Automation: Creating and Installing RSA Keypair
The first step is to create an automation group and a new user to put in that group for the automation system to use.

The keypair is saved as `/tmp/otto_rsa` (private key) and `/tmp/otto_rsa.pub` (public key). These are very important and sensitive, so transport them securely. The SSH KEY FAQ contains more information on using RSA keys for SSH authentication.

The private key + password is how the automation system authenticates to CCF-VM as `ottomate`. The user will not be able to use password authentication (on purpose).
```bash
# Generate the keypair; enter a strong password twice when prompted and record it
ssh-keygen -t rsa -b 4096 -C ottomate -f /tmp/otto_rsa
# Private key readable only by its owner, public key world-readable
chmod 600 /tmp/otto_rsa
chmod 644 /tmp/otto_rsa.pub
sudo chown ottomate:ottomate /tmp/otto_rsa.pub
```
The public key from `/tmp/otto_rsa.pub` is placed into the `/home/ottomate/.ssh/authorized_keys` file, prepended with the forced-command options, so the entry has this form:

`command="/var/lib/automation/rc.py $SSH_ORIGINAL_COMMAND",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-user-rc <rsa_pub_key>`

This authorizes the key pair to authenticate as the `ottomate` user, and that session is only allowed to execute `/var/lib/automation/rc.py $SSH_ORIGINAL_COMMAND`. It cannot be used to log in as the user. The rights of the user are restricted and there is input validation in `rc.py` to minimize the risk from command injection.
NOTE: Command injection into `$SSH_ORIGINAL_COMMAND` is limited but not eliminated. The RSA keypair and account restrictions minimize the risk, but if the RSA keypair is compromised then command injection is possible.

For more details and to understand the risks, please read these sites:
- https://security.stackexchange.com/questions/118688/security-of-only-allowing-a-few-vetted-commands-using-ssh-original-command
- https://research.kudelskisecurity.com/2013/05/14/restrict-ssh-logins-to-a-single-command/
- https://binblog.info/2008/10/20/openssh-going-flexible-with-forced-commands/
```bash
# Append the restricted entry (forced command + options + public key) to authorized_keys
echo command=\"/var/lib/automation/rc.py \$SSH_ORIGINAL_COMMAND\",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-user-rc $(cat /tmp/otto_rsa.pub) |sudo tee -a /home/ottomate/.ssh/authorized_keys
sudo chown -R ottomate:ottomate /home/ottomate/.ssh
sudo chmod 644 /home/ottomate/.ssh/authorized_keys
```
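As an added example (not part of the Skadi wiki or its automation scripts), the following POSIX shell script builds the restricted `authorized_keys` entry described above from a `.pub` file and audits an existing `authorized_keys` file, reporting every key line that lacks the forced command or any of the four restriction options, in whatever order they appear. The function names `restricted_entry`, `key_line_ok` and `audit_authorized_keys` and the placeholder key used in the demo are assumptions made here.

```shell
#!/bin/sh
# Added example (not Skadi's code): build the restricted authorized_keys
# entry for a .pub file and audit an authorized_keys file for weak entries.
FORCED_CMD='/var/lib/automation/rc.py $SSH_ORIGINAL_COMMAND'
RESTRICTIONS='no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-user-rc'

# restricted_entry PUBFILE: print the authorized_keys line for the key.
restricted_entry() {
    printf 'command="%s",%s %s\n' "$FORCED_CMD" "$RESTRICTIONS" "$(head -n 1 "$1")"
}

# key_line_ok LINE: status 0 if LINE carries the forced command and every
# restriction option. The options field is everything before the key type.
key_line_ok() {
    case "$1" in
        *"command=\"$FORCED_CMD\""*) ;;
        *) return 1 ;;
    esac
    opts=$(printf '%s\n' "$1" | sed -E 's/ (ssh|ecdsa|sk)-[^ ]+ .*$//')
    for opt in $(printf '%s\n' "$RESTRICTIONS" | tr ',' ' '); do
        case ",$opts," in
            *",$opt,"*) ;;
            *) return 1 ;;
        esac
    done
}

# audit_authorized_keys FILE: report each non-compliant key line with its
# line number and key comment; status 1 if any was found, else 0.
audit_authorized_keys() {
    rc=0; n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in ''|'#'*) continue ;; esac   # skip blanks and comments
        key_line_ok "$line" || { echo "line $n: unrestricted key: ${line##* }"; rc=1; }
    done < "$1"
    return $rc
}

# With a path argument, audit that file; otherwise run a demo on a
# constructed placeholder key (not a real key) next to an unrestricted one.
if [ "$#" -eq 1 ]; then
    audit_authorized_keys "$1"
else
    tmp=$(mktemp); printf 'ssh-rsa AAAAEXAMPLEKEY ottomate\n' > "$tmp.pub"
    { restricted_entry "$tmp.pub"; echo 'ssh-rsa AAAAEXAMPLEKEY2 unrestricted'; } > "$tmp"
    if ! audit_authorized_keys "$tmp"; then echo "demo: unrestricted keys found"; fi
    rm -f "$tmp" "$tmp.pub"
fi
```

Run it as `sh audit.sh /home/ottomate/.ssh/authorized_keys` (with read access to that file) to confirm that every key installed for `ottomate` still carries the forced command and all four restriction options.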
Remove `/tmp/otto_rsa` and `/tmp/otto_rsa.pub` after saving them somewhere securely.
CAUTION: These keys allow access to the automation services of Skadi, guard them appropriately