Download - sshGate - OSCON 2011
Plan I. SERVER ACCESS PROBLEMS
II. SSHGATE PRESENTATION
III. SSHGATE INTERNAL
THURSDAY, JULY 28TH, 2011 PAGE 2 / 35
I. Server access problem

Access through different ways

§ Access with password
  • Picked up from LDAP/Kerberos/…
  • Can be found on a « post-it » :-)
  • Can be shared between many administrators
  • …or only one administrator has all the passwords
§ Access with keys
  • Who does this key belong to?
  • "Add my friend's keys"
§ Access to all servers
  § Even business-critical servers (mail, database)
  • …to everyone, unconditionally
I. Server access problem

Accesses management

§ Arrival and departure of an administrator?
§ Who has access to a server? (simple to answer)
§ Which servers does an administrator have access to? (complex)
  • « Simple » when the administrator has access to all servers :-)
  • Good administrator: « It's so simple! » (really?)
§ Who grants and restricts access?

    # Which servers does this user's key open? Ask every server, one by one.
    # Keep only the key blob: the comment field may differ on each server.
    user_sshkey=$( cut -d' ' -f2 user-sshkey.pub )
    for serveur in $( cat listserver.txt ) ; do
      # older OpenSSH also read authorized_keys2, so check both files
      ssh "${serveur}" 'cat ~/.ssh/authorized_keys ~/.ssh/authorized_keys2 2>/dev/null' \
        | grep -F -- "${user_sshkey}" >/dev/null
      [ $? -eq 0 ] && echo "${serveur}"
    done
I. Server access problem

Our needs

§ Must have
  ✓ Use the SSH protocol
  ✓ Use key authentication
  ✓ No user keys on administrated servers
  ✓ Unified access control list (ACL)
§ Nice to have
  ✓ Log connection events
  ✓ Record user SSH sessions
  ✓ Notification of administration events
I. Server access problem

Look for an existing solution

☐ Wallix AdminBastion
  • Solution from France, closed source + licence, supports ssh/telnet/rdp
☐ Observe-it
  • Solution from the USA, closed source + licence, supports ssh/telnet/rdp
☐ sshProxy
  • Open source (GPLv2), Python, specific client software
  • Dead since 2008(?), unable to download the project from its website
☐ AdminProxy
  • Open source, sponsored by the French government
  • Support from Wallix, Mandriva and Paris 6 university
  • 2-year project, should have ended in September 2010
  • Where is the repository? :-(
I. Server access problem

Search result

§ No solution
  • Too expensive
  • Requires a wide installation
  • Not found
➫ Development of sshGate!
  • Free and open source
  • Make it quick
  • Simple
I. Server access problem

Limitations & Challenges

§ Use existing tools: OpenSSH & PuTTY
  • No installation required on administrated servers
  • No installation required on client systems
§ Cross-platform
  • sshGate server
  • Administrated servers
  • Client computers
§ No patch on the sshGate server (no sshd patches)
§ Simple, with few dependencies (no SQL database, …)
II. sshGate presentation

Functionalities

✓ Support SSH sessions & SCP file transfers
✓ ACL management centralization (users, groups)
✓ Management of server name aliases
✓ Multi-login support
✓ SSH configuration support (global and per server/login)
✓ Log connection events
✓ Record SSH sessions
✓ CLI administration interface
II. sshGate presentation

Characteristics

§ Licence: GPLv2+
§ Language: shell script (sh, dash, bash, zsh)
§ Cross-platform:
  • For servers: Linux, Solaris, *BSD
  • For clients: Linux, MacOS, Windows/PuTTY
II. sshGate presentation

History

§ Birth of sshGate: August 2010
§ First usage in production: September 2010
§ Versions:
  • Production: 0.1
  • Trunk: 0.2
  • Version 1.0 release this summer
II. sshGate presentation

sshGate usage at Linagora

§ Some numbers
  • 61 users
  • 10 user groups
  • 161 administrated systems
  • 214 server aliases
§ Accesses
  • 96 group accesses
  • 103 user accesses
§ During the last 6 months
  • 2063 SCP transfers
  • 16568 SSH sessions
II. sshGate presentation

Known bugs

§ DOS: flood the logs until the disk is full

    user@host $ cat /dev/random
    ## flood :(

  One solution: if the growth velocity of a big log file is too high, kill the connection

§ It's possible to hide some commands

    user@host $ read -s var
    ## rm -rf *
    user@host $ eval "${var}"
    ## Ouch !

  This is not a bug. sshGate doesn't log keyboard events, and will never do it!
II. sshGate presentation

Roadmap

Timeline: July, August, September, in the future

• Debian packaging
• DOS protection
• telnet support
• Packaging: Solaris, FreeBSD, Fedora, Arch
• Web administration interface
• OpenSSH certificate support
• LDAP support
III. sshGate internal

Session opening steps (1/4)

§ Connect to the sshGate server via SSH
  • Check that the user's SSH key exists in authorized_keys
  • Launch sshgate-bridge

Session opening steps (2/4)

§ Parse SSH_ORIGINAL_COMMAND:
  • Determine the action: ssh or scp? Remote command?
  • Extract the target host the user wants to administrate and check it against the ACL

Session opening steps (3/4)

§ Launch the ssh client: <ssh-login>@<target> (<command>)
  • Use known_hosts to check the target host's identity
  • Use the configured parameters (ssh_config, ssh key)

Session opening steps (4/4)

§ Connection is established
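To make the four steps concrete, here is an added example (not sshGate's own sshgate-bridge) of a POSIX shell dispatcher doing the same work: it takes SSH_ORIGINAL_COMMAND, classifies it as ssh, remote command or scp, resolves server aliases, checks a constructed ACL and builds the ssh invocation with the target's identity pinned to the gate's known_hosts. The ACL and alias formats, the client syntax, the function names and the paths under /opt/sshgate are all assumptions of this example, not sshGate's.

```shell
# Illustrative sshgate-bridge style dispatcher: an added example, not sshGate's code.
# Assumed deployment: each gate user's public key sits in the gate account's authorized_keys
# with a forced command, e.g. command="/opt/sshgate/bin/sshgate-bridge alice" ssh-rsa AAAA...
# so sshd hands the client's request to us in SSH_ORIGINAL_COMMAND.  Assumed client
# syntax: "TARGET", "TARGET CMD..." or the "scp -t|-f TARGET:PATH" that scp emits.
set -f                                       # never glob-expand user-supplied words

SSHGATE_ACL='alice web01
alice db01
bob web01'                                   # constructed ACL: "user target" per line
SSHGATE_ALIASES='www web01
mysql db01'                                  # constructed alias table: "alias target"
SSHGATE_LOGIN=${SSHGATE_LOGIN:-root}         # default login on targets (installer default)
SSHGATE_KEY=/opt/sshgate/etc/id_rsa          # hypothetical paths under the install dir
SSHGATE_KNOWN_HOSTS=/opt/sshgate/etc/known_hosts

sshgate_resolve() {        # alias -> canonical target; unknown names pass through
  _t=$(printf '%s\n' "$SSHGATE_ALIASES" | awk -v a="$1" '$1 == a { print $2 }')
  printf '%s\n' "${_t:-$1}"
}
sshgate_allowed() {        # succeeds only if the ACL grants user $1 access to target $2
  printf '%s\n' "$SSHGATE_ACL" | grep -qxF "$1 $2"
}

# Print "ACTION TARGET [ARGS...]" for an original command, or fail on malformed input.
sshgate_parse() {
  set -- $1                # word-split SSH_ORIGINAL_COMMAND on purpose
  case "$1" in
    '')  return 1 ;;
    scp) { [ "$2" = -t ] || [ "$2" = -f ]; } || return 1
         case "$3" in *:*) ;; *) return 1 ;; esac
         printf 'scp %s %s %s\n' "$(sshgate_resolve "${3%%:*}")" "$2" "${3#*:}" ;;
    *)   _t=$(sshgate_resolve "$1"); shift
         if [ $# -eq 0 ]; then printf 'ssh %s\n' "$_t"; else printf 'cmd %s %s\n' "$_t" "$*"; fi ;;
  esac
}

# Print (not exec) the ssh command run for user $1's request $2; host identity is pinned to known_hosts.
sshgate_build() {
  _p=$(sshgate_parse "$2") || { echo "sshgate: malformed request" >&2; return 1; }
  set -- "$1" $_p          # now: user action target [args...]
  sshgate_allowed "$1" "$3" || { echo "sshgate: $1 may not access $3" >&2; return 2; }
  _a=$2 _t=$3; shift 3
  _o="-i $SSHGATE_KEY -o StrictHostKeyChecking=yes -o UserKnownHostsFile=$SSHGATE_KNOWN_HOSTS"
  case "$_a" in
    ssh) printf 'ssh %s -t %s@%s\n' "$_o" "$SSHGATE_LOGIN" "$_t" ;;
    cmd) printf 'ssh %s %s@%s %s\n' "$_o" "$SSHGATE_LOGIN" "$_t" "$*" ;;
    scp) printf 'ssh %s %s@%s scp %s %s\n' "$_o" "$SSHGATE_LOGIN" "$_t" "$1" "$2" ;;
  esac
}
```

A real bridge would `exec` the printed command with the client's stdin/stdout attached, so the scp on the client and the scp on the target talk through the gate; printing it instead keeps the example inspectable.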
III. sshGate internal

ScriptHelper Library

§ Shell script toolkit
  • Allows writing scripts more quickly
  • Aims to be POSIX compliant (as much as possible)
§ Some of the libraries:
  • exec.lib.sh: run commands with checks, rollback capability
  • ask.lib.sh: ask questions easily
  • cli.lib.sh: build a CLI
  • conf.lib.sh: build and use a configuration file
  • mutex.lib.sh / lock.lib.sh: lock and mutex management
  • record.lib.sh: record and replay a shell session
  • ...
III. sshGate internal

ask.lib.sh usage

    # requires ScriptHelper's ask.lib.sh (ASK) and conf.lib.sh (CONF_SAVE) to be loaded
    ASK SSHGATE_TARGETS_DEFAULT_SSH_LOGIN \
        "What's the default user account to use when connecting to target host ?" \
        "${SSHGATE_TARGETS_DEFAULT_SSH_LOGIN}"
    CONF_SAVE SSHGATE_TARGETS_DEFAULT_SSH_LOGIN

    ASK yesno SSHGATE_MAIL_SEND \
        "Activate mail notification system [Yes] ?" \
        "Y"
    if [ "${SSHGATE_MAIL_SEND}" = 'Y' ]; then
      ASK SSHGATE_MAIL_TO \
          "Who will receive mail notification (comma separated mails) ?" \
          "${SSHGATE_MAIL_TO}"
      # an empty recipient list silently disables notifications
      [ -z "${SSHGATE_MAIL_TO}" ] && SSHGATE_MAIL_SEND='N'
    fi
    CONF_SAVE SSHGATE_MAIL_SEND
    CONF_SAVE SSHGATE_MAIL_TO
III. sshGate internal

cli.lib.sh usage

    # load ScriptHelper
    . ./lib/cli.lib.sh

    # help generation
    # SSHGATE_GET_HELP : In sshGate, extract help content from comment in the code
    # SSHGATE_DISPLAY_HELP : How to display help menu
    # SSHGATE_DISPLAY_HELP_FOR : How to display help for a command
    CLI_REGISTER_HELP '/tmp/sshgate-cli-help.txt' \
                      SSHGATE_GET_HELP \
                      SSHGATE_DISPLAY_HELP \
                      SSHGATE_DISPLAY_HELP_FOR

    # Register CLI contextual menus and CLI commands
    CLI_REGISTER_MENU 'user' 'User related commands'
    CLI_REGISTER_COMMAND 'user list' 'USERS_LIST'
    CLI_REGISTER_COMMAND 'user list <pattern>' 'USERS_LIST \1'
    CLI_REGISTER_COMMAND 'user add <user> mail <email>' 'USER_ADD \1 \2'
    CLI_REGISTER_COMMAND 'user del <user>' 'USER_DEL \1'

    # launch the CLI
    CLI_RUN
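As an added illustration of what a registration such as CLI_REGISTER_COMMAND 'user add <user> mail <email>' 'USER_ADD \1 \2' has to do, here is a small re-implementation of that pattern mechanism in POSIX shell. It is not ScriptHelper's code: the registry format, cli_resolve, CLI_EXECUTE and the handler functions are assumptions of this example, and the USERS_LIST/USER_ADD/USER_DEL handlers are constructed stubs. Resolved actions are invoked without eval, so a ';' or '$(...)' typed inside an argument stays literal text.

```shell
# Illustrative re-implementation of the cli.lib.sh pattern mechanism: an added example,
# not ScriptHelper's code.  A registered pattern such as 'user add <user> mail <email>'
# becomes a regex with one group per <placeholder>, and \1, \2 in the action are filled
# from the matched words.  Patterns are assumed to contain no regex metacharacters.
CLI_TAB=$(printf '\t')
CLI_TABLE=''                      # registry: one "PATTERN<TAB>ACTION" per line

CLI_REGISTER_COMMAND() {
  CLI_TABLE="${CLI_TABLE}$1${CLI_TAB}$2
"
}

# Print the action for line $1 with \N expanded, or fail when nothing matches.
# Longer patterns are tried first, so 'user list <pattern>' wins over 'user list'.
cli_resolve() {
  printf '%s' "$CLI_TABLE" |
    awk -F "$CLI_TAB" '{ print length($1) "\t" $0 }' | sort -rn | cut -f2- | (
    while IFS="$CLI_TAB" read -r pat act; do
      re=$(printf '%s' "$pat" | sed 's/<[^>]*>/\\([^ ][^ ]*\\)/g')
      out=$(printf '%s\n' "$1" | sed -n "s|^${re}\$|${act}|p")
      [ -n "$out" ] && { printf '%s\n' "$out"; exit 0; }
    done
    exit 1 )
}

# Run one CLI line.  The resolved action is split on whitespace and called directly:
# no eval and no globbing, so ';' or '$(...)' inside an argument stay literal text.
CLI_EXECUTE() {
  _act=$(cli_resolve "$1") || { echo "unknown command: $1" >&2; return 1; }
  set -f; set -- $_act; set +f
  "$@"
}

# Interactive loop: one command per line on stdin, as CLI_RUN does in the slide.
CLI_RUN() {
  while read -r _line; do
    [ -n "$_line" ] || continue
    CLI_EXECUTE "$_line" || :
  done
}

# Constructed handlers standing in for sshGate's real USERS_LIST/USER_ADD/USER_DEL.
USERS_LIST() { printf 'list pattern=%s\n' "${1:-*}"; }
USER_ADD()   { printf 'add user=%s mail=%s\n' "$1" "$2"; }
USER_DEL()   { printf 'del user=%s\n' "$1"; }
CLI_REGISTER_COMMAND 'user list' 'USERS_LIST'
CLI_REGISTER_COMMAND 'user list <pattern>' 'USERS_LIST \1'
CLI_REGISTER_COMMAND 'user add <user> mail <email>' 'USER_ADD \1 \2'
CLI_REGISTER_COMMAND 'user del <user>' 'USER_DEL \1'
```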
III. sshGate internal

Industrialization

§ sshGate and ScriptHelper
  • build.sh: build a package to deploy
  • install.sh / uninstall.sh: quick & easy deployment
  • test.sh: run tests

    tauop@Tauopbox:~/sshGate$ ./build.sh server
    sshgate version ? 0.2
    sshGate build number ? 014
    Include ScriptHelper in package ? y
    Build sshgateserver package ... OK
    tauop@Tauopbox:~/sshGate$
III. sshGate internal

Installation (1 / 2)

    tauop@Tauopbox:/tmp/sshGate-server-0.2-0.71$ sudo ./install.sh
    --- sshGate server installation ---
    by Patrick Guiran

    NOTICE: ScriptHelper will be installed as part of sshGate, not system-wide
    If you want to install ScriptHelper system-wide, please visit http://github.com/Tauop/ScriptHelper

    Where do you want to locate sshGate [/opt/sshgate] ?
    Which unix account to use for sshGate users [sshgate] ?
    What's the default user account to use when connecting to target host [root] ?
    List of available languages: fr us
    Default language for user messages [us] ? fr
    Which editor to use [vim] ?
    Activate mail notification system [Y] ?
    Who will receive mail notification (comma separated mails) [[email protected]] ?
    Do users have to accept TOS when connecting for the first time [Y] ?
    Allow remote command [Y] ?
    Allow remote administration CLI [Y] ?
III. sshGate internal

Installation (2 / 2)

    [...]
    - Reload configuration ... OK
    - Installing sshGate ... OK
    - Generate default sshkey pair ... OK
    - Setup files permissions ... OK
    - Install archive cron ... OK

    You need to add the first user of sshGate, which will be sshGate administrator.
    This user will allow you to manage other users, targets and accesses.
    user login ? pguiran
    user mail ? [email protected]

    In order to administrate sshGate, just ssh this host with this user
     If you have installed sshGate client -> sshg cli
     with standard ssh client -> ssh -t sshgate@Tauopbox cli
     from this terminal -> /opt/sshgate/bin/sshgate-cli -u pguiran

    NOTICE: You may add /opt/sshgate/bin in your PATH variable

    tauop@Tauopbox:/tmp/exmaple/sshGate-server-0.2-0.71$
III. sshGate internal

Tests

    root@gate:/opt/sshgate/bin/tests# ./test.sh all
    - Loading sshGate core ... OK
    - Setup sshGate data directory ... OK
    - Generate temporary test file ... OK
    - Generate temporary sshkey test file ... OK
    - Create and setup temporary Unix account ... OK
    - Reset temporary test file ... OK
    - Reset sshGate data directories ... OK
    - Generate user tests ... OK
    - Launch user tests ... OK
    - Reset temporary test file ... OK
    - Reset sshGate data directories ... OK
    - Generate target tests ... OK
    - Launch target tests ... OK
    - Reset temporary test file ... OK
    - Reset sshGate data directories ... OK
    - Generate usergroup tests ... OK
    - Launch usergroup tests ... OK
    - Reset temporary test file ... OK
    - Reset sshGate data directories ... OK
    - Generate access tests ... OK
    - Launch access tests ... OK
    - Remove tests data ... OK
    root@gate:/opt/sshgate/bin/tests#
IV. Luck, get the source

Download, test, provide feedback, contribute

✓ sshGate - http://www.github.com/Tauop/sshGate
✓ ScriptHelper - http://www.github.com/Tauop/ScriptHelper
✓ IRC@Freenode #linagora - Tauop
✓ Contact: [email protected] / [email protected]
Thank you

Contact: LINAGORA – Head office
80, rue Roque de Fillol, 92800 PUTEAUX, France
Phone: (+33) 1 58 18 68 28
Fax: (+33) 1 46 96 63 64
Mail: [email protected]
WWW.LINAGORA.COM