authKeys
Due to the nature of user-based SSH proxying, the gateway has to accept connections for the proxied users with their synchronized public keys, as well as the additional public keys needed for the proxying itself. It is therefore recommended to split the authorized_keys file into two. The default OpenSSH configuration often already sets two such files:
authorized_keys
authorized_keys2
If this is not the default on your system, it can be set with the line
AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
in /etc/ssh/sshd_config. For convenience, authorized_keys2 should be the file synchronized between the application server and the gateway, while authorized_keys stays under local control on each host.
If the contents of this file (i.e. the allowed public keys) change seldom, syncing it manually may be sufficient. For all other cases there are several solutions, described below.
Distributing the file via a network filesystem such as NFS or Samba, or a cluster filesystem such as Ceph or GlusterFS, is a well-tested solution. Its clear advantage is that the file is in sync on both hosts immediately. However, setting up a file server for this single file may be overkill.
A second variant is to copy the file regularly, e.g. via cron. The script sshproxy_syncfile does this; it checks whether the file has been modified before performing the transfer itself.
In preparation, an additional key pair should be generated so that password-less login from the SSH application server to the gateway is possible. The public key of that key pair should then be added on a separate line to authorized_keys on the gateway, restricted so that it can only be used for file transfer:
command="internal-sftp",restrict ssh-rsa ...
Because the forced command is internal-sftp, the transfer has to use the SFTP protocol (the sftp client, or scp from OpenSSH 9.0 onwards, which uses SFTP by default). The gateway should also make sure that authorized_keys itself cannot be tampered with afterwards through this restricted key, e.g. by keeping the file owned by root and not writable by the sync account, since internal-sftp still allows writing to any file that account owns. The easiest way to perform the regular copy is a cron script.
Alternatively, this can be done with a systemd timer. The corresponding files (sshproxy_syncfile.target and sshproxy_syncfile.timer) are provided.
As the timer should run as a specific user (e.g. sshapp), that user's session has to stay active permanently (not only after a login), so the following command should be executed as root on the application server:
loginctl enable-linger sshapp
Afterwards the timer can be enabled as that user with
systemctl --user enable sshproxy_syncfile.timer
For convenience, the file sshproxy_syncfile.cron is provided as a template for regular execution of the file synchronization via cron. The username and path in this file should be adjusted.
Compared with the systemd timer, the cron variant has the advantage that a mail is sent every time a public key is updated, and it is easier to set up. On the other hand, systemd's unit management is not available.
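The following is an added example of the change-gated copy described above, written for this page; it is not the project's sshproxy_syncfile script or its cron/systemd files. It records a SHA-256 digest of the last pushed copy and only contacts the gateway when the digest differs, and it uses sftp because the gateway's authorized_keys entry forces command="internal-sftp". The host name gateway.example, the account sshapp, the key file name sshproxy_sync and the state file name are assumptions.

```shell
#!/bin/sh
# Added example of a checksum-gated authorized_keys2 sync (not the
# project's sshproxy_syncfile). Assumed: the gateway forces
# command="internal-sftp" for the sync key, so the file is pushed with
# sftp; gateway.example, sshapp and sshproxy_sync are placeholder names.

SRC="${SRC:-$HOME/.ssh/authorized_keys2}"            # synced file on the app server
STATE="${STATE:-$HOME/.sshproxy_syncfile.sha256}"     # digest of the last pushed copy
REMOTE="${REMOTE:-sshapp@gateway.example}"            # assumed gateway account
REMOTE_PATH="${REMOTE_PATH:-.ssh/authorized_keys2}"   # relative to that account's home
# Assumed key, created with: ssh-keygen -t ed25519 -f ~/.ssh/sshproxy_sync -N ''
KEY="${KEY:-$HOME/.ssh/sshproxy_sync}"

# SHA-256 of a file; a content digest rather than mtime, so a plain
# touch of the file does not cause a transfer.
file_digest() {
    sha256sum "$1" | cut -d' ' -f1
}

# Exit status 0 when the source differs from the last pushed copy
# (or was never pushed), 1 when it is unchanged or does not exist.
needs_sync() {
    src="$1"; state="$2"
    [ -f "$src" ] || return 1
    [ -f "$state" ] || return 0
    [ "$(file_digest "$src")" != "$(cat "$state")" ]
}

# Push via sftp in batch mode: upload under a temporary name, then
# rename over the target so sshd never reads a half-written file.
push_file() {
    src="$1"; remote="$2"; dest="$3"
    printf 'put %s %s.tmp\nrename %s.tmp %s\n' "$src" "$dest" "$dest" "$dest" |
        sftp -q -b - -i "$KEY" -o BatchMode=yes -o IdentitiesOnly=yes "$remote"
}

# Entry point for cron or a systemd timer. The digest is stored only
# after a successful push, so a failed transfer is retried on the next run.
sync_if_changed() {
    needs_sync "$SRC" "$STATE" || return 0
    push_file "$SRC" "$REMOTE" "$REMOTE_PATH" || return 1
    file_digest "$SRC" > "$STATE"
    echo "authorized_keys2 pushed to $REMOTE"   # cron mails this line on change
}

# Only contact the gateway when explicitly asked, so sourcing the file
# for inspection or testing has no side effects.
if [ "${SSHPROXY_SYNC_NOW:-0}" = 1 ]; then
    sync_if_changed
fi
```

Run it from cron or the timer with SSHPROXY_SYNC_NOW=1 set in the environment; because the script prints a line only when a push actually happened, cron's mail on output gives the same "key updated" notification the page attributes to the cron variant.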