SSH Standing Accounts integration | Entitle

Overview

Through the SSH Standing Accounts integration option, only regular (existing) users are given SSH access to the machine.

Prerequisites

The account with which you wish to integrate with Entitle can be either one of two options:

1. A root account possesses the authority to generate SSH keys, such as via ssh-keygen, and is capable of creating user accounts and modifying user files.
2. An alternative account with the privilege to execute specific executables (listed below) using Sudo, without requiring a password:
   1. cat - read file contents.
   2. tee - write to a file.
   3. getent - list users on the machine.
   4. service - restart services.
   5. mkdir - create a directory.
   6. rm - delete a file.
   7. stat - check file age.
   8. service or systemctl (depends on your system) - reloads the SSH service after updating who can and can't access the server.
      
      
   • The privilege can be granted to the user by modifying the system's sudoers settings. Entitle highly recommends doing this with the visudo executable (which requires an editor to be installed) to protect the Linux machine from becoming inoperable.
   • Below is an example of modifying sudoers to allow passwordless execution for a single executable:
     <username> ALL=(root) NOPASSWD: <executable path>
   • The executable path can be identified by running 'which <executable name>.

General guidelines

• The access is done by manipulating the SSH configuration file on the target machine: etc/ssh/sshd_config. Note that the user must have read and write access to this file.
  • A user that is given access will be added to the file mentioned above with the keyword AllowUsers. For example, AllowUsers username.
• The integration controls access by creating and updating a whitelist of permanent standing accounts in the above-mentioned configuration file.
• Optional: The configuration enables an array of permanent standing accounts, for whom access will stay persistent throughout the lifetime of the integration.
• The (service account) user specified in the configuration on behalf of the operations will be made and will be automatically added to the list of permanent standing accounts.

  ℹ️

  It is optional to provide Entitle with a list of permanent standing accounts, as it automatically creates a list. In case you choose to provide the list of accounts, they will be added to the existing ones.

• Even if the access to a permanent standing account is revoked externally, it will be recreated the next time a give/revoke access is made. Therefore, if you wish to revoke access to a permanent standing account, you will need to delete and create a new integration with other permanent standing accounts.

Set up SSH to work with Entitle

ℹ️

All that is needed to integrate SSH with Entitle is the username and key of a Sudo user. One way of generating the key will be explained in the following steps; however, there are other ways to achieve the same result.

Generate SSH keys

1. Open the computer terminal.
2. Generate an SSH key using the ssh-keygen command:

$ ssh-keygen

• After running ssh-keygen, you will receive two keys: id_rsa and id_rsa.pub (or the respective files you provided).

  ℹ️

  In this guide, when prompted for the private key, please provide the id_rsa file. When prompted for the public key, provide the id_rsa.pub file.

  • To use the private key with Entitle, you need to replace all new lines with \n characters. You can achieve this by using sed command for Linux users only:

  Bash

  sed 's/$/\\n/' <key_path> | tr -d '\n'
  

3. Replace <key_path> with the name of your private key file
4. Below is an example of how a private SSH key will look.

Set up SSH key authentication on the target machine

1. Open the terminal on the target machine.
2. Navigate to the /.ssh directory for the specific user (e.g., /home/username/.ssh). Keep in mind that this user is the same one you will set in the Example JSON configuration.
3. Within the /.ssh directory, create a file named authorized_keys, and paste the public key generated in step 2 to the authorized keys file. You can achieve this by echoing the public key into the file:

~ echo "public_key_content" > /home/username/.ssh/authorized_keys

🚧

Important information

Failure to place the public key in the authorized_keys file will result in SSH authentication failure. This is because the private key won't match with any public key.

Creating the integration in Entitle

1. Log in to Entitle and go to the Integrations page.

2. After clicking the Add Integration button, type SSH Standing Accounts in the Application field.

3. Choose the Default Approval Workflow for your integration.

4. Don’t forget to set the Save on field with your configuration, i.e., your own hosted agent or Entitle’s cloud.

   

5. In the connection JSON:

   • Assign the machine's IP address or domain name to the host field.
   • Paste the private key previously generated as the value for the key field.

     ℹ️

     In the connection JSON, it's essential to swap each new line with \n character.

   • Set the user field to the username to which the keys were mapped.
   • If provided, set the list of permanent_standing_accounts in the relevant field. Otherwise, use the consequent connection JSON.

     ✅

     Example Connection JSON

     JSON

     {
         "host": "<IP or domain name>",
         "key": "<Private-key>",
         "user ": "<username>",
         "permanent_standing_accounts": ["a", "b"] 
     }
     	or
     {
         "host": "<IP or domain name>",
         "key": "<Private-key>",
         "user ": "<username>"
     }
     

6. Click Save.

✅

What's next?

Make sure your setup is complete by testing your integration.