Avatar of Brahmanatha
Brahmanatha
 asked on

SSH Keys Best Practices Guidance

This is not really a problem requiring a solution, unless you consider ignorance a problem.  I am a newbie in the use of SSH keys. It's easy to find info on a) how to make them, b) how to install. But I'm still a bit in the dark on best practices of how to use them. So this is a "request for mentoring" post.

Context/Background:

Linux CentOS 6.2 Web server running  plain vanilla web server with VirtualMin/WebMin wrapper/control panel. Server lives with GoGrid in their data center in San Franscisco, CA
All web site(s) content reside in /home/someuser/public_html (multiple sites)
Admin can log in as root if he need to do anything anywhere outside of /home... which is actually very rare.
More typical daily requirement is done by logging in with SFTP in an FTP client, as a specific user into into one of the "web directories" (/home/ApplesAreFruitDomain/public_html/*)
Goals: 1.) I want to set up ssh keys on the machine here (in hawaii) so that the users on the LAN are not necessarily having to enter a user name and password for every log in.
2. For some users on the LAN, I only want them to be able access 1 or 2 of the web sites in /home... not all of them.
3. Occasionally you have the typical requirement to install the keys of some remote developer "rajan"  who lives in India/Brasil/Toronto etc.. to work on a single web site. then later revoke access.
What I know now: I create some key here on my local machine. copy the public key to the server, cd to a given directory then run the install command and I get an "authorized-keys" folder. mv the public key in there. All that much is info widely available on the net.

Questions

If you want an admin to be able to access *all* folders in /home, but nothing up the directory tree (no system file access) where do you put the authorized keys folder?
From the above you can see I assume that keys in a top directory grant access permissions to all keys in subdirectories below that one. Is this assumption correct?
The corollary is, to state the obvious, if we have "/home/BrillianMoon/.ssh/authorized-keys" then users coming in with matching private keys will only have access to the BrilliantMoon directory and sub tree folders/files. Please confirm
To put the question in a more vague open way: where is the best place to install authorized keys?

Please do not feel you need to limit your answers to the above scope. I looking for "best practices" from security veterans who make the use of SSH key a daily part of their working regimen.  I may have to split the points across a lot of answers. If you had 15 minutes to tell someone the best thing to do, what would you tell them?

Thanks (from someone who learned it all since 1986, "just by doing" but lacks any formal computer science education.)
Linux SecuritySecurityWeb Components

Avatar of undefined
Last Comment
Brahmanatha

8/22/2022 - Mon
SOLUTION
arnold

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
SOLUTION
Member_2_406981

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
SOLUTION
Log in to continue reading
Log In
Sign up - Free for 7 days
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
Brahmanatha

ASKER
@Arnold: while I understand your thought "What you want is to use extended ACLS, and group memberships in combination with sudo"  I don't think I want to start "messing" with the default permissions.  Too much "management" overhead. As a "plain vanilla web server"   /home/someWebSiteOwner/public_html  means that we have users set up which match the domain folder.  I can (and have in the past) created users in /home independent of the web domain owners/users' folders. They then have to have the password for root or one or another of the other web users to switch to work as that user depending on their clearance level.

 But I'm not only looking to allow login, but to build desktop thin client to do rSync ... so I think we need to use "shared keys"  as someone else suggested to me (without a lot of info) I assume this means creating a ssh public key in /home/BrilliantMoon/.ssh/authorized_keys... and then pass the private key around inside your team... probably not the  best practice, now matter how trusted everyone is...

@ Andreas: I think you have the key Missing Brain Factor for me here:  "No: a key in top directory will not grant access to subdirectories. The key will give access to all diectories the user has rights to access according to the filesystem ACLs. Users with a private key matching /home/BrillianMoon/.ssh/ private key can access all files BrillanMoon can access. Usually this files are the files in the home directory of the user and some files."  OK, sheesh, that's simple and obvious enough.

Understood... can we expand on that?:  

7) If remote users Lakshmi, Tom, Andre, Jan each have a key in /home/BrilliantMoon/.ssh/authorized_keys/  (4 different keys)  when they log in they each "become" user "BrilliantMoon" Correct?   Can authorized keys have rational file names like "rajan_id_rsa.pub"  so that you know which key belongs which player?  I probably can find that info on the net.

8)  So another way to great a "group" would be to simply put Lakshmi's keys into 2  webdomain owner user folders if I want her to be able to access 2 domains. Right?

@jan: Yes, I'm allowing root log in now... and part of this whole discussion is to shut that down as soon as I get the SSH Keys thing working. It's a bit "scary" to look at the secure logs and see how aggressive the break in attempts are... non-stop  (odd increase of hacking attempts from China... years ago I use to see lots from Russia.  Thanks... I'll investigate lShell and ssh v2 ( don't know about the first, I think our box may already be configured for ssh v2... I will have to check.
SOLUTION
Log in to continue reading
Log In
Sign up - Free for 7 days
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
Brahmanatha

ASKER
@jan: "you have no way to delineate what one access janedoe or johndoe have using the same account."  True, but if I want a thin client on the desktop to do rSync with the server without requiring passwords. I don't think I have a choice.  Right now the default set up by virtualMin is for  all web files in /home/BrilliantMoon/ are set to owner BrilliantMoon, group BrilliantMoon. Now.. I suppose I could take a cue from arnold and add "Janedoe" to group "brilliantMoon"  and set up a user /user/janedoe/.ssh/authorized_keys/   and then when she logged in besides her own folder she could work in BrilliantMoon. but then I have to reset all permissions so that files can be edited by group (a pain)...

re root log in: you are absolutely right.. I'll probably implement this by the end of next week.

Re White Listing IP's What about trusted team players logging in from a Java Cafe in Rio, and the ISP is using DHCP for assigning IP's from the block owned by the Cafe: This is a real use case I'm talking about here...  My top man may have  have bandwidth trouble at home (where he works) or just feel like he needs to get out of the house and goes to work in a nearby cafe with a legion of other Brasilian web wizards. I don't think the IP can be known in advance.  There is more and more of this kind of roaming log in, even among our home team, with laptops being so portable, and open wireless networks springing up everywhere  -- at the hospital, waiting in the dentist office, while traveling on the road in India with a mobile wireless web connection ISB modem/stick... you can even talk to your web server  in San Francisco while driving from Rishikesh to Delhi! On on a United flight from Singapore to LA... (all real use cases where connectivity is available, and I want to safely enable access). Typically the kind of use I'm talking about will have my desktop client which will do rync to sync with files he is developing or posting... where a) we are not going thru a web UI like WordPress b) he also doesn't know anything about "terminal" .. he thinks "terminal" is a place airplanes go to... So I'm thinking the safest thing is to set him up with keys for those domains he's allowed to work with and then my desktop app simply does rync log ins under the hood and it all works.  But  "trusted IPs" may not be an option.
SOLUTION
Log in to continue reading
Log In
Sign up - Free for 7 days
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
SOLUTION
Log in to continue reading
Log In
Sign up - Free for 7 days
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
ASKER CERTIFIED SOLUTION
Log in to continue reading
Log In
Sign up - Free for 7 days
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
SOLUTION
Log in to continue reading
Log In
Sign up - Free for 7 days
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
Brahmanatha

ASKER
@ arnold:

FYI... it seems you can set setfacl to make future folders and file inherit permissions... found this on Slash Dot

up vote 4 down vote accepted
      

I actually found something that so far does what I asked for, sharing here so anyone who runs into this issue can try out this solution:

sudo setfacl -Rdm g:groupnamehere:rwx /base/path/members/
sudo setfacl -Rm g:groupnamehere:rwx /base/path/members/

Open in new window

R is recursive, which means everything under that directory will have the rule applied to it.
d is default, which means for all future items created under that directory, have these rules apply by default. m is needed to add/modify rules.
Experts Exchange is like having an extremely knowledgeable team sitting and waiting for your call. Couldn't do my job half as well as I do without it!
James Murphy
arnold

Note, the owner of the files, can remove the extended ACL this is why you should consider using a cron job that will reapply the Extended ACL.
Brahmanatha

ASKER
Thanks to everyone for helping on this. I believe I have a good understanding... I gave Andreas a slight few more points for address my "black hole" on keys directly, but all the other advice is extremely helpful...

At least enough clear information in my head that I can turn off root access right away. I'll great a user for myself right away for terminal log in  and I can sudo as root from there as needed. (very rare that we need to touch the OS config).

Then starting with the SSH keys. I'll probably stick with the "shared keys" strategy that Andreas (and others on the LiveCode forum" because even if  we use setfacl... users will still need to go through a prompt/login. Though it would be interesting to see if you put  /home/arnold/.ssh/authorized_keys  and then used setfacl to give arnold permissions to read and write to /home/brilliantmoon/public_html.   what would happen... could he make new folders? would they still be accessible to brilliantmoon?  but testing that should be obvious.  I'll do my home work on the net for setfacl if it looks like a tool I'll need later