Sign your scripts

Sun 30 June 2013 by admin

Remote command execution from one host to another is nothing new in more complex infrastructures. It usually happens with low user-level privileges and relies on passwordless SSH communication based on SSH keys. But what happens when the SSH keys are leaked or the account is compromised? Whoever holds the key or the account can now escalate privileges on the remote hosts. One way to prevent this scenario is to allow only specific commands to be executed, by listing them in the authorized_keys file with the command statement. Another way is to use PKI and sign all scripts (the same way as in MS PowerShell). How this can be done is described in:

https://www.usenix.org/system/files/login/articles/105516-Schaumann.pdf

You can download the bash wrapper command from

https://github.com/jschauma/sigsh

and put it into the command statement in authorized_keys, like this:

command="/usr/local/bin/sigsh.sh -p /bin/bash -c /usr/local/etc/cert.tmp"

Now you can send commands to be executed on the remote system with:

ssh -tt witalis@<host>  < /home/witalis/test.sh_signed

The input will be interpreted as bash commands.

So now I could review all commands that should be executed on the remote site by signing them; any modified script won't be executed.
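
The sign-then-verify round trip behind this setup, as an added example that is not from the original post or from the sigsh project. It assumes openssl is installed and that scripts are signed as PEM PKCS#7 with the content embedded; the function names, the "reviewer" and "intruder" signers and the test script are constructed for the demonstration.

```shell
#!/bin/sh
# Added example. Keys, certificates and the test script are constructed here;
# "reviewer" and "intruder" are hypothetical names.

# Create a throwaway self-signed signing key and certificate named $2 in dir $1.
make_signer() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# Sign file $3 with signer $2: PEM PKCS#7 with the script embedded (-nodetach).
# -binary keeps the script's LF line endings instead of MIME CRLF canonicalisation.
sign_script() {
    openssl smime -sign -binary -nodetach -outform pem \
        -signer "$1/$2.pem" -inkey "$1/$2.key" -in "$3"
}

# Verify the signed blob on stdin against trusted certificate $1. The payload is
# written to a temp file and executed only after openssl reports success, so
# unverified bytes are never streamed into the interpreter.
run_signed() {
    out=$(mktemp) || return 1
    if openssl smime -verify -inform pem -CAfile "$1" -out "$out" 2>/dev/null; then
        sh "$out"; rc=$?
    else
        echo "signature rejected" >&2; rc=1
    fi
    rm -f "$out"
    return "$rc"
}

demo() {
    dir=$(mktemp -d) || return 1
    make_signer "$dir" reviewer
    make_signer "$dir" intruder
    printf 'echo hello from reviewed script\n' > "$dir/test.sh"
    sign_script "$dir" reviewer "$dir/test.sh" > "$dir/test.sh_signed"
    sign_script "$dir" intruder "$dir/test.sh" > "$dir/test.sh_forged"
    # Only the reviewer certificate is trusted on the "remote" side.
    accepted=$(run_signed "$dir/reviewer.pem" < "$dir/test.sh_signed")
    if run_signed "$dir/reviewer.pem" < "$dir/test.sh_forged" 2>/dev/null; then
        forged=executed
    else
        forged=rejected
    fi
    rm -rf "$dir"
    echo "$accepted|$forged"
}

demo   # prints: hello from reviewed script|rejected
```

The second case models a holder of the SSH key who lacks the signing key: the blob is well formed, but its signer does not chain to the trusted certificate, so nothing is executed.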


Easy way to create SSL certificates

Sun 29 January 2012 by admin

Every time I have to create a CSR or a self-signed SSL certificate, I need to know the complex syntax of openssl. Lately I've found an easy solution to this drawback. RedHat Linux distributions all have in common the directory /etc/pki, which includes all generated and installed keys. In location /etc/pki/tls/certs we ...
