EZSSH uses SSH certificates to authenticate to endpoints. Because certificate authentication is built into OpenSSH, no custom agent or code has to run on your endpoints for authentication to work. Once the public key of your EZSSH policy CA is listed in sshd's TrustedUserCAKeys, the endpoint will accept certificates issued by EZSSH.
In this page we go through how to do this by running a bash script on an existing endpoint. You might also be interested in:
If you only want to set up the Linux principals of an access policy, click the “Get Script” button of that access policy.
This script should get you started with accessing your endpoints using EZSSH. However, it is important to understand what it does, since you might want to modify it to fit your deployment (for example if your sshd_config uses Include or Match blocks). In this section we go through a sample script line by line. Every step writes to /etc/ssh and manages user accounts, so the script must run as root.
First we check whether sshd_config already contains a TrustedUserCAKeys line and remove it if so. sshd honours the first occurrence of a keyword, so a pre-existing line would silently override the one we append later.
#!/bin/bash
authkeys=$(awk '$1 ~ /^TrustedUserCAKeys/' /etc/ssh/sshd_config)
if [ ! -z "$authkeys" ]
then
echo "TrustedUserCAKeys found removing from file"
awk '$1 !~ /^TrustedUserCAKeys/' /etc/ssh/sshd_config > tmp.txt
cat tmp.txt > /etc/ssh/sshd_config
rm tmp.txt
fi
Then we check whether an AuthorizedPrincipalsFile line is already set in sshd_config and remove it for the same reason.
authPrincipals=$(awk '$1 ~ /^AuthorizedPrincipalsFile/' /etc/ssh/sshd_config)
if [ ! -z "$authPrincipals" ]
then
echo "AuthorizedPrincipalsFile found removing from file"
awk '$1 !~ /^AuthorizedPrincipalsFile/' /etc/ssh/sshd_config > tmp.txt
cat tmp.txt > /etc/ssh/sshd_config
rm tmp.txt
fi
Then we append our own TrustedUserCAKeys line to sshd_config, pointing at the file that will hold the EZSSH CA public key. Because this appends to the end of the file, check that your sshd_config does not end with a Match block: a directive placed after Match applies only to the connections that block matches, so in that case put the line above the first Match instead.
echo "Adding trusted CA file to /etc/ssh/sshd_config"
echo "TrustedUserCAKeys /etc/ssh/trusted_ca_keys.pub" >> /etc/ssh/sshd_config
Then we tell sshd where to find the authorized principals. With %u, sshd reads /etc/ssh/auth_principals/<username> when someone logs in as <username>, and the certificate must carry one of the principal names listed in that file. Without this directive sshd would instead require the Linux username itself to appear in the certificate's principals.
echo "Adding Authorized Principals file to /etc/ssh/sshd_config"
echo "AuthorizedPrincipalsFile /etc/ssh/auth_principals/%u" >> /etc/ssh/sshd_config
Then we write the EZSSH policy CA public key to /etc/ssh/trusted_ca_keys.pub. Any certificate signed by this CA that carries an allowed principal will be accepted, so this file must only be writable by root. Replace the placeholder below with the public key of your own policy CA.
echo "Adding CA Public Key"
echo "ssh-rsa <EZSSH policy CA public key>" > /etc/ssh/trusted_ca_keys.pub
Then we check whether the directory we specified for the principals files exists and create it if it does not.
if [ ! -d "/etc/ssh/auth_principals" ]; then
mkdir /etc/ssh/auth_principals
fi
Next we record which administrative group your distro uses. If /etc/group defines a sudo group (Debian and Ubuntu style) the variable is non-empty; otherwise the script falls back to wheel (RHEL and Fedora style):
sudogroup=$(awk '$1 ~ /^sudo/' /etc/group)
Then, for each user in the policy, the script creates the Linux account if it does not exist and, if the user was marked as sudo in EZSSH, adds it to that administrative group.
The script calls useradd without -m, so on distributions whose login.defs does not set CREATE_HOME (Debian and Ubuntu, for example) no home directory is created; add -m if your users need one.
First it checks whether the user exists (in this example the user is called “root”); if it does not, it creates the user.
if id root &>/dev/null;
then
echo 'Skipping user root since it already exists';
else
echo 'Adding user root';
useradd root
fi
Then, if the user is set as sudo in EZSSH, the script contains the following if statement to add it to the administrative group.
if [ ! -z "$sudogroup" ]
then
usermod -aG sudo root
else
usermod -aG wheel root
fi
Then we add the user as an authorized principal. The file is named after the Linux user (matching %u above) and each line in it is a principal name that a certificate may carry to log in as that user; here the principal and the user name are the same. You can inspect the principals in an issued certificate with ssh-keygen -L -f <certificate> and compare them against this file.
#Adding principal for authentication
echo 'root' > /etc/ssh/auth_principals/root
Once all users have been added, we restart the ssh service so sshd picks up the changes. Run sshd -t first to validate the new sshd_config: a syntax error would stop sshd from coming back and could lock you out of the host. On RHEL-style systems the service is called sshd rather than ssh.
service ssh restart
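Putting the steps above together, here is an added example of the same setup written as idempotent functions. It is not the script EZSSH generates; the function names, the way the config path, principals directory and CA key are passed as parameters, the constructed test key and the hypothetical user alice are all assumptions made here so that the helpers can be exercised against a scratch copy of sshd_config before touching /etc/ssh. Unlike the page's script, it removes only the global occurrence of a keyword, inserts the new line above the first Match block, and validates the config with sshd -t before restarting.

```shell
#!/usr/bin/env bash
# Added example, not the script EZSSH generates. Same steps as the page,
# written as idempotent functions with the config path, principals directory
# and CA key passed in as parameters (an assumption made here so the helpers
# can be run against a scratch copy of sshd_config before touching /etc/ssh).
set -euo pipefail

# Set KEY to VALUE in the global section of the sshd_config FILE: drop any
# existing global occurrence (sshd uses the first one it sees) and insert the
# new line before the first Match block so it does not land inside one.
# Lines inside Match blocks are left alone; they override global settings.
set_sshd_option() {
  local key=$1 value=$2 file=$3 tmp
  tmp=$(mktemp)
  awk -v key="$key" -v value="$value" '
    BEGIN { in_match = 0; done = 0 }
    tolower($1) == "match" && !in_match { print key " " value; in_match = 1; done = 1 }
    !in_match && tolower($1) == tolower(key) { next }
    { print }
    END { if (!done) print key " " value }
  ' "$file" > "$tmp"
  cat "$tmp" > "$file"   # overwrite in place, keeping the file's owner and mode
  rm -f "$tmp"
}

# Print the global value of KEY from FILE (first occurrence before any Match).
get_sshd_option() {
  local key=$1 file=$2
  awk -v key="$key" '
    tolower($1) == "match" { exit }
    tolower($1) == tolower(key) { print $2; exit }
  ' "$file"
}

# Distro admin group: "sudo" if /etc/group (or GROUP_FILE) defines it, else "wheel".
admin_group() {
  local group_file=${1:-/etc/group}
  if grep -q '^sudo:' "$group_file"; then echo sudo; else echo wheel; fi
}

# Create the Linux account if missing; WANT_SUDO=1 also adds it to the admin group.
ensure_user() {
  local user=$1 want_sudo=$2
  if ! id "$user" >/dev/null 2>&1; then
    useradd "$user"
  fi
  if [ "$want_sudo" = 1 ]; then
    usermod -aG "$(admin_group)" "$user"
  fi
}

# Allow certificate principal PRINCIPAL to log in as Linux user USER
# (DIR/USER is what AuthorizedPrincipalsFile DIR/%u resolves to).
add_principal() {
  local user=$1 principal=$2 dir=$3
  mkdir -p "$dir"
  touch "$dir/$user"
  grep -qxF "$principal" "$dir/$user" || echo "$principal" >> "$dir/$user"
  chmod 644 "$dir/$user"
}

# Install CA_KEY and point sshd at it and at the principals directory.
configure_endpoint() {
  local cfg=$1 ca_key=$2 ca_file=$3 princ_dir=$4
  printf '%s\n' "$ca_key" > "$ca_file"
  chmod 644 "$ca_file"
  mkdir -p "$princ_dir"
  set_sshd_option TrustedUserCAKeys "$ca_file" "$cfg"
  set_sshd_option AuthorizedPrincipalsFile "$princ_dir/%u" "$cfg"
}

# Validate the config before restarting so a typo cannot lock you out.
restart_sshd() {
  local cfg=$1
  sshd -t -f "$cfg"
  if command -v systemctl >/dev/null 2>&1; then
    systemctl restart sshd 2>/dev/null || systemctl restart ssh
  else
    service ssh restart
  fi
}

# Real run (as root): EZSSH_APPLY=1 EZSSH_CA_PUBKEY='ssh-rsa AAAA...' ./ezssh-setup.sh
if [ "${EZSSH_APPLY:-0}" = 1 ]; then
  cfg=/etc/ssh/sshd_config
  configure_endpoint "$cfg" "${EZSSH_CA_PUBKEY:?set to the policy CA public key}" \
    /etc/ssh/trusted_ca_keys.pub /etc/ssh/auth_principals
  ensure_user alice 1                                   # hypothetical policy user
  add_principal alice alice /etc/ssh/auth_principals
  restart_sshd "$cfg"
fi
```

Without EZSSH_APPLY=1 the file only defines the functions, so you can source it and run configure_endpoint against a copy of your sshd_config to see exactly what will change before applying it on the host.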