2. Plan
I. SERVER ACCESS PROBLEMS
II. SSHGATE PRESENTATION
III. SSHGATE INTERNAL
THURSDAY, JULY 28TH, 2011
PAGE 2 / 35
3. About me
Patrick GUIRAN
5. I. Server access problem
Information system [diagram: the admin]
9. I. Server access problem
Access in different ways
§ Access with a password
• Picked up from an LDAP/Kerberos/… directory
• Can be found on a « post-it »
• Can be shared between many administrators
• …or only one administrator has all the passwords
§ Access with keys
• Who does this key belong to?
• Add my friend's keys
§ Access to all servers
§ Even business-critical servers (mail, database)
• …for everyone, unconditionally
10. I. Server access problem
Access management
§ Arrival and departure of an administrator?
§ Who has access to a server? (simple to answer)
§ Which servers does an administrator have access to? (complex)
• « Simple » when the administrator has access to all servers
• Good administrator: « It's so simple! » (really?)
user_sshkey=$( cat user-sshkey.pub )
for serveur in $( cat listserver.txt ) ; do
  # authorized_keys* covers both authorized_keys and authorized_keys2
  ssh "${serveur}" 'cat ~/.ssh/authorized_keys* 2>/dev/null' \
    | grep -qF "${user_sshkey}"
  [ $? -eq 0 ] && echo "${serveur}"
done
§ Who grants and restricts access?
11. I. Server access problem
Our needs
§ Must have
ü Use the SSH protocol
ü Use key authentication
ü No user keys on administrated servers
ü Unified access control list (ACL)
§ Nice to have
ü Log connection events
ü Record user SSH sessions
ü Notification of administration events
12. I. Server access problem
Look for an existing solution
q Wallix AdminBastion
• Solution from France, closed source + licence, supports ssh/telnet/rdp
q Observe-it
• Solution from the USA, closed source + licence, supports ssh/telnet/rdp
q sshProxy
• Open-source (GPLv2), Python, needs specific client software
• Dead since 2008(?), unable to download the project from its website
q AdminProxy
• Open-source, sponsored by the French Government
• Supported by Wallix, Mandriva and University Paris 6
• 2-year project, should have ended in Sept 2010
• Where is the repository?
13. I. Server access problem
Search Result
§ No solution
• Too expensive
• Requires wide installation
• Not found
➫ Development of sshGate!
• Free and open-source
• Make it quick
• Simple
14. I. Server access problem
Limitations & Challenges
§ Use existing tools: OpenSSH & PuTTY
• No installation required on administrated servers
• No installation required on client systems
§ Cross-platform
• sshGate server
• Administrated servers
• Client computers
§ No patches on the sshGate server (no sshd patches)
§ Simple, with few dependencies (no SQL database, …)
15. Contents
I. SERVER ACCESS PROBLEMS
II. SSHGATE PRESENTATION
III. SSHGATE INTERNAL
17. II. sshGate presentation
Functionalities
ü Support SSH sessions & SCP file transfers
ü ACL management centralization (users, groups)
ü Management of server name aliases
ü Multi-login support
ü SSH configuration support (global and per server/login)
ü Log connection events
ü Record SSH sessions
ü CLI administration interface
18. II. sshGate presentation
Characteristics
§ Licence: GPLv2+
§ Language: shell script (sh, dash, bash, zsh)
§ Cross-platform:
• For servers: Linux, Solaris, *BSD
• For clients: Linux, MacOS, Windows/PuTTY
19. II. sshGate presentation
History
§ Birth of sshGate: August 2010
§ First use in production: September 2010
§ Versions:
• Production: 0.1
• Trunk: 0.2
• Version 1.0 to be released this summer
20. II. sshGate presentation
sshGate usage at Linagora
§ Some numbers
• 61 users
• 10 user groups
• 161 administrated systems
• 214 server aliases
§ Accesses
• 96 group accesses
• 103 user accesses
§ During the last 6 months
• 2063 SCP transfers
• 16568 SSH sessions
21. II. sshGate presentation
Known bugs
§ DoS: flood the logs until the disk is full
user@host $ cat /dev/random   # floods the session record :(
One solution: if the growth rate of a big logfile is too high, kill the connection
§ It is possible to hide some commands
user@host $ read -s var       # typed silently: rm -rf *
user@host $ eval "${var}"     # Ouch!
This is not a bug.
sshGate doesn't log keyboard events, and never will!
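The mitigation suggested above for the log-flood DoS, as an added example that is not sshGate's own code: a POSIX sh watchdog that samples the size of a session record file and terminates the session when it grows faster than a byte-per-second limit. The record path, session PID, sampling interval and limit are whatever the caller passes; the values used in the comments are assumptions.

```shell
#!/bin/sh
# Returns 0 when the record grew faster than LIMIT bytes per second between two samples.
growth_exceeds() {   # before_bytes after_bytes interval_seconds limit_bytes_per_second
  [ $(( ($2 - $1) / $3 )) -gt "$4" ]
}

# Watch one session record and terminate the session when growth_exceeds says so.
# Arguments: record file, PID of the session to kill, sample interval (s), limit (B/s).
# wc -c is used instead of stat because stat's flags differ between Linux and *BSD/Solaris.
# Returns 0 when the session ended by itself, 1 when the watchdog killed it.
watch_record() {
  file=$1 pid=$2 interval=$3 limit=$4
  before=$(wc -c < "$file")
  while kill -0 "$pid" 2>/dev/null; do   # stop once the session ends by itself
    sleep "$interval"
    after=$(wc -c < "$file")
    if growth_exceeds "$before" "$after" "$interval" "$limit"; then
      # a real deployment would send this to syslog / the sshGate mail notification
      printf 'record %s grew %s bytes in %ss, killing session %s\n' \
        "$file" "$((after - before))" "$interval" "$pid" >&2
      kill "$pid"
      return 1
    fi
    before=$after
  done
  return 0
}
```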
22. II. sshGate presentation
Roadmap
Timeline: July, August, September, and in the future
• DoS protection
• telnet support
• Debian packaging
• Packaging: Solaris, FreeBSD, Fedora, Arch
• Web administration interface
• OpenSSH certificate support
• LDAP support
23. Contents
I. SERVER ACCESS PROBLEMS
II. SSHGATE PRESENTATION
III. SSHGATE INTERNAL
24. III. sshGate internal
Session opening steps (1/4)
§ Connect to the sshGate server via SSH
• Check that the user's SSH key exists in authorized_keys
• Launch sshgate-bridge
25. III. sshGate internal
Session opening steps (2/4)
§ Parse SSH_ORIGINAL_COMMAND:
• Determine the action: ssh or scp? Remote command?
• Extract the target host the user wants to administrate and check it against the ACL
26. III. sshGate internal
Session opening steps (3/4)
§ Launch the ssh client: <ssh-login>@<target> (<command>)
• Use known_hosts to check the target host's identity
• Use the configured parameters (ssh_config, ssh key)
27. III. sshGate internal
Session opening steps (4/4)
§ Connection is established
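The session-opening steps above (parse SSH_ORIGINAL_COMMAND, check the target against the ACL, launch the ssh client), as an added example that is not sshGate's own code: a minimal POSIX sh sketch of what a bridge has to do once sshd, through a command="..." entry in authorized_keys, hands it the user's request. The request syntax, the ACL table and the account names are constructed for the example; sshGate's real formats differ.

```shell
#!/bin/sh
# Constructed ACL: one "user target login" rule per line (not sshGate's own data format).
ACL_RULES='alice web01 root
alice db01 postgres
bob web01 www'
DEFAULT_LOGIN=root   # stands in for SSHGATE_TARGETS_DEFAULT_SSH_LOGIN
# Step 2a: classify SSH_ORIGINAL_COMMAND. Assumed request syntax (constructed):
# "login@target" = interactive ssh, "login@target cmd" = remote command,
# "scp -t|-f target:path" = file transfer, "cli" = administration CLI.
classify_command() {
  case "$1" in
    '')     echo none ;;
    cli)    echo cli ;;
    scp\ *) echo scp ;;
    *\ *)   echo remote ;;
    *)      echo ssh ;;
  esac
}
# Step 2b: ACL check by exact string comparison only (no globbing, no eval),
# so a target name containing shell metacharacters can never match a rule.
acl_allows() {   # user target login
  while read -r u t l; do
    [ "$u" = "$1" ] && [ "$t" = "$2" ] && [ "$l" = "$3" ] && return 0
  done <<EOF
$ACL_RULES
EOF
  return 1
}

# Step 3: map (user, SSH_ORIGINAL_COMMAND) to the ssh client line the gateway
# would run; prints it, or returns 1 when the request is malformed or denied.
bridge_dispatch() {   # user request
  req=$2 cmd=''
  case "$(classify_command "$req")" in
    scp)
      flag=${req#scp }; flag=${flag%% *}; rest=${req#scp * }
      [ "$flag" = -t ] || [ "$flag" = -f ] || return 1
      target=${rest%%:*}; [ "$target" != "$rest" ] || return 1
      login=$DEFAULT_LOGIN; cmd="scp $flag ${rest#*:}" ;;
    ssh|remote)
      spec=${req%% *}; [ "$spec" = "$req" ] || cmd=${req#* }
      login=${spec%@*}; target=${spec#*@}
      [ "$login" != "$spec" ] && [ -n "$login" ] && [ -n "$target" ] || return 1 ;;
    *) return 1 ;;
  esac
  acl_allows "$1" "$target" "$login" || return 1
  # StrictHostKeyChecking=yes: the gateway's known_hosts must already hold the target's key.
  echo "ssh -o StrictHostKeyChecking=yes ${login}@${target}${cmd:+ $cmd}"
}
```

A real bridge would exec ssh with the pieces as separate arguments instead of printing one string, so that the user's command is never re-parsed by the gateway's shell.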
31. III. sshGate internal
ScriptHelper Library
§ Shell script toolkit
• Allows writing scripts quicker
• Aims to be POSIX compliant (as much as possible)
§ Some of the libraries:
• exec.lib.sh : run commands with checks, rollback capability
• ask.lib.sh : ask questions easily
• cli.lib.sh : build a CLI
• conf.lib.sh : build and use a configuration file
• mutex.lib.sh / lock.lib.sh : lock and mutex management
• record.lib.sh : record and play shell session
• ...
32. III. sshGate internal
ask.lib.sh usage
ASK SSHGATE_TARGETS_DEFAULT_SSH_LOGIN \
    "What's the default user account to use when connecting to target host ?" \
    "${SSHGATE_TARGETS_DEFAULT_SSH_LOGIN}"
CONF_SAVE SSHGATE_TARGETS_DEFAULT_SSH_LOGIN

ASK yesno SSHGATE_MAIL_SEND \
    "Activate mail notification system [Yes] ?" \
    "Y"
if [ "${SSHGATE_MAIL_SEND}" = 'Y' ]; then
  ASK SSHGATE_MAIL_TO \
      "Who will receive mail notification (comma separated mails) ?" \
      "${SSHGATE_MAIL_TO}"
  # no recipient given: disable notifications again
  [ -z "${SSHGATE_MAIL_TO}" ] && SSHGATE_MAIL_SEND='N'
fi
CONF_SAVE SSHGATE_MAIL_SEND
CONF_SAVE SSHGATE_MAIL_TO
33. III. sshGate internal
cli.lib.sh usage
# load ScriptHelper
. ./lib/cli.lib.sh

# help generation
# SSHGATE_GET_HELP : In sshGate, extract help content from comments in the code
# SSHGATE_DISPLAY_HELP : How to display the help menu
# SSHGATE_DISPLAY_HELP_FOR : How to display help for a command
CLI_REGISTER_HELP '/tmp/sshgate-cli-help.txt' \
                  SSHGATE_GET_HELP \
                  SSHGATE_DISPLAY_HELP \
                  SSHGATE_DISPLAY_HELP_FOR

# Register CLI contextual menus and CLI commands
CLI_REGISTER_MENU 'user' 'User related commands'
CLI_REGISTER_COMMAND 'user list' 'USERS_LIST'
CLI_REGISTER_COMMAND 'user list <pattern>' 'USERS_LIST 1'
CLI_REGISTER_COMMAND 'user add <user> mail <email>' 'USER_ADD 1 2'
CLI_REGISTER_COMMAND 'user del <user>' 'USER_DEL 1'

# launch the CLI
CLI_RUN
34. III. sshGate internal
Industrialization
§ SshGate and ScriptHelper
• build.sh : build a package to deploy
• install.sh / uninstall.sh : quick & easy deployment
• test.sh : run the tests
tauop@Tauopbox:~/sshGate$ ./build.sh server
sshgate version ? 0.2
sshGate build number ? 014
Include ScriptHelper in package ? y
Build sshgateserver package ... OK
tauop@Tauopbox:~/sshGate$
35. III. sshGate internal
Installation (1 / 2)
tauop@Tauopbox:/tmp/sshGate-server-0.2-0.71$ sudo ./install.sh

--- sshGate server installation ---
by Patrick Guiran

NOTICE: ScriptHelper will be installed as part of sshGate, not system-wide
If you want to install ScriptHelper system-wide, please visit http://github.com/Tauop/ScriptHelper

Where do you want to locate sshGate [/opt/sshgate] ?
Which unix account to use for sshGate users [sshgate] ?
What's the default user account to use when connecting to target host [root] ?
List of available languages: fr us
Default language for user messages [us] ? fr
Which editor to use [vim] ?
Activate mail notification system [Y] ?
Who will receive mail notification (comma separated mails) [sshgate@linagora.com] ?
Do users have to accept TOS when connecting for the first time [Y] ?
Allow remote command [Y] ?
Allow remote administration CLI [Y] ?
36. III. sshGate internal
Installation (2 / 2)
[...]
- Reload configuration ... OK
- Installing sshGate ... OK
- Generate default sshkey pair ... OK
- Setup files permissions ... OK
- Install archive cron ... OK

You need to add the first user of sshGate, which will be sshGate administrator.
This user will allow you to manage other users, targets and accesses.
user login ? pguiran
user mail ? pguiran@linagora.com

In order to administrate sshGate, just ssh this host with this user
If you have installed sshGate client -> sshg cli
with standard ssh client -> ssh -t sshgate@Tauopbox cli
from this terminal -> /opt/sshgate/bin/sshgate-cli -u pguiran

NOTICE: You may add /opt/sshgate/bin in your PATH variable

tauop@Tauopbox:/tmp/exmaple/sshGate-server-0.2-0.71$
37. III. sshGate internal
Tests
root@gate:/opt/sshgate/bin/tests# ./test.sh all
- Loading sshGate core ... OK
- Setup sshGate data directory ... OK
- Generate temporary test file ... OK
- Generate temporary sshkey test file ... OK
- Create and setup temporary Unix account ... OK
- Reset temporary test file ... OK
- Reset sshGate data directories ... OK
- Generate user tests ... OK
- Launch user tests ... OK
- Reset temporary test file ... OK
- Reset sshGate data directories ... OK
- Generate target tests ... OK
- Launch target tests ... OK
- Reset temporary test file ... OK
- Reset sshGate data directories ... OK
- Generate usergroup tests ... OK
- Launch usergroup tests ... OK
- Reset temporary test file ... OK
- Reset sshGate data directories ... OK
- Generate access tests ... OK
- Launch access tests ... OK
- Remove tests data ... OK
root@gate:/opt/sshgate/bin/tests#