Installing Synchronization Scripts

Lee Painter

We have a number of different packages for installing scripts that provide integration with OpenSSH server's public key authentication and the JADAPTIVE Key Server.

The easiest method to configure an OpenSSH server is to use the AuthorizedKeysCommand and AuthorizedKeysCommandUser configuration settings, supported by OpenSSH since version 6.8. Our packages install the necessary scripts and make the configuration change required to support this method if your server is running OpenSSH 6.8 or greater.

If you are installing on a server with an earlier version of OpenSSH you will not be able to use the AuthorizedKeysCommand option; however, you can still install the package to take advantage of the manual synchronization scripts. This just requires a little more setup on each account you want to configure for key management.


Pre-requisites

The scripts require curl to execute HTTPS requests. You should install it before attempting to install these scripts.

Debian/Ubuntu

apt-get install curl

CentOS/Red Hat

yum install curl


Download & Installation

We have provided shortcut links to the latest packages on your key server. Both packages have a dependency on curl and the OpenSSH server.

Debian/Ubuntu

Download the package from https://<hostname>/scripts/jadaptive.deb or from our cloud server https://gateway.sshtools.com/scripts/jadaptive.deb

Install using:

dpkg -i jadaptive-keyserver-scripts-<version>.deb

CentOS/Red Hat

Download the package from https://<hostname>/scripts/jadaptive.rpm or from our cloud server https://gateway.sshtools.com/scripts/jadaptive.rpm

Install using:

rpm -i jadaptive-keyserver-scripts-<version>.noarch.rpm


Testing Curl

Once the scripts are installed you need to configure the key server location. Before you edit the configuration, it is recommended that you test the curl command against your key server. If your key server is not presenting a valid SSL certificate you may need to adjust the configuration. We recommend that you maintain a valid SSL certificate on your key server at all times.

Execute the following command:

curl https://<keyserver>/ping

This should result in a response like the following:

curl https://ks1/ping
PONG

If you receive errors relating to the certificate, like the one below, you should in the first instance fix the certificate issue on your key server by installing an up-to-date SSL certificate.

curl https://ks1/ping
curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

If you need to bypass this, you can check again using the -k switch, which ignores certificate errors:

curl -k https://ks1/ping
PONG

If you need to use the -k switch then make a note to adjust the ALLOW_INSECURE_GATEWAY option in the next section.


Configuration

You should now edit the /etc/default/jadaptive-keyserver file.

nano /etc/default/jadaptive-keyserver

Change the GATEWAY_HOST environment variable to point to the hostname of your key server.

If you noted earlier that you need to set ALLOW_INSECURE_GATEWAY, change it to y.

# Configuration for jadaptive-keyserver-scripts
#

# Gateway host
#
# The default hostname or IP address of the gateway from which to retrieve keys.
#
GATEWAY_HOST=ks1

# Allow incorrect SSL certificates when connecting to the
# GATEWAY_HOST.
#
# Default: N
# Recommended: N - To avoid MITM. The gateway is your trusted keystore!
#
ALLOW_INSECURE_GATEWAY=n
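As an added check (example script, not part of the jadaptive-keyserver-scripts package), the following reads the two options above from the configuration file and tests the gateway the same way the sync scripts will, using curl against https://<GATEWAY_HOST>/ping and accepting only the PONG response shown earlier. It assumes the file path and option names from this article; the curl -s -S flags and the --live switch are this script's own.

```shell
#!/bin/sh
# Added example, not part of the jadaptive-keyserver-scripts package:
# validate /etc/default/jadaptive-keyserver and test the gateway the way
# the sync scripts will, with curl against https://<GATEWAY_HOST>/ping.

# Print the value of KEY from a KEY=value config file (last assignment
# wins; quotes and spaces stripped). Comment lines never match.
config_value() {
    sed -n "s/^$2=//p" "$1" | tail -n 1 | tr -d "\"' "
}

# Translate the config into curl arguments: ALLOW_INSECURE_GATEWAY=y
# becomes -k (certificate checks off); anything else keeps them on.
curl_args() {
    _host=$(config_value "$1" GATEWAY_HOST)
    _insecure=$(config_value "$1" ALLOW_INSECURE_GATEWAY)
    [ -n "$_host" ] || { echo "GATEWAY_HOST is not set in $1" >&2; return 1; }
    case "$_insecure" in
        y|Y) echo "-k -s -S https://$_host/ping" ;;
        *)   echo "-s -S https://$_host/ping" ;;
    esac
}

# Accept only the exact PONG body; an error page or login form is a fail.
is_pong() {
    [ "$(printf '%s' "$1" | tr -d '\r\n')" = "PONG" ]
}

# Live check against the configured gateway; returns 0 only on PONG.
ping_gateway() {
    _args=$(curl_args "${1:-/etc/default/jadaptive-keyserver}") || return 1
    case "$_args" in
        -k*) echo "warning: certificate verification is disabled" >&2 ;;
    esac
    _resp=$(curl $_args) || return 1    # word splitting of _args intended
    is_pong "$_resp"
}

# Constructed sample config mirroring the shipped file; used for offline checks.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# Configuration for jadaptive-keyserver-scripts
GATEWAY_HOST=ks1
ALLOW_INSECURE_GATEWAY=n
EOF

# Only contact the network when asked: ./check.sh --live [config-file]
if [ "${1:-}" = "--live" ]; then ping_gateway "$2" && echo "gateway OK"; fi
```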

Finally, you can now test the key server scripts.

Execute the following command for an account you want to manage keys for:

keyserver-sync /root root

Then log in to the Key Server Administration CLI and execute:

remote-accounts

You should now see this account and host in the remote-accounts listing:

# remote-accounts
Account Hostname
------- --------
root ks1

You are now ready to start configuring access as described in our article Configuring a Remote Account.