Keys to the Kingdom
Do NOT use trustedssh on systems you don't trust...
Home Helmer StrongBox Downloads Purchase Contact
StrongBox Authentication and Key Management

Background

StrongBox uses a secure, unique system for managing it's authentication and keys. This document describes how this works, and what tools are available to the user to make this process easier.

Public/Private Key Primer:

Public/private certificates and keys are used throughout StrongBox to create a much higher level of OS security. Simply put public/private keys are mathematical constructs that allow people to guarantee the origin and authenticity of data. In StrongBox, your configuration signing key is absolutely required in order to be able to update your configuration.

Other important points about keys:

  • Your key is your identity: nobody else should use your key.

  • If someone has your key, then they can access your servers and alter them with impunity

  • Keys that are lost or corrupted are not recoverable by any means

  • Changes made to StrongBox that are not signed with a valid key will be lost.

For a basic understanding of how a public/private key cryptography works, see: http://www.youdzone.com/signature.html. It's simple, illustrated, and explains the basic principles.

Configuration and OS Signing:

Because StrongBox is a cryptographically signed OS, there's more safeguards in place around actually making configuration changes. Each time you save a configuration, the following occurs:

  • The current running configuration is compared to the OS version on which it is based.

  • A list of changed files is made

  • An archive of all those changed files, and differences to the original versions is made

  • The user prompting for the save is prompted to add in comments that apply to the configuration being saved

  • These comments, a checksum of the archive and a date are put together into an S/MIME formatted file, which is signed by the user with their private key. The user's public certificate is also attached to the file.

  • Any verifications of the file are then performed based on the signature of the file, and the certificate included in the file.

There are a few important things to note about this method:

  1. You can't change a configuration file after you've saved it, as that would break the cryptographic signature and invalidate the file. Instead, you need to make a new one.

  2. The configuration changes are quickly and easily attributable to the user who saved them.

  3. If you don't have a certificate, or your certificate is invalid, your changes to configurations will not be acknowledged when the computer is rebooted -> they will be lost.

All this implies that you have a valid certificate and key. Your certificate and key allow you to administer StrongBox servers. Without them, you're locked out like any other would-be hacker.

StrongBox Signing Certificates and Keys:

StrongBox signing keys are very similar to the keys that web servers use for doing SSL. But, whereas these SSL certificates are for organizations, StrongBox certificates and keys are generally for particular people.

Because a key is so important for security, it needs to be kept safe. The recommended way of doing this is to keep it on a pocket USB flash card, a bluetooth phone, or something that you carry with you that your computer can access. This device, plus your encryption password, are both needed in order to access StrongBox based systems.

StrongBox provides services so that you can have your key sitting on your home computer, yet use that key to access and configure a computer half-way around the world. And, while normal unix authentication can work on StrongBox, the recommended way of authenticating is using these keys exclusively.

Using Keys for Authentication:

There are two different ways of using keys for authentication.

  1. Local private key authentication

In this method, you have the key available locally. You use the key's encryption passphrase as your authentication password. This is useful, as it allows you to have a secure password that no-one else can change. It allows your password to be stored using very high-grade encryption, not the lower grade provided by the unix shadow file. And it also allows you to have single-sign-on: you can then use the key that you've decrypted to log into other computers using remote public key authentication.

  1. Remote public key authentication:

In this method, you have the private keys available on your local computer, but only the public keys stored on the remote system. This allows you, and you alone, to authenticate to the remote system in a secure manner. It's also a zero trust method: you don't have to trust the remote system with your password, as you never have to give your key or password to the remote computer.

Setting up secure remote authentication in StrongBox:

StrongBox provides facilities for managing administrative users based on these keys. In order to administer administrative users and authentication, use “admuser”.

Admuser allows you to add new users and add authentication information for existing users.


lhelmer@fast1$ admuser
Sudoing to root to run /etc/scripts/admuser
First Name (): john
Last Name (): doe
User Name (jdoe):
Home Directory (/admins/jdoe):
Primary Group (admins):

So far, a new administrative user has been added with the username “jdoe”. This user is in the admins group, which gives him certain privileges on the system: for instance, access to the strongbox console, and a few other commands.

The next prompt asks what type of authentication to add for the user:
Add authentication information for the user.
What type would you like to add? (pass,cert,ssh):

Now, there's a couple of types of authentication that can be added. Ideally, on a shared box, you'd want to authenticate to the public key of your StrongBox cert, over SSH. This would mean that you'd have to have a version of ssh on your computer that has x.509 capability... which many do not. If you do, you'd want to link your certificate/private key file to your home directory at .ssh/identity. If you link to a file on your USB flash device, then you're even better off: you need to put in the USB flash device before you can log in to the remote computer, which is ideal.

If you want to do this, you need to extract an ssh public key from your certificate/key file. To do this, run:
lhelmer@fast1 lhelmer $ ssh-keygen -y -f .ssh/keys/lhelmer.pem > id.pub
Enter passphrase:
lhelmer@fast1 lhelmer $ cat id.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzQUIPfsD7rjDZp0ebYmHfRzv9bbzLKFzup
Zqwxvut5QsYQbmv8tN/CDstKQZwyi00i+tBYop043GVRteaE/Tv8X1Qb4sqKNhqHNwphoGH+0
MtjlS6xZK9m/fraUcYh5vYgUGN0MQPMtl/ng4e8NnexLJLxiUN87AKps8jB6YqgWAfH3/e0B1
y53fmV7WJGUESHXGVk49Y1hBnv+QVQcqQihcNo9PjbWGlYpxwDu2VBzInPSml6oTuO0xZLKEG
pBGW+i/EDXDAH7UjfSiQAv6MieuYnc2mjn+FI2wdTge7sAOwbpkD6vq0H29j3476V9Cx+nBcj
rhzP96VdGVQqdvF

This creates a public key suitable for framing... or adding to your authentication on a remote StrongBox system. You can then easily add it to your system. You can also have strongbox automatically create and add this public key for you:
lhelmer@fast1 lhelmer $ admuser jdoe
Sudoing to root to run /etc/scripts/admuser
SSH passphrase:
Username jdoe already exists.
Add authentication information for the user.
What type would you like to add? (pass,cert,ssh): ssh
Enter the directory or filename of the key (usb).Other options: ssh [ ask ], usb(1,2,3), boot, home: /admins/lhelmer/.ssh/keys/lhelmer.pem
Certificate lhelmer.pem information: VALID
Certificate lhelmer.pem information: VALID
StrongBox Purposes = patch,config,login,bundleconfig,bundlepatch
Valid From = Jul 15 21:38:57 2004 GMT
Valid Until = Jul 15 21:38:57 2005 GMT
subject=
countryName = CA
stateOrProvinceName = British Columbia
organizationName = Helmer Computing Corporation
organizationalUnitName = Head Office
commonName = Liam Helmer
emailAddress = lhelmer@strongboxlinux.com
Add key to authorized_keys?
y
Enter passphrase:

You've just allowed that user to connect, using the ssh public key from a certificate. You can also use any ssh public key file here, and admuser will automatically detect this and add it in soundlessly. Add authentication information for the user.
What type would you like to add? (pass,cert,ssh): ssh
Enter the directory or filename of the key (usb).Other options: ssh [ ask ], usb(1,2,3), boot, home: /admins/lhelmer/id.pub
File /admins/lhelmer/id.pub is not a certificate
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzQUIPfsD7rjDZp0ebYmHfRzv9bbzLKFzup
Zqwxvut5QsYQbmv8tN/CDstKQZwyi00i+tBYop043GVRteaE/Tv8X1Qb4sqKNhqHNwphoGH+0
MtjlS6xZK9m/fraUcYh5vYgUGN0MQPMtl/ng4e8NnexLJLxiUN87AKps8jB6YqgWAfH3/e0B1
y53fmV7WJGUESHXGVk49Y1hBnv+QVQcqQihcNo9PjbWGlYpxwDu2VBzInPSml6oTuO0xZLKEG
pBGW+i/EDXDAH7UjfSiQAv6MieuYnc2mjn+FI2wdTge7sAOwbpkD6vq0H29j3476V9Cx+nBcj
rhzP96VdGVQqdvF
Add key to authorized_keys? y

In this way, you can add in any public key to the ssh authentication for the box.

Setting up local authentication on StrongBox:

It's also possible to set up local authentication. This is less secure inherently: the authentication keys must reside on the box that is being logged in to, by definition.

There's a few ways to make this more secure. For starters, you can use submount to automatically mount a usb key, and link the .ssh/identity file to a file on the USB key. This would allow you to authenticate to your computer only when the USB key was attached. However, doing this is more situation dependant, and won't be covered here (yet).

In any case, you will probably need a backup method of getting into a box without rebooting it (for instance, if Internet access isn't working, USB isn't working, etc). For this, you can set up local keys on the box that can be authenticated to, or unix passwords.

I won't cover unix passwords, as they're very simple, and there's a million books on the unix password system. However, you also can use an ssh key as an authentication method for a particular StrongBox user like so:
lhelmer@fast1 lhelmer $ sudo su - jdoe
SSH-agent check
Connected to existing ssh-agent PID 3494
The agent has no identities.
jdoe@fast1 jdoe $ ssh-keygen -t rsa -b 2048
Generating public/private rsa key pair.
Enter file in which to save the key (/admins/jdoe/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /admins/jdoe/.ssh/id_rsa.
Your public key has been saved in /admins/jdoe/.ssh/id_rsa.pub.
The key fingerprint is:
58:7e:89:02:58:90:36:cc:cc:70:cf:5a:4d:e5:23:f6
jdoe@fast1.strongboxlinux.com

This user can now use this passphrase as a local authentication token, either for ssh or console/serial logins. Note that the key was added in as the user, not as an administrator: it's best to do it this way, for many reasons.

If you wanted to have your StrongBox private key loaded onto the computer, you can do so by selecting “cert”. Note: you should only do this on non-shared system (such as a laptop, or computer in your home or office behind your firewall that only you use). If someone gets your StrongBox key and decrypts it, they could potentially do all sorts of nasty things to all the servers that you administer with that key.

To do that, you'd run the following:
Username jdoe already exists.
Add authentication information for the user.
What type would you like to add? (pass,cert,ssh): cert
Enter the directory or filename of the key (usb).Other options: ssh [ ask ], usb(1,2,3), boot, home: /admins/lhelmer/.ssh/keys/lhelmer.pem
Certificate lhelmer.pem information: VALID
Certificate lhelmer.pem information: VALID
StrongBox Purposes = patch,config,login,bundleconfig,bundlepatch
Valid From = Jul 15 21:38:57 2004 GMT
Valid Until = Jul 15 21:38:57 2005 GMT
subject=
countryName = CA
stateOrProvinceName = British Columbia
organizationName = Helmer Computing Corporation
organizationalUnitName = Head Office
commonName = Liam Helmer
emailAddress = lhelmer@strongboxlinux.com
issuer=
countryName = CA
stateOrProvinceName = British Columbia
localityName = Vancouver
organizationName = Helmer Computing Corporation
organizationalUnitName = StrongBox Root
commonName = root-ca.strongboxlinux.com
emailAddress = hostmaster@strongboxlinux.com
Create ssh key from the cert (y/n):


This copies the key to the user's home directory at “.ssh/keys/certificatename.pem”, and links this file to their .ssh/identity file. The user can now use this certificate's passphrase to login, and have it automatically added to their ssh-agent when they login. This allows the user to have secure single-sign on to other computers that use that same key. Use this option wisely!

Single-signon, Trusted Systems, trustedssh:

In order to facilitate key management on multiple boxes, StrongBox has devised a system that will allow a user access to his own local keys on a remote box, in as secure a manner as possible. It's based around the principle of only having your keys available when you need them, and not at other times. To do this, there's several tools available to a user.

Submount allows you to keep your keys onto a USB flash device. This way, you can access important files securely and transparently, plugging the flash device in as you need it. This is a very good system security-wise, but is very impractical if you're hosting boxes elsewhere.

To facilitate having your keys on a local box, StrongBox allows you to connect to your local box over ssh. This is referred to by StrongBox as a “backconnect”, and allows you to login from a box further on a chain, back to your local box. Theoretically, this should work chained through many boxes... however, in practical terms, it probably shouldn't be used for more than 3 hops.

The basis of this is a script called “trustedssh” which is a wrapper to ssh. Only use this command when you need to have access to your keys on the remote box! The basic point of trustedssh is to allow the remote box to connect to your local computer, even through a firewall. Use this only on boxes that you know are safe!

Despite this warning, effort has been made to ensure that trustedssh works in a way that minimizes security exposure by default. Here's what the output of trustedssh looks like:
Syntax: /etc/scripts/trustedssh [ ssh args ] [ --knockpass= ] [ --fromip= ]
[ --noknock|knock ] [ --backport= ] [ --backto= ] [ --lock|nolock ]
[ --save ] [ --setdefault ] [ SSH OPTIONS ] HOST | USER@HOST

All ssh commands should work fine with trustedssh as well. The difference with trusted ssh are these:

  1. It only works for login shells

  2. It tries to use key authentication automatically

  3. It creates a connection from the remote host to the local host and passes information about that connection to the remote host.

  4. It performs port knocking if desired.

  5. It locks the ssh-agent by default, so that you don't have private keys exposed to attack immediately upon login -> you only expose them when you need to.

To connect to a remote host with trustedssh, use:
lhelmer@fast1 lhelmer $ trustedssh -l jdoe@fast2.strongboxlinux.com
export SSH_BACKPORT=60151 ; sed -i '/^export SSH_BACKPORT=60151/d' .profile
2048 22:3c:f1:fe:f5:df:78:02:37:b1:73:a4:70:14:16:6d /admins/lhelmer/.ssh/keys/lhelmer.pem (RSA)
Locking ssh-agent...
Enter lock password:
Again:
Agent locked.
Use "unlock" to unlock you ssh-agent identities
Enter passphrase for key '/admins/lhelmer/.ssh/identity':

This is the default mode for trustedssh -> it locks the ssh-agent before making it's connection to the remote server. You can then type in “unlock” on the remote side, to pass the password back to unlock the ssh-agent. Doing this relieves many of the vulnerabilities presented by using ssh-agent and trustedssh. Note of import: if a root-level administrator on the remote system wants to, they can use your ssh-agent connection to connect to your local box, and steal or destroy any and all information on your local system. Easily, and without any trouble. Do NOT use trustedssh on systems you don't trust.

For even better security, you should use ssh-askpass. This is a utility that brings up a password dialog on the local machine, when a key's passphrase is required on the remote machine. This is ideal, as it allows you to expose your keys on an as-needed basis, and doesn't open you up to keystroke logging attacks, etc.

If you want to change the configuration for connecting to a particular host, you can. For example, you can use:
lhelmer@fast1 lhelmer $ unlock keys
The agent has no identities.
Agent is either locked or simply has no keys
Enter lock password:
Agent unlocked.
2048 22:3c:f1:fe:f5:df:78:02:37:b1:73:a4:70:14:16:6d /admins/lhelmer/.ssh/keys/lhelmer.pem (RSA)
Enter passphrase for /admins/lhelmer/.ssh/keys/lhelmer.pem:
Enter passphrase for /admins/lhelmer/.ssh/keys/lhelmer.pem.hmm:
lhelmer@fast1 lhelmer $ trustedssh --knockpass=oogyboogy -l jdoe --knock --save --nolock fast1.strongboxlinux.com
Reading config from /admins/lhelmer/.ssh/trustedssh/jdoe@fast1.strongboxlinux.com
Writing config to /admins/lhelmer/.ssh/trustedssh/jdoe@fast1.strongboxlinux.com
export SSH_BACKPORT=60151 ; sed -i '/^export SSH_BACKPORT=60151/d' .profile
Last login: Wed Jul 21 22:53:35 2004 from localhost.localdomain

What this did was:

  1. Connect to ssh on the remote server

  2. Turn off the ssh-agent locking when logging into the remote server using ssh

  3. Automatically execute portknocking with the password “oogyboogy” before attempting the connection

  4. Logged in using the ssh private keys that are unlocked with the “unlock keys” command.

  5. Saved this configuration so that, next time, the knock password and the “nolock” status are saved for that username and that host.

This means that if I now execute the original command:
lhelmer@fast1 lhelmer $ trustedssh -l jdoe fast1.strongboxlinux.com
Reading config from /admins/lhelmer/.ssh/trustedssh/jdoe@fast1.strongboxlinux.com
Writing config to /admins/lhelmer/.ssh/trustedssh/jdoe@fast1.strongboxlinux.com
export SSH_BACKPORT=60151 ; sed -i '/^export SSH_BACKPORT=60151/d' .profile
Last login: Wed Jul 21 22:53:35 2004 from localhost.localdomain

I get the same result: the port knocking is performed, and no locking is done prior to the connection being made. While this is very convenient, but use this with caution.

Keymounts over trustedssh:

If you've signed on with trustedssh, you can now connect to your local key store. Simply execute:
jdoe@fast1 jdoe $ unlock keys
The agent has no identities.
Agent is either locked or simply has no keys
Enter lock password:
Agent unlocked.
2048 22:3c:f1:fe:f5:df:78:02:37:b1:73:a4:70:14:16:6d /admins/lhelmer/.ssh/keys/lhelmer.pem (RSA)
Enter passphrase for /admins/jdoe/.ssh/id_rsa:
Enter passphrase for /admins/jdoe/.ssh/keys/lhelmer.pem:
jdoe@fast1 jdoe $ keymount
Sudoing to root to run /etc/scripts/keymount
Connecting via ssh
2048 22:3c:f1:fe:f5:df:78:02:37:b1:73:a4:70:14:16:6d /admins/lhelmer/.ssh/keys/lhelmer.pem (RSA)
Agent already unlocked.
Mount dynamic:jdoe-localhost-60151 is not mountedMounting dynamic:jdoe-localhost-60151... Successful!

Keymount automatically puts in arguments. If you have a different username on the local computer, you'll have to enter in arguments for keymount to work properly:
jdoe@fast1 jdoe $ keymount ssh ask
Sudoing to root to run /etc/scripts/keymount
Connecting via ssh
2048 22:3c:f1:fe:f5:df:78:02:37:b1:73:a4:70:14:16:6d /admins/lhelmer/.ssh/keys/lhelmer.pem (RSA)
Agent already unlocked.
What username will you use to connect (jdoe):lhelmer
What directory on the remote server will you use: (/home/lhelmer/.ssh/keys):/admins/lhelmer/.ssh/keys
What server or ip will you connect to (localhost):
What port will you connct to (60151):
Mount dynamic:lhelmer-localhost-localhost is not mountedMounting dynamic:lhelmer-localhost-localhost...
Successful!

When you want to remove your keys (which you should do as soon as you're finished using them), you'll want to unmount your keys, and lock ssh again.
jdoe@fast1 jdoe $ lock
Sudoing to root to run /etc/scripts/keymount
Unmounting dynamic:lhelmer-localhost-localhost... Successful!
Unmounting keys from the terminal
2048 22:3c:f1:fe:f5:df:78:02:37:b1:73:a4:70:14:16:6d /admins/lhelmer/.ssh/keys/lhelmer.pem (RSA)
Password protecting ssh-agent
Enter lock password:
Again:
Agent locked.

At this point, your keys are safe... at least, until you unlock them again.

Caveats and Thoughts on Single Sign-on:

This single-signon system, while at least as secure as single-signon methods provided by other companies, is not perfect. There exist some attacks that can be used on this system, although they all involve having root access to the box in question. The reality is that if a user can log into a system using Single Sign-on, then the administrator of that system could potentially use their credentials. Unfortunately, this is true for every secure system out there, and there's very little way around it.

Alternatives require having a centralized domain for authentication. This is, in some cases, more secure, as it allows you to focus all your security on a single system. The StrongBox philosophy is different, however: the principle at work being to distribute the security as much as possible, so that no one compromised box can invalidate the security on the entire network.

As it is, StrongBox supports ldap and kerberos as authentication methods as well. This document doesn't cover those, there are many other documents available on the internet for how to do this.

Using Keys in the StrongBox Console:

Login is not the only time that StrongBox uses keys. The main reason for the single-signon method is to allow you to easily get to your StrongBox keys when you need them to sign configurations. And this configuration saving and signing takes place in the StrongBox console.

When you first run the StrongBox console, it won't have any key settings for you as a user. You need to enter “security settings” in the StrongBox console, and choose a key.

The settings for choosing a key are the same as with “keymount” above. If you want to automatically add in your local key store while administering a remote box, type in “ssh”. If you want to specify ssh options, type “ssh ask”. If you want to use a USB device, type usb, or usb1, or usb2 (depending on how many flash devices you have listed in /etc/vmounts/keys). Or, additionally, you can enter in any other path on the system. When you choose a key, that key's location will be saved into your strongbox profile, and used automatically the next time you go in.

In the StrongBox console, you'll need to, at the very least, select a volume on which to store patches. Patches are a set of changes from your installed StrongBox OS to the OS that you have running. Choose a volume that will be accessible at boot time. This includes any IDE or SCSI device, but it can also be a USB flash device, an LVM volume, or onboard compact flash. When you've made configuration changes to StrongBox, you can then choose “Save Current Configuration” in the StrongBox console. This will save an up to date patch onto the volume that you've selected. Once this is saved, you can then choose “Add to Boot Configuration”, which signs and commits the changes, and tells StrongBox to use this configuration the next time you reboot.

If you've done this once successfully, you shouldn't need to go through all the motions again the next time. Simply type: “strongbox quicksave” from the commandline, and you'll be able to save, sign, and commit the patch all in one easy step.

Kudos and Credits:

While I put everything together for the single-signon scheme, the credit for this goes to a number of people and groups:

The OpenSSH team:

http://www.openssh.org

The pam_ssh creator (Andrew J. Korty):

http://sourceforge.net/projects/pam-ssh/

The openssh – X.509 creator (Roumen Petrov):

http://roumenpetrov.info/openssh/

The openssl team:

http://www.openssl.org

Thanks to everyone!

Liam Helmer

StrongBox Linux

liam@strongboxlinux.com
home about products contact
© 2009 Helmer Computing Corp. All rights reserved.