SSU Extending SSH for Secure Root Administration

SSU Extending SSH for Secure Root Administration

The following paper was originally published in the Proceedings of the Twelfth Systems Administration Conference (LISA ’98) Boston, Massachusetts, December 6-11, 1998 SSU Extending SSH for Secure Root Administration Christopher Thorpe, Yahoo!, Inc. For more information about USENIX Association contact: 1. Phone: 510 528-8649 2. FAX: 510 548-5738 3. Email: [email protected] 4. WWW URL: http://www.usenix.org SSU: Extending SSH for Secure Root Administration Christopher Thorpe – Yahoo!, Inc. ABSTRACT SSU†, ‘‘Secure su,’’ is a mechanism that uses SSH [Ylonen] to provide the security for distributing access to privileged operations. Its features include both shell or per-command access, a password for each user that is distinct from the login password and easily changed, and high portability. By installing SSU, administrators build a solid infrastructure for using SSH for improving security in other areas, such as file distribution and revision control. Introduction and Site Information been successfully used to support the secure exchange of data for programs such as rdist [Cooper] and CVS The EECS research computing environment at [Cyclic]. Harvard University is comprised of approximately two hundred workstations running eight variations of In any large installation, key management is an Unix. Users are primarily faculty, graduate students important task for the proper installation and mainte- and researchers, most of whom need some level of nance of SSH. Since we already used SSH, it was nat- root access to their workstations. Some students need ural to extend the key management system we devel- only the ability to reboot their workstations or mount oped for remote root operations into a more complex removable storage media, but many computer science system supporting SSU. By doing so, researchers researchers need full root access for their work. In adding a new system need only install SSH and add addition, these Unix-savvy users ease the load on sys- the trusted public identity key in root’s autho- tem administrators tremendously by performing rized_keys file. After this is done, SSU is installed administration tasks when possible. automatically from the trusted host and keys are peri- odically updated. Note that SSH uses two types of Because the EECS environment is a research-ori- RSA keys: one for host identification and another for ented group, machines come and go on the network all user authorization. SSU does not use the host identifi- the time, as do users who need privileged access. cation keys outside their normal use when ssh estab- There are several independent research groups within lishes a connection between two hosts. All SSU EECS, and researchers in a group generally need priv- authentication uses 1024-bit RSA key pairs, com- ileged access only to that group’s machines. In addi- pletely separate from a host’s identity keys. tion, many researchers administer their own research machines while using our network and home directory The features we required: NFS server. Since our environment is comprised of • The ability to easily redefine users’ root access machines for which we provide various levels of • Definition of access in terms of groups of administration, we built a system to give both admin- machines and automatic update of machines’ istrators and researchers root access on various groups root access configurations when these groups of machines. In addition, we made the system easy to change install so that anyone setting up a new machine need • The ability to administer machines without pos- only modify or create two files in addition to the ssh sessing a local user id distribution (which everyone installs anyway.) • Easy installation for researchers installing new systems SSU sits on top of the widely-used secure shell Seamless portability between all of our operat- protocol SSH. Because of its usefulness in providing • ing systems security and ease of access to networked computing environments, ssh is now in use on all of the Unix- Features we wanted: based machines within EECS. SSH can also be used • A password for privileged operations distinct for remote administration, where a trusted host uses from the user’s login password and consistent the protocol to establish secure connections to other for all operations machines and execute privileged operations. SSH has • Authentication of the user within the EECS domain before allowing root access †The bulk of this work was completed while the author was Description of SSU employed as a student systems administrator while an under- graduate at Harvard University. SSU is currently used in Table 1 shows the commands and files used by Harvard’s EECS (Electrical Engineering and Computer Sci- SSU. Examples 1, 2, and 3 show how to reboot the ence) research environment. local machine, gain a remote shell, and grant access to 1998 LISA XII – December 6-11, 1998 – Boston, MA 27 SSU: Extending SSH for Secure Root Administration Thorpe a new user. Note that this program asks for multiple script then determines the appropriate identity to use, command/host pairs, so that it is possible to define a connects to the SSU port on the remote machine or different set of commands for each group of hosts. loopback interface as root, and ssh executes the com- mand as root. See Appendix D for a description of Overview of How SSU Works how SSH authenticates a user. Note that SSU does not When users are granted access they are given allow .rhosts, .shosts or password authentication, and access to commands chosen from a list of SSU com- disables TCP/IP, X, and agent forwarding by default. mands (checked in a configuration file for sanity). Key Management A configuration file is created or updated by run- ning ssu-user. This file may be modified by hand to Key management was probably the most difficult change users’ permissions in the future. The reason problem in implementing this solution. Since the sys- for using this file is that if a user is granted access to tem’s security is based on RSA public/private key groups of servers (as defined in the netgroup file or cryptography, it is vital to correctly administer the the GROUPS directory) and those groups change the keys. First, we introduce the idea of a ‘‘trusted mas- user ’s permissions are automatically adjusted to corre- ter.’’ This machine holds an RSA private key for the spond to the changes in those groups the next time root user that is trusted by the root users on all other process-ssu is run. machines on our network. (It is possible, and probably wise, to have multiple trusted masters.) An RSA key pair is generated for each com- mand, and the passphrase is set to be the same for all By configuring all the machines in the network commands for that particular user (in order to facili- to trust the root identity on this host, it allows all tate ease of remembering the passphrases.) The ssu- authentication for user root access to take place on the passwd command makes it easy for users to change all trusted machine. Connections with root access can be of their SSU passphrases at once. established from there. This also has the useful side effect of creating a machine that can establish secure, A user executes a privileged command by typing privileged connections to all other machines for any ‘‘ssu command’’ or ‘‘ssu command@host.’’ The ssu purpose – e.g., rdist, network monitoring and backups. Command/File Description ssu Used to invoke a privileged operation locally or remotely. ssu-passwd Used to modify a user’s RSA passphrases for all SSU commands. ssu-user Administrators’ tool for creating or modifying SSU privileges. Processes the configuration files, generates the authorized_keys files, process-ssu and pushes the files to the hosts. A Perl 5 module that contains local configuration settings and library SSU.pm functions used by ssu commands. ssu_cmdgroups Definitions of convenient groups of SSU commands. ssu_usergroups Definitions of convenient groups of SSU users. These groups may work with or be instead of the system group file. ssu_hostgroups Definitions of convenient groups of hosts for SSU. These groups may work with or be instead of the system netgroup file. Table 1: User Interface. % ssu reboot Enter passphrase for RSA key ’cat:tcsh@eecs’: [passphrase] Shutdown at Sun Sep 20 14:59:19 1998. shutdown: [pid 19268] Connection to localhost closed. Example 1: Rebooting the local machine. % ssu tcsh@herbert Enter passphrase for RSA key ’cat:reboot@eecs’: [passphrase] herbert# Example 2: Gaining a shell on a remote machine. 28 1998 LISA XII – December 6-11, 1998 – Boston, MA Thorpe SSU: Extending SSH for Secure Root Administration Alternatively, private keys may be pushed to all of the options with which ssh will execute the command machines on the network or placed in an NFS- (e.g., environment=‘‘SHELL=/bin/false’’ to prevent mounted directory (see Appendix C for security con- shell escapes from vi or less), and the public key for cerns). With the keys available everywhere, users can the user-command pair generated by ssu-user or pro- gain root access through the loopback port. This cess-ssu. allows restricted login access to the trusted master as Since the private keys of these user-command well as the ability to gain root access even if the pairs are protected by passphrases, even if they are trusted master is inaccessible. captured via NFS sniffing or user negligence they are The master’s trusted private key should be care- still secure. Some administrators may wish to place fully guarded. We do not protect it with a passphrase them on the trusted server’s local disk if root access is so automatic privileged operations can execute with- to be limited to connections coming from the trusted out administrator intervention at boot time.

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    11 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us