Friday, July 15, 2016

security - AWS Amazon EC2 - password-less SSH login for non-root users using PEM keypairs

We've got a couple of clusters running on AWS (HAProxy/Solr, PGPool/PostgreSQL) and we've setup scripts to allow new slave instances to be auto-included into the clusters by updating their IPs to config files held on S3, then SSHing to the master instance to kick them to download the revised config and restart the service. It's all working nicely, but in testing we're using our master pem for SSH which means it needs to be stored on an instance. Not good.



I want a non-root user that can use an AWS keypair who will have sudo access to run the download-config-and-restart scripts, but nothing else. rbash seems to be the way to go, but I understand this can be insecure unless setup correctly.



So what security holes are there in this approach:





  • New AWS keypair created for user.pem (not
    really called 'user')

  • New user on instances: user

  • Public key for user is in
    ~user/.ssh/authorized_keys (taken by
    creating new instance with user.pem,
    and copying it from
    /root/.ssh/authorized_keys)

  • Private key for user is in

    ~user/.ssh/user.pem

  • 'user' has login shell of
    /home/user/bin/rbash

  • ~user/bin/ contains symbolic links to
    /bin/rbash and /usr/bin/sudo

  • /etc/sudoers has entry "user
    ALL=(root) NOPASSWD: [path to
    scripts]

  • ~user/.bashrc sets PATH to
    /home/user/bin/ only


  • ~user/.inputrc has 'set
    disable-completion on' to prevent
    double tabbing from 'sudo /' to find
    paths.

  • ~user/ -R is owned by root with
    read-only access to user, except for
    ~user/.ssh which has write access for
    user (for writing known_hosts), and
    ~user/bin/* which are +x

  • Inter-instance communication uses

    'ssh -o StrictHostKeyChecking=no -i
    ~user/.ssh/user.pem user@[host] sudo [scriptname]'



Any thoughts would be welcome.



Mark...

No comments:

Post a Comment

linux - How to SSH to ec2 instance in VPC private subnet via NAT server

I have created a VPC in aws with a public subnet and a private subnet. The private subnet does not have direct access to external network. S...