
SLIDE 1: sshGate

WWW.LINAGORA.COM

SLIDE 2: Plan

  • I. SERVER ACCESS PROBLEMS
  • II. SSHGATE PRESENTATION
  • III. SSHGATE INTERNAL

THURSDAY, JULY 28TH, 2011 - PAGE 2 / 35

SLIDE 3: About me

Patrick GUIRAN

SLIDE 4: Plan (same content as slide 2)

SLIDES 5-8: I. Server access problem - Information system

(Four diagram slides, identical in the extraction: "The admin" and the information system.)

SLIDE 9: I. Server access problem - Access through different ways

§ Access with password
  • Taken from LDAP/Kerberos/…
  • Can be found on a « post-it » :)
  • Can be shared between many administrators
  • …or only one administrator has all the passwords

§ Access with keys
  • Who does this key belong to?
  • Add my friend's keys

§ Access to all servers
  • Even business-critical servers (mail, database)
  • …for everyone, unconditionally

SLIDE 10: I. Server access problem - Access management

§ Arrival and departure of an administrator?
§ Who has access to a server? (simple to answer)
§ Which servers does an administrator have access to? (complex)
  • « Simple » when the administrator has access to all servers :)
  • Good administrator: « It's so simple! » (really?)
§ Who grants and restricts access?

The "complex" question, answered the hard way: look for the administrator's public key in the authorized_keys of every server on the list.

    # which servers carry this user's key?
    # grep -F: the '/' and '+' in a key blob must not be read as a regex
    # both files are fetched because OpenSSH reads authorized_keys and authorized_keys2 by default
    user_sshkey=$( cat user-sshkey.pub )
    for serveur in $( cat list-server.txt ) ; do
      ssh "${serveur}" 'cat ~/.ssh/authorized_keys ~/.ssh/authorized_keys2 2>/dev/null' \
        | grep -qF -- "${user_sshkey}" && echo "${serveur}"
    done
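The loop above matches the whole line of the .pub file, so an entry that carries the same key with a different comment, or with authorized_keys options in front (`command="...",no-pty ...`), is missed, and the question "who does this key belong to?" stays open. The following is an added example, not sshGate's or the slide's code: it compares key material (type + base64 blob) instead of the line, then reuses that check in the same per-server loop. Hostnames, paths and the key blobs in the comments are constructed for the example; the functions assume OpenSSH's two default AuthorizedKeysFile locations.

```sh
#!/bin/sh
# Added example (not sshGate's code): answer "which servers carry this key?" by comparing
# key material instead of grepping the whole public-key line. Hostnames, paths and key
# blobs used with these functions are constructed for the example.

# key_id "<line>": print "<type> <base64>" from a public-key or authorized_keys line,
# skipping leading options (command="...",no-pty,...) and the trailing comment.
# Prints nothing for blank lines, comments and lines with no recognisable key type.
key_id() {
  printf '%s\n' "$1" | awk '
    /^[ \t]*(#|$)/ { exit }
    {
      for (i = 1; i < NF; i++)
        if ($i ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)|sk-[a-z0-9-]+@openssh\.com)$/) {
          print $i " " $(i + 1)
          exit
        }
    }'
}

# key_granted "<pubkey-line>" <authorized_keys-file>: status 0 if any entry carries the same
# key, whatever its options or comment say (a plain grep of the .pub line misses those).
key_granted() {
  want=$(key_id "$1")
  [ -n "$want" ] || { echo "not a public key line: $1" >&2; return 2; }
  while IFS= read -r line; do
    [ "$(key_id "$line")" = "$want" ] && return 0
  done < "$2"
  return 1
}

# servers_granting_key <pubkey-file> <server-list-file>: the slide's loop, one ssh per server.
servers_granting_key() {
  pub=$(cat "$1")
  while read -r server; do
    [ -n "$server" ] || continue
    # -n: ssh must not read the server list from stdin; BatchMode: never hang on a prompt.
    # Both default AuthorizedKeysFile locations are fetched; a missing file is not an error.
    ak=$(ssh -n -o BatchMode=yes -- "$server" \
           'cat ~/.ssh/authorized_keys ~/.ssh/authorized_keys2 2>/dev/null') || continue
    tmp=$(mktemp)
    printf '%s\n' "$ak" > "$tmp"
    key_granted "$pub" "$tmp" && echo "$server"
    rm -f "$tmp"
  done < "$2"
}
```

`servers_granting_key user-sshkey.pub list-server.txt` prints each server that still trusts the key, including entries hidden behind a `command=` option or renamed comment. The `-n` on ssh matters in a `while read` loop: without it ssh would swallow the rest of the server list from stdin.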

SLIDE 11: I. Server access problem - Our needs

§ Must have
  ✓ Use the SSH protocol
  ✓ Use key authentication
  ✓ No user keys on administrated servers
  ✓ Unified access control list (ACL)

§ Nice to have
  ✓ Log connection events
  ✓ Record user SSH sessions
  ✓ Notification of administration events

SLIDE 12: I. Server access problem - Look for an existing solution

❑ Wallix AdminBastion
  • Solution from France, closed source + licence, supports ssh/telnet/rdp

❑ Observe-it
  • Solution from the USA, closed source + licence, supports ssh/telnet/rdp

❑ sshProxy
  • Open source (GPLv2), Python, requires specific client software
  • Dead since 2008(?), unable to download the project from its website

❑ AdminProxy
  • Open source, sponsored by the French government
  • Supported by Wallix, Mandriva and university Paris 6
  • 2-year project, should have ended in September 2010
  • Where is the repository? :(

SLIDE 13: I. Server access problem - Search result

§ No solution
  • Too expensive
  • Requires a wide installation
  • Not found

➫ Development of sshGate!
  • Free and open source
  • Make it quick
  • Simple

SLIDE 14: I. Server access problem - Limitations & challenges

§ Use existing tools: OpenSSH & PuTTY
  • No installation required on administrated servers
  • No installation required on client systems

§ Cross-platform
  • sshGate server
  • Administrated servers
  • Client computers

§ No patch on the sshGate server (no sshd patches)
§ Simple, with few dependencies (no SQL database, …)

SLIDE 15: Contents

  • I. SERVER ACCESS PROBLEMS
  • II. SSHGATE PRESENTATION
  • III. SSHGATE INTERNAL

SLIDE 16: II. sshGate presentation - Global view

(Diagram slide.)

SLIDE 17: II. sshGate presentation - Functionalities

  ✓ Supports SSH sessions & SCP file transfers
  ✓ Centralised ACL management (users, groups)
  ✓ Management of server name aliases
  ✓ Multi-login support
  ✓ SSH configuration support (global and per server/login)
  ✓ Logs connection events
  ✓ Records SSH sessions
  ✓ CLI administration interface

SLIDE 18: II. sshGate presentation - Characteristics

§ Licence: GPLv2+
§ Language: shell script (sh, dash, bash, zsh)
§ Cross-platform:
  • Servers: Linux, Solaris, *BSD
  • Clients: Linux, MacOS, Windows/PuTTY

SLIDE 19: II. sshGate presentation - History

§ Birth of sshGate: August 2010
§ First use in production: September 2010
§ Versions:
  • Production: 0.1
  • Trunk: 0.2
  • Version 1.0 to be released this summer

SLIDE 20: II. sshGate presentation - sshGate usage at Linagora

§ Some numbers
  • 61 users
  • 10 user groups
  • 161 administrated systems
  • 214 server aliases

§ Accesses
  • 96 group accesses
  • 103 user accesses

§ During the last 6 months
  • 2063 SCP transfers
  • 16568 SSH sessions

SLIDE 21: II. sshGate presentation - Known bugs

§ DoS: flood the logs until the disk is full

    user@host $ cat /dev/random   # flood :(

  One solution: if a big log file is growing too fast, kill the connection.

§ It is possible to hide some commands

    user@host $ read -s var       # typed without echo: rm -rf *
    user@host $ eval "${var}"     # Ouch !

  This is not a bug. sshGate does not log keyboard events, and never will! The session recording captures what the terminal displays, so a command read silently and then run through eval leaves no trace of itself in the recording.

SLIDE 22: II. sshGate presentation - Roadmap

Timeline: July, August, September, in the future

  • Debian packaging
  • telnet support
  • DoS protection
  • Packaging: Solaris, FreeBSD, Fedora, Arch
  • Web administration interface
  • OpenSSH certificate support
  • LDAP support

SLIDE 23: Contents

  • I. SERVER ACCESS PROBLEMS
  • II. SSHGATE PRESENTATION
  • III. SSHGATE INTERNAL

SLIDES 24-27: III. sshGate internal - Session opening steps (1/4 to 4/4)

§ 1. Connect to the sshGate server via SSH
  • Check that the user's SSH key exists in authorized_keys
  • Launch sshgate-bridge

§ 2. Parse SSH_ORIGINAL_COMMAND:
  • Determine the action: ssh or scp? Remote command?
  • Extract the target host the user wants to administrate and check it against the ACL

§ 3. Launch the ssh client: <ssh-login>@<target> (<command>)
  • Use known_hosts to check the target host identity
  • Use the configured parameters (ssh_config, ssh key)

§ 4. Connection is established
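The four steps above, as an added example that is not sshGate's own code: a minimal forced-command bridge in POSIX sh. The ACL file format ("<user> <target>" per line), the paths under /etc/sshgate-demo, the client conventions (`ssh sshgate@gate <target> [command]`, `scp file sshgate@gate:<target>:<path>`, which sshd hands to the bridge as `scp -t <target>:<path>`) and the `--bridge` entry point are assumptions made for the example; sshGate's real bridge, alias resolution, multi-login and session recording are not reproduced. What it does show is the security shape of the design: the user's key is pinned to the bridge on the gateway and never deployed on a target, the target name is validated before it can reach the ssh command line, the ACL decides where the user may go, and the gateway's own known_hosts is the only trusted source of target identity.

```sh
#!/bin/sh
# Added example (not sshGate's code): a minimal forced-command bridge following the four
# session-opening steps. ACL format, paths, client conventions and the --bridge entry
# point are assumptions made for the example.
#
# Step 1 happens in sshd. The user's key lives ONLY on the gateway, pinned to this script
# (constructed authorized_keys entry for the gateway account):
#   command="/opt/sshgate-demo/bridge.sh alice",no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-ed25519 AAAA... alice@laptop

ACL_FILE="${ACL_FILE:-/etc/sshgate-demo/acl}"                 # lines: "<user> <target>"
KNOWN_HOSTS="${KNOWN_HOSTS:-/etc/sshgate-demo/known_hosts}"   # target host keys, curated by the admins
GATE_KEY="${GATE_KEY:-/etc/sshgate-demo/id_gate}"             # the gateway's own key, trusted by the targets
TARGET_LOGIN="${TARGET_LOGIN:-root}"                          # default login on the target

# Only hostnames/aliases may reach the ssh command line: no leading '-' (it would be
# parsed as an ssh option, e.g. -oProxyCommand=...), no shell metacharacters.
check_target() {
  case "$1" in
    ""|-*|*[!A-Za-z0-9._-]*) echo "invalid target '$1'" >&2; return 1 ;;
  esac
}

# Step 2: parse SSH_ORIGINAL_COMMAND. Prints "<action>TAB<target>TAB<remote command>".
#   "web01 uptime"          -> ssh  web01  uptime
#   "web01"                 -> ssh  web01  (empty: interactive shell)
#   "scp -t web01:/srv/www" -> scp  web01  scp -t /srv/www   (relayed to the target's scp sink)
parse_request() {
  req="$1"
  [ -n "$req" ] || { echo "no target given" >&2; return 1; }
  set -f                 # never glob-expand what the user typed on the gateway
  # shellcheck disable=SC2086
  set -- $req
  if [ "$1" = "scp" ]; then
    shift
    flags=""
    while [ $# -gt 1 ]; do flags="$flags $1"; shift; done
    case " $flags " in
      *" -t "*|*" -f "*) ;;
      *) echo "only scp sink/source modes are relayed" >&2; return 1 ;;
    esac
    target="${1%%:*}"; path="${1#*:}"
    [ "$target" != "$1" ] || { echo "scp target must be <host>:<path>" >&2; return 1; }
    check_target "$target" || return 1
    printf 'scp\t%s\tscp%s %s\n' "$target" "$flags" "$path"
  else
    target="$1"; shift
    check_target "$target" || return 1
    printf 'ssh\t%s\t%s\n' "$target" "$*"
  fi
}

# ACL check: a line "<user> <target>" grants <user> access to <target>; anything else is denied.
acl_allows() {
  grep -qxF -- "$1 $2" "$ACL_FILE"
}

# Constructed sample ACL for trying the functions out.
write_demo_acl() {
  printf '%s\n' 'alice web01' 'alice web02' 'bob db01' > "$1"
}

# Steps 2-4 end to end: $1 is the gateway user named in the authorized_keys command= option.
bridge_main() {
  gate_user="$1"
  parsed=$(parse_request "${SSH_ORIGINAL_COMMAND:-}") || exit 1
  IFS="$(printf '\t')" read -r action target cmd <<EOF
$parsed
EOF
  if ! acl_allows "$gate_user" "$target"; then
    logger -t sshgate-demo "DENY user=$gate_user action=$action target=$target"
    echo "access denied to '$target'" >&2
    exit 1
  fi
  logger -t sshgate-demo "ALLOW user=$gate_user action=$action target=$target cmd=${cmd:-<shell>}"
  # Step 3: StrictHostKeyChecking=yes against the gateway's known_hosts is what makes the
  # target identity check real; an unknown or changed host key aborts instead of prompting.
  # What the user runs ON the target is not filtered: the ACL decides where, not what.
  set -- -o StrictHostKeyChecking=yes -o UserKnownHostsFile="$KNOWN_HOSTS" \
         -o BatchMode=yes -i "$GATE_KEY" -- "$TARGET_LOGIN@$target"
  if [ -n "$cmd" ]; then exec ssh "$@" "$cmd"; else exec ssh "$@"; fi
}

# Act as the bridge only when called with --bridge, so the file can also be sourced for testing.
if [ "${1:-}" = "--bridge" ]; then
  shift
  bridge_main "$@"
fi
```

Installed as /opt/sshgate-demo/bridge.sh with the `command=` line above in the gateway account's authorized_keys, `ssh sshgate@gate web01 uptime` is allowed for alice and `ssh sshgate@gate db01` is refused before any connection to db01 is attempted. The scp relay covers the classic scp protocol only; OpenSSH 9 clients default to SFTP and need `scp -O` to produce the `scp -t`/`scp -f` request this bridge expects.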

SLIDE 28: III. sshGate internal - Administration CLI

(Figure slide.)

SLIDE 29: III. sshGate internal - Entity-relationship model

(Figure slide.)

SLIDE 30: III. sshGate internal - Architecture

(Figure slide.)

SLIDE 31: III. sshGate internal - ScriptHelper library

§ Shell script toolkit
  • Makes scripts quicker to write
  • Aims to be POSIX compliant (as much as possible)

§ Some of the libraries:
  • exec.lib.sh: run commands with checks, rollback capability
  • ask.lib.sh: ask questions easily
  • cli.lib.sh: build a CLI
  • conf.lib.sh: build and use a configuration file
  • mutex.lib.sh / lock.lib.sh: lock and mutex management
  • record.lib.sh: record and replay a shell session
  • ...

SLIDE 32: III. sshGate internal - ask.lib.sh usage

    ASK SSHGATE_TARGETS_DEFAULT_SSH_LOGIN \
      "What's the default user account to use when connecting to target host ?" \
      "${SSHGATE_TARGETS_DEFAULT_SSH_LOGIN}"
    CONF_SAVE SSHGATE_TARGETS_DEFAULT_SSH_LOGIN

    ASK --yesno SSHGATE_MAIL_SEND \
      "Activate mail notification system [Yes] ?" \
      "Y"
    if [ "${SSHGATE_MAIL_SEND}" = 'Y' ]; then
      ASK SSHGATE_MAIL_TO \
        "Who will receive mail notification (comma separated mails) ?" \
        "${SSHGATE_MAIL_TO}"
      # no recipient given: switch notifications back off (same variable as above)
      [ -z "${SSHGATE_MAIL_TO}" ] && SSHGATE_MAIL_SEND='N'
    fi
    CONF_SAVE SSHGATE_MAIL_SEND
    CONF_SAVE SSHGATE_MAIL_TO

SLIDE 33: III. sshGate internal - cli.lib.sh usage

    # load ScriptHelper
    . ./lib/cli.lib.sh

    # help generation
    # SSHGATE_GET_HELP         : in sshGate, extract help content from comments in the code
    # SSHGATE_DISPLAY_HELP     : how to display the help menu
    # SSHGATE_DISPLAY_HELP_FOR : how to display help for a command
    CLI_REGISTER_HELP '/tmp/sshgate-cli-help.txt' \
      SSHGATE_GET_HELP \
      SSHGATE_DISPLAY_HELP \
      SSHGATE_DISPLAY_HELP_FOR

    # register CLI contextual menus and CLI commands
    CLI_REGISTER_MENU 'user' 'User related commands'
    CLI_REGISTER_COMMAND 'user list' 'USERS_LIST'
    CLI_REGISTER_COMMAND 'user list <pattern>' 'USERS_LIST \1'
    CLI_REGISTER_COMMAND 'user add <user> mail <email>' 'USER_ADD \1 \2'
    CLI_REGISTER_COMMAND 'user del <user>' 'USER_DEL \1'

    # launch the CLI
    CLI_RUN

SLIDE 34: III. sshGate internal - Industrialization

§ sshGate and ScriptHelper
  • build.sh: build a package to deploy
  • install.sh / uninstall.sh: quick & easy deployment
  • test.sh: run the tests

    tauop@Tauopbox:~/sshGate$ ./build.sh server
    sshgate version ? 0.2
    sshGate build number ? 014
    Include ScriptHelper in package ? y
    - Build sshgate-server package ... OK
    tauop@Tauopbox:~/sshGate$

SLIDE 35: III. sshGate internal - Installation (1 / 2)

    tauop@Tauopbox:/tmp/sshGate-server-0.2-0.71$ sudo ./install.sh
    --- sshGate server installation ---
    by Patrick Guiran

    NOTICE: ScriptHelper will be installed as part of sshGate, not system-wide
    If you want to install ScriptHelper system-wide, please visit http://github.com/Tauop/ScriptHelper

    Where do you want to locate sshGate [/opt/sshgate] ?
    Which unix account to use for sshGate users [sshgate] ?
    What's the default user account to use when connecting to target host [root] ?
    List of available languages: fr us
    Default language for user messages [us] ? fr
    Which editor to use [vim] ?
    Activate mail notification system [Y] ?
    Who will receive mail notification (comma separated mails) [sshgate@linagora.com] ?
    Do users have to accept TOS when connecting for the first time [Y] ?
    Allow remote command [Y] ?
    Allow remote administration CLI [Y] ?

SLIDE 36: III. sshGate internal - Installation (2 / 2)

    [...]
    Reload configuration ... OK
    Installing sshGate ... OK
    Generate default sshkey pair ... OK
    Setup files permissions ... OK
    Install archive cron ... OK

    You need to add the first user of sshGate, which will be sshGate administrator.
    This user will allow you to manage other users, targets and accesses.
    user login ? pguiran
    user mail ? pguiran@linagora.com

    In order to administrate sshGate, just ssh this host with this user
      If you have installed sshGate client -> sshg cli
      with standard ssh client            -> ssh -t sshgate@Tauopbox cli
      from this terminal                  -> /opt/sshgate/bin/sshgate-cli -u pguiran

    NOTICE: You may add /opt/sshgate/bin in your PATH variable
    tauop@Tauopbox:/tmp/exmaple/sshGate-server-0.2-0.71$

SLIDE 37: III. sshGate internal - Tests

    root@gate:/opt/sshgate/bin/tests# ./test.sh all
    Loading sshGate core ... OK
    Setup sshGate data directory ... OK
    Generate temporary test file ... OK
    Generate temporary sshkey test file ... OK
    Create and setup temporary Unix account ... OK
    Reset temporary test file ... OK
    Reset sshGate data directories ... OK
    Generate user tests ... OK
    Launch user tests ... OK
    Reset temporary test file ... OK
    Reset sshGate data directories ... OK
    Generate target tests ... OK
    Launch target tests ... OK
    Reset temporary test file ... OK
    Reset sshGate data directories ... OK
    Generate usergroup tests ... OK
    Launch usergroup tests ... OK
    Reset temporary test file ... OK
    Reset sshGate data directories ... OK
    Generate access tests ... OK
    Launch access tests ... OK
    Remove tests data ... OK
    root@gate:/opt/sshgate/bin/tests#

SLIDE 38: IV. sshGate internal - Recycle sshGate

(Figure slide.)

SLIDE 39: IV. Luck, get the source - Download, test, provide feedback, contribute

  ✓ sshGate - http://www.github.com/Tauop/sshGate
  ✓ ScriptHelper - http://www.github.com/Tauop/ScriptHelper
  ✓ IRC@Freenode #linagora - Tauop
  ✓ Contact: pguiran@linagora.com / patrick.guiran@gmail.com

SLIDE 40: Q & A

Questions & Answers

SLIDE 41: Thank you

Contact: LINAGORA - Siège social, 80, rue Roque de Fillol, 92800 PUTEAUX, France
  • Phone: (+33) 1 58 18 68 28
  • Fax: (+33) 1 46 96 63 64
  • Mail: info@linagora.com

WWW.LINAGORA.COM