This repo holds scripts that can be used to configure the SSH Deamon on a Linux instance to look for public keys in DynamoDB before the .ssh/.authorized_keys file in users homedir.

The current version of the scripts assume a table with the name ssh-access is created in eu-west-1

• The table must be readable by the EC2 instances using the solution
• The table should not be writable from said instances

• The table must have primary key string named userid
• Public keys must be stored in a String Array attribute named public_keys
• Public key entries must be in OpenSSH format (ie. just like they are in an authorized_keys file)

Example item:

{
  "email": "cp@keycore.dk",
  "name": "Christian Petersen",
  "public-keys": [
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCtz0Ltu6BS+qVF0kygolgix++vR3R/ll+H07iYkpsIdOA4ByVDQdQ8Gvt7xqzZMAjo1UVP0g4g+i7bq5QbdzHcauHS0nISqr2pyrEkjkvJG3byZ1JINUW6AjZKVQSBNgArVFpmMFsQjN5MEAXSfaK9ZeiA57QO+DGvcC4Wm1JSBJnK+rqsloaLt3ucFE3Kxs65H5WWAAxTCrQHvL/siGQNkpO/F8zoFBIkyyvlt6eQC3CPPId4dPWswranneQopBlH07j19HOZcpqrWF+uuaRi1FODikAoL2O6/PuyHnW985SBcFO/GPU8pCUhMEt5Z7Cxhc80nmoOpMgDJqcRkged imported-openssh-key"
  ],
  "userid": "cp"
}

Note:

• email attributes is NOT used by current version of scripts - and thus pretty optional

To install run the setup.sh script - which performs these steps:

Note:

• setup.sh assumes remaining files from this repo is present
• setup.sh executes all commands with sudo

1. Create folder /opt/ssh-dynanmo/
2. Move script files to /opt/ssh-dynamo/
3. Create symlinks to scripts in /usr/local/bin and /usr/local/sbin/
4. Grant execution rights to scripts chmod a+x ...
5. Make a backup of the existing sshd config /etc/ssh/sshd_config (this backup is used for uninstallation)
6. Run the script configure-ssh.sh which replaces 2 lines inside /etc/ssh/sshd_config
7. Run the script create-machine-users.sh which reads all items from the dynamodb table and creates local users

Note: SSH service will be restarted for changes to take effect - this is done by configure-ssh.sh

Used to change configuration of SSH Deamon to call our scripts on login.

Changes SSH configuration by setting 2 options

• AuthorizedKeysCommand => authorized_keys_command
• AuthorizedKeysCommandUser => root

Restarts SSH Service after changing config

Note: From the SSH manual:

"If the AuthorizedKeysCommand does not successfully authorize the user, authorization falls through to the AuthorizedKeysFile."

The scripts can be installed using AWS EC2 Simple System Manager by following theese steps:

1. Create a SSM Document using the json files in the ec2_ssm folder
2. Execute a SSM Run Command
   • A Run Command is executed on a selection of EC2 instances (could be all with a specific tag value)

The ec2_ssm folder contains ready made document definitions to install and uninstall the scripts

TODO: Insert aws cli command to create document and run command here

During the login process the following scripts are used

The solution is comprised for 6 different scripts (each just a few lines)

This is the main script executed by SSH Deamon for each login - it has two basic steps:

• Input validation and sanitation of usernames (ssh is more picky than others)
• Call the list-ssh-keys-for-user command and loop through each line of response to echo it

Called by the authorized_keys_command script for each login - has only one step:

• Use AWS CLI to call dynamodb get-item for given userid
  • Fetch only attribute named public-keys
  • Print each array entry on a separate line using pipe / awk

Note:

• This script is hardcoded to use eu_west_1 - change if needed
• This script is hardcoded to use a table named: ssh-access - future versions might move this to tag or something similar. For now - change if needed

During installation this is done once - but based on you user change frequency this should be done regularly - suggested methods:

• Schedule a call to create-machine-users.sh using CRON at whatever schedule seems right to you
• Use AWS SSM to schedule a recurrent task

Note: Future versions might allow for auto-creation of users at login time - but currently this is not supported!

Called without parameters and will use list-ssh-keys-for-user script to loop through all users in DynamoDB and create local users where needed

Note

• Currently this script calls grant-sudo-to-user for each created user - this will be more configurable in the future

Called by create-machine-users.sh script - has just one step:

• Use AWS CLI to scan DynamoDB table for userid's and output each result on separate line using pipe / awk

Note:

• This script is hardcoded to use eu_west_1 - change if needed
• This script is hardcoded to use a table named: ssh-access - future versions might move this to tag or something similar. For now - change if needed

Called by create-machine-users.sh script - has just one step:

• Update /etc/sudoers.d/ with a new entry for specified user

• User deletion
• Automatic user creation on login
• Configurable group membership / sudo access