Change ssh-keys add behavior (rational for it).

Discussion in 'General' started by msokolowski, Oct 20, 2020.

  1. msokolowski

    msokolowski New Member

    I have site that needs 4 different user per site, i need everyone to authorize by ssh-key to own account.
    But is ISPConfig every shell user gets all ssh-keys in his ~/.ssh/authorized_keys file.
    So anyone can login in anyone account.

    It is a bug or desired way of work ? What is rationale behind it ?
    Code that makes it is in: server/plugins-available/shelluser_base_plugin.inc.php, Line: 416 (current develop tree)
    Code:
           
    $ssh_users = $app->db->queryAllRecords("SELECT ssh_rsa FROM shell_user WHERE parent_domain_id = ?", $this->data['new']['parent_domain_id']);
    if(is_array($ssh_users)) {
        foreach($ssh_users as $sshu) {
            if($sshu['ssh_rsa'] != '') $sshrsa .= "\n".$sshu['ssh_rsa'];
        }
    }
    
    I can of course change this file - but it will be overwritten by update.
     
  2. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    you can create 4 different ssh users for the same site, each with their own ssh keys.
    then have them log in as eg [email protected], [email protected].
    they'll all have the same access, but each one will start in their own home folder /home/user1 /home/user2 etc, they'll also be a default user/home folder created, /home/web## where ## is the webid for that site.
     
  3. msokolowski

    msokolowski New Member

    Yes i know, but it's not answering my question.
    Case is as fallows: i have 3 users: u1, u2, u3 each one has corresponding keys: k1(u1), k2(u2), k3(u3).
    But in ~/.ssh/authorized_keys of:
    • u1 i have all keys: k1(his), k2, k3
    • u2 i have keys: k1, k2(his), k3
    • u3, i have keys: k1, k2, k3(his)
    This is result of PHP code in engine, that i posted.

    I'm asking why ? (what is the reason) of putting all keys user keys in every user authorized_key file.
    ( it works that way so can login with key of u2 to account of u1 and u3 )
     
  4. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    Just tested, this is not what happens (or I misunderstand your description?).

    I had a shell user for a site with an ssh key added to it - the authorized_keys file for this user is the concatenation of /root/.ssh/authorized_keys (because that is the default 'Jailkit authorized_keys template' setting in server config), the 'ssh_rsa' field for this client in the database, and the ssh key I specified.

    I created a new shell user, with no key set. This user resulted in only the contents of /root/.ssh/authorized_keys and the 'ssh_rsa' field of the client, it did not have the other user's key included.
     
  5. msokolowski

    msokolowski New Member

    Misunderstand. I can think about valid reason to add root & client key.
    I'm asking about users with ssh keys.

    Why when i add 2 users (user1, user2) with 2 different keys both users are getting both keys in authorized_keys, so it's possible to login to:
    • user1 with keys: client, root, user1 key (his), user2 key (not his)
    • user2 with keys: client, root, user1 key (not his), user2 key (his)
    What is reason for this cross key addition, and what can i do to disable it ?
     
  6. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    Ok, so the only difference in my test is that my second "new shell user" did not have an ssh key set. I'll retest that momentarily....
     
  7. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    If that is what's actually going on, it's simply a bug.
     
  8. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    I still can't reproduce this. I added a key to my new test user, and both authorized_keys files were correct, with root's key, the client's key, and the contents of the individual user's ssh_key. I then updated the ssh key field in my first user, and again they are both correct.

    Try enabling debug logging for the server, change one of your shell user's info (password or add a comment to ssh_key or something), then run server.sh from the cli and see what it shows.
     
  9. msokolowski

    msokolowski New Member

    OK so updated ISPConfig to latest stable, and i have site: beta2-adm[...]
    I have 3 users, with (fake) keys:
    1. c1s_beta2_adm_mr, key: "ssh-rsa user_mr [email protected]."
    2. c1s_beta2_adm_ms, key "ssh-ed25519 user_ms msokolowski@WAW-MS"
    3. c1s_beta2_adm_pp, key: "ssh-rsa user_pp pparsniak@carbon"
    After updating last user (change key) and running "server.sh" from command line:
    Contents o of file "var/www/clients/client1/web30/home/c1s_beta2_adm_pp/.ssh/authorized_keys"
    As in start of this thread, first line of included sniped gets keys for all users from that site (only filters by "domain_id"). Why ?
     
  10. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    Say, are you using jailkit? I am, and that may be the difference (different server plugin writing the authorized_keys file with vs. without jailkit).
     
  11. msokolowski

    msokolowski New Member

    No jailkit.
     
  12. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

  13. msokolowski

    msokolowski New Member

    Bu i think that intentional - in non jail there is ssh key directly from current user, and nonjail there is query for all users.
     
  14. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    I would guess it is not; the reason for this thread was to provide a rational for it, and none have been put forth, so I imagine it is simply a bug.
     
  15. msokolowski

    msokolowski New Member

    I can make account on git, but if i can make proposition put mode of operation in the settings.
     
  16. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    So you want this behaviour? Effectively a client level SSH key field. The field it already in the database, and functions as you'd like, I didn't find anywhere in the UI to edit it, though.
     
  17. msokolowski

    msokolowski New Member

    I don't want this, but maybe someone use this as is now. And will say this is bug after it will change.
     
  18. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    i'm not sure i can see a rationale for keeping that sort of behaviour, if they can login with their own key, surely that's already, in effect, a client level login, sure, ls may show different owner names for files/folders, but the uid and gid are still the same.
    sure, it mean's that someone may be able to login using their own key and someone else's username, but what's the point? if they're using their own key anyway, why not just use their own username?. more importantly, if you can only go by the login name shown in auth.log, rather than by the key used, you have no idea who really logged in and did something when auditing/troubleshooting problems caused by a manual change.
    whilst you can't stop someone with a valid key seeing the other usernames available for that account (just ls in /var/www/<domain>/home/ ) from a security standpoint, i can't see any upside in allowing a key to use any of the other usernames to successfully login
     

Share This Page