Secure passwordless SSH keys? Surely some infosec policy auditor is crying right now. Here’s how to pacify them with a couple of options you may or may not have heard of in
So here’s the skinny. You’ll need two things to get this done.
- A dedicated SSH key for each batch log pull.
- A simple shell script.
Take a look at the sshd(8) man page and scroll down to the AUTHORIZED_KEYS FILE FORMAT section. It lists options that tell the SSH server to restrict clients connecting with that key. One of them forces a command via command="command here": when a client connects using that key, the forced command runs and nothing else does, whatever the client actually asked for. Sweet, huh?
About that simple shell script. The SSH daemon on the remote server puts the command the client originally asked to run into an environment variable, SSH_ORIGINAL_COMMAND. So here's what you do. Put the script below in /tmp/saveme.sh, chmod a+rx it to make it executable, and put command="/tmp/saveme.sh" in your
So run your command using the SSH key dedicated to the log pull, look at /tmp/command.txt to see exactly what that program wants to run on the remote host, and edit the command="stuff" line in your
Now, this is all about segmentation, least privilege, etc., right? So let's REALLY lock this down. Other options you want to pay attention to:
- from="pattern-list" (go read the ssh_config(5) man page for details)[1]
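Here is what a forced-command wrapper along the lines described above can look like once you know what the log pull wants to run. This is an added example, not the post's own /tmp/saveme.sh: it records SSH_ORIGINAL_COMMAND to /tmp/command.txt as the post describes, but also only executes the request if it is a read-only rsync pull with no shell metacharacters, refusing anything else. The SAVEME_LOG override variable and the exact rsync argument string in the comments are assumptions for the example.

```shell
#!/bin/sh
# Added example, not the post's own /tmp/saveme.sh: a forced-command wrapper
# for an authorized_keys "command=" entry. sshd puts what the client asked to
# run into SSH_ORIGINAL_COMMAND; this logs it, then runs it only if it is a
# read-only rsync pull. Everything else is refused.

# Where requests are recorded. SAVEME_LOG is a hypothetical override; the
# default is the path the post uses.
LOGFILE="${SAVEME_LOG:-/tmp/command.txt}"

# Return 0 only for an rsync server invocation in sender (pull) mode with no
# shell metacharacters anywhere in the request.
allowed_command() {
    # Refuse anything that could smuggle in a second command or a redirection.
    if printf '%s\n' "$1" | grep -q '[;&|`$()<>]'; then
        return 1
    fi
    case "$1" in
        # An rsync pull asks the remote side to run "rsync --server --sender ..."
        "rsync --server --sender "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Append a timestamped record of the request to LOGFILE.
record_command() {
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" >> "$LOGFILE"
}

# Only act when invoked by sshd as a forced command (the variable is set then).
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    record_command "$SSH_ORIGINAL_COMMAND"
    if allowed_command "$SSH_ORIGINAL_COMMAND"; then
        # Disable globbing, then word-split the request into arguments;
        # metacharacters were refused above, so this is plain rsync argv.
        set -f
        # shellcheck disable=SC2086
        exec $SSH_ORIGINAL_COMMAND
    fi
    echo "saveme.sh: refused command: $SSH_ORIGINAL_COMMAND" >&2
    exit 1
fi
```

The matching authorized_keys entry combines the options discussed above, for example `from="10.0.0.5",command="/tmp/saveme.sh",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding` followed by the public key itself (the address is a made-up placeholder). On OpenSSH 7.2 and later the single option `restrict` turns off all of those extras at once. Two practical caveats: /tmp is world-writable, so a script that sshd runs for every connection really belongs in a root-owned directory such as /usr/local/sbin, and the allowlisted rsync pattern should be tightened to the exact argument string you saw in /tmp/command.txt rather than the prefix match shown here.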
So set up your rsync or what-have-you in cron and begin pulling logs. If you pull logs every 5 minutes, say, you could end up with multiple copies of the cron job running at once. Prevent that with lockrun. Really this blog post is about SSH keys, but lockrun is where it all really shines. Lockrun is a wrapper around a command to be run which prevents concurrent copies of that program from running via a simple lockfile. You use it via cron. It's dead simple.
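For readers who cannot install lockrun, the same idea fits in a few lines of portable shell. This is an added example, not lockrun itself: a cron wrapper that uses an atomic mkdir as the lock, stores the holder's PID so a lock left behind by a crashed run can be recognised and cleared, and exits with EX_TEMPFAIL (75) when it skips a run. The install path and crontab line in the comments are assumptions.

```shell
#!/bin/sh
# Added example, not lockrun itself: a small wrapper for the cron job that skips
# the run if the previous pull is still going. mkdir is atomic, so a directory
# serves as the lock; the PID stored inside lets a lock left behind by a crashed
# run be recognised and cleared. Assumed usage (hypothetical paths):
#   */5 * * * * /usr/local/bin/run_locked /var/lock/logpull rsync -az ...
run_locked() {
    lockdir="$1"; shift
    if mkdir "$lockdir" 2>/dev/null; then
        echo "$$" > "$lockdir/pid"
        # Run the wrapped command and capture its status without tripping errexit.
        if "$@"; then rc=0; else rc=$?; fi
        rm -rf "$lockdir"
        return "$rc"
    fi
    # The lock exists. No PID yet means another copy is just starting: skip.
    holder=$(cat "$lockdir/pid" 2>/dev/null)
    if [ -z "$holder" ]; then
        echo "run_locked: $lockdir is being acquired, skipping this run" >&2
        return 75   # EX_TEMPFAIL: nothing ran, try again next time
    fi
    # Is the recorded holder still alive?
    if kill -0 "$holder" 2>/dev/null; then
        echo "run_locked: pid $holder still holds $lockdir, skipping this run" >&2
        return 75
    fi
    echo "run_locked: stale lock $lockdir (pid $holder gone), clearing" >&2
    rm -rf "$lockdir"
    return 75
}

# When executed directly (not sourced), behave as the cron wrapper.
case "$0" in
    */run_locked|run_locked) run_locked "$@" ;;
esac
```

Because the wrapped command's own exit status is passed through, cron's mail on failure still tells you whether the rsync failed or the run was merely skipped (75). Clearing a stale lock and then returning without running keeps the logic simple; the next cron tick gets a clean start.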
[1] from="pattern-list" - the ssh_config(5) man page contains details on how to use this to restrict what host and/or IP address is permitted to connect in using this key.