Just-In-Time SSH User (JITSU) for Advanced SSH Capabilities
Advanced OpenSSH configurations, such as improved auditing, remote user creation, root user checking, and PAM integration
- Updated on May 31, 2024
This article describes various advanced configuration options for OpenSSH, under the assumption that you are familiar with various Linux internals. These configuration details are provided AS IS. SonicWall Cloud Secure Edge (CSE) does not provide support for these capabilities.
CSE JITSU Installer
OpenSSH can be configured to run a program that generates the list of authorized principals on the fly, using the AuthorizedPrincipalsCommand option in the OpenSSH config. This is useful for complex role-based access, where a static principals file for each user is not sufficient.
CSE’s Just-In-Time SSH User (JITSU) provisioning and auditing script leverages the AuthorizedPrincipalsCommand option to enable advanced SSH capabilities, such as improved auditing, remote user creation, and root user checking.
Supported Operating Systems
Currently, the JITSU installer has only been tested on Ubuntu 18.04. We are actively working on testing on other Linux distros.
Installation Steps
Step 1. Download JITSU
1.1 Download the latest release of JITSU to the /opt/banyan-packages folder.
1.2 Ensure you have assumed root privileges:
user@host$ sudo su -
root@host#
1.3 Download and extract the installer archive, and then cd into the directory:
# create folder for the Tarball
mkdir -p /opt/banyan-packages
cd /opt/banyan-packages
# get the jitsu repo - we plan to open source this soon
wget https://docs.banyanops.com/img/feature-guides/infrastructure/ssh-servers/jitsu-0.1.1.zip
unzip jitsu-0.1.1.zip
cd jitsu-0.1.1
Step 2. Install JITSU
2.1 Run the installer:
# run the setup script
./setup-jitsu.sh
# manage using systemctl
systemctl status jitsu
Step 3. Set up SSHD to Trust CSE (previously Banyan) Certificates
3.1 JITSU expects to find the CSE SSH CA public key in /etc/ssh/banyan_ca.pub. You can find it in the Command Center under Settings > Advanced Settings.
3.2 Paste your SSH CA into /etc/ssh/banyan_ca.pub:
# paste in the Banyan SSH CA
vi /etc/ssh/banyan_ca.pub
Step 4. Create Root and Default Roles Files that SSH AuthorizedPrincipals will check
When users attempt to log in as the user named root, JITSU checks whether their SSH certificate carries the roles listed in the root roles file at /opt/banyan/root.roles.
# create the root.roles file
# This is a newline-separated file which lists the Banyan roles required to SSH in as a user named `root`
vi /opt/banyan/root.roles
When users attempt to log in as any user not named root, JITSU checks whether their SSH certificate carries the roles listed in the default roles file at /opt/banyan/default.roles.
# create the default.roles file
# This is a newline-separated file which lists the Banyan roles required to SSH in as a user not named `root`
vi /opt/banyan/default.roles
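To show how the two roles files feed the AuthorizedPrincipalsCommand mechanism described above, here is an added illustrative principals script (example code, not JITSU's own, and without JITSU's just-in-time user provisioning). It assumes a hypothetical install path /opt/banyan/jitsu-principals.sh and the sshd_config wiring shown in its header comment; the roles directory is read from ROLES_DIR so the function can be exercised against a scratch copy.

```sh
#!/bin/sh
# Illustrative AuthorizedPrincipalsCommand (added example, not JITSU's own code).
# sshd runs it with the target login name and treats every line it prints as a
# principal that the presented certificate is allowed to carry; the certificate's
# principals (the user's roles) are then matched against that list.
# Assumed sshd_config wiring (hypothetical script path; the file must be an
# absolute path, owned by root and not writable by group or others):
#   TrustedUserCAKeys /etc/ssh/banyan_ca.pub
#   AuthorizedPrincipalsCommand /opt/banyan/jitsu-principals.sh %u
#   AuthorizedPrincipalsCommandUser nobody
# ROLES_DIR defaults to the directory the article uses and can be overridden for testing.
ROLES_DIR="${ROLES_DIR:-/opt/banyan}"

# Print the roles that entitle a certificate to log in as the user named in "$1".
# A login as root is gated by root.roles; any other login name by default.roles.
jitsu_principals() {
    target="$1"
    case "$target" in
        root) roles_file="$ROLES_DIR/root.roles" ;;
        *)    roles_file="$ROLES_DIR/default.roles" ;;
    esac
    # Fail closed: a missing or unreadable policy file yields no principals,
    # so sshd has nothing to match and the login is refused.
    [ -r "$roles_file" ] || return 1
    # One principal per line; drop comments, surrounding whitespace and blank lines.
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$roles_file"
}

# When sshd executes the script directly (rather than the function being sourced),
# answer for the %u argument it passed.
case "$0" in
    */jitsu-principals.sh) jitsu_principals "$1" ;;
esac
```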
Step 5. Test your setup by logging in as a new user
The first time you log in as a new user, you will get a message saying the new user has been provisioned “just-in-time”.
$> ssh mynewuser@172.31.1.2
Last login: Thu Sep 17 02:55:27 2020 from ip-172-31-75-97.ec2.internal
--------------------------------------------
Your user has been successfully provisioned!
Please log in again to access this server.
--------------------------------------------
When you try again, you will be signed in as mynewuser.
$> ssh mynewuser@172.31.1.2
Last login: Thu Sep 17 02:55:27 2020 from ip-172-31-75-97.ec2.internal
[mynewuser@ip-172-31-1-2 ~]$
Note that when libnss-ato is enabled, you cannot create users locally via useradd. To create local users, first disable libnss-ato by restoring the original config file with cp /etc/nsswitch.conf.noato /etc/nsswitch.conf. Re-enable libnss-ato when you’re done.
SSH Access Logging
The SSHD daemon logs all access from SSH clients using auditd. On Debian-based flavors of Linux, the logs are typically stored in /var/log/auth.log. On Fedora-based flavors, logs are at /var/log/secure.
When a user logs in with an SSH certificate, the certificate’s key ID, serial number and the fingerprint of the signing CA appear in the log:
Jul 3 05:15:58 gitlab-host sshd[21057]: Accepted publickey for vagrant from 73.70.107.123 port 51178 ssh2: RSA-CERT ID carly@banyanops.com L1HF8B12345 (serial 12344) CA RSA SHA256:LGvtbCthk48jqxuggCJKAw6stao7VDIvd2OuRipczcs
Jul 3 05:15:58 gitlab-host sshd[21057]: pam_unix(sshd:session): session opened for user vagrant by (uid=0)
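As an added example (not part of the original article), the following shell functions pull the certificate fields out of such Accepted publickey lines and flag any certificate login whose signing CA fingerprint is not the one you trust. The sample log lines are constructed: the first copies the line above, the second uses a placeholder fingerprint.

```sh
# Constructed sample of /var/log/auth.log: two certificate logins and one PAM line.
# The first line is the article's example; the second carries a placeholder CA fingerprint.
SAMPLE_AUTH_LOG='Jul 3 05:15:58 gitlab-host sshd[21057]: Accepted publickey for vagrant from 73.70.107.123 port 51178 ssh2: RSA-CERT ID carly@banyanops.com L1HF8B12345 (serial 12344) CA RSA SHA256:LGvtbCthk48jqxuggCJKAw6stao7VDIvd2OuRipczcs
Jul 3 05:16:10 gitlab-host sshd[21099]: Accepted publickey for root from 10.0.0.9 port 40022 ssh2: ED25519-CERT ID bob@example.com (serial 7) CA ED25519 SHA256:PLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDER
Jul 3 05:16:12 gitlab-host sshd[21100]: pam_unix(sshd:session): session opened for user root by (uid=0)'

# Read log lines on stdin and print "user|source|cert-id|serial|ca-fingerprint"
# for every certificate-based login. "|" is used because the key ID may contain spaces.
cert_logins() {
    sed -nE 's#^.*Accepted publickey for ([^ ]+) from ([^ ]+) port [0-9]+ ssh2: [A-Z0-9-]+-CERT ID (.*) \(serial ([0-9]+)\) CA [A-Z0-9-]+ (SHA256:[A-Za-z0-9+/=]+).*$#\1|\2|\3|\4|\5#p'
}

# Read log lines on stdin; exit 0 when every certificate login was signed by the
# trusted CA whose fingerprint is "$1", otherwise report each deviation and exit 1.
# The trusted value for this article's setup comes from: ssh-keygen -lf /etc/ssh/banyan_ca.pub
check_ca() {
    trusted="$1"
    cert_logins | awk -F'|' -v ok="$trusted" \
        '$5 != ok { print "UNTRUSTED CA: user=" $1 " from=" $2 " id=" $3; bad=1 } END { exit bad }'
}
```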
pam_tty_audit
For more advanced audit logging, use Linux PAM modules. Specifically, the pam_tty_audit module can track users’ actions on the terminal and, if configured, capture the exact keystrokes the user makes, and record them in the /var/log/audit/audit.log file.
In order to use the pam_tty_audit PAM module, a system must have auditd installed.
In order to set up this PAM module to record only root user sessions (including when a user elevates to the root user using sudo su -), a system administrator must add this line:
session required pam_tty_audit.so disable=ubuntu enable=root
at the top of the following files:
/etc/pam.d/common-session
/etc/pam.d/common-session-noninteractive
/etc/pam.d/sshd
/etc/pam.d/systemd-user
The above files are for Debian-based operating systems like Ubuntu. For Fedora-based systems (like RHEL), the line must also be added to the top of /etc/pam.d/system-auth and /etc/pam.d/password-auth.
Once this is done, the following configuration option must also be added to the SSH Daemon config at /etc/ssh/sshd_config:
UsePAM yes
Restart the SSH daemon after its configuration is changed.
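The following added check (not from the article or the JITSU project) verifies the configuration above against the PAM files and sshd_config you pass it: the audit line must be the first active entry of each PAM file, and the first UsePAM keyword sshd encounters must be yes, because sshd honours only the first occurrence of a keyword. Paths are parameters so the check can run on scratch copies; on a Debian host pass the four /etc/pam.d files listed above and /etc/ssh/sshd_config.

```sh
# Added example: audit the pam_tty_audit setup described in this section.
# Not part of the article; paths are arguments so it can run against test copies.
PAM_TTY_AUDIT_LINE='session required pam_tty_audit.so disable=ubuntu enable=root'

# First non-blank, non-comment line of a file, with runs of whitespace collapsed
# so that "session   required ..." compares equal to the expected line.
first_active_line() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" | head -n 1 |
        sed -E 's/[[:space:]]+/ /g; s/^ //; s/ $//'
}

# Usage: check_tty_audit SSHD_CONFIG PAMFILE...
# Returns 0 when every PAM file starts with the audit line and sshd_config turns PAM on;
# otherwise prints one line per deviation and returns 1.
check_tty_audit() {
    sshd_config="$1"; shift
    rc=0
    for f in "$@"; do
        if [ "$(first_active_line "$f")" != "$PAM_TTY_AUDIT_LINE" ]; then
            echo "$f: pam_tty_audit line is not the first active entry"; rc=1
        fi
    done
    # sshd uses the first UsePAM it sees (keyword case-insensitive); later lines are ignored.
    # Assumes the whitespace-separated "UsePAM yes" form used in this article.
    first_usepam=$(grep -iE '^[[:space:]]*UsePAM[[:space:]]' "$sshd_config" 2>/dev/null |
        head -n 1 | awk '{print tolower($2)}')
    if [ "$first_usepam" != "yes" ]; then
        echo "$sshd_config: first UsePAM setting is not yes"; rc=1
    fi
    return $rc
}
```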
Now all logged user keystrokes can be viewed by running aureport --tty.
As an example, if the root user logged in to an SSH session at around 11:00 o’clock and tried to issue the pwd command, but then deleted it and issued ls instead, the aureport --tty output will look like this:
# aureport --tty -ts today | tail
===============================================
# date time event auid term sess comm data
===============================================
40. 08/28/2014 11:00:27 901 0 ? 76 bash "pwd",<backspace>,<backspace><backspace>,"ls",<ret>,"exit",<ret>
pam_tty_audit does not support live session auditing: logs may not be visible until the user logs out. Once a user logs out, their entire session is handed to auditd.