Auditors want more security with root to root access via ssh keys | Unix Linux Forums | SuSE

#1, 07-11-2013, dvbell (Registered User; joined Oct 2012; 5 posts)

Auditors want more security with root to root access via ssh keys

I access over 100 SUSE SLES servers as root from my admin server, via ssh sessions using ssh keys, so I don't have to enter a password. My SUSE admin server is set up in the following manner:

1) Remote root access is turned off in the sshd_config file.

2) I am the only user of this admin server.

3) My user account is not allowed sudo access, so I must use su and know the root password.

4) ssh keys are set up to the remote servers' root accounts.

What I need, in order to satisfy the auditors, is a password being required when I use ssh. However, an ssh passphrase will not work since it will require a password at each server. I need something that will require a password once, so I can run a script that hits all servers without having to enter a password at each server the script hits.

Any ideas? Thanks in advance.
#2, 07-11-2013, hergp (Forum Advisor, Vienna, Austria; joined Jan 2010; 802 posts)
Have a look at ssh-agent; it might provide just what you need.
#3, 07-11-2013, Corona688 (Forum Staff, Saskatchewan; joined Aug 2005; 19,614 posts)
Quote (originally posted by dvbell):
I access over 100 SUSE SLES servers as root from my admin server, via ssh sessions using ssh keys, so I don't have to enter a password. My SUSE admin server is set up in the following manner:

1) Remote root access is turned off in the sshd_config file.

2) I am the only user of this admin server.

3) My user account is not allowed sudo access, so I must use su and know the root password.

4) ssh keys are set up to the remote servers' root accounts.
So, you have explicitly disabled direct root logins -- then banned the other safe automatic login tool. Do you truly need root?

If you allowed direct root login, you could create an ssh key that has its own password, so you must provide the password to your ssh client to use the key. And you could use ssh-agent to hold the key temporarily for convenience (or not, to just be asked for the password every time).

If you allowed sudo instead, you could disable direct root logins and use the same scheme to log in to a non-root account with sudo access. It could be a special account for this purpose and no other, so you could flag it and only it in sudoers. This is what I do.

Last edited by Corona688; 07-11-2013 at 02:55 PM..
#4, 07-11-2013, Corona688 (Forum Staff)
I have this in my ~/.bashrc


Code:
# Meant to be sourced from ~/.bashrc, hence the top-level "return".
# If ssh agent strings already set, and the PID is valid,
# no further work is needed.
[ ! -z "${SSH_AGENT_PID}" ]             &&
        [ -d "/proc/${SSH_AGENT_PID}" ] &&
        return

# Called on shell exit. Every live session holds a shared lock on fd 200;
# the exclusive lock only succeeds when this is the last session.
function ssh_agent_kill
{
        [ -z "$SSH_AGENT_PID" ] && return

        if flock -w 0 -x 200
        then
                echo "We are the last.  Killing $SSH_AGENT_PID"
                kill "$SSH_AGENT_PID" ||
                        echo "WARNING, ssh-agent $SSH_AGENT_PID not killed" >&2
                : > ~/.ssh-agent
                chmod 600 ~/.ssh-agent
                flock -u 200
        fi
}

# State file holding the agent's environment; keep it private.
[ ! -f ~/.ssh-agent ] && touch ~/.ssh-agent && chmod 600 ~/.ssh-agent

# Open file so we can play with locks
exec 200<~/.ssh-agent

NEW_AGENT=0

# Exclusive lock means no other session is using an agent: start one.
if flock -w 1 -x 200
then
        echo "Creating new ssh-agent instance" >&2
        :>~/.ssh-agent
        chmod 600 ~/.ssh-agent
        ssh-agent -s > ~/.ssh-agent
        NEW_AGENT=1
elif [ ! -d "/proc/${SSH_AGENT_PID}" ]
then
        cat <<EOF >&2
PID ${SSH_AGENT_PID} no longer exists, but you still have sessions open.
Please close these sessions, then source $0 again to create a new
instance.
EOF

fi

# Make it a shared lock, to signify it's readable
if ! flock -w 1 -s 200
then
        echo "We cannot share-lock"
        return 2>/dev/null || exit 1
fi

source ~/.ssh-agent

# Only the session that started the agent loads the keys (passphrase prompt once).
[ "${NEW_AGENT}" == 1 ] && ssh-add

trap "ssh_agent_kill" EXIT

So when I login to my local account, it loads ssh-agent which adds my keys (asking once for my passwords). Further simultaneous logins do not get asked.

If my shell sessions are hard-killed for some reason, that might leave ssh-agent hanging, so I added this to my own (not root's!) crontab:


Code:
# Once a day at 01:00 (minute 0 of hour 1), not every minute of that hour
0 1 * * *       /usr/bin/killall ssh-agent ; true

...which means in the morning, I log in and ssh-agent loads my keys for the duration of the workday, and I can 'ssh -t servername exec sudo bash' to get passwordless root prompts if I really need to.

At the end of the day, the last logout kills ssh-agent automatically. And if it should happen to be missed because of a hard-kill or other problem, it will be killed automatically at 1am.

Last edited by Corona688; 07-11-2013 at 02:54 PM..
#5, 07-11-2013, dvbell
I have only disabled remote root login on my admin server. All the servers I access from my admin server still have remote root login turned on. However, security is asking that I disable all remote root logins.

I am not familiar with ssh-agent. I will take a look at that. Thanks.
#6, 07-11-2013, Just Ice (Forum Advisor, Philadelphia metro; joined Mar 2005; 958 posts)
you should disable all remote root logins including your access to your admin server ... all root access should only be at the local terminal, a secure terminal server or through su/sudo ... root logins at the terminal or terminal server should only be for emergencies (i.e., recovering a server that is not booting) and not done as standard practice so everybody gets used to su/sudo which gets logged ... auditors like logs ...

btw, you can still run remote commands with ssh with keys with that setup -- you just cannot login directly as root ...
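The setup the thread converges on (Corona688's passphrase-protected key held by ssh-agent plus a dedicated sudo account, and Just Ice's "no remote root logins anywhere") as an added example, not code posted in the thread. It audits a target's sshd_config the way sshd itself resolves keywords and fans one command out to many hosts through the agent; ADMIN_USER and the hosts file are placeholders.

```sh
#!/bin/sh
# Added example, not from the thread. Audits sshd_config for what the
# auditors asked for, then runs the "one passphrase, many servers" loop
# through ssh-agent as a dedicated sudo account (ADMIN_USER: placeholder).

# Effective value of an sshd_config keyword. sshd uses the FIRST
# uncommented occurrence, and settings after a Match block are
# conditional, so stop there. Prints nothing if the keyword is unset.
sshd_option() {   # sshd_option <sshd_config> <keyword>
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == "match"     { exit }
        tolower($1) == key         { print $2; exit }' "$1"
}

# Audit one sshd_config: PermitRootLogin and PasswordAuthentication must
# both be explicitly "no" (an unset keyword falls back to the sshd
# default, which varies by version, so it is reported as a finding).
# Returns 0 when compliant, 1 otherwise, and prints one line per keyword.
audit_sshd_config() {   # audit_sshd_config <sshd_config>
    rc=0
    for kw in PermitRootLogin PasswordAuthentication; do
        v=$(sshd_option "$1" "$kw")
        if [ "$(printf '%s' "$v" | tr 'A-Z' 'a-z')" = "no" ]; then
            printf 'PASS %s=%s\n' "$kw" "$v"
        else
            printf 'FAIL %s=%s\n' "$kw" "${v:-<unset>}"
            rc=1
        fi
    done
    return $rc
}

# Fan one command out to every host in a file, logging in as the
# dedicated non-root account and escalating with sudo. The key comes
# from ssh-agent (ssh-add prompts for its passphrase once); BatchMode
# and sudo -n make a missing key or a password prompt fail loudly
# instead of hanging the loop.
ADMIN_USER=${ADMIN_USER:-sshadm}   # placeholder account name
fanout() {   # fanout <hosts-file> <command> [args...]
    [ -n "$SSH_AUTH_SOCK" ] || { echo "no ssh-agent: run ssh-agent and ssh-add first" >&2; return 1; }
    hosts=$1; shift
    while read -r host; do
        case "$host" in ''|'#'*) continue ;; esac
        printf '== %s\n' "$host"
        ssh -o BatchMode=yes -o PasswordAuthentication=no -l "$ADMIN_USER" "$host" sudo -n -- "$@" \
            || printf 'FAILED on %s\n' "$host" >&2
    done < "$hosts"
}
```

Running `audit_sshd_config /etc/ssh/sshd_config` through `fanout` against the managed servers gives the auditors a per-host PASS/FAIL record, while the sudo log on each server records who ran what.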
#7, 07-12-2013, dvbell
Yes, that is where we are headed.