Every now and then I get the odd request to provide remote support, troubleshooting and/or performance tuning on Linux systems.
Larger companies often already have well established procedures to provide remote access to vendors/suppliers and I only need to comply to those. (For better or for worse.)
On the other hand small companies and individuals invariably turn to me to instruct them with what they need to do to set up me up. Typically their servers are directly connected to the internet and the existing security measures consist of the defaults for whatever their Linux distribution is.
Nearly always I'll need root level access and whoever will be setting up access for me is not an expert sysadmin. I don't want their root password and I'm also pretty sure my actions won't be malicious, but what reasonably simple instructions should I give to:
- set up an account and securely exchange credentials
- set up root (sudo) access
- restrict access to my account
- provide audit trail
(And yes I'm aware and always warn those clients that once I do have admin access hiding any malicious actions is trivial, but let's assume that I have nothing to hide and actively participate in creating an audit trail.)
What can be improved on the steps below?
My current instruction set:
set up an account and securely exchange credentials
I provide a password hash and ask that my account is set up with that encrypted password, so we won't need to transmit a clear text password, I'l be the only one that knows the password and we don't start off with a predictable weak password.
sudo useradd -p '$1$********' hbruijn
I provide a public key SSH (specific key-pair per client) and ask they set up my account with that key:
sudo su - hbruijn
mkdir -p ~/.ssh
chmod 0700 ~/.ssh
echo 'from="10.80.0.0/14,192.168.1.2" ssh-rsa AAAAB3NzaC1y***...***== hbruijn@serverfault' >> ~/.ssh/authorized_keys
chmod 0600 ~/.ssh/authorized_keys
set up root (sudo) access
I ask the client to set up sudo for me with sudo sudoedit
or by using their favourite editor and append to /etc/sudoers
:
hbruijn ALL=(ALL) ALL
restrict access to my account
Typically the client still allows password based logins and I ask them to add the following two lines to /etc/ssh/sshd_config
to at least restrict my account to SSH keys only:
Match user hbruijn
PasswordAuthentication no
Depending on the client I'll route all my SSH access through a single bastion host to always provide a single static IP-address (for instance 192.168.1.2) and/or provide the IP-address range my ISP uses (for instance 10.80.0.0/14). The client may need to add those to a firewall whitelist if SSH access is restricted (more often than not ssh is unfiltered though).
You already saw those ip-addresses as the from=
restriction in the ~.ssh/authorized_keys
file that limits the hosts from which my key can be used to access their systems.
provide audit trail
Until now no client has asked me for that, and I have not done anything specific beyond the following to cover my ass:
I try to consistently use sudo
with individual commands and try to prevent using sudo -i
or sudo su -
. I try not to use sudo vim /path/to/file
but use sudoedit
instead.
By default all the privileged actions will then be logged to syslog (and /var/log/secure
):
Sep 26 11:00:03 hostname sudo: hbruijn : TTY=pts/0 ; PWD=/home/hbruijn ; USER=jboss ; COMMAND=sudoedit /usr/share/jbossas/domain/configuration/domain.xml
Sep 26 11:00:34 hostname sudo: hbruijn : TTY=pts/0 ; PWD=/home/hbruijn ; USER=root ; COMMAND=/usr/bin/tail -n 5 /var/log/messages
I have mostly gives up on customising my work environments, the only thing I really do is set the following in my ~/.bash_profile
increasing the bash history and to include time-stamps:
export HISTSIZE=99999999999
export HISTFILESIZE=99999999999
export HISTIGNORE="w:ls:ls -lart:dmesg:history:fg"
export HISTTIMEFORMAT='%F %H:%M:%S '
shopt -s histappend
The only thing that comes to mind would be to add
--expiredate
to theadduser
call.With that the customer knows that your access will automatically expire at a fixed date.
He still needs to trust you as you have root access and still could remove the expire flag.
You can record your sessions with the script(1) utility.
then everything is in session.log.
Since you are already logging in with an SSH public key, it would tighten things up a little if you didn't supply a password hash; instead tell them to use
adduser --disabled-password
(equivalently,useradd -p '!'
, I think), which is effectively equivalent toPasswordAuthentication no
for that account, plus there is no chance someone snooping on your email could brute-force the password hash and log in as you.Why provide a password at all, when you are going to use public/private keys.
Public keys are meant to be shared, so this is what you should use to securily exchange credentials, not hashed passwords.
sudo useradd --disabled-password hbruijn
When sending your public key, verify the fingerprint over a second channel, like a phone call, so you know nobody altered it on it's way in.
Since you won't have a password now to use sudo, you need to also alter your line in the sudoers file to
hbruijn ALL=(ALL) NOPASSWD:ALL
If you're not comfortable with having no password for sudo, and really want a password, there still is no need for you to send your hashed password, let the account be created without password, set your public key, and once your account is set up you can log in over ssh and run
passwd
to set your own password.