How to set up secure access to servers for remote work



Here on Habr there are already dozens of articles telling how people went through the transition to remote work, how they survived the first days, then how the first week went, and so on. Occasionally some practical advice slipped in between the descriptions of emotions. We, as people with 12 years of experience in remote server administration, decided to talk about a tool without which remote work turns into a rather dangerous undertaking for your business. Why? Because people think about anything (first of all, of course, about the damned free 40 minutes in Zoom), but not about security. More precisely, of course you have thought about this issue, but we bet it was not first in line?

And a counter-question: we wonder where your thoughts led. After all, your colleagues, sitting in cozy apartments and houses, reach the company's servers from unprotected equipment over insecure channels and literally touch those servers with all of that...

We want to share with you the open-source version of the tool our company uses as a bastion server. It is called DevOpsProdigy Isolate Authentication Server.

How it works


1. Isolate adds a one-time password (OTP) as a second factor to the SSH login. You can use a YubiKey hardware token or the Google Authenticator app for this. Even if a user's account password is compromised, without the OTP secret an attacker cannot use it to get onto the Isolate server. The two-factor authentication is implemented with a PAM module; you can read more about this in this older article.

2. Users do not get direct access to the end servers: every connection passes through the Isolate server, and the system monitors and records all of their activity.

All user actions come down to two commands:

s <search-str> - search for information by project name or server name. The information is stored in the built-in Redis database, which is protected by authentication.

g <ip-address> / g <project-name> <server-name> - this command launches /usr/bin/ssh. The arguments for the call (for example, username, IP address, port, proxy) are taken from the database rather than from the user's command line.

3. It is easy to manage access to the authentication server: add or remove users, and so on. The readme contains a large number of usage examples for the commands auth-add-user, auth-add-host, etc.

Technically, you need to generate a key pair for the Isolate server and install its public key on the destination servers, while your users get an ordinary account on the Isolate server with sudo rights for ssh only.

When a user wants to connect to a destination server, the system runs the ssh command for him. Because the ssh client is launched under a privileged user, it can read the key, and with that key the system in turn gets access to the desired server; the user's own account never gets hold of the key.
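The `s` and `g` commands and the sudo-to-ssh mechanism described above, as an added example that is not Isolate's own code: a dict stands in for Isolate's Redis host database, the key path, log path, project names, users and addresses are constructed for the example, and the wrapper is meant to be the only command users are allowed to run through sudo. Every argument handed to /usr/bin/ssh comes from the inventory, never from what the user typed, and each connection is written to an audit line before the process turns into the ssh client.

```python
# Added example (not Isolate's code): a g/s-style bastion wrapper run via sudo.
import json
import os
import shlex
import sys
import time

SSH_BIN = "/usr/bin/ssh"
ISOLATE_KEY = "/opt/isolate/keys/isolate_rsa"  # assumed path, readable only by the privileged user
AUDIT_LOG = "/var/log/isolate-audit.log"         # assumed path

# Constructed inventory standing in for the Redis database: project -> server -> parameters.
INVENTORY = {
    "shop": {
        "db-1": {"ip": "10.10.0.11", "port": 22, "user": "isolate"},
        "web-1": {"ip": "10.10.0.21", "port": 2222, "user": "deploy",
                  "proxy": {"ip": "203.0.113.5", "port": 22, "user": "isolate"}},
    },
    "blog": {
        "app-1": {"ip": "10.20.0.7", "port": 22, "user": "isolate"},
    },
}


def search(query: str, inventory: dict = INVENTORY) -> list:
    """`s <search-str>`: case-insensitive substring match on project, server name or IP."""
    q = query.lower()
    hits = []
    for project, servers in inventory.items():
        for name, params in servers.items():
            if q in project.lower() or q in name.lower() or q in params["ip"]:
                hits.append(f"{project} {name} {params['ip']}:{params['port']}")
    return sorted(hits)


def resolve(args: list, inventory: dict = INVENTORY):
    """`g <ip>` or `g <project> <server>`: return the stored parameters, or None if unknown."""
    if len(args) == 1:
        for servers in inventory.values():
            for params in servers.values():
                if params["ip"] == args[0]:
                    return params
    elif len(args) == 2:
        project, name = args
        if project in inventory and name in inventory[project]:
            return inventory[project][name]
    return None


def build_ssh_argv(params: dict, key_path: str = ISOLATE_KEY) -> list:
    """Arguments for /usr/bin/ssh, all taken from the database record."""
    argv = [SSH_BIN, "-i", key_path,
            "-o", "IdentitiesOnly=yes",   # offer only Isolate's key
            "-o", "BatchMode=yes",        # never fall back to interactive password prompts
            "-p", str(params["port"]), "-l", params["user"]]
    proxy = params.get("proxy")
    if proxy:
        # OpenSSH 7.2 on Ubuntu 16.04 has no -J, so hop with ProxyCommand and -W.
        hop = (f"{SSH_BIN} -i {shlex.quote(key_path)} -o IdentitiesOnly=yes -W %h:%p "
               f"-p {proxy['port']} {proxy['user']}@{proxy['ip']}")
        argv += ["-o", "ProxyCommand=" + hop]
    argv.append(params["ip"])
    return argv


def audit_record(actor: str, argv: list, now=None) -> str:
    """One JSON line per connection: who called sudo, when, and the exact ssh command."""
    ts = int(now if now is not None else time.time())
    return json.dumps({"ts": ts, "user": actor, "cmd": argv}, sort_keys=True)


def main(argv: list) -> int:
    # Under sudo, SUDO_USER is the real person; the process itself runs as the key owner.
    actor = os.environ.get("SUDO_USER") or os.environ.get("USER", "unknown")
    if argv[:1] == ["s"] and len(argv) == 2:
        print("\n".join(search(argv[1])))
        return 0
    if argv[:1] == ["g"] and len(argv) in (2, 3):
        params = resolve(argv[1:])
        if params is None:
            print("no such host in the database", file=sys.stderr)
            return 1
        cmd = build_ssh_argv(params)
        with open(AUDIT_LOG, "a") as log:
            log.write(audit_record(actor, cmd) + "\n")
        os.execv(cmd[0], cmd)  # replace this process with the ssh client; does not return
    print("usage: s <search-str> | g <ip-address> | g <project-name> <server-name>", file=sys.stderr)
    return 2


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

The point of `IdentitiesOnly=yes` and `BatchMode=yes` is that the privileged ssh client can only ever authenticate with the bastion's key and can never prompt a user for a password he might type into the wrong place; the point of looking the target up by key rather than passing free text is that nobody can smuggle extra ssh options or a different host through `g`.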

That's all. Isolate is installed on CentOS 7 / Ubuntu 16.04 / Debian 9. Ansible 2.3+ is also required.

We cannot help noting that DevOpsProdigy Isolate is also useful in "peacetime": with it you can stay calm about your servers even if someone loses a laptop with an SSH key. And when an employee who had access leaves the company, you will not have to rush to change all the passwords and keys. We are now preparing a list of improvements and features for the current version of this tool that are already implemented in our internal system. We welcome wishes, issues and PRs in our GitHub repository. For discussions and questions there is also a Telegram chat and a Slack chat.

So remote work in your company may now become a little easier, and for sure much safer. Good luck!
