FreeBSD.org intrusion and how to use SSH Keys and SSH-Agent

Great excuse to write about how to use ssh keys securely by password protecting the keyfile: On Sunday 11th of November 2012 FreeBSD.org has suffered an intrusion on two machines that contained third party software (packages, ports) within the FreeBSD.org cluster. For details about this read this Incident Report. As far as i can guess from the report and the news, it appears the intruder gained access to the affected systems by means of a developers ssh key that was not protected by a passphrase.

General

SSH keys + passphrase are a great way to enhance the security of remotely logging into your machines via ssh by utilizing two factor authentication (something you have + something you know).

Requirements and assumptions

  • 2 SSH capable machines (FreeBSD in this case)
  • full admin privileges (to keep it simple)

Preparing the target server
Run cat /etc/ssh/sshd_config and make sure your targets sshd_config contains the following settings. On my system, these where commented out defaults so i did not have to do anything.

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile     .ssh/authorized_keys

Now on your source machine (say your laptop):

Generate your SSH Keys by issuing the command ssh-keygen. A simple ssh-key will generate a rsa key with 2048 bits, which is believed to me more than sufficient. I use the “-b 4096″ option to have my keys created with 4096 bit, just because i can. Make sure you pick a nice and long (as long as you can) passphrase, as that is the point of this whole excercise.

devbox# ssh-keygen -b 4096
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): *******************
Enter same passphrase again: *******************
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
7c:e6:e1:26:05:77:95:6e:d6:d7:3f:4a:f5:b2:d7:f9 root@devbox
The key's randomart image is:
+--[ RSA 4096]----+
|              .. |
|             ..  |
|        . . .. ..|
|       . o .  +.+|
|        S =  o. +|
|         * . ...o|
|        . + . .o+|
|         o   ...o|
|               .E|
+-----------------+
devbox# 

After the above your keys have been created and placed into whatever directory you picked, the default being ~/.ssh

devbox# ls -l .ssh
total 8
-rw-------  1 root  wheel  3326 Nov 19 14:06 id_rsa
-rw-r--r--  1 root  wheel   745 Nov 19 14:06 id_rsa.pub
devbox# 

Notice you have id_rsa denoting your private key, and id_rsa.pub denoting your public key. The private key is what you have to keep secret, while the public key is what you can send to your friends, use as your e-mail signature, or more commonly place onto your server so you can use it to authenticate yourself for login.

Now we need to copy our public key to our target server, and since we are not using Linux we cannot use ssh-copy-id:

# This command appends the contents of your public key to the targets authorized_keys file
# If the above command fails, it could be that you have to login to your target server first and create the ~/.ssh directory.
# Make sure that the targets .ssh directory is chmod 700 and owned by the target user
cat ~/.ssh/id_rsa.pub | ssh -v user@targetserver 'cat - >> ~/.ssh/authorized_keys'

Now that you have copied your public key, try this command from the source machine and enter your passphrase when prompted:

# ssh should try your key by default
ssh -v user@targetserver

# in case it does not
ssh -vi ~/.ssh/id_rsa.pub user@targetserver

If you are greeted by your servers shell prompt, congratulations. You have just logged in using a keyfile protected by a passphrase. If you need to do this many times a day, then entering in the long passphrase will get rather boring. Of course you could setup the keys without entering a passphrase, but i hope its obvious by now that that would not be a good idea – if you ever loose control of your private key, the finder can use it to login without password. Pretty much what i think happened in the referenced freebsd.org incident, and pretty much what i think happens in a lot of incidents involving unauthorized ssh access.

Setting up SSH-Agent

If you still want to login without entering the passphrase each time, ssh-agent to the rescue. It asks your for your passphrase once at the beginning of each session (say you rebooted your laptop), and not again after that.

Start ssh-agent from your console on your source machine

devbox# ssh-agent 
setenv SSH_AUTH_SOCK /tmp/ssh-wGCWm0EqgEWx/agent.1003;
setenv SSH_AGENT_PID 1004;
echo Agent pid 1004;
devbox# 

Now that the agent is started, use ssh-add to add your private key.

devbox# ssh-add .ssh/id_rsa
Enter passphrase for .ssh/id_rsa: 
Identity added: .ssh/id_rsa (.ssh/id_rsa)
devbox# 

Now try and login to your target machine, and if everything went right, you will not be prompted for your password! Now the one thing you will want to take care of is not to leave your shell unattended. Read about Locking your shell

Speak Your Mind

*