Course Account SSH Keys: CSCF Administration

We use ssh and public keys to provide access to course accounts.

We have deployed an automated tool to propagate ssh keys to course accounts from home directories in the student region (i.e. one of the linux.student.cs.uwaterloo.ca systems). Authorized users of a course account will be able to ssh and scp from their preferred workstation into the course account, after a one-time key copy to their own student-environment account. An automated check for new keys happens once an hour.

If the tool needs to be run manually, run the following as root on ubuntu1804-002.student.cs.uwaterloo.ca:

/root/pull_ssh_keys_package/bin/pull-ssh-keys -f $COURSE_ACCOUNT_NAME

The -f option forces an update for the given course account, $COURSE_ACCOUNT_NAME.

If you need to be sure a user's keys are updated for all courses they are involved with, you can signal that their key information has changed. From any student-region host, touch $USER/.ssh/authorized_keys and the next automated run will update all known courses for that user.

More Detail on Implementation

The scripts run on a host which is in the student region; currently ubuntu1404-002.student.cs.uwaterloo.ca.

Scripts are located under /root/pull_ssh_keys_package (a long time ago in xhier package local_cron.student.cs.uwaterloo.ca, whence the structure):

  • export/crontab has two entries:
    • 0332h: egrep 'Teaching-(SE|CS)' /software/accounts/data/users |awk -F':' '{print $1}' > /software/local_cron.student.cs.uwaterloo.ca/data/group-accounts
    • every hour on the 4th minute: pipe the preceding data file to /root/pull_ssh_keys_package/bin/pull-ssh-keys, logging in /var/log/pull_ssh_keys.log

  • bin/pull-ssh-keys
    • perl script plus two perl libraries residing in subdirs Text and Algorithm
  • data/group-accounts - generated file, see crontab entry above. NOTE: The 0332h crontab seems to not be used anymore. Just edit this group-accounts file directly. Creating new course accounts happens rarely anyway.

As described in ST#64298, there is a patch to the sshd package to make this process work smoothly. The patch for xhiered Solaris is maintained by Jeff Voskamp in IST. The patch for linux.student.cs.uwaterloo.ca (currently ubuntu 9.10 LTS) is maintained by Daniel Allen. The openssh maintainers have approved the patch's inclusion (in principle) in the official release, which may happen in 2011; at some later point ubuntu should pick up the version. Until then, CSCF will maintain a patched sshd on linux.

The patch's purpose is to avoid a security hole with the "PermitUserEnvironment" sshd option, as described in the above ST. The patched format for PermitUserEnvironment allows our hosts to include the following sshd_config stanza:

PermitUserEnvironment REMOTEUSER

The automatically-generated authorized_keys data for each course-account will include REMOTEUSER via the following format:

$ cat .ssh/authorized_keys
environment="REMOTEUSER=drallen" ssh-dss AAAAB[...]+js1k= comment-such-as-user@host=

When a user logs in to the course account, sshd on the linux.student.cs.uwaterloo.ca host sets the REMOTEUSER variable in the session environment. Our default course-account login script uses it to cd to the proper course-account user directory. Without REMOTEUSER set, each login will involve a prompt "User Id?" to which the user should fill in their regular user-id.

The automatically generated authorized_keys data also includes a copy of the key without the REMOTEUSER variable, so if the connection happens without the patched sshd, authentication by public key will still occur.
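The following is an added example, not part of the CSCF tooling: a Python audit of a course account's authorized_keys content against the format described above. It flags any environment= option that sets a variable other than REMOTEUSER and any REMOTEUSER-tagged key that lacks its plain copy. The function names, the sample entries and the shortened key blobs are constructed for illustration.

```python
import re

ALLOWED_ENV = {"REMOTEUSER"}  # assumption: the only name the sshd_config stanza permits
# Leading options field: unquoted characters or "quoted strings", up to the first space.
OPTS = re.compile(r'((?:[^\s"]|"(?:\\.|[^"\\])*")+)\s+(.*)')
# Constructed sample: key blobs are shortened placeholders, not real keys.
SAMPLE = '''\
environment="REMOTEUSER=drallen" ssh-dss AAAAB3Nza1 drallen@host
ssh-dss AAAAB3Nza1 drallen@host
environment="REMOTEUSER=jdoe" ssh-rsa AAAAB3Nza2 jdoe@laptop
environment="PATH=/tmp/bin" ssh-rsa AAAAB3Nza3 odd@host
'''

def parse_entry(line):
    """Return (env_dict, key_blob) for one authorized_keys line, or None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options = ""
    if not line.startswith(("ssh-", "ecdsa-", "sk-")):
        m = OPTS.match(line)
        if not m:
            return None
        options, line = m.groups()
    fields = line.split()
    if len(fields) < 2:
        return None
    env = dict(re.findall(r'environment="([A-Za-z_]\w*)=([^"]*)"', options))
    return env, fields[1]

def audit(text):
    """Return findings for one course account's authorized_keys content."""
    findings, tagged, plain = [], {}, set()
    for n, line in enumerate(text.splitlines(), 1):
        entry = parse_entry(line)
        if entry is None:
            continue
        env, blob = entry
        for name in sorted(set(env) - ALLOWED_ENV):
            findings.append(f"line {n}: unexpected environment variable {name}")
        if "REMOTEUSER" in env:
            tagged[blob] = env["REMOTEUSER"]
        elif not env:
            plain.add(blob)  # key usable even without the patched sshd
    missing = [f"{u}: no plain copy of key" for b, u in tagged.items() if b not in plain]
    return findings + missing

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```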

See Also

For more information, see:

-- DanielAllen - 2013-11-02
-- AdrianPepper - 2015-04-13
-- YiLee - 2017-04-28
Topic revision: r5 - 2019-08-29 - FraserGunn