We register the procedure for emergency access to SSH hosts with hardware keys

In this post, we will develop a procedure for emergency access to SSH hosts using offline security keys. This is just one approach, and you can adapt it for yourself. We will store the SSH CA for our hosts on a hardware security key. This scheme will work on almost any OpenSSH, including SSH with single sign-on.



Why all this? Well, this is a last resort option. This is a backdoor that will allow you to access your server in the event that for some reason nothing else helps.



Why use certificates instead of public / private keys for emergency access?

• , . , 1 5 . . .
• ​​ «» .

• , .
  
  — , . - PIN-. , — . , , , USB- Yubikey 5. , . , .
• .
• OpenSSH 8.2 , . Ubuntu 20.04 OpenSSH 8.2.
• (optional, but desirable) CLI tool for verifying certificates.

Training

First, you need to create a certification authority that will reside on the hardware security key. Insert the key and run:

$ ssh-keygen -t ecdsa-sk -f sk-user-ca -O resident -C [security key ID]

As a comment (-C), I pointed to yubikey-9-512-742@smallstep.com so that I don't forget which security key this CA belongs to.



Besides adding the key to Yubikey, two files will be generated locally:

1. sk-user-ca, a key descriptor that refers to the private key stored in the security key,
2. sk-user-ca.pub, which will be the public key for your CA.

But don't worry, Yubikey has another private key that cannot be retrieved. Therefore, everything is reliable here.



On hosts as root, add (if not already added) to your SSHD configuration (/ etc / ssh / sshd_config) the following:

TrustedUserCAKeys /etc/ssh/ca.pub

Then on the host add the public key (sk-user-ca.pub) to /etc/ssh/ca.pub



Restart the daemon:

# /etc/init.d/ssh restart

Now we can try to access the host. But first we need a certificate. Create a key pair to be associated with the certificate:

$ ssh-keygen -t ecdsa -f emergency

Certificates and SSH Pairs

Sometimes it's tempting to use a certificate as a substitute for a public / private key pair. But for user authentication one certificate is not enough. Each certificate also has a private key associated with it. This is why we need to generate this "emergency" key pair before we can issue ourselves a certificate. What is important is that we show the signed certificate to the server, indicating the key pair for which we have a private key.



Thus, public key exchange is still alive and well. It works even with certificates. Certificates simply eliminate the need for the server to store public keys.

Next, create the certificate itself. I need ubuntu user authorization in 10 minute interval. You can do it your way.

$ ssh-keygen -s sk-user-ca -I test-key -n ubuntu -V -5m:+5m emergency

You will be prompted to sign the certificate with your fingerprint. You can add additional usernames separated by commas, for example -n ubuntu, carl, ec2-user



That's it, now you have a certificate! Next, you need to specify the correct permissions:

$ chmod 600 emergency-cert.pub

After that, you can familiarize yourself with the contents of your certificate:

$ step ssh inspect emergency-cert.pub

This is what mine looks like:

emergency-cert.pub
        Type: ecdsa-sha2-nistp256-cert-v01@openssh.com user certificate
        Public key: ECDSA-CERT SHA256:EJSfzfQv1UK44/LOKhBbuh5oRMqxXGBSr+UAzA7cork
        Signing CA: SK-ECDSA SHA256:kLJ7xfTTPQN0G/IF2cq5TB3EitaV4k3XczcBZcLPQ0E
        Key ID: "test-key"
        Serial: 0
        Valid: from 2020-06-24T16:53:03 to 2020-06-24T17:03:03
        Principals:
                ubuntu
        Critical Options: (none)
        Extensions:
                permit-X11-forwarding
                permit-agent-forwarding
                permit-port-forwarding
                permit-pty
                permit-user-rc

Here the public key is the emergency key we created, and the CA is associated with sk-user-ca.



We are finally ready to run the SSH command:

$ ssh -i emergency ubuntu@my-hostname
ubuntu@my-hostname:~$

1. You can now create certificates for any user on the host that trusts your CA.
2. You can remove emergency. You can keep sk-user-ca, but you don't need that as it is also on the security key. You might also want to remove the original PEM public key from your hosts (for example in ~ / .ssh / authorized_keys for the ubuntu user) if you used it for emergency access.

Emergency Access: Action Plan

Insert the security key and run the command:

$ ssh-add -K

This will add the CA's public key and key descriptor to the SSH agent.



Now export the public key to make the certificate:

$ ssh-add -L | tail -1 > sk-user-ca.pub

Create a certificate with an expiration date of, for example, no more than an hour:

$ ssh-keygen -t ecdsa -f emergency
$ ssh-keygen -Us sk-user-ca.pub -I test-key -n [username] -V -5m:+60m emergency
$ chmod 600 emergency-cert.pub

And now SSH again:

$ ssh -i emergency username@host

If your .ssh / config file is causing any connection problems, you can run ssh with the -F none option to do without it. If you need to send a certificate to a colleague, the easiest and safest option is Magic Wormhole . This requires only two files - in our case, these are emergency and emergency-cert.pub.



What I love about this approach is the hardware support. You can put the security keys in the safe and they won't go anywhere.

---

Advertising

Epic servers are cheap VPS with powerful processors from AMD, CPU core frequency up to 3.4 GHz. The maximum configuration allows you to solve almost any problem - 128 CPU cores, 512 GB RAM, 4000 GB NVMe. Join now!