From f09310bc91f445412e0caadf3bafb58e92ea2551 Mon Sep 17 00:00:00 2001 From: Lutz Justen Date: Fri, 2 Dec 2022 10:02:44 +0100 Subject: [PATCH] Add Google specific instructions to run without security key touches --- README.md | 76 ++++++++++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 73 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 6e892a4..4f73a1a 100644 --- a/README.md +++ b/README.md @@ -178,14 +178,84 @@ set CDC_SCP_COMMAND="C:\path with space\to\scp.exe" -F C:\path\to\ssh_config -i #### Google Specific -For Google internal usage, set the following environment variables to enable SSH -authentication using a Google security key: +For Google internal usage, there are two setups, a simple one that requires +touching the security key for every remote access, and a slightly more complex +one that tunnels all remote access through an SSH tunnel and only requires one +security key touch to set up the tunnel. + +##### Setup Requiring Security Key Touches + +Set the following environment variables to enable SSH authentication using a +Google security key: ``` set CDC_SSH_COMMAND=C:\gnubby\bin\ssh.exe set CDC_SCP_COMMAND=C:\gnubby\bin\scp.exe ``` Note that you will have to touch the security key multiple times during the -first run. Subsequent runs only require a single touch. +first run of each tool as the Linux components have to be deployed first. +Subsequent runs only require a single touch. + +##### Setup Not Requiring Security Key Touches + +This section explains how to run the tools without security key touch for every +action. + +On Linux, generate a host key pair with +``` +mkdir ~/sshd_runner +ssh-keygen -f ~/sshd_runner/ssh_host_ed25519_key -N '' -t ed25519 +``` + +On Windows, create `%USERPROFILE%\sshd_runner\known_hosts` and copy the public +key from `~/sshd_runner/ssh_host_ed25519_key.pub` to it, using `localhost` and +port `50000` (if the port is in use, use another port). The file should look +similar to +``` +[localhost]:50000 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOR1EInlod0Pm853Ew0p4eXaD3V8y9njf6EoyaPfc8ln +``` + +Next, generate an auth key for the Windows machine with +``` +ssh-keygen -f %USERPROFILE%\sshd_runner\id_ed25519 -N "" -t ed25519 +``` +Note the subtle difference `-N ''` vs `-N ""`. + +On Linux, create `~/sshd_runner/authorized_keys` and copy the public key from +`%USERPROFILE%\sshd_runner\id_ed25519.pub` to it. The file should look similar +to +``` +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKleiT/yRhZ9aMutOJ8XaAYX0SPUZHuS50HP4QK5kBft google\user@user-w +``` +On Windows, open an SSH tunnel to the Linux machine through port 50000. +This should require one gnubby touch. +``` +C:\gnubby\bin\ssh.exe -N -L50000:localhost:50000 ..corp.google.com +``` +On Linux, run the SSH server with +``` +/usr/sbin/sshd -D -p 50000 -oHostKey=~/sshd_runner/ssh_host_ed25519_key -oAuthorizedKeysFile=~/sshd_runner/authorized_keys -oListenAddress=localhost:50000 +``` +It runs as user, not as root, and only accepts connections from localhost +through port 50000, so it's secure. + +Now you should be able to run SSH on the Windows machine into the Linux device +without security key touch +``` +C:\Windows\System32\OpenSSH\ssh.exe -p 50000 -i %USERPROFILE%\sshd_runner\id_ed25519 -oUserKnownHostsFile=%USERPROFILE%\sshd_runner\known_hosts user@localhost +``` +Next, set `CDC_SSH_COMMAND` and `CDC_SCP_COMMAND` to use the proper flags +``` +set CDC_SSH_COMMAND=C:\Windows\System32\OpenSSH\ssh.exe -i %USERPROFILE%\sshd_runner\id_ed25519 -oUserKnownHostsFile=%USERPROFILE%\sshd_runner\known_hosts -p 50000 +set CDC_SCP_COMMAND=C:\Windows\System32\OpenSSH\scp.exe -i %USERPROFILE%\sshd_runner\id_ed25519 -oUserKnownHostsFile=%USERPROFILE%\sshd_runner\known_hosts -P 50000 +``` +Note the small `-p` for SSH and the capital `-P` for SCP. + +Now the file transfer tools should work without security key touch, but be sure +to use `localhost` as target host as we're piping the data through the tunnel. +``` +cdc_rsync C:\assets\* user@localhost:~/assets -vr +cdc_stream start C:\assets user@localhost:~/assets +``` ### CDC RSync