Secure login for support personnel
I’m working on an appliance system where we occationally need to give access to support personnel to log in. They can’t use the customers admin accounts, and we also don’t want to maintain any shared passwords. We only want to allow support to log in when there’s an active incident, and the access should be short lived.
To achieve this, we utilize OpenSSH certificate based authentication. Our support organization has a central CA on a secure system. This was generated using:
# ssh-keygen -t ed25519 -f support_ca -C "ACME Support CA"
This generates 2 files. The “support_ca” private key, and the support_ca.pub public key. The support_ca.pub file is installed into the appliances as /etc/ssh/support_ca.pub.
On our appliances, we have the support account “acmesupport”, and the /etc/ssh/sshd_config section:
Match User acmesupport
TrustedUserCAKeys /etc/ssh/support_ca.pub
AuthorizedPrincipalsFile /etc/ssh/authorized_principals/acmesupport
AuthenticationMethods publickey
To make sure access is only granted on a per-system basis, we grant the access based on certificate principals named “acmesupport-
# mkdir -p /etc/ssh/authorized_principals/
# echo acmesupport-$(dmidecode -s system-serial-number) \
> /etc/ssh/authorized_principals/acmesupport
# cat /etc/ssh/authorized_principals/acmesupport
acmesupport-ABC123456
When support needs access, we have a service that that generates the needed keys using:
# ssh-keygen -t ed25519 -N "" -f acmesupport
# ssh-keygen \
-s support_ca \
-I ticket-4711 \
-n acmesupport-ABC123456 \
-V +0d:+1d \
acmesupport.pub
and serves the generated files “acmesupport-cert.pub” and “acmesupport” to the support personnel. They can then log into the system using “ssh -i acmesupport acmesupport@IP-ADDRESS”. The access will then only be valid for 24 hours, and it will be logged in the SSH access log that this access was for the specified ticket:
appliance sshd[5640]: Accepted publickey for acmesupport from ::1 port 34180 \
ssh2: ED25519-CERT ID ticket-4711 (serial 0) CA ED25519 SHA256:YUBNOhTHd7biqAz1FyBfFNbqwFbpEcNALFthuouMc0Q
Potential issues
- Probably we should password protect the acmesupport private key, for extra protection against leakage.
- How do we handle initially system provisioning where local clock might not be accurate ? Can we trust that clock is always less accurate or less than todays date?