🧰 Installation & Deployment
The following guide covers how to install and deploy OpenPubkey SSH to enable SSH access without the use of SSH keys.
Prerequisites
OpenPubkey SSH requires the use of the Zero Trust Command Line Interface (ZLI), which is supported on macOS, Linux, and Windows devices.
OpenPubkey SSH provides SSH access to servers and containers running Linux.
Your remote server must be running OpenSSH 8.1 or later.
OpenPubkey SSH assumes that the person configuring the remote host(s) is already able to SSH to that box and has, at a minimum, sudo permissions on that machine.
OpenPubkey SSH supports only Google as an OpenID Provider (OP) at this time.
There Are Two Parts To Deploying OpenPubkey SSH:
Step 1: How To Configure the Client
OpenPubkey SSH is currently available only for those with a Google email (Gmail or G Suite).
Configuring OpenPubkey SSH (OPK SSH) is managed through the Zero Trust Command Line Interface (ZLI).
Please install the ZLI on your local machine and ensure it is version >= 6.36.1.
Once installed, you are ready to configure and authenticate with OPK SSH! See our guide for Accessing Your Remote Host if your host is already configured or continue with the instructions below.
Step 2: How To Configure Your Remote Server
Configuring a remote server with OPK SSH requires that:
The user has existing SSH access to the machine.
The user has, at a minimum, sudo permissions on the machine.
The host you are looking to secure has an entry in your local ~/.ssh/config file. The zli configure command relies on your ssh config to connect to your remote host. See What Does The Configure Command Do? for more details.
For collaborative access, the user with sudo permissions runs the configure command first, before non-root users add themselves to the policy file.
To configure your server to use OPK SSH, execute the following command from your terminal:
For example, this may look like zli configure opk alice@acme.co ec2-user@my-aws-box.
OPK SSH requires that there are no existing AuthorizedKeysCommand directives configured on your remote host. This is because when you initiate a connection to your server, sshd will run the first AuthorizedKeysCommand it finds in its configuration. If there is an existing command, the OPK verifier will not be run, and OPK SSH will not work.
To avoid this situation, when you configure your server, OPK SSH automatically comments out any existing AuthorizedKeysCommand directives in sshd_config. This is usually harmless, but before configuring, you may wish to check /etc/ssh/sshd_config so that you do not disrupt any existing access control processes you have previously set up.
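The two pre-flight checks above (a Host entry for the target in ~/.ssh/config, and no active AuthorizedKeysCommand in the server's sshd_config) can be scripted. The following is an added example, not part of the OpenPubkey or BastionZero tooling; the host alias, the sample config contents and the temporary file paths are constructed for the dry run, and on a real host you would point the second check at a copy of /etc/ssh/sshd_config fetched from the server.

```shell
#!/bin/sh
# Added example: pre-flight checks before running "zli configure opk ...".
# Not part of OPK SSH / the ZLI. All file paths and sample contents below are assumptions.

# Returns 0 if HOST_ALIAS appears on a "Host" line of the ssh client config FILE.
# ssh "Host" lines may list several patterns, so match the alias as a whole word.
# (The alias is interpolated into an ERE; keep it to plain hostname characters.)
has_ssh_config_host() {
    host_alias="$1"; file="$2"
    grep -Ei "^[[:space:]]*Host[[:space:]]+(.*[[:space:]])?${host_alias}([[:space:]]|$)" "$file" >/dev/null 2>&1
}

# Prints every active (uncommented) AuthorizedKeysCommand directive in an sshd_config FILE.
# Returns 0 if none is active, 1 otherwise. sshd honours only the first directive it finds,
# so any active one would shadow the OPK SSH verifier. sshd keywords are case-insensitive.
active_authorized_keys_commands() {
    file="$1"
    matches=$(grep -Ei '^[[:space:]]*AuthorizedKeysCommand[[:space:]]' "$file" 2>/dev/null)
    if [ -n "$matches" ]; then
        printf '%s\n' "$matches"
        return 1
    fi
    return 0
}

# Runs both checks and returns non-zero if either fails.
preflight() {
    host_alias="$1"; ssh_config="$2"; sshd_config="$3"; rc=0
    if has_ssh_config_host "$host_alias" "$ssh_config"; then
        echo "ok: $host_alias is defined in $ssh_config"
    else
        echo "missing: add a Host $host_alias entry to $ssh_config before running zli configure"
        rc=1
    fi
    if active_authorized_keys_commands "$sshd_config"; then
        echo "ok: no active AuthorizedKeysCommand in $sshd_config"
    else
        echo "warning: the active AuthorizedKeysCommand above would be commented out by zli configure"
        rc=1
    fi
    return $rc
}

# Constructed sample inputs for an offline dry run (not real host files).
tmp=$(mktemp -d)
cat > "$tmp/config" <<'EOF'
Host my-aws-box
    HostName 203.0.113.10
    User ec2-user
EOF
cat > "$tmp/sshd_config" <<'EOF'
# AuthorizedKeysCommand /usr/local/bin/old-verifier %u    (already commented out: harmless)
AuthorizedKeysCommand /opt/legacy/keys.sh %u
AuthorizedKeysCommandUser nobody
EOF

preflight my-aws-box "$tmp/config" "$tmp/sshd_config"
rm -rf "$tmp"
```

The dry run reports the ssh config entry as present and flags the legacy /opt/legacy/keys.sh directive, which is exactly the case where you would want to review what that command was doing before letting the configure step comment it out.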
With this configuration complete, your remote host is now able to facilitate SSH access through OPK SSH.
What Does The Configure Command Do?
The configure command does the following:
The ZLI uses the provided <Linux user>@<hostname> to connect to the host via SSH and executes a Bash script that:
Copies the OPK SSH binary to the host.
Creates or amends a policy file, policy.yml (creating it if it does not already exist), to allow access for the <Google email> as the <Linux user> to the <hostname>. In the example above, that configure command allows alice@acme.co to access my-aws-box as the ec2-user via OPK SSH.
Ensures the OpenPubkey SSH binary and the policy.yml file are both owned by root, with permissions set to 700 and 600 respectively.
Configures sshd to invoke the OPK SSH binary to check whether the user is authenticated when attempting to SSH into the server (in other words, enables sshd to recognize the AuthorizedKeysCommand).
Restarts sshd.
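The ownership, permission and sshd settings the configure script leaves behind are the security-relevant state on the host, so it is worth verifying them independently afterwards. The following is an added example, not the configure script itself or any BastionZero tooling: the binary and policy paths are placeholders passed in as arguments (the page does not state where the binary is installed), and the offline dry run uses files owned by the current user, whereas on a real host the owner argument should be root and the config path /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example: verify the host state described under "What Does The Configure Command Do?".
# Not part of OPK SSH / the ZLI. Binary and policy paths are placeholders supplied by the caller.

# Returns 0 if FILE exists with exactly the octal MODE and is owned by OWNER.
# find(1) is used because its -perm/-user tests behave the same on GNU and BSD userlands.
check_file_hardening() {
    file="$1"; mode="$2"; owner="$3"
    [ -n "$(find "$file" -maxdepth 0 -perm "$mode" -user "$owner" 2>/dev/null)" ]
}

# Returns 0 if sshd_config FILE has exactly one active AuthorizedKeysCommand and its program
# path is BINARY. Only the program path (second field) is compared; any arguments sshd passes
# after it (for example %u) are ignored. Keyword matching is case-insensitive, as in sshd.
sshd_uses_verifier() {
    file="$1"; binary="$2"
    paths=$(awk 'tolower($1) == "authorizedkeyscommand" { print $2 }' "$file" 2>/dev/null)
    [ "$(printf '%s\n' "$paths" | grep -c .)" -eq 1 ] && [ "$paths" = "$binary" ]
}

# Checks binary (700), policy file (600) and the sshd directive; OWNER defaults to root.
verify_opk_host() {
    binary="$1"; policy="$2"; sshd_config="$3"; owner="${4:-root}"; rc=0
    if check_file_hardening "$binary" 700 "$owner"; then
        echo "ok: $binary is owned by $owner with mode 700"
    else
        echo "fail: $binary must be owned by $owner with mode 700"; rc=1
    fi
    if check_file_hardening "$policy" 600 "$owner"; then
        echo "ok: $policy is owned by $owner with mode 600"
    else
        echo "fail: $policy must be owned by $owner with mode 600"; rc=1
    fi
    if sshd_uses_verifier "$sshd_config" "$binary"; then
        echo "ok: sshd invokes $binary as its only AuthorizedKeysCommand"
    else
        echo "fail: $sshd_config lacks a single active AuthorizedKeysCommand pointing at $binary"; rc=1
    fi
    return $rc
}

# Constructed dry run with files owned by the current user (a real check uses root).
tmp=$(mktemp -d)
binary="$tmp/opk-ssh-verifier"          # placeholder path, not the real install location
policy="$tmp/policy.yml"
: > "$binary";  chmod 700 "$binary"
: > "$policy";  chmod 600 "$policy"
# sshd requires AuthorizedKeysCommandUser whenever AuthorizedKeysCommand is set.
printf 'AuthorizedKeysCommand %s %%u\nAuthorizedKeysCommandUser nobody\n' "$binary" > "$tmp/sshd_config"

verify_opk_host "$binary" "$policy" "$tmp/sshd_config" "$(id -un)"
rm -rf "$tmp"
```

Running it with the default owner against the real paths after zli configure should print three "ok" lines; a "fail" on the policy file is the typical sign that someone later edited policy.yml with a permissive umask, which is worth catching since that file is the host's access policy.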
How To Test OPK SSH Is Configured Correctly
To test that your setup was successful:
Run the following command to SSH to the remote host you configured:
If your SSH command successfully connects, then you no longer need to rely on your existing SSH keys.
If you’re unable to connect after configuring and logging in, you may need to make additional changes to your server-side SSH configuration. See Troubleshooting for assistance.
Remove Your SSH Keys
Product feedback? Send us a note at product@bastionzero.com.