[clug] Remote Authentication for Linux

jm jeffm at ghostgun.com
Wed Sep 1 06:05:57 UTC 2021


On 1/9/21 15:10, Bob Edwards via linux wrote:
> On 1/9/21 2:55 pm, jm via linux wrote:
> >> This is a planning issue. Here's more of the gory details I was hoping to
>> spare people from.
>>
> >> It's more an "everything is out of date before it sees the light of day"
>> problem. My work creates an IoT (for want of a better word) device.
>> These can spend several months in a warehouse or someone's ute before
> >> getting installed. The device gets powered on and then sits around
>> sometimes for weeks before the person doing the installation decides to
>> do the installation. In the meantime, the software is out of date and
>> the disk has filled up. The user accounts to get into the device are out
>> of date (staff churn). I'm the only one now who has an account that is
>> in the pre-installed image on the device before installation is
>> complete. The remote management software won't run with a full /var
>> partition so someone has to log into the device to free up the disk
>> space. The management software will then make changes to stop the disk
>> filling as part of the installation process as well as other things.
>>
>> There are two changes I'm trying to make,
>>
>> 1) Remove the bug in future pre-installed images so that the disk
>> doesn't fill, and,
>>
>> 2) Remove the dependency on local accounts in case something like this
>> happens again and to future proof it against staff churn.
>>
>> It's this second one I'm hoping that someone has a good suggestion on
>> how to do. I'd rather avoid a shared user account as that could be a
>> point of weakness.
>>
>> Jeff.
>
> If I were doing this (don't know about how it will work with /var full),
> I'd consider the wretched phone-home solution.
>
> Set up a cron job on the device to regularly open an SSH connection,
> using SSH keys, to a secure maintenance server with a well-known,
> long-lasting DNS name, or IP address. Do this with a port-forward and,
> say, once a day or so for a short period of time (eg. 5 mins).
>
> Then, when you need to do some maintenance, do an SSH back into the
> device over the port-forward, so it can only be accessed from your
> (secure) maintenance node, again using SSH keys.
>
> Alternatively, slightly more complex, consider doing it using SSH
> over web-sockets over HTTPS, which will/should pass through more
> firewalls.
>
> You end up with a simple situation where each end must trust the other
> before any access is granted.
>
> cheers,
> Bob Edwards.

My current thinking is a two-pronged approach. Leave the current ssh
config untouched and maybe update the local users with a method similar
to what you outline. This is the backup if all goes to hell, more
than usual. Start a second ssh server on another port which uses some
other method of authentication, the one I've been asking questions
about. This way access can be granted on a changing basis as needed and
should something become misconfigured the original ssh using local-only
authentication can be used as a fallback.

I'm still taking suggestions for this remote authentication ssh server
so if anyone wants to add one to the list or has any experience with
this please say something.

I'll have to check how common and how bad the clock skew is as if this
isn't a problem it may open up more/better possibilities, such as, ssh
certs.

One of the managers likes the idea of authenticating off of our email
provider which suggests OAuth2 (we went over to the dark side and use a
well known company for this). This seems to suggest from a bit of light
reading, and I may have misunderstood, that the device would need to be
able to make a web request against the provider which would have to be
thought about deeply.

Lots to investigate.

Jeff.
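
The phone-home arrangement Bob describes in the quoted text, sketched as an added example that is not from either poster: the device-side ssh command for the cron job, and the authorized_keys entry that limits the device key on the maintenance server to one loopback listen port. The host name, account, key path, port and script name are placeholder assumptions.

```sh
#!/bin/sh
# Added example. Every name and path below is a placeholder assumption.
MAINT_HOST="maint.example.org"    # maintenance server (placeholder)
MAINT_USER="tunnel"               # unprivileged account on it (placeholder)
KEY="/etc/phonehome/id_ed25519"   # device private key (placeholder path)
WINDOW=300                        # tunnel lifetime in seconds (5 mins)

# A forward port must be a plain number in the unprivileged range.
valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# Device side: the ssh command the cron job runs. $1 is the port on the
# maintenance server reserved for this device.
phonehome_cmd() {
    valid_port "$1" || { echo "bad port: $1" >&2; return 1; }
    # -N/-T: no remote command, no tty. BatchMode: never prompt.
    # StrictHostKeyChecking=yes: the server's host key must already be in
    # known_hosts. ExitOnForwardFailure: fail if the forward is refused.
    # -R binds to loopback on the server, so only a login there reaches it.
    printf 'timeout %s ssh -N -T -i %s -o BatchMode=yes -o IdentitiesOnly=yes' "$WINDOW" "$KEY"
    printf ' -o StrictHostKeyChecking=yes -o ExitOnForwardFailure=yes'
    printf ' -R 127.0.0.1:%s:127.0.0.1:22 %s@%s\n' "$1" "$MAINT_USER" "$MAINT_HOST"
}

# Server side: authorized_keys entry for this device's public key ($2).
# restrict turns everything off; only the one remote listen port is
# re-enabled, and the forced command denies a shell.
authorized_keys_line() {
    valid_port "$1" || { echo "bad port: $1" >&2; return 1; }
    printf 'restrict,port-forwarding,permitlisten="127.0.0.1:%s",command="/bin/false" %s\n' "$1" "$2"
}

# From cron on the device: phonehome.sh run <port>
if [ "${1:-}" = "run" ]; then
    cmd=$(phonehome_cmd "${2:-}") || exit 1
    exec $cmd
fi
```

The `restrict` and `permitlisten` key options need OpenSSH 7.8 or later on the maintenance server.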







