Let's say I have a set of machines (called here the customers' machines) that only a small list of people (called the support staff) is allowed to SSH into, using only one account by machine (the support access account).
The support staff are only supposed to log into the customers' machines using keys. Moreover, the support staff can evolve, so someone who leaves the support staff is not permitted to log in to any customer machine. Therefore, staff people are prohibited from reading the private keys used to log into the customers' machines. Also, it is forbidden to modify the authorized_keys
file on the customers' machines.
To realize that configuration, I had the idea to use an SSH proxy that the support staff will log into (with LDAP authentication, but that's another problem) and that contains the private keys.
The question is: How do I allow support staff to use the SSH private key without being able to read it?
I believe that I have to make a daemon running as root on the proxy machine that will accept a user's request and open an SSH session for them, but I have no idea how to do it. Any ideas?
Best Answer
I would suggest a couple of options.
Protect the ssh key and require the use of
sudo
on your support team's side. You could do this transparently with a wrapper. Call the wrapper, say,/usr/local/bin/ssh-support
and have it contain something like this (untested):This would require an entry in the
sudoers
file that permitted users in thesupport
group to use the tool. This command allows them to run thessh-support
tool as thessupport
user - which you must create. It does not confer any root privilege.If you are happy that the support users should not need to provider their own password to run the tool (as requested by the
sudo
invocation within the script itself) you can amend thesudoers
definition thus:Assuming
PATH
contained/usr/local/bin/
you would then call it withssh-support clientname
. Also assuming you had created thessupport
user as/home/ssupport
you would create/home/ssupport/.ssh/id_rsa_clientname
and/home/ssupport/.ssh/id_rsa_clientname.pub
as the certificate pair, and have a host entry in/home/ssupport/.ssh/config
forclientname
that defined the user, host, port, etc. for the target machine. You would probably disable X11 forwarding, port forwarding, etc. explicitly. As usual, the/home/ssupport/.ssh
directory would need to be protected with permissions0700
.Give each member of support their own local user account, and have each person use their own private ssh key to access the client's servers. When a person leaves the support group you remove their ssh key from the client's servers. This means that you no longer need to worry about preventing your staff from knowing the private ssh key.