Installing the required software
- OpenSSH 6.9 or higher
- A command-line utitlity that is able to make HTTP requests such as curl (recommended), or wget
Setting up the CloudGate Key Manager connection script
GETrequest to CloudGate Key Manager. This request needs to contain the following parameters:
The name of the operating system-level account that is being authenticated to. For example, if the user is trying to log in with
firstname.lastname@example.org, the value of this parameter will be
- The fingerprint of the key that the user is using to authenticate.
- The name or ID of the server instance that the user is authenticating to. This can be the instance's host name, or the instance name/ID that was assigned by the cloud service provider. This value needs to correspond to the name/ID that is configured for the instance in CloudGate Key Manager.
Below is an example of a CloudGate Key Manager connection script designed for instances running on Amazon Web Services.
#!/usr/bin/env bash instance=$(/usr/bin/curl -s 'http://169.254.169.254/latest/meta-data/instance-id') /usr/bin/curl --get --max-time 5 --data-urlencode "account=$1" \ --data-urlencode "key=$2" \ --data-urlencode "instance=$instance" \ http://172.17.0.100 \ || echo -n;
- The script uses curl to retrieve the instance's ID from Amazon's EC2 metadata service.
- The script then uses curl again to pass the instance ID, along with information received from the SSH server (see Configuring the SSH server), to CloudGate Key Manager (available at
172.17.0.100in the example above).
- CloudGate Key Manager will evaluate the request, and if the user who owns the key is allowed to access the specified account on the specified instance, it will return the corresponding public key to the script, which in turn will pass it on to the SSH server to complete the authentication procedure.
Note: The script uses a request timeout setting of 5 seconds. If CloudGate Key Manager does not respond within this period, or the request fails for any other reason, the script will return an empty value to the SSH server, causing it to fall back on other authorized keys or authentication methods.
The connection script needs to be installed somewhere on the instance, in a file owned by the
root user that is not writable by either the group or others. For the rest of our examples, we will assume that the script has been saved to /etc/ssh/get_authorized_keys.sh.
Configuring the SSH server
This option specifies whether public key authentication is allowed, and defaults to
- This option specifies the command that needs to be executed to retrieve authorized keys.
- This option specifies the user under whose account the above command is executed.
PubkeyAuthentication yes AuthorizedKeysCommand /etc/ssh/get_authorized_keys.sh %u %f AuthorizedKeysCommandUser root
rootas the user to execute the authorized keys command, the OpenSSH documentation recommends creating a dedicated user for this purpose.