Automation with SSH tunneling
In the last post I covered how SSH key pairs can be used as a form of two-factor authentication, commonly known as 2FA. In this post I’ll be covering SSH as a means to establish secure communications between systems. SSH provides a way to run commands on remote hosts, whether they are nodes on a local network or across the globe. The key pair is what lets the remote host admit only clients that hold the correct private key.
First we’ll start by generating the key pair. This creates a public key, which will be placed on the remote host, and a private key, which remains on the client. Typically, I create the key pair on the client: it is much more secure to send a public key to a host than to send a private key. I’m using Linux, so this command starts the key pair generation. Again, I run this from the client that will be establishing the SSH connection to the host.
ssh-keygen -t rsa -b 2048 -C "Clientname to Hostname created yyyymmdd"
I like to add a comment to the public key so I can tell which client it belongs to and when the key pair was created. Keys should be changed periodically, and having the timestamp helps with key management. Now that the key pair has been created, we need to copy the public key to our remote host.
On the remote host, I paste the public key text into the "%h/.ssh/authorized_keys" file. The authorized_keys file is located in the hidden folder named .ssh in the user’s home directory. The public key line should look something like the one below. I have several lines in my authorized_keys file so that multiple clients can connect.
ssh-rsa AAAAB3NzaC1yc2EAAAADAQA6…M1g9MUCk9BKNA SeattleClient to DallasHost created 20170214
Next, we’ll need to set the options on the host’s SSH service configuration. It’s good practice to make a backup of your configuration before starting, just in case.
sudo cp /etc/ssh/sshd_config{,.bak}
Now we can edit the sshd_config file for the options we’ll need. You’ll need to modify the file so that these entries are set.
PermitEmptyPasswords yes
PasswordAuthentication no
Restart your host when done. Now from your client system you should be able to establish an SSH tunnel to the host using nothing more than the key pair. Try to connect from another client that does not have a key pair registered with the host. You should get this message.
Permission denied (publickey).
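Before restarting, it is worth checking the edited file the way sshd reads it: only the first uncommented occurrence of a directive counts, anything under a Match block is conditional, and PermitEmptyPasswords only governs password logins to accounts with an empty password, so it plays no part in key authentication and is best left at its default of no. The script below is an added example, not from the original post; it audits a copy of sshd_config against these points, using two constructed sample files rather than a real host's configuration, and assumes a stock OpenSSH server.

```shell
#!/bin/sh
# Added example (not from the original post): audit a copy of sshd_config for
# the key-only login settings described above, before the service is restarted.

# effective_value FILE DIRECTIVE
# sshd honours the first uncommented occurrence of a keyword (case-insensitive),
# and settings under a "Match" block are conditional, so stop at the first Match.
# Prints the value in lower case, or nothing if the directive is absent.
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*(#|$)/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key    { print tolower($2); exit }
    ' "$1"
}

# audit_sshd_config FILE: returns 0 when only key-pair logins are permitted.
# Absent directives take the OpenSSH defaults (assumption: stock sshd).
audit_sshd_config() {
    cfg=$1; status=0
    pw=$(effective_value "$cfg" PasswordAuthentication);  pw=${pw:-yes}
    pk=$(effective_value "$cfg" PubkeyAuthentication);    pk=${pk:-yes}
    empty=$(effective_value "$cfg" PermitEmptyPasswords); empty=${empty:-no}
    [ "$pw" = no ]    || { echo "WEAK: PasswordAuthentication $pw (set to no)"; status=1; }
    [ "$pk" = yes ]   || { echo "WEAK: PubkeyAuthentication $pk (key logins off)"; status=1; }
    [ "$empty" = no ] || { echo "WEAK: PermitEmptyPasswords $empty (unrelated to keys; leave at no)"; status=1; }
    [ "$status" -eq 0 ] && echo "OK: $cfg allows key-pair logins only"
    return "$status"
}

# Constructed samples (not real host files): the post's two lines, and a hardened set.
DEMO=$(mktemp -d)
cat > "$DEMO/post.conf" <<'EOF'
# sshd_config as edited in the post, plus a Match block that must be ignored
PermitEmptyPasswords yes
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes
EOF
cat > "$DEMO/hardened.conf" <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
EOF
audit_sshd_config "$DEMO/post.conf"       # prints the WEAK line, returns 1
audit_sshd_config "$DEMO/hardened.conf"   # prints OK, returns 0
```

Run `sudo sshd -t` afterwards to have sshd itself validate the file's syntax before restarting the service.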
Having the ability to seamlessly establish a secure connection to the shell lets us automate processes across systems. We can then schedule scripts on the client that connect to the remote host and execute commands there.