, the device does not need to repeatedly create the user-related data of the same user in each server, so that the information redundancy is avoided, and the storage resource of the server is saved. Moreover, the authority of the user for logging in the server is authenticated according to the user type, so that the effect of authenticating and controlling the authority of the user for logging in the server according to each user type is achieved, compared with the traditional mode of managing authority information respectively for the user, the equipment improves the convenience of controlling the login authority of the server, and the control effect is better.
Along the same lines, one or more embodiments of the present specification further provide a server login device, as shown in fig. 8. The server login device may vary considerably with its configuration and performance, and may include one or more processors 801 and a memory 802, where the memory 802 may store one or more applications or data. Memory 802 may be transient storage or persistent storage. The application program stored in memory 802 may include one or more modules (not shown), each of which may include a series of computer-executable instructions for the server login device. Still further, the processor 801 may be configured to communicate with the memory 802 to execute a series of computer-executable instructions in the memory 802 on the server login device. The server login device may also include one or more power supplies 803, one or more wired or wireless network interfaces 804, one or more input-output interfaces 805, and one or more keyboards 806.
In particular, in this embodiment, the server login device includes a memory, and one or more programs, where the one or more programs are stored in the memory, and the one or more programs may include one or more modules, and each module may include a series of computer-executable instructions for the server login device, and the one or more programs configured to be executed by the one or more processors include computer-executable instructions for:
receiving a login request of a first user for a target server; the login request comprises user identification information of a first user, server identification information of a target server and a first login password for logging in the target server;
forwarding the login request to an authentication center; the authentication center is used for determining the user category of the first user according to the user identification information of the first user and authenticating the first authority of the first user for logging in the target server based on the user category of the first user;
receiving a second login password which is sent by the authentication center and corresponds to the target server, and judging whether the first login password is matched with the second login password; the second login password is sent to the target server after the authentication center passes the authentication of the first authority;
and determining whether to allow the first user to log in the target server according to the judgment result.
Optionally, the computer executable instructions, when executed, may further cause the processor to:
receiving user-related data sent by the authentication center; the user-related data comprises the user category of the first user and target login authority information corresponding to a second user belonging to that user category; the target login authority information includes at least one of: server identification information of at least one first server which the second user has the right to log in to, the authority time corresponding to each first server, and the first login password and second login password corresponding to each first server;
judging whether the first user is a legal user based on the login request and the user-related data;
and if the first user is a legal user, executing the step of receiving the second login password corresponding to the target server sent by the authentication center.
Optionally, the computer executable instructions, when executed, may further cause the processor to:
judge whether the following conditions are met: the server identification information of the at least one first server comprises the server identification information of the target server, and the receiving time of the login request falls within the authority time;
and if so, determine that the first user is a legal user.
With the device of one or more embodiments of the present specification, the target server receives a login request of a first user for the target server, forwards the login request to the authentication center, receives the second login password corresponding to the target server sent by the authentication center, judges whether the first login password matches the second login password, and determines according to the result whether to allow the first user to log in to the target server. Through this interaction between the target server and the authentication center, the device completes the login by obtaining the target server's second login password from the authentication center, without storing user-related data on each server. Compared with the traditional approach in which each server creates and stores the user-related data itself, this relieves the storage pressure on the servers; in particular, when a user needs to log in to several servers, the same user's data need not be created repeatedly on every server, which avoids information redundancy and saves server storage resources.
One or more embodiments of the present specification further provide a computer-readable storage medium storing one or more programs, where the one or more programs include instructions which, when executed by a server login device including multiple application programs, enable the server login device to execute each process of the server login method embodiment and achieve the same technical effect; details are not repeated here.
The above description is only one or more embodiments of the present disclosure, and is not intended to limit the present disclosure. Various modifications and alterations to one or more embodiments described herein will be apparent to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of one or more embodiments of the present specification should be included in the scope of claims of one or more embodiments of the present specification.
Claims (14)
1. A server login method is applied to an authentication center and comprises the following steps:
receiving a login request of a first user for a target server, which is sent by the target server; the login request comprises user identification information of the first user, server identification information of the target server and a first login password for logging in the target server;
determining the user category of the first user according to the user identification information of the first user; the user category comprises at least one of user identity, user level and user group to which the user belongs;
determining target login authority information corresponding to a second user belonging to the user category based on the user category of the first user, and authenticating a first authority of the first user for logging in the target server according to the target login authority information;
and if the first authority authentication is passed, returning a second login password corresponding to the target server, so that the target server judges, according to the first login password and the second login password, whether the first user is allowed to log in to the target server.
2. The method of claim 1, wherein the determining the user category of the first user according to the user identification information of the first user comprises:
according to the user identification information of the first user, obtaining pre-created user related data corresponding to the user identification information; the user related data at least comprises the user category and the target login authority information; the target login authority information comprises at least one of the following items: server identification information of at least one first server which the second user has the right to log in, authority time corresponding to each first server, and the first login password and the second login password corresponding to each first server;
determining a user category of the first user based on the user-related data.
3. The method of claim 2, wherein before receiving the login request of the first user for the target server, which is sent by the target server, the method further comprises:
acquiring the user related data corresponding to the first user;
creating and storing a first correspondence between the user-related data and the user identification information;
and sending the user identification information and the first login password respectively corresponding to each first server to the first user, so that the first user initiates the login request to the corresponding server based on the user identification information and the first login password.
4. The method according to claim 2, wherein the determining target login permission information corresponding to a second user belonging to the user category based on the user category of the first user comprises:
acquiring the target login authority information matched with the user category of the first user in the user related data;
or,
and determining the target login authority information matched with the user category of the first user according to a second corresponding relation between each user category and login authority information which is pre-established in the authentication center.
5. The method of claim 3, wherein after creating and storing the first correspondence between the user-related data and the user identification information, the method further comprises:
receiving an updating request for executing updating operation on the target login authority information; the update operation includes at least one of: adding operation to server identification information of a second server, deleting operation to the server identification information of the first server, modifying operation to the permission time, and modifying operation to the first login password and the second login password;
and executing corresponding updating operation on the target login authority information according to the updating request.
6. The method of claim 3, wherein after creating and storing the first correspondence between the user-related data and the user identification information, the method further comprises:
if the user type in the user related data is monitored to be changed, determining the changed user type;
determining login authority information corresponding to a third user belonging to the changed user category;
and updating the target login authority information in the user related data into login authority information corresponding to the third user.
7. The method of claim 2, wherein the authenticating the first right of the first user to log in to the target server according to the target login right information comprises:
judging whether the following conditions are met: the server identification information of the at least one first server comprises the server identification information of the target server, and the receiving time of the login request falls within the authority time;
and if so, determining that the first authority passes the authentication.
8. The method according to claim 2, wherein after determining the user category of the first user according to the user identification information of the first user, the method further comprises:
based on the user identification information and the corresponding user related data, authenticating a second authority of the target server for acquiring the user related data;
if the second authority authentication is passed, the user related data is sent to the target server, so that the target server judges whether the first user is a legal user or not based on the user related data;
and if the first user is judged to be a legal user, executing a step of authenticating a first authority of the first user for logging in the target server.
9. A server login method is applied to a target server and comprises the following steps:
receiving a login request of a first user for the target server; the login request comprises user identification information of the first user, server identification information of the target server and a first login password for logging in the target server;
forwarding the login request to an authentication center; the authentication center is used for determining the user category of the first user according to the user identification information of the first user and authenticating the first authority of the first user for logging in the target server based on the user category of the first user;
receiving a second login password which is sent by the authentication center and corresponds to the target server, and judging whether the first login password is matched with the second login password; the second login password is sent to the target server after the authentication center passes the authentication of the first authority;
and determining, according to the judgment result, whether to allow the first user to log in to the target server.
10. The method of claim 9, wherein before receiving the second login password corresponding to the target server sent by the authentication center, the method further comprises:
receiving user related data sent by the authentication center; the user related data comprises a user category of the first user and target login authority information corresponding to a second user belonging to the user category; the target login authority information comprises at least one of the following items: server identification information of at least one first server which the second user has the right to log in, authority time corresponding to each first server, and the first login password and the second login password corresponding to each first server;
judging whether the first user is a legal user or not based on the login request and the user related data;
and if the first user is the legal user, executing the step of receiving a second login password which is sent by the authentication center and corresponds to the target server.
11. The method of claim 10, wherein said determining whether the first user is a valid user based on the login request and the user-related data comprises:
judging whether the following conditions are met: the server identification information of the at least one first server comprises the server identification information of the target server, and the receiving time of the login request falls within the authority time;
and if so, determining that the first user is the legal user.
12. A server login system, comprising a target server and an authentication center;
the target server is used for receiving a login request of a first user for the target server; forwarding the login request to the authentication center; the login request comprises user identification information of the first user, server identification information of the target server and a first login password for logging in the target server;
the authentication center is used for receiving the login request sent by the target server; determining the user category of the first user according to the user identification information of the first user; determining target login authority information corresponding to a second user belonging to the user category based on the user category of the first user, and authenticating a first authority of the first user for logging in the target server according to the target login authority information; if the first authority passes the authentication, returning a second login password corresponding to the target server;
the target server is further used for receiving a second login password which is sent by the authentication center and corresponds to the target server, and judging whether the first login password matches the second login password; and determining, according to the judgment result, whether to allow the first user to log in to the target server.
13. A server login apparatus, comprising:
the first receiving module is used for receiving a login request of a first user aiming at a target server, which is sent by the target server; the login request comprises user identification information of the first user, server identification information of the target server and a first login password for logging in the target server;
the first determining module is used for determining the user category of the first user according to the user identification information of the first user; the user category comprises at least one of user identity, user level and user group to which the user belongs;
the first execution module is used for determining target login authority information corresponding to a second user belonging to the user category based on the user category of the first user, and authenticating a first authority of the first user for logging in the target server according to the target login authority information;
and the returning module is used for returning a second login password corresponding to the target server if the first authority authentication passes, so that the target server judges, according to the first login password and the second login password, whether the first user is allowed to log in to the target server.
14. A server login apparatus, comprising:
the third receiving module is used for receiving a login request of a first user for the target server; the login request comprises user identification information of the first user, server identification information of the target server and a first login password for logging in the target server;
the forwarding module is used for forwarding the login request to an authentication center; the authentication center is used for determining the user category of the first user according to the user identification information of the first user and authenticating the first authority of the first user for logging in the target server based on the user category of the first user;
the fourth execution module is used for receiving a second login password which is sent by the authentication center and corresponds to the target server, and judging whether the first login password is matched with the second login password; the second login password is sent to the target server after the authentication center passes the authentication of the first authority;
and the fourth determining module is used for determining, according to the judgment result, whether to allow the first user to log in to the target server.
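As an added example (not the applicant's code), the following Python simulates the exchange claimed above: the target server of claims 9 to 11 forwards the login request to the authentication center of claims 1, 2, 6 and 7, which resolves the user category, checks the server list and the authority time, and returns the second login password for the server to compare. The server names, users, passwords and time windows are constructed sample data; reading "match" as equality and using a constant-time comparison are assumptions the patent text does not make.

```python
from __future__ import annotations

import hmac
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class ServerPermission:
    """One server's entry in the 'target login permission information'."""
    valid_from: datetime    # start of the "authority time" window
    valid_until: datetime   # end of the "authority time" window
    first_password: str     # handed to the user when the data is created (claim 3)
    second_password: str    # released to the target server after authentication


@dataclass
class AuthCenter:
    """Authentication center (claims 1, 2, 4 second branch, 6 and 7)."""
    user_category: dict[str, str]                                  # user id -> category
    category_permissions: dict[str, dict[str, ServerPermission]]   # category -> server -> entry

    def change_user_category(self, user_id: str, new_category: str) -> None:
        # Claim 6: permissions are looked up by category, so nothing else to copy.
        self.user_category[user_id] = new_category

    def authenticate_first_authority(self, user_id: str, server_id: str,
                                     received_at: datetime) -> str | None:
        """Claims 1 and 7: return the second login password, or None on denial."""
        category = self.user_category.get(user_id)
        if category is None:
            return None                          # no user-related data for this id
        entry = self.category_permissions.get(category, {}).get(server_id)
        if entry is None:
            return None                          # target server not in the user's list
        if not (entry.valid_from <= received_at <= entry.valid_until):
            return None                          # request received outside the authority time
        return entry.second_password


@dataclass
class TargetServer:
    """Target server (claim 9); it holds no user-related data of its own."""
    server_id: str
    auth_center: AuthCenter

    def handle_login(self, user_id: str, first_password: str,
                     received_at: datetime) -> bool:
        request = {"user": user_id, "server": self.server_id, "password": first_password}
        second = self.auth_center.authenticate_first_authority(
            request["user"], request["server"], received_at)   # forwarded as received
        if second is None:
            return False                         # first authority denied upstream
        # "Match" is read as equality; the constant-time compare is an assumption.
        return hmac.compare_digest(first_password.encode(), second.encode())


def build_demo() -> AuthCenter:
    """Constructed sample user-related data; the values are not from the patent."""
    t0 = datetime(2020, 8, 7, 9, tzinfo=timezone.utc)
    t1 = datetime(2020, 8, 7, 18, tzinfo=timezone.utc)
    ops = {"srv-db-01": ServerPermission(t0, t1, "pw-db-ops", "pw-db-ops"),
           "srv-web-01": ServerPermission(t0, t1, "pw-web-ops", "pw-web-ops")}
    dev = {"srv-web-01": ServerPermission(t0, t1, "pw-web-dev", "pw-web-dev")}
    return AuthCenter({"alice": "ops", "bob": "dev"}, {"ops": ops, "dev": dev})


def run_scenarios() -> dict[str, bool]:
    """Run each denial condition of claim 7 plus a password mismatch against srv-db-01."""
    ac = build_demo()
    db = TargetServer("srv-db-01", ac)
    in_window = datetime(2020, 8, 7, 12, tzinfo=timezone.utc)
    next_day = datetime(2020, 8, 8, 12, tzinfo=timezone.utc)
    results = {
        "ops_user_in_window": db.handle_login("alice", "pw-db-ops", in_window),
        "wrong_first_password": db.handle_login("alice", "pw-db-oops", in_window),
        "server_not_in_list": db.handle_login("bob", "pw-db-ops", in_window),
        "outside_authority_time": db.handle_login("alice", "pw-db-ops", next_day),
        "unknown_user": db.handle_login("mallory", "pw-db-ops", in_window),
    }
    ac.change_user_category("alice", "dev")      # claim 6: the category changes
    results["after_category_change"] = db.handle_login("alice", "pw-db-ops", in_window)
    return results
```

Only the first scenario is allowed; every other case is denied either by the authentication center (no second password returned) or by the target server's comparison.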
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010787009.7A CN112039851B (en) | 2020-08-07 | 2020-08-07 | Server login method, system and device |
PCT/CN2020/138588 WO2022027904A1 (en) | 2020-08-07 | 2020-12-23 | Server login method, system and device |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010787009.7A CN112039851B (en) | 2020-08-07 | 2020-08-07 | Server login method, system and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN112039851A true CN112039851A (en) | 2020-12-04 |
CN112039851B CN112039851B (en) | 2021-09-21 |
Family
ID=73582669
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202010787009.7A Active CN112039851B (en) | 2020-08-07 | 2020-08-07 | Server login method, system and device |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN112039851B (en) |
WO (1) | WO2022027904A1 (en) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113536290A (en) * | 2021-07-26 | 2021-10-22 | 未鲲(上海)科技服务有限公司 | Server login method, device, terminal equipment and medium |
CN113536289A (en) * | 2021-07-26 | 2021-10-22 | 未鲲(上海)科技服务有限公司 | Server login method, device, terminal equipment and medium |
WO2022027904A1 (en) * | 2020-08-07 | 2022-02-10 | 郑州阿帕斯数云信息科技有限公司 | Server login method, system and device |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101018155A (en) * | 2007-02-08 | 2007-08-15 | 华为技术有限公司 | Network element management method, system and network element |
WO2014092534A1 (en) * | 2012-12-11 | 2014-06-19 | Mimos Berhad | A system and method for peer-to-peer entity authentication with nearest neighbours credential delegation |
CN104240351A (en) * | 2014-09-18 | 2014-12-24 | 广东建邦计算机软件有限公司 | User interaction method and device based on access control system |
CN104753677A (en) * | 2013-12-31 | 2015-07-01 | 腾讯科技(深圳)有限公司 | Password hierarchical control method and system |
US20170104591A1 (en) * | 2015-10-07 | 2017-04-13 | Go Daddy Operating Company, LLC | Account asset protection via an encoded physical mechanism |
CN107196914A (en) * | 2017-04-25 | 2017-09-22 | 北京潘达互娱科技有限公司 | Identity identifying method and device |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104243154B (en) * | 2013-06-07 | 2018-07-06 | 腾讯科技(深圳)有限公司 | Server user's permission centralized control system and method |
CN109190341B (en) * | 2018-07-26 | 2024-03-15 | 平安科技(深圳)有限公司 | Login management system and method |
CN112039851B (en) * | 2020-08-07 | 2021-09-21 | 郑州阿帕斯数云信息科技有限公司 | Server login method, system and device |
2020
- 2020-08-07 CN CN202010787009.7A patent/CN112039851B/en active Active
- 2020-12-23 WO PCT/CN2020/138588 patent/WO2022027904A1/en active Application Filing
Also Published As
Publication number | Publication date |
---|---|
WO2022027904A1 (en) | 2022-02-10 |
CN112039851B (en) | 2021-09-21 |
Similar Documents
Publication | Title |
---|---|
CN111488598B (en) | Access control method, device, computer equipment and storage medium |
US12010248B2 (en) | Systems and methods for providing authentication to a plurality of devices |
CN112039851B (en) | Server login method, system and device |
US10749854B2 (en) | Single sign-on identity management between local and remote systems |
US8387137B2 (en) | Role-based access control utilizing token profiles having predefined roles |
US8782757B2 (en) | Session sharing in secure web service conversations |
US8387136B2 (en) | Role-based access control utilizing token profiles |
US5586260A (en) | Method and apparatus for authenticating a client to a server in computer systems which support different security mechanisms |
CN108964885B (en) | Authentication method, device, system and storage medium |
Chadwick et al. | Adding federated identity management to openstack |
US8281374B2 (en) | Attested identities |
CN113316783A (en) | Two-factor identity authentication using a combination of active directory and one-time password token |
US20140109179A1 (en) | Multiple server access management |
KR102189554B1 (en) | Teriminal apparatus, server apparatus, blockchain and method for fido universal authentication using the same |
US9081982B2 (en) | Authorized data access based on the rights of a user and a location |
JP7189856B2 (en) | Systems and methods for securely enabling users with mobile devices to access the capabilities of stand-alone computing devices |
US7428748B2 (en) | Method and system for authentication in a business intelligence system |
US11977620B2 (en) | Attestation of application identity for inter-app communications |
US20030163707A1 (en) | Information management apparatus and method |
US11177958B2 (en) | Protection of authentication tokens |
US11095436B2 (en) | Key-based security for cloud services |
US10756899B2 (en) | Access to software applications |
CN109598114B (en) | Cross-platform unified user account management method and system |
Basu et al. | Strengthening Authentication within OpenStack Cloud Computing System through Federation with ADDS System |
US20240152599A1 (en) | Systems and methods for managing multiple valid one time password (otp) for a single identity |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | GR01 | Patent grant | |