Using Secure Unattended Proxy (SUP)


Introduction

  • Initial Setup for Using the SUP
  • Generate an NCCS SUP Key (Once a Week)
  • Using the SUP for Unattended File Transfers and Other Functions
  • Additional SUP Notes

    Initial Setup for Using the SUP


    One-Time Setup for the NCCS SUP Server

    The one-time setup with the NCCS SUP server includes steps to activate your SUP account and set your SUP password, and then copy your authorized_keys file to the NCCS SUP complex.
    1. Activate your NCCS SUP account and set your NCCS SUP password:
      1. Get your login activated on the NCCS SUP complex by contacting NCCS User Services (support@nccs.nasa.gov or 301-286-9120).  NCCS User Services will contact you with your temporary SUP password.
      2. Change your initial NCCS SUP password via sup_passwd on palm:
        1. Log on to palm.nccs.nasa.gov.
        2. Run the sup_passwd command to change your temporary SUP password:
          sup_passwd
          Changing LDAP password for username
          New password: new-password
          Re-enter new password: new-password
          Enter LDAP Password: old-password
          Result: Success (0)
          Note that your new password is requested first, and your original password is requested last.
    2. Copy the authorized_keys file to the NCCS SUP complex:
      1. On the host from which you wish to generate your SUP key, locate your existing public SSH key (.ssh/id_dsa.pub or .ssh/id_rsa.pub under your home directory), or create your SSH public and private keys if you don't yet have them.

        To create a new public SSH key:

        1. If it does not yet exist, create the .ssh directory under your home directory on the host, and change to the .ssh directory:
          mkdir .ssh
          chmod 700 .ssh
          cd .ssh
        2. Create a DSA SSH key pair (the private key .ssh/id_dsa and the public key .ssh/id_dsa.pub under your home directory):
          ssh-keygen -t dsa
      2. Locate your authorized_keys file, which contains one or more SSH public keys that allow the corresponding SSH private keys to be used for authentication to a system, or create an authorized_keys file if you don't yet have one.

        To create an authorized_keys file, concatenate your public SSH key file (.ssh/id_dsa.pub or .ssh/id_rsa.pub under your home directory) into a file called authorized_keys. Run "chmod 600" on the authorized_keys file to protect it.  For example, starting from your home directory:

        cd .ssh
        cat id_dsa.pub > ~/.ssh/authorized_keys
        chmod 600 ~/.ssh/authorized_keys
        ls -l ~/.ssh/authorized_keys
        -rw------- 1 user gabcde 6037 2006-09-25 15:24 /home/user/.ssh/authorized_keys

        The NCCS SUP complex needs the SSH public key you would use from each host from which you would run the request to generate a SUP key.  If you request to generate your NCCS SUP key from different hosts, and use different SSH public keys on those hosts, you will need to include all of those SSH public keys in the authorized_keys file that you copy to the NCCS SUP complex. You can concatenate the different SSH public key files into a single authorized_keys file.  For example, starting from your home directory:

        cd .ssh
        cat id_dsa.pub_host1 id_dsa.pub_host2 id_dsa.pub_host3 > ~/.ssh/authorized_keys

        chmod 600 ~/.ssh/authorized_keys
        ls -l ~/.ssh/authorized_keys
        -rw------- 1 user gabcde 6037 2006-09-25 15:24 /home/user/.ssh/authorized_keys

      3. Copy your authorized_keys file to the SUP server sup-key.nccs.nasa.gov using 'mesh-keygen --init'. From your home directory:

        cd .ssh
        ssh -x -l username -o PubkeyAuthentication=no -o StrictHostKeyChecking=ask \
            sup-key.nccs.nasa.gov mesh-keygen --init < authorized_keys

        You will be prompted for both your NCCS Passcode (PIN + SecurID token code) and your SUP password.  The RSA key fingerprint of sup-key.nccs.nasa.gov is 64:2b:eb:86:de:77:54:7d:7c:33:fc:d6:54:91:2b:41 .

    One-Time Setup on NCCS Hosts


    1. Execute authorization: In order to perform any SUP operations on an NCCS host, a .meshrc file must exist in your home directory on that host.  You can create the .meshrc file by running the following command from your home directory on that NCCS host:
         touch .meshrc

      You can also exclude the execution of certain SUP operations via the .meshrc file. Instructions for excluding SUP operations via .meshrc are in the Restricting Your SUP Operations section below.

    2. Write authorization: You must specify the top level of target directories for file copies written via the SUP. In your home directory on each NCCS host, edit a .meshrc file containing one line for each top-level directory into which you want to write a file. For example, on palm the .meshrc file might contain:
         cat .meshrc
      /home
      /nobackup
      /g1
      Note: As a security precaution the NCCS SUP will not permit you to use the SUP to write or overwrite any file that begins with the dot character (e.g., .login) within your NCCS host's home directory.

    Generate an NCCS SUP Key (Once a Week)


    Now that you have completed your setup on the SUP server and NCCS hosts, you must generate the SUP key to be used for SUP operations. The SUP key can be generated from commands issued on any of your remote hosts or an NCCS host, provided your SSH public key on that host has been copied to the NCCS SUP complex (see the One-Time Setup for the NCCS SUP Server section above). Note: the following command examples are based on OpenSSH commands used on UNIX and Linux hosts. Your command line may be different if your host does not use OpenSSH.

    1. Start an ssh-agent process:
      • If your login shell is sh or bash:
        eval `ssh-agent -s`
      • If your login shell is csh or tcsh:
        eval `ssh-agent -c`
    2. Add your SSH private key identity (.ssh/id_dsa or .ssh/id_rsa under your home directory) to the ssh-agent.  For example:
         ssh-add ~/.ssh/id_dsa
    3. Generate your SUP key by running 'mesh-keygen' via an ssh to sup.nccs.nasa.gov, and then protect it:
      1. When you generate your SUP key, you need to save your SUP key in a file in your ~/.ssh directory:

        ssh -Ax -l username -o PubkeyAuthentication=no -o StrictHostKeyChecking=ask \
            sup.nccs.nasa.gov mesh-keygen > ~/.ssh/nccs_sup_key_filename

        You will be prompted for both your NCCS Passcode (PIN + SecurID token code) and your SUP password.  The RSA key fingerprint for sup.nccs.nasa.gov is 41:b1:ce:16:a5:94:9d:8c:c3:0f:4f:3d:c5:77:78:a1 .

        Because multiple SUP keys may be active at one time, you may prefer to include the key's creation date and time in the name of your SUP key. For example:

        ssh -Ax -l username -o PubkeyAuthentication=no -o StrictHostKeyChecking=ask \
            sup.nccs.nasa.gov mesh-keygen > ~/.ssh/nccs_sup_key.`date +%Y%m%d.%H%M`

      2. To use your SUP key successfully you must make your SUP key readable only by you, e.g.:
           chmod 600 ~/.ssh/nccs_sup_key_filename
    4. This SUP key may be used from other remote hosts to perform SUP operations.  Note that to use your SUP key successfully you must make sure your SUP key is readable only by you.  To copy your SUP key and preserve its file permissions, run:
         scp -p nccs_sup_key_filename another_host:.ssh/nccs_sup_key_filename

    Using the SUP for Unattended File Transfers and Other Functions


    After your initial setup, you must do the following two things from your remote host to perform unattended file transfers and other functions using the SUP (steps are described in detail in this section):

    1. ssh-add the SUP key(s) to an ssh-agent process, so that it can pass the key(s) to the NCCS SUP host complex
    2. Issue the SUP versions of your commands

    The following examples are based on OpenSSH commands used on UNIX and Linux hosts. Your command line may be different if your host does not use OpenSSH.

    SUP Prerequisite: ssh-agent with keys

    Before you issue any remote commands via the NCCS SUP, on your remote host you must always ensure you have used the ssh-add command to add the required limited-lifetime SUP key(s) to an ssh-agent process, so that it can pass them to the NCCS SUP.

    1. Start an ssh-agent process.
    2. Add your SUP key(s) to the ssh-agent:
         ssh-add ~/.ssh/nccs_sup_key_filename_1 ~/.ssh/nccs_sup_key_filename_2 ...

    SUP Techniques: "supwrap" script (scp, sftp)

    To use the SUP for unattended scp and sftp sessions, you can use a small "supwrap" shell script to pass your key to the SUP.

    1. If one is not running already, start an ssh-agent process and add your SUP key(s).
    2. Create the "supwrap" script.
      1. Create a file called "supwrap" that contains this shell script:
           #!/bin/sh
           # scp/sftp invoke this in place of ssh; "$@" forwards their arguments intact
           exec ssh -Ax -o BatchMode=yes sup.nccs.nasa.gov ssh -q "$@"
      2. Make the "supwrap" script file executable:
           chmod 700 supwrap
    3. Use the "supwrap" script in scp and sftp file transfers
      • For example, for scp:
           scp -S ./supwrap foobar dirac.gsfc.nasa.gov:/tmp/c_foobar
      • For an sftp example:
           sftp -S ./supwrap palm.nccs.nasa.gov

    SUP Example for qstat

    1. If one is not running already, start an ssh-agent process and add your SUP key(s).
    2. Issue your qstat command using the SUP:
         ssh -Ax -o BatchMode=yes sup.nccs.nasa.gov ssh -q palm qstat

    SUP Example for test

    1. If one is not running already, start an ssh-agent process and add your SUP key(s).
    2. Issue your test command using the SUP:

      ssh -Ax -o BatchMode=yes sup.nccs.nasa.gov ssh -q palm test -f /tmp/c_foobar

    SUP Techniques: Shortcuts via Aliases (All Commands, from bash, csh, and tcsh Login Shells)

    You can create shell aliases that can simplify your use of the SUP:
    • Sample bash aliases for SUP commands (replace /dir with the directory that holds your supwrap script):
         alias sup_keygen='ssh -Ax -o PubkeyAuthentication=no sup.nccs.nasa.gov mesh-keygen'
         alias sup_scp='scp -S /dir/supwrap'
         alias sup_sftp='sftp -S /dir/supwrap'
         alias sup_bbftp='bbftp -L "ssh -Ax -o BatchMode=yes sup.nccs.nasa.gov ssh -q"'
         alias sup_qstat='ssh -Ax -o BatchMode=yes sup.nccs.nasa.gov ssh -q palm qstat'
         alias sup_ctest='ssh -Ax -o BatchMode=yes sup.nccs.nasa.gov ssh -q palm test'
    • Sample csh and tcsh aliases for SUP commands (again, replace /dir appropriately):
         alias sup_keygen 'ssh -Ax -o PubkeyAuthentication=no sup.nccs.nasa.gov mesh-keygen'
         alias sup_scp 'scp -S /dir/supwrap'
         alias sup_sftp 'sftp -S /dir/supwrap'
         alias sup_bbftp 'bbftp -L "ssh -Ax -o BatchMode=yes sup.nccs.nasa.gov ssh -q"'
         alias sup_qstat 'ssh -Ax -o BatchMode=yes sup.nccs.nasa.gov ssh -q palm qstat'
         alias sup_ctest 'ssh -Ax -o BatchMode=yes sup.nccs.nasa.gov ssh -q palm test'

    Additional SUP Notes


    SUP Use from Batch Jobs and Cron

    Issue: a SUP key can expire between the time when a job is submitted (or begins execution) and the time when the job issues its command via SUP; a similar situation can arise for scripts run via 'cron'.  The batch job or cron script needs to make sure it uses a SUP key valid at the time of the job's file transfers (or other SUP operation) rather than the SUP keys valid at the time the job started.

    Solution:

    1. Generate SUP keys at least twice a week, to ensure your batch jobs and cron scripts always have access to a valid key (because SUP keys have a 7-day expiration).  The SUP now allows more than one SUP key to be active at a time. 
    2. Immediately before your script performs any file transfers or other SUP operations,
      1. Locate your latest SUP key(s).  The script can capture the names of the most recent SUP key files in a shell variable.  For example, to set the variable 'latest_keys' to the names of the two most recent SUP keys, a bash or sh script might use:
         latest_keys=`ls -1t ~/.ssh/nccs_sup_key* | head -2`
      2. Start an ssh-agent and add your latest SUP keys to it. To ensure it gets the latest SUP keys, the batch or cron job script can start an ssh-agent for every group of SUP commands, rather than starting one at the beginning of a job and using keys loaded earlier. For example, in a bash or sh script:
         eval `ssh-agent -s`
         ssh-add ~/.ssh/nccs_sup_key_filename(s)
         ...issue first SUP command...
         ....
         ...issue last SUP command...
         kill $SSH_AGENT_PID
        If the bash or sh script had set a variable 'latest_keys' as above, the bash or sh script could use:
         eval `ssh-agent -s`
         ssh-add $latest_keys
         ...issue first SUP command...
         ....
         ...issue last SUP command...
         kill $SSH_AGENT_PID
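    The key-selection and per-group agent steps above, gathered into sh functions as an added example (not an NCCS script): latest_sup_keys does the `ls -1t | head` selection but also drops key files at or past the 7-day expiry, key_is_private enforces the mode-600 rule that ssh-add insists on, and run_with_sup_keys runs one group of SUP commands inside a throwaway agent. The function names, the SUP_KEY_DIR variable and the nccs_sup_key* naming are this example's assumptions.

```shell
#!/bin/sh
# Added example (not NCCS code): helpers for unattended SUP use from cron/batch.
# Assumes SUP keys live in one directory and are named nccs_sup_key* as in the
# instructions above; key paths are assumed to contain no whitespace.

latest_sup_keys() {
    # $1: directory holding SUP key files, $2: how many of the newest to list.
    # Same idea as `ls -1t ~/.ssh/nccs_sup_key* | head -2`, but files whose
    # mtime is 7 or more days old are skipped: the SUP has already expired them.
    dir=$1; count=${2:-2}; n=0
    for f in $(ls -1t "$dir"/nccs_sup_key* 2>/dev/null); do
        [ -n "$(find "$f" -mtime -7 -print 2>/dev/null)" ] || continue
        echo "$f"
        n=$((n + 1))
        [ "$n" -lt "$count" ] || break
    done
    return 0
}

key_is_private() {
    # True only when the key file is mode 600 (-rw-------); ssh-add refuses
    # anything more open and then prompts for a passphrase instead.
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

run_with_sup_keys() {
    # Run one group of SUP commands ("$@") inside a fresh ssh-agent loaded with
    # the newest unexpired keys, then kill that agent. Call this once per group
    # so a long job never relies on keys that were loaded when it started.
    keys=$(latest_sup_keys "${SUP_KEY_DIR:-$HOME/.ssh}" 2)
    [ -n "$keys" ] || { echo "no unexpired SUP key found" >&2; return 1; }
    for k in $keys; do
        key_is_private "$k" || { echo "$k: must be mode 600" >&2; return 1; }
    done
    eval "$(ssh-agent -s)" >/dev/null || return 1
    ssh-add $keys >/dev/null 2>&1 || { kill "$SSH_AGENT_PID"; return 1; }
    "$@"; rc=$?
    kill "$SSH_AGENT_PID"
    return "$rc"
}

# Usage from a cron or batch script, for example:
#   run_with_sup_keys ssh -Ax -o BatchMode=yes sup.nccs.nasa.gov ssh -q palm test -f /tmp/c_foobar
#   run_with_sup_keys scp -S ./supwrap foobar palm.nccs.nasa.gov:/nobackup/user/foobar
```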

    Restricting Your SUP Operations

    You can modify the .meshrc file on an NCCS host to restrict or limit your NCCS SUP operations for that NCCS host.
    1. Log in on the NCCS target host and use grep to determine the list of all SUP operations permitted by issuing:
         grep "+x " /etc/mesh/etc/meshrc

      Output from the grep command includes the full path name of SUP operations permitted on that host.  For example:

         +x /usr/local/bin/bbftpd
         +x /usr/local/bin/scp
         +x /path/to/command
    2. Prohibit a command (e.g., "/path/to/command") from executing on a given host by adding the following (on a separate line) to your ~/.meshrc file:
         -x /path/to/command
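    The -x mechanism turned into a least-privilege default, as an added example rather than NCCS tooling: read the host's /etc/mesh/etc/meshrc, keep only the SUP operations you need, and write a ~/.meshrc that lists your write directories and denies every other advertised command. The function names and the sample policy file are assumptions.

```shell
#!/bin/sh
# Added example (not NCCS code): generate a ~/.meshrc that permits only the
# SUP operations and write directories you name, denying every other "+x"
# command the host advertises in /etc/mesh/etc/meshrc.

deny_all_but() {
    # $1: the host's mesh policy file; remaining args: command paths to keep.
    # Prints one "-x /path" line for every "+x /path" entry not in the keep list.
    policy=$1; shift
    grep '^+x ' "$policy" | while read -r _tag cmd _rest; do
        keep=0
        for allowed in "$@"; do
            [ "$cmd" = "$allowed" ] && keep=1
        done
        [ "$keep" -eq 1 ] || echo "-x $cmd"
    done
}

make_meshrc() {
    # $1: policy file, $2: space-separated top-level write directories,
    # remaining args: allowed command paths. Output is the new ~/.meshrc text.
    policy=$1; dirs=$2; shift 2
    for d in $dirs; do echo "$d"; done   # write-authorization lines
    deny_all_but "$policy" "$@"           # explicit -x for everything else
}

# Usage on an NCCS host, e.g. allowing only scp and keeping /nobackup writable:
#   make_meshrc /etc/mesh/etc/meshrc "/nobackup" /usr/local/bin/scp > ~/.meshrc
```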

    SUP Key Management

    You may have multiple SUP keys that all expire at different times. The "mesh-keytime" and "mesh-keykill" commands help you to manage multiple SUP keys.

    mesh-keytime

    To determine the expiration time of a SUP key stored in a file "/key/file", run the following:

         ssh -xi /key/file -o IdentitiesOnly=yes -o BatchMode=yes sup.nccs.nasa.gov mesh-keytime

    If /key/file is still valid, the key fingerprint and expiration time will be printed to your terminal session.  If the key is no longer valid, you will see either "Permission denied (expired key)" or "Permission denied (publickey,keyboard-interactive)."

    mesh-keykill

    To invalidate SUP keys before their expiration time has passed:
    1. If one is not running already, start an ssh-agent process and add your SSH private key:
      1. Start an ssh-agent process:
        • If your login shell is sh or bash:
          eval `ssh-agent -s`
        • If your login shell is csh or tcsh:
          eval `ssh-agent -c`
      2. Add your SSH private key identity (.ssh/id_dsa or .ssh/id_rsa under your home directory) to the ssh-agent.  For example:
           ssh-add ~/.ssh/id_dsa
    2. To invalidate one specific SUP key stored in a file "/key/file", run the following:

         ssh -Axi /key/file -o IdentitiesOnly=yes -o BatchMode=yes sup.nccs.nasa.gov mesh-keykill

       To invalidate all your valid SUP keys, run:

         ssh -Ax -o PubkeyAuthentication=no sup.nccs.nasa.gov mesh-keykill --all

    Common SUP Issues and Questions

    • Issues when copying authorized_keys files to sup-key.nccs.nasa.gov
      • What can I do if the "-o StrictHostKeyChecking=ask" option causes an error when I try to use scp to copy my authorized_keys file to sup-key.nccs.nasa.gov?

        You can remove the "-o StrictHostKeyChecking=ask" option and try the scp again. If you get the error message "Host key verification failed", your ~/.ssh/known_hosts file needs an entry for the sup-key.nccs.nasa.gov host. Follow the directions in the next question to get the known_hosts entry added, and then issue your scp command again.

      • Why do I see "Host key verification failed" when I try to copy my authorized_keys file to sup-key.nccs.nasa.gov?

        On some hosts, the "-o StrictHostKeyChecking=ask" apparently doesn't work, or is not supported with the scp command. Users may then have to take out the "-o StrictHostKeyChecking=ask", and often then will see a failure with a "Host key verification failed" message. The reason is that the user's machine needs an entry for sup.nccs.nasa.gov and sup-key.nccs.nasa.gov in the ~/.ssh/known_hosts file. The workaround is to have the user attempt an ssh to sup.nccs.nasa.gov and sup-key.nccs.nasa.gov. While the ssh will fail, the desired entries will be added to the ~/.ssh/known_hosts file if the user just control-c's after answering yes to having the entry added, e.g.:

        ssh sup.nccs.nasa.gov
        The authenticity of host 'sup.nccs.nasa.gov (169.154.162.150)' can't be established.
        RSA key fingerprint is aa:bb:cc:dd:ee:ff:aa:bb:cc:dd:ee:ff:aa:bb:cc:dd.
        Are you sure you want to continue connecting (yes/no)? yes
        Warning: Permanently added 'sup.nccs.nasa.gov,169.154.162.150' (RSA) to the list of known hosts.

    • The only way you can copy files directly into palm is via the SUP, because there are no direct ssh logins to palm from outside the NCCS facility. (Regular ssh connections to palm from outside the NCCS perimeter must all log in via an ssh to login.nccs.nasa.gov first.)
    • Why do I get the following error when trying to use bbftp to write a file, even though directory permissions allow me to write files in that directory?

      BBFTP-ERROR-00100: Error creation file /nobackup/user/myfile.bbftp.tmp.dirac.12383936 : Permission denied

      This error occurs when you are prevented from writing in the target directory (e.g., /nobackup) because it is not included in your .meshrc. Follow the Write authorization instructions in the One-Time Setup on NCCS Hosts section above to add the directory to your .meshrc file.

    • If your SUP key file is readable by anyone other than yourself, when you try to add it to the ssh-agent it will prompt you for a passphrase, e.g.:
         ls -l nccs_sup_key_filename
         -rw-r----- 1 user abcdefg 887 2006-09-20 22:17 nccs_sup_key_filename
         ssh-add nccs_sup_key_filename
         @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
         @         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
         @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
         Permissions 0640 for 'nccs_sup_key_filename' are too open.
         It is recommended that your private key files are NOT accessible by others.
         This private key will be ignored.
         bad permissions: ignore key: nccs_sup_key_filename
         Enter passphrase for nccs_sup_key_filename:
      If this happens, you should control-c to cancel that ssh-add command and before running it again, chmod the nccs_sup_key file to mode 600 (readable by owner only).
    • When issuing the 'test' or 'qstat' commands to palm via the SUP, you must use the hostname 'palm'.
    • You can use 'ssh-add -l' to list the fingerprints of keys that are currently added to the ssh-agent your current shell is using; you can use ssh-add -d key_file_name to delete keys from the ssh-agent.
    • When generating your SUP key, if you're prompted for your Password first, then you connected to the NAS/Columbia SUP host and not the NCCS SUP host. The NCCS SUP host (sup.nccs.nasa.gov) will ask for your PASSCODE first.
    • If you accidentally try to use NAS/Columbia's SUP host instead of the NCCS's, you will see either a "Host key verification failed." or a "Permission denied (publickey,keyboard-interactive)." error message.


    NASA Curator: Mason Chang,
    NCCS User Services Group (301-286-9120)
    NASA Official: Phil Webster, High-Performance
    Computing Lead, GSFC Code 606.2