[a44857437]

Do we need to use the Signing API to sign using the /etc/ssh/ca_users_key.pub? If yes - what are user/principals to use? Can't seem to find a combination that will let me SSH into other port without password prompt.

You should use the curl command directly, with the proper settings...

---

I'm stuck on support user on the host, any hint on what to do next?

cat /etc/ssh/auth_principals/zzinter
zzinter_temp

try zzinter_temp principals

And then use the sudo privs for signing another one?

mine says empty principal name btw

I think the sudo script as zzinter on the host (Not the docker) is a rabbit hole. It doesn't work, as the variable names in the script are all wrong.

I feel there is some way to bypass the restriction of signing as the root_user principal on the fast_api site

I think you're right

[insect1285]

>You should use the curl command directly, with the proper settings...


Right... I am. The "proper settings" is what I can't seem to figure out. Pretty sure I have the correct pub key. Can't figure out "correct" user/principals.

[a44857437]

>You should use the curl command directly, with the proper settings...


Right... I am. The "proper settings" is what I can't seem to figure out. Pretty sure I have the correct pub key. Can't figure out "correct" user/principals.

Did you manage to get it working with the support user and principal?

[insect1285]

>You should use the curl command directly, with the proper settings...


Right... I am. The "proper settings" is what I can't seem to figure out. Pretty sure I have the correct pub key. Can't figure out "correct" user/principals.

Did you manage to get it working with the support user and principal?

no

[a44857437]

>You should use the curl command directly, with the proper settings...


Right... I am. The "proper settings" is what I can't seem to figure out. Pretty sure I have the correct pub key. Can't figure out "correct" user/principals.

Did you manage to get it working with the support user and principal?

no

Try that first

[r1x0n]

Is the "mgraham" user useful?

[insect1285]

Tried all these pairs:

./sign_mod.sh id_ed25519.pub bmcgregor support > test_cert1
./sign_mod.sh id_ed25519.pub bmcgregor webserver > test_cert2
./sign_mod.sh id_ed25519.pub bmcgregor analytics > test_cert3
./sign_mod.sh id_ed25519.pub bmcgregor security > test_cert4

./sign_mod.sh mgraham.pub mgraham support > test_cert5
./sign_mod.sh mgraham.pub mgraham webserver > test_cert6
./sign_mod.sh mgraham.pub mgraham analytics > test_cert7
./sign_mod.sh mgraham.pub mgraham security > test_cert8


./sign_mod.sh ca_users_key_global.pub bmcgregor support > test_cert9
./sign_mod.sh ca_users_key_global.pub bmcgregor webserver > test_cert10
./sign_mod.sh ca_users_key_global.pub bmcgregor analytics > test_cert11
./sign_mod.sh ca_users_key_global.pub bmcgregor security > test_cert12

./sign_mod.sh ca_users_key_global.pub mgraham support > test_cert13
./sign_mod.sh ca_users_key_global.pub mgraham webserver > test_cert14
./sign_mod.sh ca_users_key_global.pub mgraham analytics > test_cert15
./sign_mod.sh ca_users_key_global.pub mgraham security > test_cert16

None worked for me. I must be missing something obvious

[n00be]

I'm stuck on support user on the host, any hint on what to do next?

cat /etc/ssh/auth_principals/zzinter
zzinter_temp

try zzinter_temp principals

thank you x1rx for zzinter_temp principals hint, now what is next please?

zzinter@ssg:~$ sudo -l
Matching Defaults entries for zzinter on ssg:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User zzinter may run the following commands on ssg:
    (root) NOPASSWD: /opt/sign_key.sh

zzinter@ssg:~$ cat /opt/sign_key.sh
#!/bin/bash

usage () {
    echo "Usage: $0 <ca_file> <public_key_file> <username> <principal> <serial>"
    exit 1
}

if [ "$#" -ne 5 ]; then
    usage
fi

ca_file="$1"
public_key_file="$2"
username="$3"
principal="$4"
serial="$5"

if [ ! -f "$ca_file" ]; then
    echo "Error: CA file '$ca_file' not found."
    usage
fi

if [[ $ca == "/etc/ssh/ca-it" ]]; then
    echo "Error: Use API for signing with this CA."
    usage
fi

itca=$(cat /etc/ssh/ca-it)
ca=$(cat "$ca_file")
if [[ $itca == $ca ]]; then
    echo "Error: Use API for signing with this CA."
    usage
fi

if [ ! -f "$public_key_file" ]; then
    echo "Error: Public key file '$public_key_file' not found."
    usage
fi

supported_principals="webserver,analytics,support,security"
IFS=',' read -ra principal <<< "$principal_str"
for word in "${principal[@]}"; do
    if ! echo "$supported_principals" | grep -qw "$word"; then
        echo "Error: '$word' is not a supported principal."
        echo "Choose from:"
        echo "    webserver - external web servers - webadmin user"
        echo "    analytics - analytics team databases - analytics user"
        echo "    support - IT support server - support user"
        echo "    security - SOC servers - support user"
        echo
        usage
    fi
done

if ! [[ $serial =~ ^[0-9]+$ ]]; then
    echo "Error: '$serial' is not a number."
    usage
fi

ssh-keygen -s "$ca_file" -z "$serial" -I "$username" -V -1w:forever -n "$principals" "$public_key_name"

got "Empty principal name" message every time when run /opt/sign_key.sh with any ca_file  

[r1x0n]

I'm stuck on support user on the host, any hint on what to do next?

cat /etc/ssh/auth_principals/zzinter
zzinter_temp

try zzinter_temp principals

thank you x1rx for zzinter_temp principals hint, now what is next please?

zzinter@ssg:~$ sudo -l
Matching Defaults entries for zzinter on ssg:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User zzinter may run the following commands on ssg:
    (root) NOPASSWD: /opt/sign_key.sh

zzinter@ssg:~$ cat /opt/sign_key.sh
#!/bin/bash

usage () {
    echo "Usage: $0 <ca_file> <public_key_file> <username> <principal> <serial>"
    exit 1
}

if [ "$#" -ne 5 ]; then
    usage
fi

ca_file="$1"
public_key_file="$2"
username="$3"
principal="$4"
serial="$5"

if [ ! -f "$ca_file" ]; then
    echo "Error: CA file '$ca_file' not found."
    usage
fi

if [[ $ca == "/etc/ssh/ca-it" ]]; then
    echo "Error: Use API for signing with this CA."
    usage
fi

itca=$(cat /etc/ssh/ca-it)
ca=$(cat "$ca_file")
if [[ $itca == $ca ]]; then
    echo "Error: Use API for signing with this CA."
    usage
fi

if [ ! -f "$public_key_file" ]; then
    echo "Error: Public key file '$public_key_file' not found."
    usage
fi

supported_principals="webserver,analytics,support,security"
IFS=',' read -ra principal <<< "$principal_str"
for word in "${principal[@]}"; do
    if ! echo "$supported_principals" | grep -qw "$word"; then
        echo "Error: '$word' is not a supported principal."
        echo "Choose from:"
        echo "    webserver - external web servers - webadmin user"
        echo "    analytics - analytics team databases - analytics user"
        echo "    support - IT support server - support user"
        echo "    security - SOC servers - support user"
        echo
        usage
    fi
done

if ! [[ $serial =~ ^[0-9]+$ ]]; then
    echo "Error: '$serial' is not a number."
    usage
fi

ssh-keygen -s "$ca_file" -z "$serial" -I "$username" -V -1w:forever -n "$principals" "$public_key_name"

How do i escape docker?

[JonathanC0mradeJames]

Step for root.

Do the following step as root in the container.

Hidden Content

You must register or login to view this content.

This forum account is currently banned. Ban Length: Permanent (N/A Remaining)
Ban Reason: Reputation System Rules 5.1) You are not allowed to ask for, buy, sell, or trade reputation (You may ask after a deal is made, only exception)