The following guidelines should be followed to initially set up a target host when introducing SSH Controls:
Add a dedicated OS group & user - for example sshadmin - who will be the owner of the repository. The administrative account does not need a password (so lock it) but does require a valid shell:
Pre-populate the SSH Controls local repository. You can use the following shell script for this:
Copy & add the SSH public key of the sshadmin account to the authorized_keys file on the client. The key in THIS location IS ONLY required for the initial client push:
Test that you can connect as the sshadmin user from the SSH master onto the client host WITHOUT specifying a passphrase (the key must therefore be loaded in a running SSH agent):
Update the master configuration files so that the client host is referenced in each of the files. You should have at least one entry for the sshadmin account in the access file and one for the client host in the targets file:
Perform an initial distribution from the SSH Controls master using the sshadmin account & key and specifying a manual list of targets. Make sure the sync finishes without errors:
At this point you should have a working set of SSH controls on the target client host, ready to be activated but not yet active. In the next couple of steps we will activate the SSH Controls:
Add the necessary SUDO rules on the client host so that the update_ssh.pl script can be executed with root privileges. You can use SUDO Controls for this purpose.
Either add a snippet for the sshadmin user:
-OR- for the sshadmin group (if you are managing SSH Controls with multiple people and individual accounts):
Perform an initial activation of the SSH Controls, locally on the client host:
-or- with preview first:
Adapt sshd_config on the client host by adding/changing the following directives and restart sshd:
Add the client host to the targets file on the SSH Controls master:
Do a second, remote distribute & apply from the SSH Controls master (as a double-check):
You now have SSH Controls fully configured and active on your client host. As a final step, you may optionally remove all old authorized_keys files on the client host. You could use the following shell script for this purpose:
Example repository
The following is a listing of what an SSH client repository may look like:
The files contained in the keys.d directory must be WORLD-READABLE or you will get "Permission denied" errors when trying to connect via SSH to the client host.
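The two requirements that most often break a fresh client (the sshadmin account must be locked yet keep a login shell, and every file under keys.d must be world-readable) can be verified with a small script. This is an added example, not part of the SSH Controls project; the function names and the sample account lines in the comments are assumptions.

```sh
#!/bin/sh
# Added example (not SSH Controls project code): sanity checks for a client
# host prepared per the steps above. Inputs are passed as arguments so the
# checks can also be run against constructed sample data.

# account_is_locked SHADOW_LINE
# True when the password field of an /etc/shadow entry starts with '!' or '*',
# i.e. the account has no usable password (as required for sshadmin).
account_is_locked() {
    pw=$(printf '%s\n' "$1" | cut -d: -f2)
    case "$pw" in
        '!'*|'*'*) return 0 ;;
        *) return 1 ;;
    esac
}

# shell_has_login PASSWD_LINE
# True when the login shell field of an /etc/passwd entry is a real shell
# rather than empty, nologin or false (sshadmin needs a valid shell).
shell_has_login() {
    shell=$(printf '%s\n' "$1" | cut -d: -f7)
    case "$shell" in
        ''|*/nologin|*/false) return 1 ;;
        *) return 0 ;;
    esac
}

# keysd_world_readable DIR
# Returns 0 when every regular file in DIR has the "other" read bit set,
# 1 otherwise, listing the offending files on stderr. The 8th character of
# "ls -ld" output is the other-read bit, which is portable across POSIX ls.
keysd_world_readable() {
    dir=$1; rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if [ "$(ls -ld "$f" | cut -c8)" != "r" ]; then
            printf 'not world-readable: %s\n' "$f" >&2
            rc=1
        fi
    done
    return $rc
}

# Stand-alone use: check the live host, e.g. ./check_client.sh /path/to/keys.d
if [ $# -ge 1 ]; then
    account_is_locked "$(grep '^sshadmin:' /etc/shadow 2>/dev/null)" || echo "sshadmin not locked"
    shell_has_login "$(grep '^sshadmin:' /etc/passwd 2>/dev/null)" || echo "sshadmin has no login shell"
    keysd_world_readable "$1" || echo "keys.d permissions need fixing"
fi
```

Run it as root (the /etc/shadow read needs it) after step 2 and again after the first distribution; a non-empty output names what still needs attention.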