Technical Generalism

Work-in-progress projects, ideas, how-tos, and rants from a guy in the InfoSec industry

Passwordless and Secure SSH Keys for Log Pulls


Secure passwordless SSH keys? Surely some infosec policy auditor is crying right now. Here’s how to pacify them with a couple of options you may or may not have heard of in ~/.ssh/authorized_keys.

So here’s the skinny. You’ll need two things to get this done.

  1. A dedicated SSH key for each batch log pull.
  2. A simple shell script.

Take a look at the sshd(8) man page, and scroll down to the AUTHORIZED_KEYS FILE FORMAT section. There’s a section on options there, where you can tell the SSH server to restrict clients connecting in with that key. One of them forces a command via command="command here". That is how you explicitly force a command to run whenever an SSH client connects using that key: whatever the client asked for is ignored, and the client cannot run anything else with that key. Sweet, huh?

About that simple shell script. The SSH daemon on the remote server puts the command the client originally asked for into an environment variable, SSH_ORIGINAL_COMMAND. So here’s what you do. Put the below script in /tmp/saveme.sh, chmod a+rx it to make it executable, and put command="/tmp/saveme.sh" in your authorized_keys file.

simple shell script to save off the original command

#!/bin/bash
# Dump everything sshd hands the forced command, so the command the client
# actually asked for (SSH_ORIGINAL_COMMAND) can be read out of /tmp/command.txt.
echo "Environment:" >> /tmp/command.txt
set >> /tmp/command.txt
echo "Arguments:" >> /tmp/command.txt
echo "$*" >> /tmp/command.txt

So run your command using the SSH key you have dedicated to the log pull, look in /tmp/command.txt for SSH_ORIGINAL_COMMAND to see exactly what that program wanted to run on the remote host, and put that in the command="stuff" line in your authorized_keys file.

Now. This is all about segmentation, least privilege, etc., right? So let’s REALLY lock this down. Other options you want to pay attention to:

  • from="pattern-list" (go read man ssh_config for details; note 1 below)
  • no-agent-forwarding
  • no-pty
  • no-port-forwarding
  • no-X11-forwarding
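As an added example (not code from the original post), here is what the forced command can look like once the captured command is known. Rather than pasting the raw rsync line into command=, a small wrapper checks SSH_ORIGINAL_COMMAND against the one invocation the collector is allowed to make, execs it if it matches, and logs and refuses anything else. The directory /var/log/pulled/, the reject-log path, the wrapper path and the key shown in the comment are all assumptions.

```shell
#!/bin/sh
# Forced-command wrapper for a read-only rsync log pull (added example).
# Assumed authorized_keys line (options from the post, key abbreviated):
#   command="/usr/local/bin/logpull-wrapper.sh",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 AAAA... logpull@collector

set -f                                    # never glob while splitting the command
ALLOWED_DIR="/var/log/pulled/"            # assumed: the only directory this key may pull
REJECT_LOG="/var/log/logpull-reject.log"  # assumed: where refused commands are recorded

# allow_command CMD: status 0 only if CMD is exactly
#   rsync --server --sender <option-bundle> . $ALLOWED_DIR
# (the server-side form rsync sends for "rsync host:/var/log/pulled/ dest").
# Has no side effects, so it can be unit tested on its own.
allow_command() {
    set -- $1                             # split into words (IFS whitespace only)
    [ "$#" -eq 6 ] || return 1
    # Every word must stay within a tiny character set: no ; | & $ ` quotes or globs,
    # so nothing that reaches exec below can be reinterpreted by a shell.
    for w in "$@"; do
        case "$w" in *[!A-Za-z0-9._/-]*) return 1 ;; esac
    done
    [ "$1" = rsync ] && [ "$2" = --server ] && [ "$3" = --sender ] \
        && [ "$5" = . ] && [ "$6" = "$ALLOWED_DIR" ] || return 1
    # The option bundle is one dash-prefixed word such as -logDtpre.iLsfxC
    case "$4" in -[A-Za-z.]*) return 0 ;; esac
    return 1
}

# Only act when sshd invoked us as a forced command for a client request.
if [ -n "$SSH_ORIGINAL_COMMAND" ]; then
    if allow_command "$SSH_ORIGINAL_COMMAND"; then
        set -- $SSH_ORIGINAL_COMMAND
        exec "$@"                         # already validated: plain words, no metacharacters
    fi
    printf '%s refused from %s: %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        "${SSH_CONNECTION%% *}" "$SSH_ORIGINAL_COMMAND" >> "$REJECT_LOG"
    exit 1
fi
```

Run the pull once with the saveme.sh trick above to learn the exact option bundle your rsync version sends, then tighten the pattern on the option word if you want it pinned to that build.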

So set up your rsync or what have you in cron and begin pulling logs. If you want to do log pulls say every 5 minutes, you could end up with multiple copies of the cron job running at once. Prevent that with lockrun. Really this blog post is about SSH keys, but lockrun is where it really makes things shine. Lockrun is a wrapper around a command to be run, which prevents concurrent copies of that program from running via a simple lockfile. You use this via cron. It’s dead simple.

  1. from="pattern-list" - the ssh_config(5) man page contains details on how to use this to restrict which host and/or IP address is permitted to connect in using this key.
