Score:0

Non copy/paste public key based SSH authentication


I want to remove the process of manually copying the public keys to each one of the servers for granting access.

The main problem that I'm trying to solve here is:

  • There are multiple servers across multiple cloud providers.
  • Whenever a new person joins the team we have to copy their public keys to all the servers so that they can log in.
  • This process is repetitive and cumbersome and I wanted to remove this copy-paste part with some kind of custom authentication mechanism.

I've looked into:

  • Google authenticator based ssh authentication

    • This requires setting up the environment on all the servers so that it can work which is fine but all the servers will have their own keys and the users will have to register themselves for all the servers one by one.
    • Also there will be multiple TOTPs present in the Google Authenticator app, one for each server, that may cause confusion and this experience does not look good.
    • If the token matching part can somehow be offloaded to a central server and the ssh servers just have to pass the token to that server then this method can work.
  • I've seen this with Azure servers: For an Azure server, if the Azure-based login is enabled then whenever a user tries to log in to a server (after executing the ssh command in the terminal), a browser opens up and the user is asked to enter the email and password there, and with a successful login they are provided with a token. The user then has to enter the token into the terminal to access the server.

    • I'm trying to find what this technology is called and if there is a free version available?
  • Creating a Linux user with a password and then sharing the username/password across the team so that they can use it. It can then be shared on Lastpass with the username and IP. This approach doesn't help with the audit but it can work and I've kept it as the last resort.

Thanks!

Score:1
  1. Hi there, if I understood your problem, I think it can be solved by creating a simple script using the OpenSSH secure file copy scp command.

  2. If all the team needs the same permissions to the same servers then my recommendation is:

    • create an authorized_keys file in your own computer.
    • update that file by the team's needs manually (can use a script for that too).
  3. Create a script to auto copy the updated authorized_keys from your computer to your servers:

    • scp needs permissions to the servers to work, that's why the script should run from your or any other manager's computer.
  4. Locate the script in /usr/local/sbin/ on your machine, so you can run the script from any directory on your PC.

  5. Give the script execute permissions with the command chmod a+x /usr/local/sbin/scriptName.

    • The script:
#!/bin/bash

# Ask for the path of the authorized_keys file to distribute
read -p "Please Enter Path:" -r r1

# Quote the path so spaces in it do not break the copy
scp "$r1" username@serverip:/home/username/.ssh/authorized_keys
#scp "$r1" username@serverip:/home/username/.ssh/authorized_keys
#scp "$r1" username@serverip:/home/username/.ssh/authorized_keys
#add more servers if needed....
#you could also use a switch to choose which servers are relevant for the new user.

Note that if you are running your SSH service on another port for security or other reasons, you should run the scp command with the -P option.

scp -P sshPort "$r1" username@serverip:/home/username/.ssh/authorized_keys

Example picture of the script running on my own server: (image)

  1. As I said before, you can make the script better and add some filters by "switch" to choose which servers you want to add the keys to.
  2. If the situation is as simple as you said, and each team member that joins needs permissions to all the servers, this solution should work out.

Hope that will help you out mate.

Please comment if anything is not understood or you need any more help on this case.
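The following is an added example, my own and not CrazyTux's script or anything from the question, that generalizes the answer's approach: instead of one hard-coded scp line per server, it assembles a single authorized_keys file from a directory of per-user .pub files (dropping anything that is not an OpenSSH public key line), then pushes that file to a list of user@host[:port] targets with the -P port handling the answer mentions. Directory names, host names and the deploy user are constructed placeholders; DRY_RUN=1 prints the scp commands instead of running them.

```shell
#!/bin/sh
# Added example, not the answer's own script: build one authorized_keys file
# from a directory of per-user *.pub files, then push it to a list of servers
# with scp. Host names, user names and paths are constructed placeholders.
set -eu

# build_authorized_keys KEYDIR OUTFILE
# Copies only lines that begin with a known OpenSSH key type into OUTFILE and
# prints the number of keys written. Anything else (a stray private key, a
# blank line, free text) is reported on stderr and left out, so junk never
# lands in a server's authorized_keys.
build_authorized_keys() {
  keydir="$1"
  out="$2"
  : > "$out"
  for f in "$keydir"/*.pub; do
    [ -e "$f" ] || continue          # no *.pub files: the glob stays literal
    while IFS= read -r line || [ -n "$line" ]; do
      case "$line" in
        ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-nistp256\ *|ecdsa-sha2-nistp384\ *|ecdsa-sha2-nistp521\ *|sk-ssh-ed25519@openssh.com\ *|sk-ecdsa-sha2-nistp256@openssh.com\ *)
          printf '%s\n' "$line" >> "$out" ;;
        *)
          printf 'skipping non-key line in %s\n' "$f" >&2 ;;
      esac
    done < "$f"
  done
  wc -l < "$out" | tr -d ' '
}

# push_authorized_keys FILE USER@HOST[:PORT]...
# Uploads FILE to each target's ~/.ssh/authorized_keys. A ":PORT" suffix sets
# the scp -P port (default 22). With DRY_RUN=1 the scp command is printed
# instead of run, which is how the example can be exercised offline.
push_authorized_keys() {
  file="$1"; shift
  for target in "$@"; do
    user="${target%%@*}"
    rest="${target#*@}"
    host="${rest%%:*}"
    port="${rest##*:}"
    if [ "$port" = "$rest" ]; then
      port=22                        # no ":PORT" given, use the SSH default
    fi
    dest="$user@$host:/home/$user/.ssh/authorized_keys"
    if [ "${DRY_RUN:-0}" = 1 ]; then
      printf 'scp -P %s %s %s\n' "$port" "$file" "$dest"
    else
      scp -P "$port" "$file" "$dest"
    fi
  done
}

# Usage, e.g. from a script placed in /usr/local/sbin as the answer suggests
# (placeholder paths and hosts):
#   build_authorized_keys /path/to/team-keys /tmp/authorized_keys
#   push_authorized_keys /tmp/authorized_keys deploy@web1.example:2222 deploy@db1.example
```

Because the file is rebuilt from the key directory every time, removing a leaver is the same operation as adding a joiner: delete their .pub file and push again, which also keeps an auditable copy of who is supposed to have access in one place.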

Pallav Jha
Hi @CrazyTux - Thanks for the answer. I'm currently looking into a way to decouple the ssh authentication logic from the userbase so that steps like copying/pasting or transferring the keys are removed. I'm currently looking into LDAP based authentication so that once the user's account is created there, all the servers will use that for authentication.