Every now and then I get the odd request to provide remote support, troubleshooting and/or performance tuning on Linux systems.
Larger companies often already have well established procedures to provide remote access to vendors/suppliers and I only need to comply to those. (For better or for worse.)
On the other hand small companies and individuals invariably turn to me to instruct them with what they need to do to set up me up. Typically their servers are directly connected to the internet and the existing security measures consist of the defaults for whatever their Linux distribution is.
Nearly always I'll need root level access and whoever will be setting up access for me is not an expert sysadmin. I don't want their root password and I'm also pretty sure my actions won't be malicious, but what reasonably simple instructions should I give to:
- set up an account and securely exchange credentials
- set up root (sudo) access
- restrict access to my account
- provide audit trail
(And yes I'm aware and always warn those clients that once I do have admin access hiding any malicious actions is trivial, but let's assume that I have nothing to hide and actively participate in creating an audit trail.)
What can be improved on the steps below?
My current instruction set:
set up an account and securely exchange credentials
I provide a password hash and ask that my account is set up with that encrypted password, so we won't need to transmit a clear text password, I'l be the only one that knows the password and we don't start off with a predictable weak password.
sudo useradd -p '$1$********' hbruijn
I provide a public key SSH (specific key-pair per client) and ask they set up my account with that key:
sudo su - hbruijn
mkdir -p ~/.ssh
chmod 0700 ~/.ssh
echo 'from="10.80.0.0/14,192.168.1.2" ssh-rsa AAAAB3NzaC1y***...***== hbruijn@serverfault' >> ~/.ssh/authorized_keys
chmod 0600 ~/.ssh/authorized_keys
set up root (sudo) access
I ask the client to set up sudo for me with sudo sudoedit or by using their favourite editor and append to /etc/sudoers:
hbruijn ALL=(ALL) ALL
restrict access to my account
Typically the client still allows password based logins and I ask them to add the following two lines to /etc/ssh/sshd_config to at least restrict my account to SSH keys only:
Match user hbruijn
PasswordAuthentication no
Depending on the client I'll route all my SSH access through a single bastion host to always provide a single static IP-address (for instance 192.168.1.2) and/or provide the IP-address range my ISP uses (for instance 10.80.0.0/14). The client may need to add those to a firewall whitelist if SSH access is restricted (more often than not ssh is unfiltered though).
You already saw those ip-addresses as the from= restriction in the ~.ssh/authorized_keys file that limits the hosts from which my key can be used to access their systems.
provide audit trail
Until now no client has asked me for that, and I have not done anything specific beyond the following to cover my ass:
I try to consistently use sudo with individual commands and try to prevent using sudo -i or sudo su -. I try not to use sudo vim /path/to/file but use sudoedit instead.
By default all the privileged actions will then be logged to syslog (and /var/log/secure):
Sep 26 11:00:03 hostname sudo: hbruijn : TTY=pts/0 ; PWD=/home/hbruijn ; USER=jboss ; COMMAND=sudoedit /usr/share/jbossas/domain/configuration/domain.xml
Sep 26 11:00:34 hostname sudo: hbruijn : TTY=pts/0 ; PWD=/home/hbruijn ; USER=root ; COMMAND=/usr/bin/tail -n 5 /var/log/messages
I have mostly gives up on customising my work environments, the only thing I really do is set the following in my ~/.bash_profile increasing the bash history and to include time-stamps:
export HISTSIZE=99999999999
export HISTFILESIZE=99999999999
export HISTIGNORE="w:ls:ls -lart:dmesg:history:fg"
export HISTTIMEFORMAT='%F %H:%M:%S '
shopt -s histappend
