SSH agent forwarding (was: weird behaviour of quotes in dash variable assignments)
On 2020-09-22 13:05, Gary Dale wrote:
On 2020-09-22 00:25, David Christensen wrote:
On 2020-09-21 18:04, Gary Dale wrote:
The two servers are for different customers. I would not want to
create a tunnel between them. Instead I have my normal ssh tunnels to
each server from my workstation. However the script is only readable
by root while my tunnels are for my non-root account. While I could
copy the file to my non-root account (while root), chown it, copy it
to my workstation then to the other server, where I'd move it to
/root, that's a lot more work than cat, copy, paste, save.
Again, the method I used should not have created any changes in the
script that would affect its operation. And to date I've seen no
indication that it did. I still don't know why the script was leaving
the quotes in nor why it started working.
You might want to consider ssh-agent and SSH agent forwarding. These
allow you to access your version control server over SSH from remote
hosts by using your workstation credentials; no credentials required
on the remote host:
https://dev.to/levivm/how-to-use-ssh-and-ssh-agent-forwarding-more-secure-ssh-2c32
David
I'm not sure that does anything for me. I would need to create a "root"
key to get access to the file, which is something I refuse to do.
This book is relevant:
https://mwl.io/nonfiction/tools#ssh
Here is my workstation. I will demonstrate SSH agent forwarding using
it both as the workstation and as the server:
2020-09-22 14:57:40 root@tinkywinky ~
# cat /etc/debian_version ; uname -a
9.13
Linux tinkywinky 4.9.0-13-amd64 #1 SMP Debian 4.9.228-1 (2020-07-05)
x86_64 GNU/Linux
The workstation and the server must have at least one SSH host key pair.
The Debian installer creates three:
2020-09-22 14:49:56 dpchrist@tinkywinky ~
$ ls -1 /etc/ssh/ssh_host*key*
/etc/ssh/ssh_host_ecdsa_key
/etc/ssh/ssh_host_ecdsa_key.pub
/etc/ssh/ssh_host_ed25519_key
/etc/ssh/ssh_host_ed25519_key.pub
/etc/ssh/ssh_host_rsa_key
/etc/ssh/ssh_host_rsa_key.pub
The workstation user account must have at least one SSH user key pair:
2020-09-22 14:51:21 dpchrist@tinkywinky ~
$ ls -1 .ssh/id_rsa*
.ssh/id_rsa
.ssh/id_rsa.pub
No root account key pair is required on the server.
The server root account authorized_keys file must contain the
workstation user account public key(s). Append the contents of
~/.ssh/id_rsa.pub from the workstation to /root/.ssh/authorized_keys on
the server.
Agent forwarding must be enabled on the workstation:
2020-09-22 14:55:20 dpchrist@tinkywinky ~
$ egrep ^ForwardAgent /etc/ssh/ssh_config
ForwardAgent yes
Root public key authentication must be enabled on the server (it is
enabled by default on my Debian machines):
2020-09-22 14:56:32 dpchrist@tinkywinky ~
$ egrep PermitRootLogin /etc/ssh/sshd_config | head -n 1
PermitRootLogin prohibit-password
Restart sshd on the server, if required:
2020-09-22 14:57:35 root@tinkywinky ~
# service sshd restart
Start a terminal on the workstation. Start ssh-agent(1) using your
shell of choice (with any required options or arguments):
2020-09-22 15:01:31 dpchrist@tinkywinky ~
$ ssh-agent bash -l
Add your user account key pair to the SSH agent:
2020-09-22 15:01:34 dpchrist@tinkywinky ~
$ ssh-add
Enter passphrase for /home/dpchrist/.ssh/id_rsa:
Identity added: /home/dpchrist/.ssh/id_rsa (/home/dpchrist/.ssh/id_rsa)
Log in as root on the server via public key authentication (no
passphrase required):
2020-09-22 15:02:09 dpchrist@tinkywinky ~
$ ssh root@localhost
Linux tinkywinky 4.9.0-13-amd64 #1 SMP Debian 4.9.228-1 (2020-07-05) x86_64
Last login: Tue Sep 22 14:57:35 2020 from ::1
2020-09-22 15:02:35 root@tinkywinky ~
#
Now I can use my workstation user account credentials on the remote
machine just like I would use them locally (via agent forwarding; no
passphrase required):
2020-09-22 15:02:35 root@tinkywinky ~
# cvs diff
Optionally, you can disable password authentication on the server and
restart sshd. The only way to log in will be via the console or via SSH
public key authentication:
2020-09-22 15:04:40 root@tinkywinky ~
# grep Password /etc/ssh/sshd_config
PasswordAuthentication no
2020-09-22 15:22:05 root@tinkywinky ~
# service sshd restart
Right now the ssh tunnel requires a key on the remote server
I don't use SSH tunnels (yet). The SSH agent forwarding technique I
demonstrated above does not require any user or root keys on the server.
and there
are no root keys so even if someone gains access, they still don't have
root access.
If someone gains access to what?
There are other tools that work better for pushing things to multiple
servers but all of these tools assume you are doing it often enough or
to enough machines to make it worthwhile. That's not my situation.
Ansible, Puppet, etc., seem like overkill for my needs. I have not used
them.
I use ssh-agent(1), scp(1), and ssh(1) interactively, and I wrote shell
scripts, Perl scripts, and Makefiles to automate repetitive tasks.
CVS allows me to develop scripts and Makefiles on any machine, check
them in, and check out exact copies on every other machine. If I edit
one file on two machines, CVS knows how to solve the three-way merge
problem (for text files, not for binary files). CVS is very useful,
saves time, and eliminates the chaos of sneakernet, cut-and-paste, etc..
Any other good networked version control system should do the same.
David
Reply to: