sshGate - OSCON 2011

sshGate WWW.LINAGORA.COM

Plan I.  SERVER ACCESS PROBLEMS II.  SSHGATE PRESENTATION III.  SSHGATE INTERNALTHURSDAY, JULY 28TH, 2011 PAGE 2 / 35

About me Patrick GUIRANTHURSDAY, JULY 28TH, 2011 PAGE 3 / 35

Plan I.  SERVER ACCESS PROBLEMS II.  SSHGATE PRESENTATION III.  SSHGATE INTERNALTHURSDAY, JULY 28TH, 2011 PAGE 2 / 35

I.  Server access problem Information system THE admin THURSDAY, JULY 28TH, 2011 PAGE 5 / 35

I.  Server access problem Access through different ways §  Access with password •  Pick up from an LDAP/Kerberos/…. •  Can be found on « post-it » J •  Can be shared between many administrators •  …or only one administrator has all passwords §  Access with keys •  Who does this key belong to? •  Add my friend’s keys §  Access to the all servers §  Even business-critical servers (mail, database) •  …to everyone unconditionallyTHURSDAY, JULY 28TH, 2011 PAGE 9 / 35

I.  Server access problem Accesses managment §  Arrival and Departure of an administrator ? §  Who has access to a server ? (simple to answer) §  Which server does an administrator have access to ? (complex) •  « Simple » when the administrator has access to all servers J •  Good administrator : « It’s so simple ! » (really ?) user_sshkey=$( cat user-sshkey.pub )  for serveur in $( cat listserver.txt ) ; do  ssh $serveur cat ~/.ssh/authorized_keys2?   | grep ${user_sshkey} >/dev/null   [ $? eq 0 ] && echo ”${serveur}”  done# §  Who grants and restricts access ?THURSDAY, JULY 28TH, 2011 PAGE 10 / 35

I.  Server access problem Our needs §  Must have ü  Use ssh protocol ü  Use keys authentification ü  No user’s keys on administrated servers ü  Unified access control list (ACL) §  Nice to have ü  Log connection’s events ü  Record user’s SSH session ü  Notification of administration eventsTHURSDAY, JULY 28TH, 2011 PAGE 11 / 35

I.  Server access problem Look for an existing solution q  Wallix AdminBastion •  Solution from France, closed source + licence, support ssh/telnet/rdp q  Observe-it •  Solution from USA, closed source + licence, support ssh/telnet/rdp q  sshProxy •  Open-source (GPLv2), python, specific client software •  Dead since 2008(?), unable to download the project on its website q  AdminProxy •  Open-source, sponsored by the French Government •  Support by Wallix, Mandriva, and university Paris 6 •  2 years project, should be ended in sept 2010 •  Where is the repository ? LTHURSDAY, JULY 28TH, 2011 PAGE 12 / 35

I.  Server access problem Search Result §  No solution •  Too expensive •  Requires wide installation •  Not found ➫  Development of de sshGate ! •  Free and open-source •  Make it quick •  SimpleTHURSDAY, JULY 28TH, 2011 PAGE 13 / 35

I.  Server access problem Limitations & Challenges §  Use existing tools : OpenSSH & PuTTY •  No installation required on administrated servers •  No installation required on client system §  Cross-platforms •  sshGate server •  Administrated servers •  Client computers §  No patch on sshGate server (no sshd patches) §  Simple, with less dependency (no SQL-database, …)THURSDAY, JULY 28TH, 2011 PAGE 14 / 35

Sommaire I.  SERVER ACCESS PROBLEMS II.  SSHGATE PRESENTATION III.  SSHGATE INTERNALTHURSDAY, JULY 28TH, 2011 PAGE 15 / 35

II.  sshGate presentation Global viewTHURSDAY, JULY 28TH, 2011 PAGE 16 / 35

II.  sshGate presentation Functionalities ü  Support SSH sessions & SCP file transfers ü  ACL management centralization (users, groups) ü  Management of server name aliases ü  Multi-login support ü  SSH configuration support (global and per server - login) ü  Log connection’s events ü  Record SSH sessions ü  CLI administration interfaceTHURSDAY, JULY 28TH, 2011 PAGE 17 / 35

II.  sshGate presentation Characteristics §  Licence : GPLv2+ §  Language : Shell Script (sh, dash, bash, zsh) §  Cross-platforms : •  For servers : Linux, Solaris, *BSD •  For clients : Linux, MacOS, Windows/PuttyTHURSDAY, JULY 28TH, 2011 PAGE 18 / 35

II.  sshGate presentation History §  Born of sshGate : August 2010 §  First usage in production : September 2010 §  Versions : •  Production : 0.1 •  Trunk : 0.2 •  Version 1.0 release this summerTHURSDAY, JULY 28TH, 2011 PAGE 19 / 35

II.  sshGate presentation sshGate usage at Linagora §  Some numbers •  61 users •  10 user groups •  161 administrated systems •  214 server aliases §  Accesses •  96 group accesses •  103 user accesses §  During the 6 last months •  2063 SCP transfers •  16568 SSH sessionsTHURSDAY, JULY 28TH, 2011 PAGE 20 / 35

II.  sshGate presentation Known bugs §  DOS : flood logs until disk full user@host $ cat /dev/random ## flood :(# One solution : if the growth velocity of big logfile is too high, kill the connection §  It’s possible to hide some commands user@host $ read s var # ## rm rf * # user@host $ eval "${var}" ## Ouch !# This is not a bug. sshGate doesn’t log keyboard events, and will never do it !THURSDAY, JULY 28TH, 2011 PAGE 21 / 35

II.  sshGate presentation Roadmap DOS protection July August Sept In the future •  Packaging : Solaris, FreeBSD, Fedora, arch telnet support •  Web administration interface Debian Packaging •  OpenSSH certificate support •  LDAP supportTHURSDAY, JULY 28TH, 2011 PAGE 22 / 35

Sommaire I.  SERVER ACCESS PROBLEMS II.  SSHGATE PRESENTATION III.  SSHGATE INTERNALTHURSDAY, JULY 28TH, 2011 PAGE 23 / 35

III.  sshGate internal Session opening steps (1/4) §  Connect to sshGate server via SSH •  Check that the user SSH key exists in authorized_keys# •  Launch sshgate-bridge#THURSDAY, JULY 28TH, 2011 PAGE 24 / 35

III.  sshGate internal Session opening steps (2/4) §  Parse SSH_ORIGINAL_COMMAND : •  Determine the action : ssh or scp ? Remote command ? •  Extract and check the target host, the user wants to administrate, with ACLTHURSDAY, JULY 28TH, 2011 PAGE 25 / 35

III.  sshGate internal Session opening steps (3/4) §  Launch sshclient : <ssh-login>@<target> (<command>) •  Use known_hosts to check target host identity •  Use configured parameters (ssh_config, ssh key)THURSDAY, JULY 28TH, 2011 PAGE 26 / 35

III.  sshGate internal Session opening steps (4/4) §  Connection is establishedTHURSDAY, JULY 28TH, 2011 PAGE 27 / 35

III.  sshGate internal Administration CLITHURSDAY, JULY 28TH, 2011 PAGE 28 / 35

III.  sshGate internal Entity-relationship modelTHURSDAY, JULY 28TH, 2011 PAGE 29 / 35

III.  sshGate internal ArchitectureTHURSDAY, JULY 28TH, 2011 PAGE 30 / 35

III.  sshGate internal ScriptHelper Library §  Shell script toolkit •  Allow to write script quicker •  Want to be POSIX compliant (as much as possible) §  List of some of them : •  exec.lib.sh : run command with checks, rollback capability •  ask.lib.sh : ask question easily •  cli.lib.sh : build a CLI •  conf.lib.sh : build and use configuration file •  mutex.lib.sh / lock.lib.sh : lock and mutex managment •  record.lib.sh : record and play shell session •  ...THURSDAY, JULY 28TH, 2011 PAGE 31 / 35

III.  sshGate internal ask.lib.sh usage ASK SSHGATE_TARGETS_DEFAULT_SSH_LOGIN "What’s the default user account to use when connecting to target host ?" "${SSHGATE_TARGETS_DEFAULT_SSH_LOGIN}" CONF_SAVE SSHGATE_TARGETS_DEFAULT_SSH_LOGIN ASK yesno SSHGATE_MAIL_SEND "Activate mail notification system [Yes] ?" "Y” if [ "${SSHGATE_MAIL_SEND}" = Y ]; then ASK SSHGATE_MAIL_TO "Who will receive mail notification (comma separated mails) ?" "${SSHGATE_MAIL_TO}" [ z "${SSHGATE_MAIL_TO}" ] && SSHGATE_MAIl_SEND=’N’ fi CONF_SAVE SSHGATE_MAIL_SEND CONF_SAVE SSHGATE_MAIL_TOTHURSDAY, JULY 28TH, 2011 PAGE 32 / 35

III.  sshGate internal cli.lib.sh usage # load ScriptHelper# . ./lib/cli.lib.sh# # # help generation# # SSHGATE_GET_HELP : In sshGate, extract help content from comment in the code# # SSHGATE_DISPLAY_HELP : How to display help menu# # SSHGATE_DISPLAY_HELP_FOR : How to display help for a command# CLI_REGISTER_HELP #/tmp/sshgate-cli-help.txt # #SSHGATE_GET_HELP # #SSHGATE_DISPLAY_HELP # #SSHGATE_DISPLAY_HELP_FOR# # # Register CLI contextual menus and CLI commands# CLI_REGISTER_MENU user User related commands# CLI_REGISTER_COMMAND user list USERS_LIST# CLI_REGISTER_COMMAND user list <pattern> USERS_LIST 1# CLI_REGISTER_COMMAND user add <user> mail <email> USER_ADD 1 2# CLI_REGISTER_COMMAND user del <user> USER_DEL 1’# # # launch the CLI# CLI_RUN!THURSDAY, JULY 28TH, 2011 PAGE 33 / 35

III.  sshGate internal Industrialization §  SshGate and ScriptHelper •  build.sh : Build a package to deploy •  install.sh / uninstall.sh : quick & easy deploiement •  test.sh : run tests tauop@Tauopbox:~/sshGate$ ./build.sh server ! sshgate version ? 0.2 # sshGate build number ? 014 # Include ScriptHelper in package ? y# Build sshgateserver package ... OK # tauop@Tauopbox:~/sshGate$#THURSDAY, JULY 28TH, 2011 PAGE 34 / 35

III.  sshGate internal Installation (1 / 2) tauop@Tauopbox:/tmp/sshGate-server-0.2-0.71$ sudo ./install.sh! # --- sshGate server installation ---# by Patrick Guiran# # # NOTICE: ScriptHelper will be installed as part of sshGate, not system-wide# If you want to install ScriptHelper system-wide, please visit http://github.com/ Tauop/ScriptHelper# # Where do you want to locate sshGate [/opt/sshgate] ?# Which unix account to use for sshGate users [sshgate] ?# What’s the default user account to use when connecting to target host [root] ?# List of available languages: fr us# Default language for user messages [us] ? fr# Which editor to use [vim] ?# Activate mail notification system [Y] ?# Who will receive mail notification (comma separated mails) [sshgate@linagora.com] ?# Do users have to accept TOS when connecting for the first time [Y] ?# Allow remote command [Y] ?# Allow remote administration CLI [Y] ?#THURSDAY, JULY 28TH, 2011 PAGE 35 / 35

III.  sshGate internal Installation (2 / 2) [...]# - Reload configuration ... OK# - Installing sshGate ... OK# - Generate default sshkey pair ... OK# - Setup files permissions ... OK# - Install archive cron ... OK# # # You need to add the first user of sshGate, which will be sshGate administrator.# This user will allow you to manage other users, targets and accesses.# user login ? pguiran# user mail ? pguiran@linagora.com# # In order to administrate sshGate, just ssh this host with this user# If you have installed sshGate client -> sshg cli# with standard ssh client -> ssh -t sshgate@Tauopbox cli# from this terminal -> /opt/sshgate/bin/sshgate-cli -u pguiran# # NOTICE: You may add /opt/sshgate/bin in your PATH variable# # tauop@Tauopbox:/tmp/exmaple/sshGate-server-0.2-0.71$#THURSDAY, JULY 28TH, 2011 PAGE 36 / 35

III.  sshGate internal Tests root@gate:/opt/sshgate/bin/tests# ./test.sh all! - Loading sshGate core ... OK# - Setup sshGate data directory ... OK# - Generate temporary test file ... OK# - Generate temporary sshkey test file ... OK# - Create and setup temporary Unix account ... OK# - Reset temporary test file ... OK# - Reset sshGate data directories ... OK# - Generate user tests ... OK# - Launch user tests ... OK# - Reset temporary test file ... OK# - Reset sshGate data directories ... OK# - Generate target tests ... OK# - Launch target tests ... OK# - Reset temporary test file ... OK# - Reset sshGate data directories ... OK# - Generate usergroup tests ... OK# - Launch usergroup tests ... OK# - Reset temporary test file ... OK# - Reset sshGate data directories ... OK# - Generate access tests ... OK# - Launch access tests ... OK# - Remove tests data ... OK# root@gate:/opt/sshgate/bin/tests##THURSDAY, JULY 28TH, 2011 PAGE 37 / 35

IV.  sshGate internal Recycle sshGateTHURSDAY, JULY 28TH, 2011 PAGE 38 / 35

IV.  Luck, get the source Download, test, provide feedback, contribute ü  SshGate - http://www.github.com/Tauop/sshGate ü  ScriptHelper - http://www.github.com/Tauop/ScriptHelper ü  IRC@Freenode #linagora - Tauop ü  Contact : pguiran@linagora.com / patrick.guiran@gmail.com THURSDAY, JULY 28TH, 2011 PAGE 39 / 35

Questions & Answers Q & ATHURSDAY, JULY 28TH, 2011 PAGE 40 / 35

Thank you Contact : LINAGORA – Siège social 80, rue Roque de Fillol 92800 PUTEAUX France Phone. : (+33) 1 58 18 68 28 Fax : (+33) 1 46 96 63 64 Mail : info@linagora.com WWW.LINAGORA.COM

sshGate - OSCON 2011

by Tauop on Sep 02, 2011

Accessibility

Categories

Upload Details

Usage Rights

2 Embeds 21

Statistics

sshGate - OSCON 2011 Presentation Transcript

http://lanyrd.com	20
http://www.linkedin.com	1