| | 1 | == SSH keys and user accounts |
| | 2 | |
| | 3 | Public ssh keys for our team are stored on our data site |
| | 4 | |
| | 5 | http://data.briccs.org.uk/sshkeys/ |
| | 6 | |
| | 7 | These keys are used by the install scripts to create our user accounts |
| | 8 | and add our keys. |
| | 9 | |
| | 10 | Posting our public keys on a public site does not in itself represetnt a security |
| | 11 | issue. If a black-hat were to use one of these keys, all they could do is grant |
| | 12 | one of us access to one of their servers, not the ther way round. |
| | 13 | |
| | 14 | However, it does mean that write access to the server hosting the data site |
| | 15 | needs to be treated as a security issue. |
| | 16 | |
| | 17 | If a black-hat managed to substitute one of their keys for one of ours, |
| | 18 | then they would be able to use that to gain access to our servers. |
| | 19 | |
| | 20 | == Making ssh easier to use |
| | 21 | |
| | 22 | I have lots of logins accounts on lots of different machines. |
| | 23 | |
| | 24 | Adding host specific settings for each machine to your local |
| | 25 | ssh client config makes it much easier to manage what identity |
| | 26 | to use for which machine. |
| | 27 | |
| | 28 | Note - configuration on your local machine (desktop/laptop) is up to you, |
| | 29 | so consider this as "works for me" advice rather than a recomendation. |
| | 30 | |
| | 31 | For each remote host, I add something like the following to my |
| | 32 | ssh client configuration. |
| | 33 | |
| | 34 | {{{vi ~/.ssh/config}}} |
| | 35 | {{{ |
| | 36 | Host briccs-1 |
| | 37 | HostName briccs-1.rcs.le.ac.uk |
| | 38 | User dm241 |
| | 39 | IdentityFile ~/.ssh/dave.briccs.org.uk.key |
| | 40 | Protocol 2 |
| | 41 | Compression yes |
| | 42 | PasswordAuthentication no |
| | 43 | ForwardAgent yes |
| | 44 | }}} |
| | 45 | |
| | 46 | The host alias means that I can login to briccs-1 with just the following: |
| | 47 | {{{ |
| | 48 | ssh briccs-1 |
| | 49 | }}} |
| | 50 | |
| | 51 | The local client settings are used to fill in the details |
| | 52 | of what user account to use (dm241), what ssh key to use (dave.briccs.org.uk.key) |
| | 53 | |
| | 54 | You can still override all of the settings using command line options |
| | 55 | {{{ |
| | 56 | ssh root@briccs-1 |
| | 57 | }}} |
| | 58 | will ignore the user name in the config and login as root instead. |
| | 59 | |
| | 60 | == Using agent forwarding |
| | 61 | |
| | 62 | The service install scripts need to get data from our svn repository using ssh. |
| | 63 | That means we need a way to authenticate the ssh call from the target machine to the svn repository. |
| | 64 | {{{ |
| | 65 | [desktop] |
| | 66 | | |
| | 67 | \--- ssh ---> [target] |
| | 68 | | |
| | 69 | \- jbossinstall |
| | 70 | | |
| | 71 | \- svn checkout |
| | 72 | | |
| | 73 | \--- ssh ---> [svn repo] |
| | 74 | }}} |
| | 75 | |
| | 76 | On local desktop, the user will be logged in using their normal user account. |
| | 77 | |
| | 78 | On the target machine, the user will need to be logged in as root in order to |
| | 79 | install system packages and create top level directories. |
| | 80 | |
| | 81 | The call to the svn repository needs to be done using a shared 'briccs' account |
| | 82 | so that an install done by one of us can be updated by another. |
| | 83 | {{{ |
| | 84 | [user@desktop] |
| | 85 | | |
| | 86 | \--- ssh ---> [root@target] |
| | 87 | | |
| | 88 | \- jbossinstall |
| | 89 | | |
| | 90 | \- svn checkout |
| | 91 | | |
| | 92 | \--- ssh ---> [briccs@svnrepo] |
| | 93 | }}} |
| | 94 | |
| | 95 | We could use password authentication on the svn repository, |
| | 96 | but that causes some problems. |
| | 97 | |
| | 98 | * Everyone in the team will need to know the password for the shared account |
| | 99 | * The password will get written down on post-it notes and wiki pages |
| | 100 | * If we need to change the password, we need to notify everyone who needs to use that account |
| | 101 | * Once someone is given the password, we can't revoke their access without changing it for everyone |
| | 102 | |
| | 103 | * The install script will need to prompt for the password |
| | 104 | * The scripts can't be run unattended |
| | 105 | |
| | 106 | Using ssh agent forwarding solves some of this, by using ssh keys and a chain of |
| | 107 | agents to authenticate access to the svn repository. |
| | 108 | {{{ |
| | 109 | [user@desktop] |
| | 110 | | |
| | 111 | +- ssh agent <------------------\ |
| | 112 | | | |
| | 113 | \--- ssh ---> [root@target] | |
| | 114 | | | |
| | 115 | | | |
| | 116 | +------- ssh agent <----------------\ |
| | 117 | | | |
| | 118 | | | |
| | 119 | \- jbossinstall | |
| | 120 | | | |
| | 121 | \- svn checkout | |
| | 122 | | | |
| | 123 | \--- ssh ---> [briccs@svnrepo] |
| | 124 | }}} |
| | 125 | |
| | 126 | In order for this to work, the users ssh key needs to be added to the |
| | 127 | list of keys accepted by the shared briccs@svnrepo account. |
| | 128 | |
| | 129 | With that in place, when the install script on the target machine tries to access |
| | 130 | our svn repository via ssh, the authentication request is passed back down the chain of agents |
| | 131 | to the users local machine. |
| | 132 | |
| | 133 | === Problems with agent forwarding |
| | 134 | |
| | 135 | There are issues with using ssh agent forwarding. |
| | 136 | The most well know attack is by subverting the agent running on the intermediate system. |
| | 137 | |
| | 138 | If a black-hat gains root access to the target machine while the one of us is logged in |
| | 139 | then they can use the unix socket created by the ssh agent to authenticate |
| | 140 | themselves as us on another machine. |
