sshGate - OSCON 2011


Transcript of sshGate - OSCON 2011

sshGate

WWW.LINAGORA.COM

Plan

I.  SERVER ACCESS PROBLEMS
II.  SSHGATE PRESENTATION
III.  SSHGATE INTERNAL

THURSDAY, JULY 28TH, 2011 PAGE 2 / 35

About me


Patrick GUIRAN


I.  Server access problem

Information system (diagram, animated over four slides: THE admin and the servers he has to reach)

Access through different ways

§  Access with password
   •  Picked up from an LDAP/Kerberos/… directory
   •  Can be found on a "post-it"
   •  Can be shared between many administrators
   •  …or only one administrator has all the passwords

§  Access with keys
   •  Who does this key belong to?
   •  "Add my friend's keys"

§  Access to all the servers
   •  Even business-critical servers (mail, database)
   •  …for everyone, unconditionally

Access management

§  Arrival and departure of an administrator?
§  Who has access to a server? (simple to answer)
§  Which servers does an administrator have access to? (complex)
   •  "Simple" when the administrator has access to all servers
   •  Good administrator: "It's so simple!" (really?)
§  Who grants and restricts access?

The only way to answer the third question is to ask every server in turn:

    # Which servers hold this administrator's key? One ssh round-trip per server.
    user_sshkey=$( awk '{ print $2 }' user-sshkey.pub )   # key blob only: the comment field differs per host
    for serveur in $( cat list-server.txt ) ; do
      ssh "$serveur" 'cat ~/.ssh/authorized_keys ~/.ssh/authorized_keys2 2>/dev/null' \
        | grep -F -- "${user_sshkey}" >/dev/null
      [ $? -eq 0 ] && echo "${serveur}"
    done

Our needs

§  Must have
   ü  Use the SSH protocol
   ü  Use key authentication
   ü  No user keys on administrated servers
   ü  Unified access control list (ACL)

§  Nice to have
   ü  Log connection events
   ü  Record users' SSH sessions
   ü  Notification of administration events

Look for an existing solution

§  Wallix AdminBastion
   •  Solution from France, closed source + licence, supports ssh/telnet/rdp

§  Observe-it
   •  Solution from USA, closed source + licence, supports ssh/telnet/rdp

§  sshProxy
   •  Open-source (GPLv2), python, specific client software
   •  Dead since 2008(?), unable to download the project from its website

§  AdminProxy
   •  Open-source, sponsored by the French Government
   •  Supported by Wallix, Mandriva, and university Paris 6
   •  2-year project, should have ended in Sept 2010
   •  Where is the repository?

Search result

§  No solution
   •  Too expensive
   •  Requires a wide installation
   •  Not found

➫  Development of sshGate!
   •  Free and open-source
   •  Make it quick
   •  Simple

Limitations & Challenges

§  Use existing tools: OpenSSH & PuTTY
   •  No installation required on administrated servers
   •  No installation required on client systems

§  Cross-platform
   •  sshGate server
   •  Administrated servers
   •  Client computers

§  No patch on the sshGate server (no sshd patches)
§  Simple, with few dependencies (no SQL database, …)


II.  sshGate presentation

Global view (diagram)

Functionalities

ü  Supports SSH sessions & SCP file transfers
ü  Centralized ACL management (users, groups)
ü  Management of server name aliases
ü  Multi-login support
ü  SSH configuration support (global and per server-login)
ü  Logs connection events
ü  Records SSH sessions
ü  CLI administration interface

Characteristics

§  Licence: GPLv2+

§  Language: Shell Script (sh, dash, bash, zsh)

§  Cross-platform:
   •  For servers: Linux, Solaris, *BSD
   •  For clients: Linux, MacOS, Windows/PuTTY

History

§  Birth of sshGate: August 2010
§  First usage in production: September 2010
§  Versions:
   •  Production: 0.1
   •  Trunk: 0.2
   •  Version 1.0 release planned for this summer

sshGate usage at Linagora

§  Some numbers
   •  61 users
   •  10 user groups
   •  161 administrated systems
   •  214 server aliases

§  Accesses
   •  96 group accesses
   •  103 user accesses

§  During the last 6 months
   •  2063 SCP transfers
   •  16568 SSH sessions

Known bugs

§  DOS: flood the logs until the disk is full

        user@host $ cat /dev/random      ## flood :(

   One solution: if the growth velocity of a big log file is too high, kill the connection.

§  It's possible to hide some commands

        user@host $ read -s var          ## the user types: rm -rf *
        user@host $ eval "${var}"        ## Ouch!

   This is not a bug. sshGate doesn't log keyboard events, and will never do it!
   sshGate records what the session displays, not what is typed; read -s reads without
   echoing, so the recording shows the eval line but never the rm -rf * that it ran.
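The "kill the connection when the log grows too fast" idea from the first known bug, written out as an added example. This is not sshGate's own DOS protection; the byte-per-second budget, the record file path and the way the session PID is obtained are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not sshGate's code: watchdog for the "cat /dev/random" log flood.
# sshGate records every session's output to a file; rather than filtering what the
# user types, watch how fast that file grows and kill the session above a budget.
SSHGATE_RECORD_MAX_BPS="${SSHGATE_RECORD_MAX_BPS:-1048576}"   # assumed budget: 1 MiB/s

# Size in bytes without GNU stat, so it also works on Solaris/*BSD (wc pads on BSD).
file_size() { wc -c < "$1" | tr -d ' '; }

# growth_too_fast OLD NEW SECONDS LIMIT: true when the average growth over the interval
# exceeds LIMIT bytes/second. A shrinking file (log rotation) never triggers.
growth_too_fast() {
  [ "$3" -gt 0 ] || return 1
  [ $(( ($2 - $1) / $3 )) -gt "$4" ]
}

# watch_session RECORD_FILE SESSION_PID [INTERVAL]
# Polls the record file while the session lives. Returns 0 when the session ended on
# its own, 2 when it was killed for flooding. Meant to run in the background next to
# the bridge, e.g.:  watch_session "$rec" "$session_pid" 2 &
watch_session() {
  rec="$1" pid="$2" interval="${3:-2}"
  last=$(file_size "$rec")
  while kill -0 "$pid" 2>/dev/null; do
    sleep "$interval"
    now=$(file_size "$rec")
    if growth_too_fast "$last" "$now" "$interval" "$SSHGATE_RECORD_MAX_BPS"; then
      logger -t sshgate "KILL pid=$pid record=$rec rate=$(( (now - last) / interval ))B/s limit=${SSHGATE_RECORD_MAX_BPS}B/s" 2>/dev/null || :
      kill -TERM "$pid" 2>/dev/null || :
      sleep 1
      kill -KILL "$pid" 2>/dev/null || :      # a flooder that ignores TERM still dies
      return 2
    fi
    last=$now
  done
  return 0
}
```

The rate is measured on the recording, not on the terminal stream, so the check also covers output produced by a remote command run through scp/ssh relays; the budget should be generous enough that a legitimate `tar` listing or build log does not trip it.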

Roadmap

Timeline (July, August, Sept):
   •  Debian packaging
   •  DOS protection
   •  telnet support

In the future:
   •  Packaging: Solaris, FreeBSD, Fedora, arch
   •  Web administration interface
   •  OpenSSH certificate support
   •  LDAP support


III. sshGate internal

Session opening steps (1/4)

§  Connect to the sshGate server via SSH
   •  Check that the user's SSH key exists in authorized_keys
   •  Launch sshgate-bridge

Session opening steps (2/4)

§  Parse SSH_ORIGINAL_COMMAND:
   •  Determine the action: ssh or scp? Remote command?
   •  Extract the target host the user wants to administrate, and check it against the ACL

Session opening steps (3/4)

§  Launch the ssh client: <ssh-login>@<target> (<command>)
   •  Use known_hosts to check the target host's identity
   •  Use the configured parameters (ssh_config, ssh key)

Session opening steps (4/4)

§  Connection is established
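The four steps above, as an added illustration in shell. This is not sshGate's own sshgate-bridge: the authorized_keys layout, the SSH_ORIGINAL_COMMAND conventions, the ACL file format and the /opt/sshgate paths are assumptions made for the example.

```shell
#!/bin/sh
# Added illustration of the four session-opening steps; not sshGate's own sshgate-bridge.
# Assumed (not from the deck): every user key in the gateway account's authorized_keys is
# pinned to this script with a forced command, so the user never gets a gateway shell:
#   command="/opt/sshgate/bin/bridge.sh alice",no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 AAAA... alice
# sshd then hands the client's request over in SSH_ORIGINAL_COMMAND:
#   ssh sshgate@gw web1               -> "web1"
#   ssh sshgate@gw web1 uptime        -> "web1 uptime"
#   scp f sshgate@gw:db1:/tmp/f       -> "scp -t db1:/tmp/f"
#   ssh -t sshgate@gw cli  (or none)  -> "cli" / ""
# The ACL file holds one "user target" pair per line; '#' starts a comment.

SSHGATE_DIR="${SSHGATE_DIR:-/opt/sshgate}"
set -f   # never glob-expand words that came from the client

# A target is only ever looked up by name. A value starting with '-' would reach ssh as an
# option (-oProxyCommand=... runs a command on the gateway), so reject it here.
valid_target() {
  case "$1" in ''|-*|*[!A-Za-z0-9._-]*) return 1 ;; esac
}

# Step 2: parse SSH_ORIGINAL_COMMAND. Prints "action|target|argument" and returns 0,
# or prints nothing on stdout and returns 1 for anything we do not relay.
parse_request() {
  req="$1"
  case "$req" in
    ''|cli) echo "cli||" ;;
    scp\ *)
      mode='' spec=''
      for w in $req; do
        case "$w" in
          scp)   ;;
          -t|-f) mode="$w" ;;                                   # upload / download
          -*)    echo "bridge: unsupported scp option $w" >&2; return 1 ;;
          *)     spec="$w" ;;                                    # <target>:<path>
        esac
      done
      target="${spec%%:*}"
      if [ -z "$mode" ] || [ "$target" = "$spec" ] || ! valid_target "$target"; then
        echo "bridge: malformed scp request" >&2; return 1
      fi
      echo "scp|$target|$mode ${spec#*:}" ;;
    *)
      target="${req%% *}" rest=''
      [ "$target" != "$req" ] && rest="${req#* }"               # optional remote command
      valid_target "$target" || { echo "bridge: bad target '$target'" >&2; return 1; }
      echo "ssh|$target|$rest" ;;
  esac
}

# Step 2 (ACL): exact user/target match against the gateway's ACL file ($3).
acl_allowed() {
  awk -v u="$1" -v t="$2" '
    /^[ \t]*#/ || NF < 2 { next }
    $1 == u && $2 == t   { found = 1 }
    END { exit !found }' "$3"
}

# Step 3: the real client. Host identity is checked against the gateway's own known_hosts,
# and the per-target key stays on the gateway, so no user key is ever installed on the
# administrated server. Key and known_hosts paths are assumed; "root" is the installer default.
launch() {
  action="$1" target="$2" arg="$3" login="${4:-root}"
  set -- -o StrictHostKeyChecking=yes \
         -o "UserKnownHostsFile=$SSHGATE_DIR/known_hosts" \
         -i "$SSHGATE_DIR/keys/$target" -l "$login" "$target"
  case "$action" in
    ssh) [ -n "$arg" ] && exec ssh "$@" "$arg"
         exec ssh -t "$@" ;;
    scp) exec ssh "$@" scp $arg ;;        # relay the scp protocol to scp -t/-f on the target
  esac
}

# Steps 1-4 glued together; $1 is the user name baked into the authorized_keys entry.
bridge_main() {
  user="$1"
  request=$(parse_request "${SSH_ORIGINAL_COMMAND:-}") || exit 1
  action="${request%%|*}"; rest="${request#*|}"
  target="${rest%%|*}";    arg="${rest#*|}"
  [ "$action" = cli ] && exec "$SSHGATE_DIR/bin/sshgate-cli" -u "$user"
  if ! acl_allowed "$user" "$target" "$SSHGATE_DIR/etc/acl"; then
    logger -t sshgate "DENY user=$user target=$target action=$action"
    echo "bridge: $user is not allowed to reach $target" >&2
    exit 1
  fi
  logger -t sshgate "ALLOW user=$user target=$target action=$action"
  launch "$action" "$target" "$arg"
}

# Run only as the forced command (sshd sets SSH_CONNECTION); sourcing just defines the functions.
if [ -n "${SSH_CONNECTION:-}" ] && [ $# -eq 1 ]; then
  bridge_main "$1"
fi
```

The forced command is what makes step 1 safe: the user's key authenticates to the gateway account, but sshd replaces whatever the client asked for with bridge.sh and exposes the original request only through SSH_ORIGINAL_COMMAND, so the user can reach exactly what parse_request and acl_allowed accept. The target-name check is not cosmetic: without it a "target" such as -oProxyCommand=... would be handed to ssh as an option and executed on the gateway itself.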

Administration CLI (screenshot)

Entity-relationship model (diagram)

Architecture (diagram)

ScriptHelper Library

§  Shell script toolkit
   •  Allows writing scripts quicker
   •  Aims to be POSIX compliant (as much as possible)

§  Some of its libraries:
   •  exec.lib.sh : run commands with checks, rollback capability
   •  ask.lib.sh : ask questions easily
   •  cli.lib.sh : build a CLI
   •  conf.lib.sh : build and use a configuration file
   •  mutex.lib.sh / lock.lib.sh : lock and mutex management
   •  record.lib.sh : record and replay a shell session
   •  ...

ask.lib.sh usage

    ASK SSHGATE_TARGETS_DEFAULT_SSH_LOGIN \
        "What's the default user account to use when connecting to target host ?" \
        "${SSHGATE_TARGETS_DEFAULT_SSH_LOGIN}"
    CONF_SAVE SSHGATE_TARGETS_DEFAULT_SSH_LOGIN

    ASK --yesno SSHGATE_MAIL_SEND \
        "Activate mail notification system [Yes] ?" \
        "Y"
    if [ "${SSHGATE_MAIL_SEND}" = 'Y' ]; then
      ASK SSHGATE_MAIL_TO \
          "Who will receive mail notification (comma separated mails) ?" \
          "${SSHGATE_MAIL_TO}"
      # an empty recipient list switches notifications back off
      [ -z "${SSHGATE_MAIL_TO}" ] && SSHGATE_MAIL_SEND='N'
    fi
    CONF_SAVE SSHGATE_MAIL_SEND
    CONF_SAVE SSHGATE_MAIL_TO

cli.lib.sh usage

    # load ScriptHelper
    . ./lib/cli.lib.sh

    # help generation
    # SSHGATE_GET_HELP         : In sshGate, extract help content from comments in the code
    # SSHGATE_DISPLAY_HELP     : How to display the help menu
    # SSHGATE_DISPLAY_HELP_FOR : How to display help for a command
    CLI_REGISTER_HELP '/tmp/sshgate-cli-help.txt' \
                      SSHGATE_GET_HELP            \
                      SSHGATE_DISPLAY_HELP        \
                      SSHGATE_DISPLAY_HELP_FOR

    # Register CLI contextual menus and CLI commands
    CLI_REGISTER_MENU    'user'                           'User related commands'
    CLI_REGISTER_COMMAND 'user list'                      'USERS_LIST'
    CLI_REGISTER_COMMAND 'user list <pattern>'            'USERS_LIST \1'
    CLI_REGISTER_COMMAND 'user add <user> mail <email>'   'USER_ADD \1 \2'
    CLI_REGISTER_COMMAND 'user del <user>'                'USER_DEL \1'

    # launch the CLI
    CLI_RUN

Industrialization

§  sshGate and ScriptHelper
   •  build.sh : build a package to deploy
   •  install.sh / uninstall.sh : quick & easy deployment
   •  test.sh : run the tests

    tauop@Tauopbox:~/sshGate$ ./build.sh server
    sshgate version ? 0.2
    sshGate build number ? 014
    Include ScriptHelper in package ? y
    - Build sshgate-server package ... OK
    tauop@Tauopbox:~/sshGate$

Installation (1 / 2)

    tauop@Tauopbox:/tmp/sshGate-server-0.2-0.71$ sudo ./install.sh
     --- sshGate server installation ---
     by Patrick Guiran

    NOTICE: ScriptHelper will be installed as part of sshGate, not system-wide
    If you want to install ScriptHelper system-wide, please visit http://github.com/Tauop/ScriptHelper

    Where do you want to locate sshGate [/opt/sshgate] ?
    Which unix account to use for sshGate users [sshgate] ?
    What's the default user account to use when connecting to target host [root] ?
    List of available languages: fr us
    Default language for user messages [us] ? fr
    Which editor to use [vim] ?
    Activate mail notification system [Y] ?
    Who will receive mail notification (comma separated mails) [[email protected]] ?
    Do users have to accept TOS when connecting for the first time [Y] ?
    Allow remote command [Y] ?
    Allow remote administration CLI [Y] ?

Installation (2 / 2)

    [...]
    - Reload configuration ... OK
    - Installing sshGate ... OK
    - Generate default sshkey pair ... OK
    - Setup files permissions ... OK
    - Install archive cron ... OK

    You need to add the first user of sshGate, which will be sshGate administrator.
    This user will allow you to manage other users, targets and accesses.
    user login ? pguiran
    user mail ? [email protected]

    In order to administrate sshGate, just ssh this host with this user
     If you have installed sshGate client -> sshg cli
     with standard ssh client -> ssh -t sshgate@Tauopbox cli
     from this terminal -> /opt/sshgate/bin/sshgate-cli -u pguiran

    NOTICE: You may add /opt/sshgate/bin in your PATH variable

    tauop@Tauopbox:/tmp/exmaple/sshGate-server-0.2-0.71$

Tests

    root@gate:/opt/sshgate/bin/tests# ./test.sh all
    - Loading sshGate core ... OK
    - Setup sshGate data directory ... OK
    - Generate temporary test file ... OK
    - Generate temporary sshkey test file ... OK
    - Create and setup temporary Unix account ... OK
    - Reset temporary test file ... OK
    - Reset sshGate data directories ... OK
    - Generate user tests ... OK
    - Launch user tests ... OK
    - Reset temporary test file ... OK
    - Reset sshGate data directories ... OK
    - Generate target tests ... OK
    - Launch target tests ... OK
    - Reset temporary test file ... OK
    - Reset sshGate data directories ... OK
    - Generate usergroup tests ... OK
    - Launch usergroup tests ... OK
    - Reset temporary test file ... OK
    - Reset sshGate data directories ... OK
    - Generate access tests ... OK
    - Launch access tests ... OK
    - Remove tests data ... OK
    root@gate:/opt/sshgate/bin/tests#

IV. Luck, get the source

Recycle sshGate (diagram)

Download, test, provide feedback, contribute

ü  sshGate - http://www.github.com/Tauop/sshGate
ü  ScriptHelper - http://www.github.com/Tauop/ScriptHelper
ü  IRC@Freenode #linagora - Tauop
ü  Contact : [email protected] / [email protected]

Questions & Answers

Thank you

Contact: LINAGORA – Head office
80, rue Roque de Fillol, 92800 PUTEAUX, France
Phone: (+33) 1 58 18 68 28
Fax: (+33) 1 46 96 63 64
Mail: [email protected]

WWW.LINAGORA.COM