Automating SSH Key Generation for Secure Server Access

It is possible to automate the generation of an SSH key pair during server provisioning and provide users with the resulting private key (.pem file) for SSH access.

Here’s a basic outline of how it might work using a combination of command-line tools and cloud-init:

  1. During server provisioning, run a script that executes ssh-keygen, which generates a new SSH key pair. The -m PEM option can be used to ensure the private key is generated in the PEM format:
1

ssh-keygen -m PEM -t rsa -b 4096 -C "your_email@example.com" -f keypair.pem

This command will generate a new RSA SSH key pair with a key size of 4096 bits. The -C option is used to add a comment, which is typically set to the user’s email address. The -f option specifies the filename for the private key.

  1. Once the key pair is generated, the public key (keypair.pem.pub) can be added to the ~/.ssh/authorized_keys file of the user account that will be used for SSH access:
1

echo "$(cat keypair.pem.pub)" >> ~/.ssh/authorized_keys
  1. The private key (keypair.pem) can be securely transferred to the user. This should be done over a secure channel, such as HTTPS, to prevent the private key from being intercepted during transit. It’s important to inform the user that they need to set the correct permissions for the private key file after they receive it:
1

chmod 600 keypair.pem
  1. The user can then use the provided private key to SSH into the server:
1

ssh -i keypair.pem user@server_ip

Please note that this is a simplified outline and might need to be adjusted based on your specific use case and server environment. Additionally, while this approach can streamline the process of providing SSH access, it’s important to handle SSH keys with care due to their sensitive nature. Mismanagement of SSH keys can lead to unauthorized access and other security issues.

Generating the Key

Step 1, which involves the generation of the SSH key pair, would typically be run on a local machine or a secure server that’s responsible for managing the server provisioning process.

The reasoning behind this is that you need to ensure the security of the private key. If you generate the key pair directly on the server being provisioned, you’ll need to securely transfer the private key off the server. This can potentially expose the private key, which is a security risk.

In the outlined approach, you would generate the key pair on a secure machine, add the public key to the authorized_keys file on the server being provisioned, and then securely provide the private key to the user.

Private Key

The private key of an SSH key pair should never be stored on the server. Only the public key is added to the authorized_keys file on the server. When a user attempts to SSH into the server, they use their private key, which is kept on their local machine. The server uses the corresponding public key to verify the user’s identity.

This way, even if the server is compromised, an attacker wouldn’t have access to user private keys, and therefore, would not be able to use them to gain unauthorized access to other systems or data.

The private key should be securely transferred to the end user and should never be shared or transmitted over insecure channels. It’s also essential that users understand they must protect their private keys and not share them, as possession of the private key is equivalent to proof of identity in the context of SSH.

Storing Sensitive Data

You can store private keys in AWS Secrets Manager. This service is designed to protect access to applications, services, and IT resources. It enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle.

Here’s a basic outline on how to store the SSH private key:

  1. Generate the SSH key pair as mentioned before.

  2. Once you have the private key, you can save it as a secret in AWS Secrets Manager. You can do this via the AWS Management Console, AWS CLI, or AWS SDKs.

In the AWS CLI, the command might look like this:

1

aws secretsmanager create-secret --name SSHPrivateKey --secret-string file://path_to_your_private_key.pem

Please replace SSHPrivateKey with the name you want for this secret and path_to_your_private_key.pem with the path to your private key file.

  1. You can then retrieve the private key when needed, using the AWS CLI or AWS SDKs:
1

aws secretsmanager get-secret-value --secret-id SSHPrivateKey
  1. The private key can then be used by the application or user to SSH into the server.

Remember, AWS charges for the storage and usage of secrets in Secrets Manager. Make sure to understand and consider these costs before implementing this solution.

Also, ensure that appropriate IAM permissions are in place to protect access to the secrets. Only trusted entities should have the permissions to store and retrieve secrets.