sshGate - OSCON 2011

Posted 13-Jul-2015, category: Technology
Transcript of sshGate - OSCON 2011

  • sshGate

    WWW.LINAGORA.COM

  • Plan

    I. SERVER ACCESS PROBLEMS
    II. SSHGATE PRESENTATION
    III. SSHGATE INTERNAL

    THURSDAY, JULY 28TH, 2011 PAGE 2 / 35

  • About me

    Patrick GUIRAN


  • Information system (I. Server access problem)

    Diagram slide, built up over four slides: the information system and THE admin who administrates every server in it.


  • Access through different ways (I. Server access problem)

    Access with password: picked up from an LDAP/Kerberos/... directory; can be found on a post-it :); can be shared between many administrators, or only one administrator has all the passwords.

    Access with keys: who does this key belong to? "Add my friend's keys".

    Access to all servers: even business-critical servers (mail, database) are open to everyone, unconditionally.

  • Accesses management (I. Server access problem)

    Arrival and departure of an administrator?
    Who has access to a server? (simple to answer)
    Which servers does an administrator have access to? (complex) Simple when the administrator has access to all servers :) Good administrator: "It's so simple!" (really?)
    Who grants and restricts access?

    Answering the "which servers" question today means asking every server in turn whether the key is in its authorized_keys file:

        user_sshkey=$( cat user-sshkey.pub )
        for serveur in $( cat listserver.txt ) ; do
          # -F matches the key as a literal string (not a regex); -q only needs the exit status
          ssh "${serveur}" 'cat ~/.ssh/authorized_keys ~/.ssh/authorized_keys2 2>/dev/null' \
            | grep -qF -- "${user_sshkey}" && echo "${serveur}"
        done

  • Our needs (I. Server access problem)

    Must have: use the SSH protocol; use key authentication; no user keys on administrated servers; unified access control list (ACL).

    Nice to have: log connection events; record users' SSH sessions; notification of administration events.

  • Look for an existing solution (I. Server access problem)

    - Wallix AdminBastion: solution from France, closed source + licence, supports ssh/telnet/rdp
    - Observe-it: solution from the USA, closed source + licence, supports ssh/telnet/rdp
    - sshProxy: open source (GPLv2), Python, needs specific client software; dead since 2008(?), unable to download the project from its website
    - AdminProxy: open source, sponsored by the French Government, supported by Wallix, Mandriva and university Paris 6; 2-year project, should have ended in Sept 2010. Where is the repository? :(

  • Search result (I. Server access problem)

    No solution: too expensive, requires a wide installation, or not found.

    Development of sshGate! Free and open source; make it quick; keep it simple.

  • Limitations & challenges (I. Server access problem)

    Use existing tools: OpenSSH & PuTTY. No installation required on administrated servers; no installation required on client systems.

    Cross-platform: sshGate server, administrated servers, client computers.

    No patch on the sshGate server (no sshd patches). Simple, with few dependencies (no SQL database, ...).

  • Contents

    I. SERVER ACCESS PROBLEMS
    II. SSHGATE PRESENTATION
    III. SSHGATE INTERNAL

  • Global view (II. sshGate presentation)

    Diagram slide.

  • Functionalities (II. sshGate presentation)

    - Supports SSH sessions & SCP file transfers
    - Centralized ACL management (users, groups)
    - Management of server name aliases
    - Multi-login support
    - SSH configuration support (global and per server-login)
    - Logs connection events
    - Records SSH sessions
    - CLI administration interface

  • Characteristics (II. sshGate presentation)

    Licence: GPLv2+
    Language: shell script (sh, dash, bash, zsh)
    Cross-platform: for servers, Linux, Solaris, *BSD; for clients, Linux, MacOS, Windows/PuTTY

  • History (II. sshGate presentation)

    Birth of sshGate: August 2010. First usage in production: September 2010.
    Versions: production 0.1, trunk 0.2; version 1.0 to be released this summer.

  • sshGate usage at Linagora (II. sshGate presentation)

    Some numbers: 61 users, 10 user groups, 161 administrated systems, 214 server aliases.
    Accesses: 96 group accesses, 103 user accesses.
    During the last 6 months: 2063 SCP transfers, 16568 SSH sessions.

  • Known bugs (II. sshGate presentation)

    DoS: flood the logs until the disk is full.

        user@host $ cat /dev/random    # flood :(

    One solution: if the growth velocity of a big logfile is too high, kill the connection.

    It's possible to hide some commands. This is not a bug: sshGate doesn't log keyboard events, and never will!

        user@host $ read -s var
        # the command (rm -rf *) is typed without echo, so it never appears in the recorded session
        user@host $ eval "${var}"    # Ouch !

  • Roadmap (II. sshGate presentation)

    Timeline: July, August, Sept, in the future.

    - Debian packaging
    - DoS protection
    - telnet support
    - Packaging: Solaris, FreeBSD, Fedora, Arch
    - Web administration interface
    - OpenSSH certificate support
    - LDAP support

  • Contents

    I. SERVER ACCESS PROBLEMS
    II. SSHGATE PRESENTATION
    III. SSHGATE INTERNAL

  • Session opening steps (1/4) (III. sshGate internal)

    Connect to the sshGate server via SSH. Check that the user's SSH key exists in authorized_keys. Launch sshgate-bridge.

  • Session opening steps (2/4) (III. sshGate internal)

    Parse SSH_ORIGINAL_COMMAND: determine the action (ssh or scp? remote command?); extract the target host the user wants to administrate and check it against the ACL.

  • Session opening steps (3/4) (III. sshGate internal)

    Launch the ssh client: @ (). Use known_hosts to check the target host identity; use the configured parameters (ssh_config, ssh key).

  • Session opening steps (4/4) (III. sshGate internal)

    Connection is established.
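The four steps above, as an added illustration in POSIX sh that is not sshGate's own code: a forced-command bridge that parses SSH_ORIGINAL_COMMAND, checks the target against an ACL, and builds the outbound ssh command pinned to the gate's known_hosts. The ACL file format ("user target" per line), the "target [command]" syntax, the scp "target:path" convention and the /etc/sshgate paths are assumptions made for this example.

```shell
#!/bin/sh
# Added illustration of the forced-command flow, not sshGate's own code. sshd runs a
# bridge like this instead of a shell (command="..." in authorized_keys), so
# SSH_ORIGINAL_COMMAND is the only user-controlled input. ACL format, command
# syntax and paths below are assumptions for this example.
ACL_FILE="${ACL_FILE:-${TMPDIR:-/tmp}/sshgate-demo-acl}"
SSH_CONFIG="${SSH_CONFIG:-/etc/sshgate/ssh_config}"
KNOWN_HOSTS="${KNOWN_HOSTS:-/etc/sshgate/known_hosts}"

# Constructed sample ACL: one "user target" pair per line.
printf '%s\n' 'alice web01' 'alice db01' 'bob web01' > "$ACL_FILE"

# acl_allows USER TARGET: 0 if USER may administrate TARGET (exact line match).
acl_allows() { grep -qxF -- "$1 $2" "$ACL_FILE"; }

# valid_target NAME: accept only plain host names/aliases, so a target can never
# smuggle shell metacharacters or an ssh option (leading '-') into the command.
valid_target() {
    case "$1" in ''|-*|*[!A-Za-z0-9._-]*) return 1 ;; esac
    return 0
}

# sshgate_bridge USER SSH_ORIGINAL_COMMAND: print the ssh command line that would
# be exec'd, or "DENIED: ..." with a non-zero status (the real bridge would exec).
sshgate_bridge() {
    user=$1; orig=$2; command=
    case "$orig" in
        scp\ *)                 # scp sends "scp -t|-f PATH"; PATH assumed "target:path"
            action=scp; path=${orig##* }
            case "$path" in *:*) ;; *) echo "DENIED: scp path needs target:"; return 2 ;; esac
            target=${path%%:*}; remote_path=${path#*:}
            flags=${orig#scp }; flags=${flags% *}; [ "$flags" = "$path" ] && flags=
            ;;
        *)                      # ssh: "target" alone or "target command..."
            action=ssh; target=${orig%% *}
            [ "$target" != "$orig" ] && command=${orig#* }
            ;;
    esac
    valid_target "$target" || { echo "DENIED: bad target '$target'"; return 2; }
    acl_allows "$user" "$target" || { echo "DENIED: $user -> $target"; return 3; }
    # Host identity comes from the gate's own known_hosts; StrictHostKeyChecking=yes
    # refuses unknown or changed keys instead of asking an interactive question.
    opts="-F $SSH_CONFIG -o UserKnownHostsFile=$KNOWN_HOSTS -o StrictHostKeyChecking=yes"
    if [ "$action" = scp ]; then
        printf '%s\n' "ssh $opts $target scp $flags $remote_path"
    else
        printf '%s\n' "ssh $opts $target${command:+ $command}"
    fi
}
```

Run it as `sshgate_bridge alice 'db01 uptime -p'` to see the relayed command; a malformed target such as `web01;id` or a user not in the ACL is refused before any ssh process starts.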

  • Administration CLI (III. sshGate internal)

    Screenshot slide.

  • Entity-relationship model (III. sshGate internal)

    Diagram slide.

  • Architecture (III. sshGate internal)

    Diagram slide.

  • ScriptHelper library (III. sshGate internal)

    Shell script toolkit: allows writing scripts quicker; aims to be POSIX compliant (as much as possible).

    Some of the libraries:
    - exec.lib.sh: run commands with checks, rollback capability
    - ask.lib.sh: ask questions easily
    - cli.lib.sh: build a CLI
    - conf.lib.sh: build and use a configuration file
    - mutex.lib.sh / lock.lib.sh: lock and mutex management
    - record.lib.sh: record and play back a shell session
    - ...

  • ask.lib.sh usage (III. sshGate internal)

        # ScriptHelper libraries, sourced the same way as in the cli.lib.sh example (paths assumed)
        . ./lib/ask.lib.sh
        . ./lib/conf.lib.sh

        ASK SSHGATE_TARGETS_DEFAULT_SSH_LOGIN \
            "What's the default user account to use when connecting to target host ?" \
            "${SSHGATE_TARGETS_DEFAULT_SSH_LOGIN}"
        CONF_SAVE SSHGATE_TARGETS_DEFAULT_SSH_LOGIN

        ASK yesno SSHGATE_MAIL_SEND \
            "Activate mail notification system [Yes] ?" \
            "Y"
        if [ "${SSHGATE_MAIL_SEND}" = 'Y' ]; then
          ASK SSHGATE_MAIL_TO \
              "Who will receive mail notification (comma separated mails) ?" \
              "${SSHGATE_MAIL_TO}"
          # no recipient given: disable the notification system
          [ -z "${SSHGATE_MAIL_TO}" ] && SSHGATE_MAIL_SEND=N
        fi
        CONF_SAVE SSHGATE_MAIL_SEND
        CONF_SAVE SSHGATE_MAIL_TO

  • cli.lib.sh usage (III. sshGate internal)

        # load ScriptHelper
        . ./lib/cli.lib.sh

        # help generation
        # SSHGATE_GET_HELP : In sshGate, extract help content from comments in the code
        # SSHGATE_DISPLAY_HELP : How to display the help menu
        # SSHGATE_DISPLAY_HELP_FOR : How to display help for a command
        CLI_REGISTER_HELP '/tmp/sshgate-cli-help.txt' \
                          SSHGATE_GET_HELP \
                          SSHGATE_DISPLAY_HELP \
                          SSHGATE_DISPLAY_HELP_FOR

        # Register CLI contextual menus and CLI commands
        # (the argument placeholders in the patterns, one per \1 / \2, are missing from the slide transcript)
        CLI_REGISTER_MENU 'user' 'User related commands'
        CLI_REGISTER_COMMAND 'user list' 'USERS_LIST'
        CLI_REGISTER_COMMAND 'user list ' 'USERS_LIST \1'
        CLI_REGISTER_COMMAND 'user add mail ' 'USER_ADD \1 \2'
        CLI_REGISTER_COMMAND 'user del ' 'USER_DEL \1'

        # launch the CLI
        CLI_RUN

  • Industrialization (III. sshGate internal)

    sshGate and ScriptHelper both ship with:
    - build.sh: build a package to deploy
    - install.sh / uninstall.sh: quick & easy deployment
    - test.sh: run the tests