In this post, we will develop a procedure for emergency access to SSH hosts using offline security keys. This is just one approach, and you can adapt it for yourself. We will store the SSH CA for our hosts on a hardware security key. This scheme will work on almost any OpenSSH, including SSH with single sign-on.
Why all this? Well, this is a last resort option. This is a backdoor that will allow you to access your server in the event that for some reason nothing else helps.
Why use certificates instead of public / private keys for emergency access?
- , . , 1 5 . . .
- โโ ยซยป .
- , .
โ , . - PIN-. , โ . , , , USB- Yubikey 5. , . , . - .
- OpenSSH 8.2 , . Ubuntu 20.04 OpenSSH 8.2.
- (optional, but desirable) CLI tool for verifying certificates.
Training
First, you need to create a certification authority that will reside on the hardware security key. Insert the key and run:
$ ssh-keygen -t ecdsa-sk -f sk-user-ca -O resident -C [security key ID]
As a comment (-C), I pointed to yubikey-9-512-742@smallstep.com so that I don't forget which security key this CA belongs to.
Besides adding the key to Yubikey, two files will be generated locally:
- sk-user-ca, a key descriptor that refers to the private key stored in the security key,
- sk-user-ca.pub, which will be the public key for your CA.
But don't worry, Yubikey has another private key that cannot be retrieved. Therefore, everything is reliable here.
On hosts as root, add (if not already added) to your SSHD configuration (/ etc / ssh / sshd_config) the following:
TrustedUserCAKeys /etc/ssh/ca.pub
Then on the host add the public key (sk-user-ca.pub) to /etc/ssh/ca.pub
Restart the daemon:
# /etc/init.d/ssh restart
Now we can try to access the host. But first we need a certificate. Create a key pair to be associated with the certificate:
$ ssh-keygen -t ecdsa -f emergency
Certificates and SSH Pairs
Sometimes it's tempting to use a certificate as a substitute for a public / private key pair. But for user authentication one certificate is not enough. Each certificate also has a private key associated with it. This is why we need to generate this "emergency" key pair before we can issue ourselves a certificate. What is important is that we show the signed certificate to the server, indicating the key pair for which we have a private key.
Thus, public key exchange is still alive and well. It works even with certificates. Certificates simply eliminate the need for the server to store public keys.
Next, create the certificate itself. I need ubuntu user authorization in 10 minute interval. You can do it your way.
$ ssh-keygen -s sk-user-ca -I test-key -n ubuntu -V -5m:+5m emergency
You will be prompted to sign the certificate with your fingerprint. You can add additional usernames separated by commas, for example -n ubuntu, carl, ec2-user
That's it, now you have a certificate! Next, you need to specify the correct permissions:
$ chmod 600 emergency-cert.pub
After that, you can familiarize yourself with the contents of your certificate:
$ step ssh inspect emergency-cert.pub
This is what mine looks like:
emergency-cert.pub
Type: ecdsa-sha2-nistp256-cert-v01@openssh.com user certificate
Public key: ECDSA-CERT SHA256:EJSfzfQv1UK44/LOKhBbuh5oRMqxXGBSr+UAzA7cork
Signing CA: SK-ECDSA SHA256:kLJ7xfTTPQN0G/IF2cq5TB3EitaV4k3XczcBZcLPQ0E
Key ID: "test-key"
Serial: 0
Valid: from 2020-06-24T16:53:03 to 2020-06-24T17:03:03
Principals:
ubuntu
Critical Options: (none)
Extensions:
permit-X11-forwarding
permit-agent-forwarding
permit-port-forwarding
permit-pty
permit-user-rc
Here the public key is the emergency key we created, and the CA is associated with sk-user-ca.
We are finally ready to run the SSH command:
$ ssh -i emergency ubuntu@my-hostname
ubuntu@my-hostname:~$
- You can now create certificates for any user on the host that trusts your CA.
- You can remove emergency. You can keep sk-user-ca, but you don't need that as it is also on the security key. You might also want to remove the original PEM public key from your hosts (for example in ~ / .ssh / authorized_keys for the ubuntu user) if you used it for emergency access.
Emergency Access: Action Plan
Insert the security key and run the command:
$ ssh-add -K
This will add the CA's public key and key descriptor to the SSH agent.
Now export the public key to make the certificate:
$ ssh-add -L | tail -1 > sk-user-ca.pub
Create a certificate with an expiration date of, for example, no more than an hour:
$ ssh-keygen -t ecdsa -f emergency
$ ssh-keygen -Us sk-user-ca.pub -I test-key -n [username] -V -5m:+60m emergency
$ chmod 600 emergency-cert.pub
And now SSH again:
$ ssh -i emergency username@host
If your .ssh / config file is causing any connection problems, you can run ssh with the -F none option to do without it. If you need to send a certificate to a colleague, the easiest and safest option is Magic Wormhole . This requires only two files - in our case, these are emergency and emergency-cert.pub.
What I love about this approach is the hardware support. You can put the security keys in the safe and they won't go anywhere.
Advertising
Epic servers are cheap VPS with powerful processors from AMD, CPU core frequency up to 3.4 GHz. The maximum configuration allows you to solve almost any problem - 128 CPU cores, 512 GB RAM, 4000 GB NVMe. Join now!