Procedure

The following guidelines should be followed to initially set up a target when introducing SSH Controls:

  1. Add a dedicated OS group & user - for example sshadmin - who will be the owner of the repository. The administrative account does not need a password (so lock it) but does require a valid shell:
[client]$ groupadd sshadmin
[client]$ useradd -g sshadmin sshadmin
  1. Pre-populate the SSH Controls *local repository*. You can use the following shell script for this:
#!/bin/sh
# create the local repository tree; holding/ is setgid and group-writable for sshadmin
mkdir -p /etc/ssh_controls/holding
mkdir -p /etc/ssh_controls/keys.d
chown root:sys /etc/ssh_controls
chmod 755 /etc/ssh_controls
chown root:sshadmin /etc/ssh_controls/holding
chmod 2775 /etc/ssh_controls/holding
chown root:sys /etc/ssh_controls/keys.d
chmod 755 /etc/ssh_controls/keys.d
# configuration and data files that will be pushed from the master
touch /etc/ssh_controls/holding/access
touch /etc/ssh_controls/holding/alias
touch /etc/ssh_controls/holding/keys
touch /etc/ssh_controls/holding/manage_ssh.conf
touch /etc/ssh_controls/holding/update_ssh.conf
touch /etc/ssh_controls/holding/manage_ssh.sh
touch /etc/ssh_controls/holding/update_ssh.pl
chown root:sshadmin /etc/ssh_controls/holding/access
chown root:sshadmin /etc/ssh_controls/holding/alias
chown root:sshadmin /etc/ssh_controls/holding/keys
chown root:sshadmin /etc/ssh_controls/holding/manage_ssh.conf
chown root:sshadmin /etc/ssh_controls/holding/update_ssh.conf
chmod 660 /etc/ssh_controls/holding/access
chmod 660 /etc/ssh_controls/holding/alias
chmod 660 /etc/ssh_controls/holding/keys
chmod 660 /etc/ssh_controls/holding/manage_ssh.conf
chmod 660 /etc/ssh_controls/holding/update_ssh.conf
# scripts that will be pushed from the master (executable by root and the sshadmin group only)
chown root:sshadmin /etc/ssh_controls/holding/manage_ssh.sh
chown root:sshadmin /etc/ssh_controls/holding/update_ssh.pl
chmod 770 /etc/ssh_controls/holding/manage_ssh.sh
chmod 770 /etc/ssh_controls/holding/update_ssh.pl
# log file written by manage_ssh.sh
touch /var/log/manage_ssh.sh.log
chown root:sshadmin /var/log/manage_ssh.sh.log
chmod 664 /var/log/manage_ssh.sh.log
  1. Copy & add the SSH public key of the sshadmin account to the authorized_keys on the client. The key in THIS location IS ONLY required for the initial client push:
[client]$ cat sshadmin.pub >> /home/sshadmin/.ssh/authorized_keys
  1. Test that you can connect as the sshadmin user from the SSH master onto the client host WITHOUT specifying a passphrase (the private key should be loaded in an SSH agent):
[master]$ ssh sshadmin@client
  1. Update the master configuration files so that the client host is referenced in each of the files. You should have at least one entry for the sshadmin account in the access file and one for the client host in the targets file:
[master]$ vi /etc/ssh_master/access

sshadmin : client : sshadmin
  1. Perform an initial distribution from the SSH Controls master using the sshadmin account & key and specifying a manual list of targets. Make sure the sync finishes without errors:
[master]$ /etc/ssh_master/manage_ssh.sh --copy --targets=<client>

At this point you should have a working set of SSH controls on the target client host, ready to be activated but not yet active. In the next couple of steps we will activate the SSH Controls:

  1. Add the necessary SUDO rules on the client host so that the update_ssh.pl script can be executed with root privileges. You can use SUDO Controls for this purpose.
[client]# visudo -f /etc/sudoers

Either add a snippet for the sshadmin user:

# ssh_controls
Cmnd_Alias SSH_CONTROLS_C = /etc/ssh_controls/holding/update_ssh.pl, /etc/ssh_controls/holding/manage_ssh.sh
sshadmin ALL=(root) NOPASSWD: SSH_CONTROLS_C

-OR- for the sshadmin *group* (if you are managing SSH Controls with multiple people and individual accounts):

# ssh_controls
Cmnd_Alias SSH_CONTROLS_C = /etc/ssh_controls/holding/update_ssh.pl, /etc/ssh_controls/holding/manage_ssh.sh
%sshadmin ALL=(root) NOPASSWD: SSH_CONTROLS_C

Please also read the FAQ on DAC considerations.
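The snippet above can also be installed as a drop-in file under /etc/sudoers.d and checked by visudo before it goes live, which avoids locking everyone out of sudo with a typo. The following script is an added example, not part of SSH Controls or SUDO Controls; it assumes /etc/sudoers contains an includedir line for /etc/sudoers.d (the usual default) and the file name /etc/sudoers.d/ssh_controls is a chosen placeholder:

```shell
#!/bin/sh
# Added example, not part of SSH Controls: install the sudo rule from this
# page as a drop-in file and let visudo parse it before it goes live.
# Assumes /etc/sudoers has "#includedir /etc/sudoers.d" (the usual default).
# A syntax error in the live sudoers file breaks sudo for everyone, which is
# why the snippet is validated in a temporary file first.

# Print the sudoers snippet for a principal: "sshadmin" (user) or
# "%sshadmin" (group). The command list and alias name are the page's own.
render_ssh_controls_sudoers() {
    principal=${1:-sshadmin}
    cat <<EOF
# ssh_controls
Cmnd_Alias SSH_CONTROLS_C = /etc/ssh_controls/holding/update_ssh.pl, /etc/ssh_controls/holding/manage_ssh.sh
$principal ALL=(root) NOPASSWD: SSH_CONTROLS_C
EOF
}

# Write the snippet to a temp file, validate it with "visudo -c -f", and only
# then move it into place (mode 0440, as sudo requires). Installs nothing and
# returns non-zero if validation fails or visudo is not available.
install_ssh_controls_sudoers() {
    principal=$1
    target=${2:-/etc/sudoers.d/ssh_controls}   # placeholder drop-in name
    if ! command -v visudo >/dev/null 2>&1; then
        echo "visudo not found; refusing to install an unchecked sudoers file" >&2
        return 1
    fi
    tmp=$(mktemp) || return 1
    render_ssh_controls_sudoers "$principal" > "$tmp"
    chmod 0440 "$tmp"
    if ! visudo -c -f "$tmp" >/dev/null 2>&1; then
        echo "sudoers snippet failed to parse; not installed" >&2
        rm -f "$tmp"
        return 1
    fi
    mv "$tmp" "$target"
}

# Usage (as root on the client host):
#   install_ssh_controls_sudoers sshadmin      # single account
#   install_ssh_controls_sudoers %sshadmin     # whole sshadmin group
```

Because the temporary file is created by root and chmod'ed to 0440 before the move, the installed file already has the owner and mode sudo expects.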

  1. Perform an initial activation of the SSH Controls, locally on the client host:
[client]$ sudo /etc/ssh_controls/holding/manage_ssh.sh --update

-or- with preview first:

[client]$ sudo /etc/ssh_controls/holding/update_ssh.pl --verbose --preview

[client]$ sudo /etc/ssh_controls/holding/update_ssh.pl --verbose
  1. Adapt sshd_config on the client host by adding/changing the following directives and restart sshd:
[client]$ vi /etc/ssh/sshd_config

# ssh_controls
AuthorizedKeysFile /etc/ssh_controls/keys.d/%u

[client]# kill -HUP <sshd_pid>
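One thing to check before sending the HUP: sshd honours the first uncommented occurrence of a directive (outside Match blocks), so an AuthorizedKeysFile line added below an existing one is silently ignored and the keys.d files never get consulted. The following script is an added example, not part of SSH Controls; it assumes the OpenSSH defaults for the config path (/etc/ssh/sshd_config) and PidFile (/var/run/sshd.pid), and validates the file with `sshd -t` before reloading:

```shell
#!/bin/sh
# Added example, not part of SSH Controls: confirm that sshd will really use
# /etc/ssh_controls/keys.d/%u before reloading it. sshd takes the FIRST
# uncommented value of a directive outside Match blocks, so a second
# AuthorizedKeysFile line appended further down has no effect.

# Print the effective value of a directive from an sshd_config-style file:
# the first uncommented occurrence before any "Match" line. Directive names
# are case-insensitive and "Key value" as well as "Key=value" are accepted.
sshd_effective_value() {
    directive=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    awk -v want="$directive" '
        {
            line = $0
            sub(/^[ \t]+/, "", line)           # strip leading whitespace
            sub(/[ \t]+$/, "", line)           # and trailing whitespace
            key = line
            sub(/[ \t=].*$/, "", key)          # directive name only
            key = tolower(key)
        }
        line == "" || line ~ /^#/ { next }     # blank lines and comments
        key == "match" { exit }                # per-connection blocks: stop
        key == want {
            sub(/^[^ \t=]+[ \t=]+/, "", line)  # drop name and separator
            print line
            exit
        }
    ' "$2"
}

# Return 0 if the effective AuthorizedKeysFile is the keys.d pattern from
# this page, 1 otherwise (reporting what was actually found).
check_keys_d_active() {
    cfg=${1:-/etc/ssh/sshd_config}
    want='/etc/ssh_controls/keys.d/%u'
    got=$(sshd_effective_value AuthorizedKeysFile "$cfg")
    [ "$got" = "$want" ] && return 0
    echo "AuthorizedKeysFile is '${got:-<built-in default>}', expected '$want'" >&2
    return 1
}

# Validate the file with sshd itself, then signal the running daemon, as on
# this page. A config that fails "sshd -t" would leave sshd unable to restart.
reload_sshd() {
    cfg=${1:-/etc/ssh/sshd_config}
    pidfile=${2:-/var/run/sshd.pid}            # OpenSSH default PidFile
    check_keys_d_active "$cfg" || return 1
    sshd -t -f "$cfg" || return 1
    kill -HUP "$(cat "$pidfile")"
}

# Usage (as root on the client host): reload_sshd
```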
  1. Add the client host to the targets file on the SSH Controls master:
[master]$ echo "<client>" >>/etc/ssh_master/targets
  1. Do a second, remote distribute & apply from the SSH Controls master (as a double-check):
[master]$ /etc/ssh_master/manage_ssh.sh --copy --targets=<client>

[master]$ /etc/ssh_master/manage_ssh.sh --apply --targets=<client>

You now have SSH Controls fully configured and active on your client host. As a final step, you may optionally remove all old authorized_keys files on the client host. You could use the following shell script for this purpose:

#!/bin/sh
# read /etc/passwd for user accounts and remove their per-user authorized_keys
# files; sshd now takes keys from /etc/ssh_controls/keys.d instead
while IFS=: read -r PW_USER _ _ _ _ PW_HOME _
do
	# inspect $HOME for user
	if [ -d "${PW_HOME}" ]
	then
		# authorized_keys2 (legacy name)
		rm -f "${PW_HOME}/.ssh/authorized_keys2"
		# authorized_keys
		rm -f "${PW_HOME}/.ssh/authorized_keys"
	else
		echo "no home directory found for ${PW_USER}" >&2
	fi
done < /etc/passwd

Example repository

The following is a listing of what an SSH client repository may look like:

[client]# ls -lR /etc/ssh_controls

drwxr-xr-x   2 sshadmin       sshadmin      1024 Jan 17 13:24 holding
drwxr-xr-x   2 sshadmin       sshadmin      1024 Mar  5 12:32 keys.d

./holding:

-rw-r-----   1 sshadmin       sshadmin     27034 May  1 10:59 access
-rw-r-----   1 sshadmin       sshadmin     19484 May  1 10:59 alias
-rw-r-----   1 sshadmin       sshadmin     63859 May  1 10:59 keys
-rw-r-----   1 sshadmin       sshadmin       979 May  1 10:59 manage_ssh.conf
-rwxr-x---   1 sshadmin       sshadmin     40511 May  1 10:59 manage_ssh.sh
-rw-r-----   1 sshadmin       sshadmin       686 May  1 10:59 update_ssh.conf
-rwxr-x---   1 sshadmin       sshadmin     25833 May  1 10:59 update_ssh.pl

./keys.d:

-rw-r--r--   1 sshadmin       sshadmin       491 May  1 12:49 johndoe
-rw-r--r--   1 sshadmin       sshadmin       378 May  1 12:49 janedoe
-rw-r--r--   1 sshadmin       sshadmin       395 May  1 12:49 foobar

:pushpin: The files contained in the keys.d directory must be WORLD-READABLE or you will get Permission denied errors when trying to connect via SSH to the client host (sshd opens the authorized keys file with the privileges of the user who is logging in).
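A quick way to catch that problem (and its mirror image, key files or a directory that are group- or world-writable, which sshd rejects when StrictModes is on, its default) is to audit keys.d after each distribution. The following is an added example, not part of SSH Controls; it checks mode bits only, not ownership, and defaults to the repository path used on this page:

```shell
#!/bin/sh
# Added example, not part of SSH Controls: audit the keys.d directory for
# permission problems before users report "Permission denied".
#   * a key file that is not world-readable cannot be opened by sshd, which
#     reads AuthorizedKeysFile with the connecting user's privileges
#   * a key file, or the directory itself, that is group- or world-writable
#     is rejected outright when StrictModes is on (the OpenSSH default)
# Only mode bits are checked; ownership (root or the user) is not.

# Key files lacking the other-read bit (mode & 004 == 0).
unreadable_keys() {
    find "$1" -type f ! -perm -004 | sort
}

# Key files writable by group or others (mode & 022 != 0).
writable_keys() {
    find "$1" -type f \( -perm -020 -o -perm -002 \) | sort
}

# True if the directory itself is group- or world-writable.
dir_is_writable() {
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \))" ]
}

# Report every problem found; returns 0 only when the directory is clean.
# File names are user names, so word-splitting the find output is safe here.
audit_keys_dir() {
    dir=${1:-/etc/ssh_controls/keys.d}
    [ -d "$dir" ] || { echo "ERROR: $dir is not a directory" >&2; return 2; }
    problems=0
    if dir_is_writable "$dir"; then
        echo "WARN: $dir is group/world-writable (StrictModes will reject it)"
        problems=$((problems + 1))
    fi
    for f in $(unreadable_keys "$dir"); do
        echo "WARN: $f is not world-readable (logins will get Permission denied)"
        problems=$((problems + 1))
    done
    for f in $(writable_keys "$dir"); do
        echo "WARN: $f is group/world-writable (StrictModes will reject it)"
        problems=$((problems + 1))
    done
    if [ "$problems" -eq 0 ]; then
        echo "OK: $dir ($(ls "$dir" | wc -l | tr -d ' ') key files checked)"
        return 0
    fi
    return 1
}

# When run directly on a client host, audit the page's repository path.
if [ -d /etc/ssh_controls/keys.d ]; then
    audit_keys_dir /etc/ssh_controls/keys.d
fi
```

Running it from the master after `manage_ssh.sh --apply` (for example over the same sshadmin SSH session) turns a vague "Permission denied" into a named file and mode.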
