Posts: 89
Threads: 2
Joined: Feb 2024
08-04-2024, 03:49 PM
(This post was last modified: 08-04-2024, 03:50 PM by a44857437.)
(08-04-2024, 03:46 PM)insect1285 Wrote: Do we need to use the Signing API to sign using the /etc/ssh/ca_users_key.pub? If yes - what are user/principals to use? Can't seem to find a combination that will let me SSH into other port without password prompt.
You should use the curl command directly, with the proper settings...
(08-04-2024, 03:25 PM)whipped Wrote: (08-04-2024, 03:06 PM)Unbutton8074 Wrote: (08-04-2024, 03:01 PM)a44857437 Wrote: (08-04-2024, 02:13 PM)x1rx Wrote: (08-04-2024, 01:52 PM)orwell1984 Wrote: I'm stuck on support user on the host, any hint on what to do next?
cat /etc/ssh/auth_principals/zzinter
zzinter_temp
try zzinter_temp principals
And then use the sudo privs for signing another one?
mine says empty principal name btw
I think the sudo script as zzinter on the host (Not the docker) is a rabbit hole. It doesn't work, as the variable names in the script are all wrong.
I feel there is some way to bypass the restriction of signing as the root_user principal on the fast_api site
I think you're right
Posts: 5
Threads: 0
Joined: Aug 2024
>You should use the curl command directly, with the proper settings...
Right... I am. The "proper settings" is what I can't seem to figure out. Pretty sure I have the correct pub key. Can't figure out "correct" user/principals.
Posts: 89
Threads: 2
Joined: Feb 2024
(08-04-2024, 03:53 PM)insect1285 Wrote: >You should use the curl command directly, with the proper settings...
Right... I am. The "proper settings" is what I can't seem to figure out. Pretty sure I have the correct pub key. Can't figure out "correct" user/principals.
Did you manage to get it working with the support user and principal?
Posts: 5
Threads: 0
Joined: Aug 2024
(08-04-2024, 04:00 PM)a44857437 Wrote: (08-04-2024, 03:53 PM)insect1285 Wrote: >You should use the curl command directly, with the proper settings...
Right... I am. The "proper settings" is what I can't seem to figure out. Pretty sure I have the correct pub key. Can't figure out "correct" user/principals.
Did you manage to get it working with the support user and principal?
no
Posts: 89
Threads: 2
Joined: Feb 2024
(08-04-2024, 04:02 PM)insect1285 Wrote: (08-04-2024, 04:00 PM)a44857437 Wrote: (08-04-2024, 03:53 PM)insect1285 Wrote: >You should use the curl command directly, with the proper settings...
Right... I am. The "proper settings" is what I can't seem to figure out. Pretty sure I have the correct pub key. Can't figure out "correct" user/principals.
Did you manage to get it working with the support user and principal?
no
Try that first
Posts: 10
Threads: 0
Joined: Aug 2024
Is the "mgraham" user useful?
Posts: 5
Threads: 0
Joined: Aug 2024
Tried all these pairs:
./sign_mod.sh id_ed25519.pub bmcgregor support > test_cert1
./sign_mod.sh id_ed25519.pub bmcgregor webserver > test_cert2
./sign_mod.sh id_ed25519.pub bmcgregor analytics > test_cert3
./sign_mod.sh id_ed25519.pub bmcgregor security > test_cert4
./sign_mod.sh mgraham.pub mgraham support > test_cert5
./sign_mod.sh mgraham.pub mgraham webserver > test_cert6
./sign_mod.sh mgraham.pub mgraham analytics > test_cert7
./sign_mod.sh mgraham.pub mgraham security > test_cert8
./sign_mod.sh ca_users_key_global.pub bmcgregor support > test_cert9
./sign_mod.sh ca_users_key_global.pub bmcgregor webserver > test_cert10
./sign_mod.sh ca_users_key_global.pub bmcgregor analytics > test_cert11
./sign_mod.sh ca_users_key_global.pub bmcgregor security > test_cert12
./sign_mod.sh ca_users_key_global.pub mgraham support > test_cert13
./sign_mod.sh ca_users_key_global.pub mgraham webserver > test_cert14
./sign_mod.sh ca_users_key_global.pub mgraham analytics > test_cert15
./sign_mod.sh ca_users_key_global.pub mgraham security > test_cert16
None worked for me. I must be missing something obvious
Posts: 2
Threads: 0
Joined: Jun 2024
(08-04-2024, 04:20 PM)mmkz Wrote: (08-04-2024, 02:13 PM)x1rx Wrote: (08-04-2024, 01:52 PM)orwell1984 Wrote: I'm stuck on support user on the host, any hint on what to do next?
cat /etc/ssh/auth_principals/zzinter
zzinter_temp
try zzinter_temp principals
thank you x1rx for zzinter_temp principals hint, now what is next please?
zzinter@ssg:~$ sudo -l
Matching Defaults entries for zzinter on ssg:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
User zzinter may run the following commands on ssg:
(root) NOPASSWD: /opt/sign_key.sh
zzinter@ssg:~$ cat /opt/sign_key.sh
#!/bin/bash
usage () {
echo "Usage: $0 <ca_file> <public_key_file> <username> <principal> <serial>"
exit 1
}
if [ "$#" -ne 5 ]; then
usage
fi
ca_file="$1"
public_key_file="$2"
username="$3"
principal="$4"
serial="$5"
if [ ! -f "$ca_file" ]; then
echo "Error: CA file '$ca_file' not found."
usage
fi
if [[ $ca == "/etc/ssh/ca-it" ]]; then
echo "Error: Use API for signing with this CA."
usage
fi
itca=$(cat /etc/ssh/ca-it)
ca=$(cat "$ca_file")
if [[ $itca == $ca ]]; then
echo "Error: Use API for signing with this CA."
usage
fi
if [ ! -f "$public_key_file" ]; then
echo "Error: Public key file '$public_key_file' not found."
usage
fi
supported_principals="webserver,analytics,support,security"
IFS=',' read -ra principal <<< "$principal_str"
for word in "${principal[@]}"; do
if ! echo "$supported_principals" | grep -qw "$word"; then
echo "Error: '$word' is not a supported principal."
echo "Choose from:"
echo " webserver - external web servers - webadmin user"
echo " analytics - analytics team databases - analytics user"
echo " support - IT support server - support user"
echo " security - SOC servers - support user"
echo
usage
fi
done
if ! [[ $serial =~ ^[0-9]+$ ]]; then
echo "Error: '$serial' is not a number."
usage
fi
ssh-keygen -s "$ca_file" -z "$serial" -I "$username" -V -1w:forever -n "$principals" "$public_key_name"
got "Empty principal name" message every time when run /opt/sign_key.sh with any ca_file 
Posts: 10
Threads: 0
Joined: Aug 2024
(08-04-2024, 04:20 PM)mmkz Wrote: (08-04-2024, 02:13 PM)x1rx Wrote: (08-04-2024, 01:52 PM)orwell1984 Wrote: I'm stuck on support user on the host, any hint on what to do next?
cat /etc/ssh/auth_principals/zzinter
zzinter_temp
try zzinter_temp principals
thank you x1rx for zzinter_temp principals hint, now what is next please?
zzinter@ssg:~$ sudo -l
Matching Defaults entries for zzinter on ssg:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
User zzinter may run the following commands on ssg:
(root) NOPASSWD: /opt/sign_key.sh
zzinter@ssg:~$ cat /opt/sign_key.sh
#!/bin/bash
usage () {
echo "Usage: $0 <ca_file> <public_key_file> <username> <principal> <serial>"
exit 1
}
if [ "$#" -ne 5 ]; then
usage
fi
ca_file="$1"
public_key_file="$2"
username="$3"
principal="$4"
serial="$5"
if [ ! -f "$ca_file" ]; then
echo "Error: CA file '$ca_file' not found."
usage
fi
if [[ $ca == "/etc/ssh/ca-it" ]]; then
echo "Error: Use API for signing with this CA."
usage
fi
itca=$(cat /etc/ssh/ca-it)
ca=$(cat "$ca_file")
if [[ $itca == $ca ]]; then
echo "Error: Use API for signing with this CA."
usage
fi
if [ ! -f "$public_key_file" ]; then
echo "Error: Public key file '$public_key_file' not found."
usage
fi
supported_principals="webserver,analytics,support,security"
IFS=',' read -ra principal <<< "$principal_str"
for word in "${principal[@]}"; do
if ! echo "$supported_principals" | grep -qw "$word"; then
echo "Error: '$word' is not a supported principal."
echo "Choose from:"
echo " webserver - external web servers - webadmin user"
echo " analytics - analytics team databases - analytics user"
echo " support - IT support server - support user"
echo " security - SOC servers - support user"
echo
usage
fi
done
if ! [[ $serial =~ ^[0-9]+$ ]]; then
echo "Error: '$serial' is not a number."
usage
fi
ssh-keygen -s "$ca_file" -z "$serial" -I "$username" -V -1w:forever -n "$principals" "$public_key_name"
How do i escape docker?
Posts: 7
Threads: 0
Joined: Aug 2024
Step for root.
Do the following step as root in the container.
Hidden Content
You must register or login to view this content.
Ban reason: Reputation System Rules 5.1) You are not allowed to ask for, buy, sell, or trade reputation (You may ask after a deal is made, only exception) (Permanent)
|
