Shell user logins -- DreamHost best practices

Submitted by todd on Sun, 02/01/2009 - 21:20

For all of my DreamHost shell users, I've made all their passwords long, random passwords that are (near) impossible to hack.  This makes them near impossible to remember as well, so I use ssh public key authentication for all shell users.

Update: See 1st comment, below.

Table of Contents 
  1. The Setup / Discussion
  2. Actual Steps

The Setup / Discussion

For both the main user (the user set up when the account was created) and the "user"/"web" user pairs that run the actual hosted sites, I have their passwords set to these long strings.  In the discussion below, user "M" is the main user and users "U" and "W" are a representative pair of "user" and "web" users respectively.  Note: users must be created with the " Enhanced security?" setting set to false.

I have my main public key (my lappy's public key) installed in M's .ssh/authorized_keys file.  That gets me in the front door.

I have a script in ~M/bin called sshU ("ssh" + username) that reads:
ssh U@localhost
(I have one such script for every "user" user.)

I have a generated and unencrypted key pair for M called id_rsa.localhost.<username>/id_rsa.localhost.<username>.pub that is used for these purposes only.  To ensure that this key is only used for shelling to another user's account, I have the following lines in M and U's .ssh/config files:

Host localhost
    IdentityFile ~/.ssh/id_rsa.localhost.<username>

I put the public key in ~U/.ssh/authorized_keys (as well as the authorized_keys files of all the other "user" users).  This allows me to shell to any of the "user" users without a password.

I do a similar setup to shell from the "user" user to the "web" user.  (Almost never have to do this -- mainly only to check web logs.)  I have a script called "sshweb" in ~U/bin that reads:
ssh M@localhost
I have a similar key and .ssh/config setup as above.

If I happen to be doing some big development on a website owned by user "U" and want to be able to shell directly to that account (say to do sshfs mounts or to use sftp to transfer files), I simply put my lappy's public key in the authorized_keys file of the appropriate "user" user.  I generally remove it when I'm done, returning me to the state of only being able to shell into the main user's (M's) account.

Actual Steps

Here's how you actually place those key files.  This assumes that the "user" user and "web" user "U" and "W" (respectively) already have been created  in the DreamHost panel and have easy to use passwords.  (We'll update their passwords to impossible to hack/user ones afterwards.)  This list of steps starts with the generation of the main user's ("M") internal public key and the placing of that key in U's space thru the similar process for creating/placing a key of U's in W's space.  Below, the prompt indicates user and current directory -- i.e. "[user dir] $".  In all commands substitute real usernames for "M", "U", and "W"...

Create M's internal key and ssh config file

  1. $ ssh M@<your domain>
    (accept thumbprint and enter M's password)
  2. [M ~] $ mkdir .ssh ; chmod 0700 .ssh ; cd .ssh
    (.ssh directories HAVE to be non group/world accessible for the sshd to use them)
  3. [M .ssh] $ ssh-keygen
    (enter name "id_rsa.localhost.M"; hit enter for passphrase, i.e. no passphrase)
  4. [M .ssh] $ vi id_rsa.localhost.M.pub
    (change the text at the end to (something like): "M internal key for localhost usage")
  5. [M .ssh] $ cat id_rsa.localhost.M.pub
    (copy this from your terminal to some buffer)
  6. [M .ssh] $ cat > config
    (enter following lines (ctrl-D to end):
    Host localhost
            IdentityFile ~/.ssh/id_rsa.localhost.M
    )

Install M's public key in U's space:

  1. [M ~] $ ssh U@localhost
    (accept the thumbprint for the server, enter U's password)
  2. [U ~] $ mkdir .ssh ; chmod 0700 .ssh ; cd .ssh
  3. [U .ssh] $ cat > authorized_keys
    (copy the contents of M's id_rsa.M.pub from above; ensure there's only one line in file.)
  4. [U .ssh] $ chmod 0600 authorized_keys
  5. [U .ssh] $ exit

Create the 'sshU' script to allow shelling to U's accoutn (from M's):

  1. [M ~] $ mkdir ~bin
    (not necessary if you already have it, of course)
  2. [M ~] $ cd ~/bin
  3. [M bin] $ cat > sshU
    (enter in this line (ctrl-D to end):
    ssh U@localhost
    )

Add ~/bin to your PATH (in your ~/.bashrc file) if not already there.

The process of creating U's personal key is exactly the same as above, substituting "U" for "M" and "W" for "U".  After this is done, you can change the passwords of all your DreamHost users w/ the panel.

 

 

Free Tag:

Comments

todd

Tue, 02/16/2010 - 17:42

The functionality described in this post is now available in the setupUserPair.sh script -- a part of my DreamHost script library.

Anonymous (not verified)

Thu, 07/22/2010 - 21:15

So now someone just needs to hack that one box and presto, all your keys are compromised. Ensure that you add a strong passphrase on your private key.. -Tony

todd

Tue, 08/24/2010 - 23:47

I keep all my stuff on a web host (see the 'dreamhost' tag for more), so it's really nothing more than a way to categorize sites.  The two-user practice keeps sites more secure as the executing user has no write permission on the files.

For all users installed, I make the actual user password a random string of 16 characters that isn't recorded anywhere.  Access is (effectively) only by ssh -- and those users have only authorized keys of the 'master' user installed. 

It's true that if the private key of the master user was retrieved, it'd give an attacker full access.  But, it's only on my laptop (and pass-phrase encrypted at that).  If someone stole my laptop, I could have the webhost support blow away my public keys (or just the public key that corresponds to the private key on the lost lappy).  

I suppose someone could install a key logger on my machine and steal my passhprase to go w/ my private key... but then they could also just come up behind me and hit me on the head until I logged in for them....  :^)