ssh-manager

🔐 Central SSH Management Service for AWS Linux EC2 🚦

Features

• Automatically allow/deny SSH access to servers
• Easily manage sudo access
• Centrally manage team's SHS Keys
• Only public SSH key is used, private key never leave user's workstation
• Leverage AWS IAM for service authentication
• SystemD Service
• Supports AMD64/ARM64

Manual

• Prepare Central Configuration once
• Add new servers by:
  • Complete Server Configuration
  • Install the service

It is strongly recommended updating the service once in a while

Central Configuration

1. Create configuration on AWS Secret which will hold a public ssh keys of your team members and server groups with a permissions mapping.

ℹ️ AWS Secret Structure

{
    "users": {
        "user.1": "ssh-rsa AAA...",
        "user.2": "ssh-rsa AAA...",
        "user.3": "ssh-rsa AAA...",
        "user.4": "ssh-rsa AAA...",
        "user.5": "ssh-rsa AAA...",
        "user.6": "ssh-rsa AAA..."
    },
    "server_groups": {
        "backend": {
            "sudoers": [
                "user.2"
            ],
            "users": [
                "user.1",
                "user.4",
                "user.5"
            ]
        },
        "poc": {
            "sudoers": [
                "user.1",
                "user.2",
                "user.4"
            ],
            "users": [
                "user.6"
            ]
        },
        "devops": {
            "sudoers": [
                "user.2"
            ],
            "users": [
                "user.3",
                "user.5"
            ]
        }
    }
}

2. Create IAM Policy to allow servers to fetch the secret.

ℹ️ AWS IAM Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "secretsmanager:GetSecretValue",
            "Resource": "arn:aws:secretsmanager:*:*:secret:<secret-name>"
        }
    ]
}

Server Configuration

1. Create a local configuration file /root/ssh-manager.yml

   secret_name: ssh-manager
   region: us-west-1
   groups:
     - devops
     - poc

   • secret_name (required) - AWS Secret name with a central configuration
   • region - AWS region where a Secret is stored. Default us-east-1
   • groups (required) - a list of server group names from a central configuration

2. Create and attach an IAM Roles or configure an IAM User to allow EC2's to fetch the secret.

   • If using User Authentication, configure the credentials for root user.

Installation

• Download installation script: curl https://raw.githubusercontent.com/ReasonSoftware/ssh-manager/master/scripts/install.sh --output install.sh (or install_arm64.sh)
  • Alternative script that relies on crontab: curl https://raw.githubusercontent.com/ReasonSoftware/ssh-manager/master/scripts/install_cronjob.sh --output install.sh (or install_cronjob_arm64.sh)
• Execute with elevated privileges: sudo bash install.sh

ℹ️ Manual Installation

• Create an application directory: mkdir -p /var/lib/ssh-manager

• Download latest release unzip to /var/lib/ssh-manager

• Create systemd service under /etc/systemd/system/ssh-manager.service with the following content:

  [Unit]
  Description=Central SSH Management Service for AWS Linux EC2
  Wants=network-online.target
  After=network-online.target
  
  [Service]
  Type=oneshot
  ExecStart=/var/lib/ssh-manager/ssh-manager
  StandardOutput=journal
  User=root
  
  [Install]
  WantedBy=multi-user.target
  

• Create systemd timer under /etc/systemd/system/ssh-manager.timer with the following content:

  [Unit]
  Description=Timer for Central SSH Management Service
  Wants=network-online.target
  After=network-online.target
  
  [Timer]
  Unit=ssh-manager.service
  OnBootSec=10min
  OnUnitInactiveSec=60min
  Persistent=true
  
  [Install]
  WantedBy=multi-user.target
  

• Reload systemd configuration: systemctl daemon-reload

• Enable ssh-manager service: systemctl enable ssh-manager.service

• Enable and start ssh-manager timer: systemctl enable --now ssh-manager.timer

ℹ️ Update

• Download latest release and replace /var/lib/ssh-manager/ssh-manager file

ℹ️ Uninstall

Decide what are you going to do with the users and either delete them (userdel -r <username>) or change their primary group to some other group (usermod -G <groupname> <username>)

• Delete systemd service and timer:

  systemctl stop ssh-manager.service
  systemctl stop ssh-manager.timer
  rm -f /etc/systemd/system/ssh-manager.*

• Delete application groups:

  groupdel ssh-manager-users
  groupdel ssh-manager-sudoers

• Remove %ssh-manager-sudoers ALL=(ALL) NOPASSWD: ALL entry from /etc/sudoers file

• Delete app directory rm -rf /var/lib/ssh-manager

• Delete local configuration file rm -f /root/ssh-manager.yml

Examples

• Logs

Notes

• This service strongly relies on Linux capabilities to manage users and group, and will require the following to operate: sudo/useradd/userdel/usermod/bash
• Users default shell will be set to bash
• Assuming sudoers file is /etc/sudoers
• Application directory /var/lib/ssh-manager will be created automatically
• Custom linux groups ssh-manager-users/ssh-manager-sudoers will be created with a GID's 32109/32108

License

Apache-2.0 © 2021 Reason Cybersecurity Ltd.