Oracle Key Vault to Manage Server SSH Public Keys (Part 2)

Hello Friends,

This post continues the discussion we started in Part 1 about managing server SSH public keys with Oracle Key Vault (OKV). Part 1 set up the SSH wallet and gave the endpoint access to it; Part 2 registers a public key, adds it to that wallet and configures sshd to look keys up in OKV.

So let's get started.

Step 1 : Generate an SSH key pair

Only the public key (id_rsa.pub) is uploaded to OKV in the following steps; the private key stays in ~/.ssh on the client and should be protected with a passphrase.


[oracle@dm01db01 okvrestcli]$ ssh-keygen -t rsa -b 2048
Generating public/private rsa key pair.
Enter file in which to save the key (/home/oracle/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/oracle/.ssh/id_rsa.
Your public key has been saved in /home/oracle/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:a/jD9DFpo2nBJW7f/tUus5l9XSmU7luGCx/LjChhRrc oracle@dm01db01.database.com
The key's randomart image is:
+---[RSA 2048]----+
|                 |
|                 |
|              .  |
|       ....  o   |
|      .oSo..o   .|
|       =*E*  o..o|
|      +++B *.o.o=|
|       +* + B.O*o|
|       .oo o.O*++|
+----[SHA256]-----+

Step 2 : Convert the public key to PKCS8 format

ssh-keygen writes id_rsa.pub in OpenSSH's own one-line format (ssh-rsa AAAA...), which is not what OKV expects. The REST CLI registers the key from a PEM-encoded PKCS8 public key (-----BEGIN PUBLIC KEY-----), so convert it first:


[oracle@dm01db01 okvrestcli]$ ssh-keygen -e -m PKCS8 -f /home/oracle/.ssh/id_rsa.pub > /home/oracle/.ssh/id_rsa-pkcs8.pub
[oracle@dm01db01 okvrestcli]$
[oracle@dm01db01 okvrestcli]$ cat /home/oracle/.ssh/id_rsa-pkcs8.pub
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsdtnZ5QNpmjCy6SrsHUZ
7oX+IEVk6yyKP64p/VDUAVBJYzbWIBiBhnR2QCoz0UgkM06+9gbSv3vNYLEac2xA
XwYKpNExn/8RU1JXvEWgzXnPAolthY0fKeLuPouKt1ASjZKmyjWwe32BWr0U/R+R
onDyu9uuNm8/mYi7WvQcn8A3GWprlcE9wB2TfQrV0whuz1hTbXJC1DlKTTRiIFEa
8ORxMJhY3zHJS4jTzYxxTtz8e6HL3XhbuO+/Uh43PJsC/ukqQlnS6lYWM2EXElMK
Izu5Q5Dnfqb0OMIGXa6Ij1xJuGji0wPIY7rj9QZ7Of4G4b8AxHQwy3ayuEehbkba
TQIDAQAB
-----END PUBLIC KEY-----

Step 3 : Upload the key


[oracle@dm01db01 okvrestcli]$ /extra/okvrestcli/bin/okv managed-object public-key register --generate-json-input > /tmp/upl.json
[oracle@dm01db01 okvrestcli]$ cat /tmp/upl.json
{
  "service" : {
    "category" : "managed-object",
    "resource" : "public-key",
    "action" : "register",
    "options" : {
      "object" : "#VALUE",
      "algorithm" : "#RSA",
      "length" : "#1024,2048,3072,4096(RSA)",
      "sshUser" : "#VALUE",
      "mask" : [ "#SIGN", "#VERIFY", "#ENCRYPT", "#DECRYPT", "#WRAP_KEY", "#UNWRAP_KEY", "#EXPORT", "#DERIVE_KEY", "#GENERATE_CRYPTOGRAM", "#VALIDATE_CRYPTOGRAM", "#TRANSLATE_ENCRYPT", "#TRANSLATE_DECRYPT", "#TRANSLATE_WRAP", "#TRANSLATE_UNWRAP" ],
      "privateKeyUUID" : "#VALUE",
      "wallet" : "#VALUE",
      "attributes" : {
        "name" : {
          "value" : "#VALUE",
          "type" : "#text|uri"
        },
        "contactInfo" : "#VALUE",
        "activationDate" : "#NOW|YYYY-MM-DD HH:mm:ss",
        "deactivationDate" : "#NOW|YYYY-MM-DD HH:mm:ss",
        "processStartDate" : "#NOW|YYYY-MM-DD HH:mm:ss",
        "protectStopDate" : "#NOW|YYYY-MM-DD HH:mm:ss"
      },
      "customAttributes" : [ {
        "name" : "#VALUE",
        "value" : "#VALUE",
        "type" : "#TEXT|NUMBER"
      } ]
    }
  }
}
[oracle@dm01db01 okvrestcli]$ vi /tmp/upl.json
[oracle@dm01db01 okvrestcli]$
[oracle@dm01db01 okvrestcli]$ cat /tmp/upl.json
{
  "service" : {
    "category" : "managed-object",
    "resource" : "public-key",
    "action" : "register",
    "options" : {
      "object" : "/home/oracle/.ssh/id_rsa-pkcs8.pub",
      "algorithm" : "RSA",
      "length" : "2048",
      "mask" : [ "ENCRYPT" ],
      "sshUser" : "oracle",
      "attributes" : {
        "name" : {
          "value" : "ORACLE-PUBKEY",
          "type" : "text"
        },
        "activationDate" : "NOW",
        "deactivationDate" : "2040-12-30 00:00:00"
      }
    }
  }
}
[oracle@dm01db01 okvrestcli]$ /extra/okvrestcli/bin/okv managed-object public-key register --from-json /tmp/upl.json
{
  "result" : "Success",
  "value" : {
    "uuid" : "79A5AF0A-98A4-4F68-BF29-C6C5A6802CD3"
  }
}
[oracle@dm01db01 okvrestcli]$

Note the UUID that is returned; it identifies the key inside OKV and is needed for every later operation on it. At this point the key exists in OKV but is not a member of any wallet. In Part 1 an SSH wallet named Oracle_SSH_Wallet was created and the endpoint was granted access to manage it; the next step adds the key to that wallet.

Step 4 : Add the key to the Oracle_SSH_Wallet wallet


[oracle@dm01db01 okvrestcli]$ /extra/okvrestcli/bin/okv managed-object wallet add-member --generate-json-input > /tmp/addm.json
[oracle@dm01db01 okvrestcli]$
[oracle@dm01db01 okvrestcli]$ cat /tmp/addm.json
{
  "service" : {
    "category" : "managed-object",
    "resource" : "wallet",
    "action" : "add-member",
    "options" : {
      "uuid" : "#VALUE",
      "wallet" : "#VALUE"
    }
  }
}
[oracle@dm01db01 okvrestcli]$ vi /tmp/addm.json
[oracle@dm01db01 okvrestcli]$ cat /tmp/addm.json
{
  "service" : {
    "category" : "managed-object",
    "resource" : "wallet",
    "action" : "add-member",
    "options" : {
      "uuid" : "79A5AF0A-98A4-4F68-BF29-C6C5A6802CD3",
      "wallet" : "Oracle_SSH_Wallet"
    }
  }
}
[oracle@dm01db01 okvrestcli]$ /extra/okvrestcli/bin/okv managed-object wallet add-member --from-json /tmp/addm.json
{ "result" : "Success" }

Step 5 : To confirm, list the wallet's contents with the REST CLI. The list-objects template takes the wallet name; the displayName that OKV assigns records the SSH user and the key's SHA256 fingerprint, which you can compare with the fingerprint ssh-keygen printed in Step 1.


[oracle@dm01db01 okvrestcli]$ /extra/okvrestcli/bin/okv manage-access wallet list-objects --generate-json-input > /tmp/List.json
[oracle@dm01db01 okvrestcli]$ cat /tmp/List.json
{
  "service" : {
    "category" : "manage-access",
    "resource" : "wallet",
    "action" : "list-objects",
    "options" : {
      "wallet" : "#VALUE",
      "limit" : "#VALUE",
      "excludeWalletMembership" : "#TRUE|FALSE"
    }
  }
}
[oracle@dm01db01 okvrestcli]$ vi /tmp/List.json
[oracle@dm01db01 okvrestcli]$ /extra/okvrestcli/bin/okv manage-access wallet list-objects --from-json /tmp/List.json
{
  "result" : "Success",
  "value" : {
    "fetchedObjectCount" : "1",
    "managedObjects" : [ {
      "creatingEndpoint" : "DM01DB01",
      "creationDate" : "2024-03-08 22:43:21",
      "deactivationDate" : "2040-12-30 00:00:00",
      "displayName" : "SSH Key for user: oracle, Fingerprint: SHA256:a/jD9DFpo2nBJW7f/tUus5l9XSmU7luGCx/LjChhRrc",
      "name" : "ORACLE-PUBKEY",
      "protectStopDate" : "",
      "state" : "Active",
      "type" : "Public Key",
      "uuid" : "79A5AF0A-98A4-4F68-BF29-C6C5A6802CD3",
      "walletMembership" : [ "Oracle_SSH_Wallet" ]
    } ]
  }
}
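The three calls above (register, add-member, list-objects) can be chained in a script so the UUID never has to be copied by hand from the register response into the add-member template. The following script is an added example, not code from the post or from Oracle. It assumes the REST CLI path used throughout the post (/extra/okvrestcli/bin/okv, overridable with the OKV variable), that the CLI accepts the --from-json files exactly as shown above, and that the register response has the JSON shape shown in Step 3; the key name, mask and dates are copied from the post's upl.json and should be adjusted to your environment. No JSON escaping is done, so keep the values free of quotes and backslashes.

```sh
#!/bin/sh
# Added example: drive register -> add-member without hand-editing JSON.
# Not code from the original post or from Oracle. Assumptions: the okv REST
# CLI lives at $OKV (override for testing) and returns the JSON shown in the post.
set -u

OKV="${OKV:-/extra/okvrestcli/bin/okv}"   # assumed install path (taken from the post)

# make_register_json PUBFILE SSHUSER KEYNAME DEACTIVATION
# Values are inserted verbatim (no JSON escaping). Mask and dates mirror upl.json.
make_register_json() {
    pubfile=$1
    sshuser=$2
    keyname=$3
    deactivation=$4
    printf '%s\n' \
'{' \
'  "service" : {' \
'    "category" : "managed-object",' \
'    "resource" : "public-key",' \
'    "action" : "register",' \
'    "options" : {' \
"      \"object\" : \"$pubfile\"," \
'      "algorithm" : "RSA",' \
'      "length" : "2048",' \
'      "mask" : [ "ENCRYPT" ],' \
"      \"sshUser\" : \"$sshuser\"," \
'      "attributes" : {' \
"        \"name\" : { \"value\" : \"$keyname\", \"type\" : \"text\" }," \
'        "activationDate" : "NOW",' \
"        \"deactivationDate\" : \"$deactivation\"" \
'      }' \
'    }' \
'  }' \
'}'
}

# make_add_member_json UUID WALLET
make_add_member_json() {
    uuid=$1
    wallet=$2
    printf '%s\n' \
'{' \
'  "service" : {' \
'    "category" : "managed-object",' \
'    "resource" : "wallet",' \
'    "action" : "add-member",' \
'    "options" : {' \
"      \"uuid\" : \"$uuid\"," \
"      \"wallet\" : \"$wallet\"" \
'    }' \
'  }' \
'}'
}

# Pull the uuid out of a register response on stdin; empty output means none found.
extract_uuid() {
    sed -n 's/.*"uuid" *: *"\([^"]*\)".*/\1/p' | head -n 1
}

# True when a CLI response on stdin reports "result" : "Success".
is_success() {
    grep -q '"result" *: *"Success"'
}

# register_and_add PUBFILE SSHUSER KEYNAME DEACTIVATION WALLET
# Registers the key, adds it to the wallet, prints the new uuid; returns 1 on any failure.
register_and_add() {
    workdir=$(mktemp -d)
    make_register_json "$1" "$2" "$3" "$4" > "$workdir/upl.json"
    resp=$("$OKV" managed-object public-key register --from-json "$workdir/upl.json")
    printf '%s\n' "$resp" | is_success || { echo "register failed: $resp" >&2; rm -rf "$workdir"; return 1; }
    uuid=$(printf '%s\n' "$resp" | extract_uuid)
    [ -n "$uuid" ] || { echo "no uuid in register response" >&2; rm -rf "$workdir"; return 1; }
    make_add_member_json "$uuid" "$5" > "$workdir/addm.json"
    "$OKV" managed-object wallet add-member --from-json "$workdir/addm.json" | is_success \
        || { echo "add-member failed for $uuid" >&2; rm -rf "$workdir"; return 1; }
    rm -rf "$workdir"
    printf '%s\n' "$uuid"
}

# Usage: sh okv_register_ssh_key.sh /home/oracle/.ssh/id_rsa-pkcs8.pub oracle \
#            ORACLE-PUBKEY "2040-12-30 00:00:00" Oracle_SSH_Wallet
if [ $# -eq 5 ]; then
    register_and_add "$@"
fi
```

The script exits non-zero as soon as either call fails, so it is safe to run from automation; the list-objects call from Step 5 is the natural follow-up to confirm the walletMembership.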

Step 6 : You can also list the key from the endpoint with the okvutil tool. The AuthorizedKeysCommand program that sshd will call in Step 8 (okv_ssh_ep_lookup_authorized_keys) is installed with the same endpoint software, so if okvutil can see the key from this endpoint, the sshd-side lookup should be able to as well.


[oracle@dm01db01 okvrestcli]$ /extra/okvutil/bin/okvutil list
Unique ID                               Type            Identifier
79A5AF0A-98A4-4F68-BF29-C6C5A6802CD3    Public Key      SSH Key for user: oracle, Fingerprint: SHA256:a/jD9DFpo2nBJW7f/tUus5l9XSmU7luGCx/LjChhRrc

Step 7 : Before configuring sshd, retrieve the public key from OKV by its UUID and convert it back to the OpenSSH format used in authorized_keys. The result should be the same ssh-rsa line as the original id_rsa.pub, minus the trailing comment.


[oracle@dm01db01 okvrestcli]$ /extra/okvrestcli/bin/okv managed-object public-key get --output_format TEXT --uuid 79A5AF0A-98A4-4F68-BF29-C6C5A6802CD3 > /tmp/ssh_pkcs8.pub
[oracle@dm01db01 okvrestcli]$ cat /tmp/ssh_pkcs8.pub
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsdtnZ5QNpmjCy6SrsHUZ
7oX+IEVk6yyKP64p/VDUAVBJYzbWIBiBhnR2QCoz0UgkM06+9gbSv3vNYLEac2xA
XwYKpNExn/8RU1JXvEWgzXnPAolthY0fKeLuPouKt1ASjZKmyjWwe32BWr0U/R+R
onDyu9uuNm8/mYi7WvQcn8A3GWprlcE9wB2TfQrV0whuz1hTbXJC1DlKTTRiIFEa
8ORxMJhY3zHJS4jTzYxxTtz8e6HL3XhbuO+/Uh43PJsC/ukqQlnS6lYWM2EXElMK
Izu5Q5Dnfqb0OMIGXa6Ij1xJuGji0wPIY7rj9QZ7Of4G4b8AxHQwy3ayuEehbkba
TQIDAQAB
-----END PUBLIC KEY-----

[oracle@dm01db01 okvrestcli]$ ssh-keygen -i -f /tmp/ssh_pkcs8.pub  -m PKCS8
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCx22dnlA2maMLLpKuwdRnuhf4gRWTrLIo/rin9UNQBUEljNtYgGIGGdHZAKjPRSCQzTr72BtK/e81gsRpzbEBfBgqk0TGf/xFTUle8RaDNec8CiW2FjR8p4u4+i4q3UBKNkqbKNbB7fYFavRT9H5GicPK72642bz+ZiLta9ByfwDcZamuVwT3AHZN9CtXTCG7PWFNtckLUOUpNNGIgURrw5HEwmFjfMclLiNPNjHFO3Px7ocvdeFu4779SHjc8mwL+6SpCWdLqVhYzYRcSUwojO7lDkOd+pvQ4wgZdroiPXEm4aOLTA8hjuuP1Bns5/gbhvwDEdDDLdrK4R6FuRtpN
[oracle@dm01db01 okvrestcli]$
[oracle@dm01db01 okvrestcli]$ cat /home/oracle/.ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCx22dnlA2maMLLpKuwdRnuhf4gRWTrLIo/rin9UNQBUEljNtYgGIGGdHZAKjPRSCQzTr72BtK/e81gsRpzbEBfBgqk0TGf/xFTUle8RaDNec8CiW2FjR8p4u4+i4q3UBKNkqbKNbB7fYFavRT9H5GicPK72642bz+ZiLta9ByfwDcZamuVwT3AHZN9CtXTCG7PWFNtckLUOUpNNGIgURrw5HEwmFjfMclLiNPNjHFO3Px7ocvdeFu4779SHjc8mwL+6SpCWdLqVhYzYRcSUwojO7lDkOd+pvQ4wgZdroiPXEm4aOLTA8hjuuP1Bns5/gbhvwDEdDDLdrK4R6FuRtpN oracle@dm01db01.database.com
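Comparing the two long lines by eye is error-prone, so the check can be scripted and repeated, for example after a key rotation. The script below is an added example, not from the post or from Oracle; it needs only ssh-keygen and compares the key blob of the local id_rsa.pub with the key fetched from OKV in PKCS8 form (as retrieved above), and optionally checks the SHA256 fingerprint against the one OKV shows in displayName in Step 5. The file paths are the post's and are assumptions.

```sh
#!/bin/sh
# Added example (not from the post or from Oracle): confirm that the PKCS8 key
# fetched from OKV is the same key as the local id_rsa.pub, by comparing the
# OpenSSH key blobs and the SHA256 fingerprint that OKV shows in displayName.
# Requires ssh-keygen. Paths given on the command line are assumptions.

# Convert a PEM/PKCS8 public key to OpenSSH one-line format (ssh-rsa AAAA...).
pkcs8_to_openssh() {
    ssh-keygen -i -m PKCS8 -f "$1"
}

# Print only the key type and base64 blob of an OpenSSH public key line, dropping
# the trailing comment (e.g. oracle@dm01db01.database.com) so two copies of the
# same key compare equal regardless of comment.
key_blob() {
    awk 'NR==1 {print $1, $2}' "$1"
}

# SHA256 fingerprint of an OpenSSH-format public key file, e.g. SHA256:a/jD9...
fingerprint_of() {
    ssh-keygen -lf "$1" | awk '{print $2}'
}

# verify_okv_copy LOCAL_OPENSSH_PUB OKV_PKCS8_PUB [EXPECTED_FINGERPRINT]
# Returns 0 when the OKV copy is the local key and (if given) its fingerprint
# equals EXPECTED_FINGERPRINT, which can be pasted from OKV's displayName.
verify_okv_copy() {
    local_pub=$1
    okv_pem=$2
    expected_fp=${3:-}
    tmp=$(mktemp)
    pkcs8_to_openssh "$okv_pem" > "$tmp" || { rm -f "$tmp"; echo "conversion of $okv_pem failed"; return 1; }
    if [ "$(key_blob "$local_pub")" != "$(key_blob "$tmp")" ]; then
        rm -f "$tmp"; echo "MISMATCH: OKV copy is not the key in $local_pub"; return 1
    fi
    fp=$(fingerprint_of "$tmp")
    rm -f "$tmp"
    if [ -n "$expected_fp" ] && [ "$fp" != "$expected_fp" ]; then
        echo "MISMATCH: fingerprint $fp differs from expected $expected_fp"; return 1
    fi
    echo "OK: key matches, fingerprint $fp"
    return 0
}

# Usage: sh verify_okv_key.sh /home/oracle/.ssh/id_rsa.pub /tmp/ssh_pkcs8.pub \
#        SHA256:a/jD9DFpo2nBJW7f/tUus5l9XSmU7luGCx/LjChhRrc
if [ $# -ge 2 ]; then
    verify_okv_copy "$@"
fi
```

A non-zero exit means the object in OKV is not the key you think it is, which is exactly the condition you want to catch before sshd starts trusting what OKV returns.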

Step 8 : Configure the SSH daemon to fetch keys directly from OKV

Now we configure sshd to fetch the public key automatically when an SSH client connects.

For this we use the AuthorizedKeysCommand and AuthorizedKeysCommandUser directives in sshd_config.

AuthorizedKeysCommand names a program that sshd runs to look up the user's public keys; its output is consumed as if it were the contents of authorized_keys. AuthorizedKeysCommandUser is the account the program runs as and is mandatory whenever AuthorizedKeysCommand is set.

sshd applies the same safety rules to this program as to other trusted files: the command must be given as an absolute path, and the program and every directory on the path to it must be owned by root and not writable by group or others.

Otherwise key lookup fails and /var/log/secure shows an entry like: error: Unsafe AuthorizedKeysCommand "... okv_ssh_ep_lookup_authorized_keys": Incorrect ownership or modes for the directory ... bin

For the demonstration, I use an oracle user on the same server and connect from the opc account to the oracle account over SSH.

After editing sshd_config, validate it with sshd -t and restart the daemon:

[root@dm01db01 ~]# systemctl restart sshd

For debugging, I started sshd in debug mode; the debug traces show sshd invoking /opt/okvutil/bin/okv_ssh_ep_lookup_authorized_keys when a connection as the oracle user is made (ssh oracle@okv000c298a500a). The /var/log/secure excerpt below shows the daemon restart (signal 15, then listening again on port 22).


[root@dm01db01 ~]# tail -f /var/log/secure
Mar  9 13:16:11 dm01db01 sudo[425130]: pam_unix(sudo:session): session opened for user root by root(uid=0)
Mar  9 13:16:11 dm01db01 su[425135]: pam_unix(su-l:session): session opened for user oracle by root(uid=0)
Mar  9 14:17:32 dm01db01 sshd[439700]: Accepted password for oracle from 192.168.136.1 port 52399 ssh2
Mar  9 14:17:33 dm01db01 systemd[439712]: pam_unix(systemd-user:session): session opened for user oracle by (uid=0)
Mar  9 14:17:34 dm01db01 sshd[439700]: pam_unix(sshd:session): session opened for user oracle by (uid=0)
Mar  9 14:49:16 dm01db01 sshd[447441]: Accepted password for root from 192.168.136.1 port 53531 ssh2
Mar  9 14:49:16 dm01db01 sshd[447441]: pam_unix(sshd:session): session opened for user root by (uid=0)
Mar  9 23:33:04 dm01db01 sshd[1469]: Received signal 15; terminating.
Mar  9 23:33:04 dm01db01 sshd[574231]: Server listening on 0.0.0.0 port 22.
Mar  9 23:33:04 dm01db01 sshd[574231]: Server listening on :: port 22.