Support for Restricted Authorized SSH Key Authentication
When configuring SSH key authentication on Linux/Unix, an authorized key can be restricted to certain commands.
Safeguard does not currently support full management of a restricted authorized key (i.e. the restriction is not reconfigured if the key is rotated by Safeguard).
However, a restricted key can be used to authenticate a service account if management of the service account's key is not required.
This example configures a restricted authorized key and uses it to authenticate a service account in Safeguard to check and change account passwords. It uses a custom platform script that is available in the SSH sample scripts directory in this repo.
```sh
ssh-keygen -t rsa -f ~/.ssh/executeExample
cat ~/.ssh/executeExample.pub >> ~/.ssh/authorized_keys
```
In this example, the key is only permitted to execute the shell script /allowedcmds/executeExample.sh.
Edit the key line in authorized_keys to add the command option before the key:
```
command="/allowedcmds/executeExample.sh" ssh-rsa key
```
When a client authenticates with a restricted key, sshd runs the forced command instead of the command the client requested, and makes the requested command available in the environment variable SSH_ORIGINAL_COMMAND. The forced-command script can use this to validate the command before executing it.
Add the following lines to the file /allowedcmds/executeExample.sh:
```sh
#!/bin/sh
# Forced-command wrapper: sshd places the command the client asked for in SSH_ORIGINAL_COMMAND.
# Take the first word of that command.
cmd=$(echo "$SSH_ORIGINAL_COMMAND" | cut -f 1 -d ' ')
# Only commands whose first word is "sudo" are executed. Note that only the first word is
# checked, so any sudo invocation the service account is permitted to make can be reached here.
if [ "$cmd" = "sudo" ] ; then
    $SSH_ORIGINAL_COMMAND
    exit $?
fi
echo "COMMAND NOT PERMITTED: $SSH_ORIGINAL_COMMAND"
exit 1
```
Ensure that the selected service account has passwordless access to sudo. The sudo commands required by the script in this example are '/usr/bin/passwd name', '/usr/bin/id name' and '/usr/bin/cat /etc/shadow'.
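The wrapper above accepts any command whose first word is "sudo". The following is an added example, not the repository's script, of a stricter wrapper that allow-lists only the three sudo invocations listed above; it assumes the platform script issues exactly the forms "sudo /usr/bin/id NAME", "sudo /usr/bin/passwd NAME" and "sudo /usr/bin/cat /etc/shadow", and the account-name pattern is an assumed policy.

```sh
#!/bin/sh
# Added example, not the repository's script: a forced-command wrapper that allow-lists
# the three sudo invocations the RestrictedAuthorizedKeyExample platform script needs,
# instead of accepting any command whose first word is "sudo".
# Assumption: the platform script issues exactly "sudo /usr/bin/id NAME",
# "sudo /usr/bin/passwd NAME" and "sudo /usr/bin/cat /etc/shadow".

set -f   # never glob-expand the untrusted command string when it is word-split below

# is_account_name NAME -> 0 if NAME is a plain local account name, 1 otherwise.
# Assumed policy: starts with [a-z_], then only [a-z0-9_-], at most 32 characters.
is_account_name() {
    case "$1" in
        ""|[!a-z_]*|*[!a-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# is_allowed "COMMAND LINE" -> 0 if the requested command is on the allow-list, 1 otherwise.
is_allowed() {
    # shellcheck disable=SC2086
    set -- $1                       # split into words, as the original wrapper's cut(1) does
    [ "$#" -eq 3 ] || return 1      # exactly: sudo <program> <argument>
    [ "$1" = "sudo" ] || return 1
    case "$2" in
        /usr/bin/cat)                [ "$3" = "/etc/shadow" ] ;;
        /usr/bin/id|/usr/bin/passwd) is_account_name "$3" ;;
        *)                           return 1 ;;
    esac
}

# When sshd runs this as the forced command, SSH_ORIGINAL_COMMAND holds what the client asked for.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if is_allowed "$SSH_ORIGINAL_COMMAND"; then
        # every word has passed the checks above, so plain word-splitting is safe here
        # shellcheck disable=SC2086
        exec $SSH_ORIGINAL_COMMAND
    fi
    echo "COMMAND NOT PERMITTED: $SSH_ORIGINAL_COMMAND" >&2
    exit 1
fi
```

Any other command form the platform script turns out to need must be added to the allow-list explicitly.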
Test the restricted key by running an ssh command on the host using the private key:
```sh
ssh -i path_to_private_key_file -l serviceaccountname ipaddress sudo /usr/bin/id
```
Import the RestrictedAuthorizedKeyExample custom platform script to Safeguard as a new custom platform. The script can be found here: RestrictedAuthorizedKeyExample Custom Platform.
In Safeguard, create a new asset using the new RestrictedAuthorizedKeyExample custom platform. In the Connection Details, select the following:
- Authentication Type: SSH Key
- SSH Key Generation and Deployment: Import an SSH Key that I will deploy myself
- Import SSH Key: Browse to the path of the generated private key file that matches the configured authorized key