Friday, October 14, 2005

Secure remote tasks with ssh and keys

Takeaway:
If you want to set up another administrator on your server or execute
remote tasks securely, learn to use ssh with keys. Vincent Danen tells
you how in this Linux tip.

Often, if you're administering a server, you'll find you need to
execute some small task on the server, or you want to delegate a task
to another administrator, but you don't want to give them full access.
Perhaps you want to execute a remote backup or status test. This can
all be accomplished using ssh with keys so that it can be unattended,
but still secure.

The first step is to create the key pair with the ssh-keygen utility.
This is extremely straightforward. If the task is to run unattended,
the private key cannot have a passphrase (there is nobody to type it),
so protect the key file itself instead: create a dedicated account on
the client to run the task, lock its password so it cannot log in
interactively, and use this key pair only for this job against a
particular server or set of servers rather than reusing it elsewhere.

On the remote server, append the public key to ~/.ssh/authorized_keys
of the account the task will run as. Then restrict that line. To begin,
prefix it with a "command" option so that this key can execute only one
particular command: when a key carries command=, sshd ignores whatever
the client asked to run and executes the forced command instead, making
the client's original request available to it in the SSH_ORIGINAL_COMMAND
environment variable. The syntax looks like:

<code>

command="COMMAND" KEY

</code>

where COMMAND could be something as simple as "/usr/bin/rsync" or
"/usr/local/bin/foo.sh". Keep in mind that the forced command runs with
exactly the arguments written in authorized_keys, so a bare
"/usr/bin/rsync" is rarely useful on its own; the usual approach is a
small wrapper script that inspects SSH_ORIGINAL_COMMAND and runs only
the invocations you expect. To lock the key down further, add the
following options to the authorized_keys line:

<code>

command="/usr/local/bin/foo.sh",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty KEY

</code>

This ensures that anyone connecting with this key cannot do port
forwarding, X11 forwarding or agent forwarding, and that sshd does not
allocate a pseudo-TTY, so the key cannot be turned into an interactive
session even if the forced command were to start a shell. You can also
add from="host1,host2" to accept the key only from particular client
hosts. Note that these restrictions apply to this key line only; any
other key in the same authorized_keys file is unaffected.
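Putting the pieces together, here is a wrapper script of the kind the command= option would point at, plus a small helper that writes the restricted authorized_keys line. This is an added example, not code from the original tip: the path /usr/local/bin/foo.sh is the article's, while the request names (backup, status), the commands behind them, the from= host and the key string are assumptions made for illustration.

```shell
#!/bin/sh
# Forced-command wrapper for a restricted ssh key (added example; not code from
# the original article). Installed as /usr/local/bin/foo.sh (the article's path,
# assumed here) and referenced from authorized_keys as:
#   command="/usr/local/bin/foo.sh",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty KEY
#
# With command= set, sshd ignores whatever the client asked to run, executes this
# script instead, and hands the client's request over in $SSH_ORIGINAL_COMMAND.
# The wrapper matches that request against an allowlist of exact strings and
# runs only the fixed command behind each one.

# decide_command REQUEST
# Prints the exact command line to run for an allowed request; returns 1 otherwise.
# The request names and the commands behind them are assumptions for this example.
decide_command() {
    case "$1" in
        backup) printf '%s\n' '/usr/bin/tar -C /srv/data -czf - .' ;;
        status) printf '%s\n' '/usr/bin/uptime' ;;
        *)      return 1 ;;
    esac
}

# authorized_keys_line WRAPPER PUBKEY [FROM_PATTERN]
# Builds the restricted authorized_keys entry described in the article, optionally
# adding from="..." so the key is also accepted only from the named client hosts.
authorized_keys_line() {
    opts="command=\"$1\",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty"
    if [ -n "${3:-}" ]; then
        opts="from=\"$3\",$opts"
    fi
    printf '%s %s\n' "$opts" "$2"
}

# main: what sshd runs. An empty SSH_ORIGINAL_COMMAND means the client asked for
# an interactive login; it is rejected like any other unlisted request.
main() {
    req="${SSH_ORIGINAL_COMMAND:-}"
    if cmd=$(decide_command "$req"); then
        # Word-splitting $cmd is intentional: it is our fixed string, never the client's.
        exec $cmd
    fi
    printf 'rejected request: %s\n' "$req" >&2
    exit 1
}

# Run main only when executed under the installed name, so the functions above
# can be sourced or exercised under another name without triggering exec.
case "$0" in
    */foo.sh) main ;;
esac
```

The client side then runs something like `ssh -i /path/to/key backup@server backup`; sshd discards the word "backup" as a command, runs foo.sh with SSH_ORIGINAL_COMMAND=backup, and the wrapper maps it to the fixed tar invocation. Matching exact strings rather than patterns is deliberate: a prefix or wildcard check on SSH_ORIGINAL_COMMAND is where such wrappers usually go wrong, since the client controls that variable entirely.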

If the client system is adequately secured to protect the
passphrase-less private key, and the commands available to that key
are restricted on the server, using ssh to execute remote commands is a
breeze.
