Blog | G5 Cyber Security

Secure Support Access

TL;DR

This guide explains how to securely authenticate support engineers accessing client systems using SSH keys and a central key management system. This replaces password-based authentication for better security.

1. Understand the Problem

Allowing support engineers direct access to client servers is necessary, but passwords are vulnerable. SSH keys provide a much stronger method of authentication. We’ll set up a system where:

2. Generate SSH Key Pairs

Each support engineer needs their own key pair. They should do this on their workstation.

  1. Open a terminal or command prompt.
  2. Run the following command to generate a new key pair (replace engineer@example.com with their email address):
     ssh-keygen -t rsa -b 4096 -C "engineer@example.com"
  • When prompted, choose a strong passphrase to protect the private key. Do not leave it blank!
  • The command will create two files: id_rsa (the private key – keep this secret!) and id_rsa.pub (the public key).
3. Central Key Management

We’ll use a jump server to manage the authorized keys.

  1. Choose a Jump Server: Select a secure server that support engineers can access, but isn’t directly exposed to the internet.
  2. Create an authorized_keys file: On the jump server, create a directory (e.g., /home/support/.ssh) and an empty file named authorized_keys within it. Ensure appropriate permissions are set:
     mkdir /home/support/.ssh && chmod 700 /home/support/.ssh && touch /home/support/.ssh/authorized_keys && chmod 600 /home/support/.ssh/authorized_keys
  3. Add Public Keys: For each support engineer, append their public key (the contents of id_rsa.pub) to the authorized_keys file on the jump server. Each key should be on a new line.
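Appending id_rsa.pub files by hand accepts malformed lines and duplicates silently, and it is easy to forget the permissions. The helper below is an added example written for this post (it is not part of the original guide); the function name add_support_key is an assumption, and the policy that every key must carry a comment so the entry can be traced to an engineer is a choice made here, matching the -C option used in step 2.

```sh
#!/bin/sh
# add_support_key AUTHORIZED_KEYS PUBKEY_FILE
#
# Appends one engineer's public key (an id_rsa.pub-style file) to the jump
# server's authorized_keys, but only after checking that the line is a
# well-formed OpenSSH public key, carries a comment (so the entry can be
# traced back to an engineer) and is not already present. Directory and
# file permissions are re-applied on every call.
#
# Returns 0 when the key was added, 2 when it was already present and
# 1 when the key was rejected. Hypothetical helper written for this post.
add_support_key() {
    ak=$1
    pub=$2
    keyline=$(head -n 1 "$pub")   # one key per file; anything after line 1 is ignored

    # Split "type base64-body comment..." into positional parameters.
    # Globbing is switched off so a comment such as "*@example.com" is not expanded.
    set -f
    set -- $keyline
    set +f
    ktype=${1:-}
    body=${2:-}
    if [ $# -ge 3 ]; then shift 2; comment=$*; else comment=""; fi

    case $ktype in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "rejected: unsupported or missing key type '$ktype'" >&2; return 1 ;;
    esac
    if ! printf '%s\n' "$body" | grep -Eq '^[A-Za-z0-9+/]+={0,2}$'; then
        echo "rejected: key body is not base64" >&2
        return 1
    fi
    if [ -z "$comment" ]; then
        echo "rejected: key has no comment; generate it with ssh-keygen -C engineer@example.com" >&2
        return 1
    fi

    # The duplicate check compares type and body only: the same key material
    # with a different comment is still the same key. Lines that start with
    # authorized_keys options (from=, command=, ...) are not matched here.
    if [ -f "$ak" ] && awk -v t="$ktype" -v b="$body" \
            '$1 == t && $2 == b { found = 1 } END { exit !found }' "$ak"; then
        echo "already present: $ktype $comment" >&2
        return 2
    fi

    mkdir -p "$(dirname "$ak")"
    chmod 700 "$(dirname "$ak")"
    printf '%s\n' "$keyline" >> "$ak"
    chmod 600 "$ak"
    echo "added: $ktype $comment"
    return 0
}

# Example call on the jump server:
#   add_support_key /home/support/.ssh/authorized_keys /tmp/alice.pub
```

Run it once per engineer; a second run with the same key is a no-op that reports the existing entry, so the same script can be used to re-apply the permission settings from step 2 at any time.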
4. Configure Client Servers

Modify each client server to allow SSH access only from the jump server.

  1. Edit sshd_config: Open the SSH daemon configuration file (usually located at /etc/ssh/sshd_config) on each client server.
  2. Restrict Access: Add or modify these lines to restrict access:
     AllowUsers support@jump-server-ip
     (Replace support@jump-server-ip with the appropriate username and IP address of your jump server.)
  3. Disable Password Authentication: Set these options to disable password authentication:
     PasswordAuthentication no
     ChallengeResponseAuthentication no
  4. Restart SSH Service: Restart the SSH service on each client server for the changes to take effect. For example, on Debian/Ubuntu:
     sudo systemctl restart sshd
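Editing sshd_config is not the same as the setting being in effect: sshd uses the first value it reads for a keyword, it reads Include files at the point where the Include line appears, and keywords after a Match line apply only inside that block. Several distributions ship an Include of a drop-in directory at the top of the file, so a drop-in that says PasswordAuthentication yes silently wins over the no added in step 3. The audit below is an added example for this post (not part of the original guide or of OpenSSH); the function names _walk, effective_value and audit_sshd_config are assumptions, and it only expands Include paths as written (sshd resolves relative ones against /etc/ssh).

```sh
#!/bin/sh
# Audit an sshd_config the way sshd reads it: the FIRST value seen for a
# keyword wins, Include files are read in place, and keywords after a Match
# line are conditional rather than global, so they are ignored here.
# Hypothetical helpers written for this post.

# _walk FILE: print "keyword value" pairs (keyword lowercased) in read order.
_walk() {
    f=$1
    [ -f "$f" ] || return 0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}               # drop comments
        set -f                          # word-split only; no glob expansion here
        set -- $line
        set +f
        [ $# -ge 1 ] || continue
        kw=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
        shift
        case $kw in
            include)
                # Unquoted so patterns such as /etc/ssh/sshd_config.d/*.conf expand;
                # an unmatched pattern stays literal and is skipped by the -f test.
                for inc in $*; do _walk "$inc"; done ;;
            match)
                return 0 ;;             # the rest of this file is Match-scoped
            *)
                printf '%s %s\n' "$kw" "$*" ;;
        esac
    done < "$f"                         # redirect is set up once, before recursion
}

# effective_value CONFIG KEYWORD: the value sshd would use, or empty if unset.
effective_value() {
    k=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    _walk "$1" | awk -v k="$k" '$1 == k { $1 = ""; sub(/^ /, ""); print; exit }'
}

# audit_sshd_config CONFIG: report the settings required by this guide that
# are not in effect. Returns 0 when compliant, 1 otherwise.
audit_sshd_config() {
    cfg=$1
    rc=0
    for want in "PasswordAuthentication no" "ChallengeResponseAuthentication no"; do
        kw=${want% *}
        exp=${want##* }
        got=$(effective_value "$cfg" "$kw")
        if [ "$(printf '%s' "$got" | tr 'A-Z' 'a-z')" != "$exp" ]; then
            # Both keywords default to yes when absent, so unset is a failure.
            echo "FAIL $kw: effective value '${got:-<unset>}', want '$exp'"
            rc=1
        fi
    done
    got=$(effective_value "$cfg" AllowUsers)
    if [ -z "$got" ]; then
        echo "FAIL AllowUsers: not set, so logins are not limited to the jump server account"
        rc=1
    fi
    return $rc
}

# Example call on a client server:
#   audit_sshd_config /etc/ssh/sshd_config && echo "sshd_config complies"
```

Treat the audit as a pre-check, not the final word: sshd -t validates the syntax before the restart in step 4, and sshd -T prints the effective value of every keyword as the daemon itself resolves it, including Include and Match handling this parser only approximates. On OpenSSH 8.7 and later, ChallengeResponseAuthentication is an alias for KbdInteractiveAuthentication, so sshd -T reports the latter name.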

5. Accessing Client Servers

Support engineers connect through the jump server.

  1. Connect via Jump Server: Engineers SSH into the jump server first:
     ssh support@jump-server-ip
  2. Then to Client Server: From the jump server, connect to the client server. The SSH agent should automatically use their key if it’s loaded (see step 6).
6. Using an SSH Agent

To avoid repeatedly entering the passphrase, use an SSH agent.

  1. Start the Agent: Start the SSH agent on the engineer’s workstation:
     eval "$(ssh-agent -s)"
  2. Add Private Key: Add their private key to the agent:
     ssh-add ~/.ssh/id_rsa
  • You will be prompted for the passphrase once. After that, connections through the jump server should not require it.
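Steps 5 and 6 leave two things to the engineer: noticing whether an agent is already running with the key loaded, and making sure the second hop authenticates with the key on the workstation rather than a copy on the jump server. The helpers below are an added example for this post, not code from the original guide; ensure_key_loaded, support_ssh and the JUMP_HOST placeholder are assumptions. ssh-add -t and ssh -J are real OpenSSH options: -t gives the loaded key a lifetime in the agent, and -J (ProxyJump) tunnels the connection through the jump server while the client server's authentication still runs against the workstation's agent, so the private key never has to exist on the jump server.

```sh
#!/bin/sh
# Hypothetical helpers for the engineer's workstation, written for this post.

# ensure_key_loaded PRIVATE_KEY [LIFETIME]
#   Reach an agent (starting one if none answers), then load PRIVATE_KEY with
#   a bounded lifetime unless its fingerprint is already held by the agent.
#   Returns 0 when the key was loaded now, 3 when it was already loaded,
#   1 on failure. `ssh-add -l` exits 0 when it lists identities, 1 when the
#   agent is reachable but empty, and 2 when no agent can be reached.
ensure_key_loaded() {
    key=$1
    life=${2:-8h}
    st=0
    ssh-add -l >/dev/null 2>&1 || st=$?
    if [ "$st" -eq 2 ]; then
        eval "$(ssh-agent -s)" >/dev/null || return 1
    fi
    # Compare fingerprints rather than file names: the agent lists what it holds,
    # not where it came from.
    fp=$(ssh-keygen -lf "$key.pub" | awk '{ print $2 }') || return 1
    [ -n "$fp" ] || return 1
    if ssh-add -l 2>/dev/null | awk '{ print $2 }' | grep -Fxq -- "$fp"; then
        return 3
    fi
    ssh-add -t "$life" "$key" >/dev/null 2>&1 || return 1
}

# support_ssh CLIENT_HOST [COMMAND...]
#   Connect to a client server through the jump server in one step. -J (ProxyJump)
#   opens the connection via JUMP_HOST; the client server authenticates the
#   engineer against the workstation's agent, so no private key is needed on the
#   jump server. JUMP_HOST is a placeholder for the address from the guide.
JUMP_HOST=${JUMP_HOST:-support@jump-server-ip}
support_ssh() {
    host=$1
    shift
    ssh -J "$JUMP_HOST" "support@$host" "$@"
}

# Example session:
#   ensure_key_loaded ~/.ssh/id_rsa 8h   # passphrase asked at most once per lifetime
#   support_ssh client.example.internal uptime
```

Because the key is loaded with a lifetime, a forgotten agent on an unattended workstation stops being usable after the interval rather than staying valid until the next logout. The jump server still sees the connection in its own logs, so the audit trail from the guide's step 5 is preserved even though the engineer types a single command.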