I must admit that I like servers without passwords in some cases. A typical server is vulnerable to anyone who has physical access to it. So in some cases it is practical to lock it physically and from then on trust any physical access.
Basic concepts
In theory, when I physically reach such a server, I should be able to perform administration tasks without a password by simply typing root as the login and I shouldn't be asked for a password. The same may apply to user accounts but one would not really access them physically. Therefore no system passwords are needed for (occasional) local access.
When accessing the server remotely, either for administration or for a user account, I expect to always use an SSH private key. It is very easy to set up an SSH key for a newly created account and thus no system passwords are needed for (regular) remote access.
# user=...
#
# useradd -m "$user"
# sudo -i -u "$user"
$ keyurl=...
$
$ mkdir -p .ssh
$ curl -o .ssh/authorized_keys "$keyurl"
The conclusion is that, in theory, we wouldn't need any system passwords for use cases like that. So the question is, how do we configure the system and user accounts to make it happen in a consistent and secure way?
Local access details
How do we ensure the root account can be accessed locally without a password? I don't think we can use passwd -d as that will make root access too permissive and an unprivileged user could switch to root for free, which is wrong. We cannot use passwd -l as it prevents us from logging in.
Remote access details
Until recently the above solution would work but now SSH started to check for locked user accounts. We probably cannot use passwd -d for the same reasons. We cannot use passwd -u as it just complains that it would lead to what passwd -d does.
There's a workaround with a dummy password for this part.
user=...
echo -ne "$user:`pwgen 16`\n" | chpasswd
It might also be possible to turn off locked account checking in SSH entirely but it would be nicer to retain the support of locked accounts and just be able to unlock them.
Final notes
What I'm interested in is a solution that would allow you to log in to the root account locally and all accounts including root remotely, without any passwords. I'm ready to improve the structure of the question if it helps.
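To check which of the states discussed above each account is actually in, this added example (not part of the original post) classifies the password field of shadow(5)-format lines: empty after passwd -d, prefixed with "!" after passwd -l. It assumes the Linux shadow-utils conventions; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): classify the password field
# of shadow(5)-format lines read on stdin and print "name state".
classify_shadow() {
    awk -F: '
        /^#/ || NF < 2 { next }
        {
            pw = $2
            if (pw == "")                     state = "empty"     # after passwd -d
            else if (substr(pw, 1, 1) == "!") state = "locked"    # after passwd -l
            else if (pw == "*")               state = "unusable"  # no hash can match
            else if (substr(pw, 1, 1) == "$") state = "hashed"    # modular crypt hash
            else                              state = "other"
            print $1, state
        }'
}

# Names of accounts that can be entered with no password at all.
empty_password_accounts() {
    classify_shadow | awk '$2 == "empty" { print $1 }'
}

# Constructed sample input; the hashes are placeholders, not real ones.
sample_shadow() {
    cat <<'EOF'
root::19000:0:99999:7:::
alice:!$6$constructedsalt$constructedhash:19000:0:99999:7:::
bob:$6$constructedsalt$constructedhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
carol:!:19000:0:99999:7:::
EOF
}

sample_shadow | classify_shadow
```

On a real system, run it as root with classify_shadow < /etc/shadow.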