sshGate - OSCON 2011
Posted 13-Jul-2015, category: Technology
Transcript of sshGate - OSCON 2011
sshGate
WWW.LINAGORA.COM
Plan
I. SERVER ACCESS PROBLEMS
II. SSHGATE PRESENTATION
III. SSHGATE INTERNAL
THURSDAY, JULY 28TH, 2011 PAGE 2 / 35
About me
Patrick GUIRAN
I. Server access problem
Information system
THE admin
Access through different ways
Access with password: picked up from an LDAP/Kerberos/... directory; can be found on a post-it :); can be shared between many administrators, or only one administrator has all the passwords
Access with keys: who does this key belong to? "Add my friend's keys"
Access to all the servers: even business-critical servers (mail, database), to everyone, unconditionally
Accesses management
Arrival and departure of an administrator?
Who has access to a server? (simple to answer)
Which servers does an administrator have access to? (complex) Simple when the administrator has access to all servers :) Good administrator: "It's so simple!" (really?)
Who grants and restricts access?
    # which servers hold this user's key? one ssh per server
    user_sshkey=$( cat user-sshkey.pub )
    for serveur in $( cat listserver.txt ) ; do
      # look in authorized_keys and the legacy authorized_keys2
      ssh "${serveur}" 'cat ~/.ssh/authorized_keys ~/.ssh/authorized_keys2 2>/dev/null' \
        | grep -F "${user_sshkey}" >/dev/null
      [ $? -eq 0 ] && echo "${serveur}"
    done
Our needs
Must have: use the SSH protocol; use key authentication; no user keys on administrated servers; unified access control list (ACL)
Nice to have: log connection events; record users' SSH sessions; notification of administration events
Look for an existing solution
- Wallix AdminBastion: solution from France, closed source + licence, supports ssh/telnet/rdp
- Observe-it: solution from the USA, closed source + licence, supports ssh/telnet/rdp
- sshProxy: open source (GPLv2), Python, specific client software; dead since 2008(?), unable to download the project from its website
- AdminProxy: open source, sponsored by the French Government; supported by Wallix, Mandriva and University Paris 6; 2-year project, should have ended in Sept 2010; where is the repository? :(
Search result
No solution: too expensive, requires a wide installation, or not found
So: development of sshGate! Free and open source; make it quick; simple
Limitations & challenges
Use existing tools, OpenSSH & PuTTY: no installation required on administrated servers, no installation required on the client system
Cross-platform: sshGate server, administrated servers, client computers
No patch on the sshGate server (no sshd patches); simple, with fewer dependencies (no SQL database, ...)
II. sshGate presentation
Global view
Functionalities
Support for SSH sessions & SCP file transfers; ACL management centralization (users, groups); management of server name aliases; multi-login support; SSH configuration support (global and per server/login); logging of connection events; recording of SSH sessions; CLI administration interface
Characteristics
Licence: GPLv2+
Language: shell script (sh, dash, bash, zsh)
Cross-platform: servers on Linux, Solaris, *BSD; clients on Linux, MacOS, Windows/PuTTY
History
Birth of sshGate: August 2010
First usage in production: September 2010
Versions: production 0.1, trunk 0.2, version 1.0 to be released this summer
sshGate usage at Linagora
Some numbers: 61 users, 10 user groups, 161 administrated systems, 214 server aliases
Accesses: 96 group accesses, 103 user accesses
During the last 6 months: 2063 SCP transfers, 16568 SSH sessions
Known bugs
DoS: flood the logs until the disk is full
    user@host $ cat /dev/random    # flood :(
One solution: if the growth velocity of a big logfile is too high, kill the connection
It's possible to hide some commands:
    user@host $ read -s var        # typed silently: rm -rf *
    user@host $ eval "${var}"      # Ouch!
This is not a bug. sshGate doesn't log keyboard events, and never will!
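The "kill the connection when the log grows too fast" mitigation, as an added POSIX sh sketch that is not sshGate's own code; the record file path, the session pid, the sampling interval and the bytes-per-second limit are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not sshGate's own code: a watchdog for the "flood the logs
# until the disk is full" problem listed above.  It samples the size of a
# recorded-session file and ends the session when growth exceeds a limit;
# paths, pids and the limit are assumptions for illustration.

# True when growth from $1 to $2 bytes over $3 seconds exceeds $4 bytes/s.
# Pure arithmetic, so the policy can be tested without a live session.
rate_exceeded() {
  [ "$3" -gt 0 ] || return 1
  [ $(( ($2 - $1) / $3 )) -gt "$4" ]
}

# Size of a file in bytes, 0 if it does not exist yet (wc -c is POSIX).
file_size() {
  if [ -f "$1" ]; then wc -c < "$1" | tr -d ' '; else echo 0; fi
}

# Watch the session record $1 belonging to session pid $2: sample every $3
# seconds, kill the session when growth exceeds $4 bytes/s.
# Returns 2 if it killed the session, 0 if the session ended by itself.
watch_session_log() {
  log=$1; pid=$2; interval=$3; limit=$4
  prev=$(file_size "$log")
  while kill -0 "$pid" 2>/dev/null; do
    sleep "$interval"
    cur=$(file_size "$log")
    if rate_exceeded "$prev" "$cur" "$interval" "$limit"; then
      # a real deployment would also send this event to syslog via logger(1)
      echo "sshgate-watchdog: log flood on $log, killing session $pid" >&2
      kill "$pid"
      return 2
    fi
    prev=$cur
  done
  return 0
}
```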
Roadmap (July / August / Sept / in the future)
Debian packaging
DoS protection
telnet support
Packaging: Solaris, FreeBSD, Fedora, Arch
Web administration interface
OpenSSH certificate support
LDAP support
III. sshGate internal
Session opening steps (1/4): connect to the sshGate server via SSH; check that the user's SSH key exists in authorized_keys; launch sshgate-bridge
Session opening steps (2/4): parse SSH_ORIGINAL_COMMAND to determine the action (ssh or scp? remote command?); extract the target host the user wants to administrate and check it against the ACL
Session opening steps (3/4): launch the ssh client: @ (); use known_hosts to check the target host identity; use the configured parameters (ssh_config, ssh key)
Session opening steps (4/4): connection is established
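The four steps above as an added, runnable POSIX sh sketch that is not sshGate's own code: the bastion user, the ACL contents, the /etc/sshgate layout, the admin login on targets and the way the target is encoded in SSH_ORIGINAL_COMMAND are all assumptions.

```shell
#!/bin/sh
# Added example, not sshGate's own code: a minimal bastion "bridge" that follows
# the four session-opening steps.  It is assumed to be invoked from a
# command="/path/to/bridge <user>" entry in the bastion's authorized_keys, so
# SSH_ORIGINAL_COMMAND holds what the client asked for.  Assumed convention:
# "<target> [remote command]" for ssh, "scp -t|-f <target>:<path>" for scp.
SSHGATE_DIR=/etc/sshgate   # hypothetical config directory
SSHGATE_LOGIN=admin        # hypothetical default login on target hosts
# Constructed ACL (hypothetical data): one "<user> <target>" pair per line.
ACL='alice db01
alice web01
bob web01'

# Step 2: classify the original command as scp, ssh, or ssh + remote command.
action_of() {
  case "$1" in
    "scp -"[tf]" "*) echo scp ;;
    *" "*)           echo cmd ;;
    *)               echo ssh ;;
  esac
}

# Step 2: extract the target host, accepting only a plain host/alias name so
# that shell metacharacters never reach the ssh command line.
target_of() {
  case "$1" in
    "scp -"[tf]" "*) t=${1#scp -[tf] }; t=${t%%:*} ;;   # scp -t db01:/x -> db01
    *)               t=${1%% *} ;;                       # db01 uptime   -> db01
  esac
  case "$t" in
    ""|*[!A-Za-z0-9._-]*) return 1 ;;
  esac
  echo "$t"
}

# Step 2: ACL check, exact match on the whole "<user> <target>" line.
acl_allows() {
  printf '%s\n' "$ACL" | grep -qxF "$1 $2"
}

# Step 3: ssh command to exec, with the bastion's own known_hosts, config and key.
ssh_cmdline() {
  printf 'ssh -F %s/ssh_config -o UserKnownHostsFile=%s/known_hosts -o StrictHostKeyChecking=yes -i %s/keys/%s %s@%s\n' \
    "$SSHGATE_DIR" "$SSHGATE_DIR" "$SSHGATE_DIR" "$1" "$SSHGATE_LOGIN" "$1"
}

# Steps 2-4 together: print "allow <action> <target>", or "deny ..." and return 1.
bridge() {
  u=$1; c=$2
  t=$(target_of "$c") || { echo "deny bad-target"; return 1; }
  acl_allows "$u" "$t" || { echo "deny $u $t"; return 1; }
  echo "allow $(action_of "$c") $t"
}
```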
Administration CLI
Entity-relationship model
Architecture
ScriptHelper library
Shell script toolkit: lets you write scripts quicker; aims to be POSIX compliant (as much as possible)
Some of the libraries:
exec.lib.sh: run a command with checks, rollback capability
ask.lib.sh: ask questions easily
cli.lib.sh: build a CLI
conf.lib.sh: build and use a configuration file
mutex.lib.sh / lock.lib.sh: lock and mutex management
record.lib.sh: record and replay a shell session
...
ask.lib.sh usage
    # ask a value, with the current value as default, then persist it
    ASK SSHGATE_TARGETS_DEFAULT_SSH_LOGIN \
        "What's the default user account to use when connecting to target host ?" \
        "${SSHGATE_TARGETS_DEFAULT_SSH_LOGIN}"
    CONF_SAVE SSHGATE_TARGETS_DEFAULT_SSH_LOGIN

    # yes/no question, default Yes
    ASK yesno SSHGATE_MAIL_SEND \
        "Activate mail notification system [Yes] ?" \
        "Y"
    if [ "${SSHGATE_MAIL_SEND}" = 'Y' ]; then
      ASK SSHGATE_MAIL_TO \
          "Who will receive mail notification (comma separated mails) ?" \
          "${SSHGATE_MAIL_TO}"
      # no recipient given: disable notifications again
      [ -z "${SSHGATE_MAIL_TO}" ] && SSHGATE_MAIL_SEND=N
    fi
    CONF_SAVE SSHGATE_MAIL_SEND
    CONF_SAVE SSHGATE_MAIL_TO
cli.lib.sh usage
    # load ScriptHelper
    . ./lib/cli.lib.sh

    ## help generation
    # SSHGATE_GET_HELP : in sshGate, extract help content from comments in the code
    # SSHGATE_DISPLAY_HELP : how to display the help menu
    # SSHGATE_DISPLAY_HELP_FOR : how to display help for a command
    CLI_REGISTER_HELP '/tmp/sshgate-cli-help.txt' \
                      SSHGATE_GET_HELP \
                      SSHGATE_DISPLAY_HELP \
                      SSHGATE_DISPLAY_HELP_FOR

    ## register CLI contextual menus and CLI commands
    CLI_REGISTER_MENU 'user' 'User related commands'
    CLI_REGISTER_COMMAND 'user list' 'USERS_LIST'
    CLI_REGISTER_COMMAND 'user list ' 'USERS_LIST \1'
    CLI_REGISTER_COMMAND 'user add mail ' 'USER_ADD \1 \2'
    CLI_REGISTER_COMMAND 'user del ' 'USER_DEL \1'

    ## launch the CLI
    CLI_RUN
Industrialization
sshGate and ScriptHelper: build.sh builds a package to deploy; install.sh / uninstall.sh give quick & easy deployment; test.sh runs the tests