/ssh-manager

:closed_lock_with_key: Central SSH Management Service for AWS Linux EC2 :vertical_traffic_light:

Primary LanguageGoApache License 2.0Apache-2.0

ssh-manager

Release Release Go Report Card License

🔐 Central SSH Management Service for AWS Linux EC2 🚦

PIC

Features

  • Automatically allow/deny SSH access to servers
  • Easily manage sudo access
  • Centrally manage team's SHS Keys
  • Only public SSH key is used, private key never leave user's workstation
  • Leverage AWS IAM for service authentication
  • SystemD Service
  • Supports AMD64/ARM64

Manual

It is strongly recommended updating the service once in a while

Central Configuration

  1. Create configuration on AWS Secret which will hold a public ssh keys of your team members and server groups with a permissions mapping.
ℹ️ AWS Secret Structure
{
    "users": {
        "user.1": "ssh-rsa AAA...",
        "user.2": "ssh-rsa AAA...",
        "user.3": "ssh-rsa AAA...",
        "user.4": "ssh-rsa AAA...",
        "user.5": "ssh-rsa AAA...",
        "user.6": "ssh-rsa AAA..."
    },
    "server_groups": {
        "backend": {
            "sudoers": [
                "user.2"
            ],
            "users": [
                "user.1",
                "user.4",
                "user.5"
            ]
        },
        "poc": {
            "sudoers": [
                "user.1",
                "user.2",
                "user.4"
            ],
            "users": [
                "user.6"
            ]
        },
        "devops": {
            "sudoers": [
                "user.2"
            ],
            "users": [
                "user.3",
                "user.5"
            ]
        }
    }
}
  1. Create IAM Policy to allow servers to fetch the secret.
ℹ️ AWS IAM Policy
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "secretsmanager:GetSecretValue",
            "Resource": "arn:aws:secretsmanager:*:*:secret:<secret-name>"
        }
    ]
}

Server Configuration

  1. Create a local configuration file /root/ssh-manager.yml

    secret_name: ssh-manager
    region: us-west-1
    groups:
      - devops
      - poc
    • secret_name (required) - AWS Secret name with a central configuration
    • region - AWS region where a Secret is stored. Default us-east-1
    • groups (required) - a list of server group names from a central configuration
  2. Create and attach an IAM Roles or configure an IAM User to allow EC2's to fetch the secret.

    • If using User Authentication, configure the credentials for root user.

Installation

  • Download installation script: curl https://raw.githubusercontent.com/ReasonSoftware/ssh-manager/master/scripts/install.sh --output install.sh (or install_arm64.sh)
    • Alternative script that relies on crontab: curl https://raw.githubusercontent.com/ReasonSoftware/ssh-manager/master/scripts/install_cronjob.sh --output install.sh (or install_cronjob_arm64.sh)
  • Execute with elevated privileges: sudo bash install.sh
ℹ️ Manual Installation
  • Create an application directory: mkdir -p /var/lib/ssh-manager

  • Download latest release unzip to /var/lib/ssh-manager

  • Create systemd service under /etc/systemd/system/ssh-manager.service with the following content:

    [Unit]
    Description=Central SSH Management Service for AWS Linux EC2
    Wants=network-online.target
    After=network-online.target
    
    [Service]
    Type=oneshot
    ExecStart=/var/lib/ssh-manager/ssh-manager
    StandardOutput=journal
    User=root
    
    [Install]
    WantedBy=multi-user.target
    
  • Create systemd timer under /etc/systemd/system/ssh-manager.timer with the following content:

    [Unit]
    Description=Timer for Central SSH Management Service
    Wants=network-online.target
    After=network-online.target
    
    [Timer]
    Unit=ssh-manager.service
    OnBootSec=10min
    OnUnitInactiveSec=60min
    Persistent=true
    
    [Install]
    WantedBy=multi-user.target
    
  • Reload systemd configuration: systemctl daemon-reload

  • Enable ssh-manager service: systemctl enable ssh-manager.service

  • Enable and start ssh-manager timer: systemctl enable --now ssh-manager.timer

ℹ️ Update
  • Download latest release and replace /var/lib/ssh-manager/ssh-manager file
ℹ️ Uninstall

Decide what are you going to do with the users and either delete them (userdel -r <username>) or change their primary group to some other group (usermod -G <groupname> <username>)

  • Delete systemd service and timer:

    systemctl stop ssh-manager.service
    systemctl stop ssh-manager.timer
    rm -f /etc/systemd/system/ssh-manager.*
  • Delete application groups:

    groupdel ssh-manager-users
    groupdel ssh-manager-sudoers
  • Remove %ssh-manager-sudoers ALL=(ALL) NOPASSWD: ALL entry from /etc/sudoers file

  • Delete app directory rm -rf /var/lib/ssh-manager

  • Delete local configuration file rm -f /root/ssh-manager.yml

Examples

Notes

  • This service strongly relies on Linux capabilities to manage users and group, and will require the following to operate: sudo/useradd/userdel/usermod/bash
  • Users default shell will be set to bash
  • Assuming sudoers file is /etc/sudoers
  • Application directory /var/lib/ssh-manager will be created automatically
  • Custom linux groups ssh-manager-users/ssh-manager-sudoers will be created with a GID's 32109/32108

License

Apache-2.0 © 2021 Reason Cybersecurity Ltd.