SSH Keys Management (SKINS)

Version 1.55

Feature
Finished

New User command:
    CMD_SSH_KEYS
    CMD_API_SSH_KEYS

Ability to manage ssh keys at the User Level, and at the Admin/Reseller Levels. This command is not domain dependent. More info to come.

Benefits:
- Ability to ssh to other servers without needing a password.
- Ability to allow others to ssh to your account without giving them a password (they give you their public key).
- Possibly cronjobs for rsync to push files to remote accounts seamlessly.

=================== ACTIONS ================

CREATE:

    action=create
    id=id                       (any name you want: id gives id_rsa.pub, id=test gives test_rsa.pub)
    comment=somesimplecomment
    (passwd=secretpass  OR blank/empty for no passphrase on the key, useful for script automation)
    (passwd2=secretpass)
    type=rsa
    keysize=1024|2048|4096      (2048 is selected by default)

Note: if you use id=id, the key is written as ~/.ssh/id_rsa, which is what ssh uses by default for outbound connections. The remote server would need the contents of id_rsa.pub in its authorized_keys. A key created with an empty passphrase is protected only by the account's file permissions, so restrict it on the remote side with key options (from=, command=) where you can.

For the type, use rsa. The other option, dsa, was dropped in OpenSSH 7.0+, so DA won't create it but will show it if it exists; rsa1 is not supported at all.

================ GLOBAL CREATE

Ability for a Reseller to add a key and apply it to all of their Users, with an option to also apply it to all future Users when they're created. This may ignore the "ssh" option for Users, adding the key regardless; the key would not work until ssh is enabled for the given account (the shell needs to be set by DA, and AllowUsers set by DA in sshd_config for that User).

Similarly, Admins can add a key to all Resellers/Users created by them; perhaps an option for every single account on the box.

The global list is stored at:
    /home/reseller/.ssh/global_keys
with one key per line, eg:
    id1_rsa=who=all
    id2_rsa=who=selected&select0=useryes
    id2_rsa=who=except&select0=userno

where who=all means the key is added to all Users below this Reseller, and will be added to all Users when they're created.
Similarly, who=selected means only the selected Users are affected. Newly created Users would not get this key.
Lastly, who=except means all Users except the selected Users. Newly created Users would get this key.

To set an existing id_rsa.pub file to be global, use:
    action=set_global
    id=id_rsa
    who=all|selected|except
    (select0=fred, select1=george)

================ AUTHORIZE

This will add the given public key to ~/.ssh/authorized_keys, either from an existing id_rsa.pub or from a pasted value.

    action=authorize
-------
    type=paste
    text=ssh-rsa AADATAQ== test@comment.com
---- or:
    type=id
    id=id
    (option0=name%3DOPTNAME%26value%3DOPTVALUE)
    (option1=name%3DOPTNAME)

The option0, option1, ... entries are optional. They specify the key's options, such as IP or command restrictions; see man sshd(8) for the options and their values. Note that %3D is the encoding of = and %26 is the encoding of &: the optionN entries are double-encoded in the final post string. Options that do not take values must not have a value set, and options that DO take values MUST have one set (again, 'man sshd'). eg:

    json=yes&action=authorize&type=id&id=demo_rsa&option0=name%3Dfrom%26value%3d1.2.3.4

---- or (used by Enhanced):
    action=select
    authorize=<anything>
    select0=e3:66:d5:37:f0:a8:35:a6:6c:55:d6:4b:56:68:0e:31
    (select1=68:58:e9:08:76:91:f4:9e:28:1f:d2:39:eb:c2:bb:69)

================ DELETE

    action=delete
    type=authorized_keys|public
    select0=e3:66:d5:37:f0:a8:35:a6:6c:55:d6:4b:56:68:0e:31
    (select1=68:58:e9:08:76:91:f4:9e:28:1f:d2:39:eb:c2:bb:69)

where type=authorized_keys removes the entry from:
    ~/.ssh/authorized_keys
and type=public removes the 2 files:
    ~/.ssh/name_rsa
    ~/.ssh/name_rsa.pub

type=public has an optional value (check box, enabled by default):
    clean=yes
which also deletes the keys with that matching fingerprint from the authorized_keys file. Note that newer OSes show a different (SHA256) fingerprint format. This doesn't change anything, as the fingerprint is only used as an index.
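The following is an added example (not DirectAdmin code) that resolves a Reseller's global_keys file, as described under GLOBAL CREATE above, against the Reseller's users.list: for each key it lists the Users the key is pushed to now, whether Users created later also get it, and which of those Users can actually log in. The sample global_keys lines, the user list and the per-User ssh flag (SSH_ENABLED, a stand-in for the User's "ssh" setting) are constructed for the example.

```python
from urllib.parse import parse_qs

# Added example, not DirectAdmin's code: resolve /home/reseller/.ssh/global_keys
# (one "keyid=who=...&selectN=user" entry per line) against users.list.

# Constructed sample in the global_keys format described above.
GLOBAL_KEYS = """\
id1_rsa=who=all
id2_rsa=who=selected&select0=useryes&select1=sshuser2
id3_rsa=who=except&select0=userno
"""
USERS = ["useryes", "userno", "sshuser2", "sshuser3"]   # users.list (constructed)
# Stand-in for each User's "ssh" setting; DA keeps the real value in the User's config.
SSH_ENABLED = {"useryes": True, "sshuser2": True}


def parse_global_keys(text):
    """Map key id -> (who, set of selected users). Everything after the first '='
    is a query string, so parse_qs collects the select0/select1/... entries."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key_id, _, query = line.partition("=")
        fields = parse_qs(query, keep_blank_values=True)
        who = fields.get("who", [""])[0]
        if who not in ("all", "selected", "except"):
            raise ValueError("%s: unknown who=%r" % (key_id, who))
        selected = {v[0] for k, v in fields.items() if k.startswith("select")}
        if who != "all" and not selected:
            raise ValueError("%s: who=%s needs at least one selectN" % (key_id, who))
        entries[key_id] = (who, selected)
    return entries


def resolve(entries, users, ssh_enabled):
    """For each global key: the Users it is written to, whether it will also be
    written to Users created later, and whether ssh is enabled for each target
    (the key is added regardless, but only works once ssh is enabled)."""
    result = {}
    for key_id, (who, selected) in entries.items():
        if who == "all":
            targets, future = list(users), True
        elif who == "selected":
            targets, future = [u for u in users if u in selected], False
        else:  # except: everyone not selected, and new Users too
            targets, future = [u for u in users if u not in selected], True
        result[key_id] = {
            "who": who,
            "users": {u: {"ssh_enabled": bool(ssh_enabled.get(u))} for u in targets},
            "applies_to_new_users": future,
        }
    return result


if __name__ == "__main__":
    for key_id, info in resolve(parse_global_keys(GLOBAL_KEYS), USERS, SSH_ENABLED).items():
        print(key_id, info["who"], sorted(info["users"]),
              "new users:", info["applies_to_new_users"])
```

Run it as a script to print the per-key resolution; the who=except entry is the one to watch, since it grows to cover every future User while the who=selected entry never does.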
=================== JSON

    CMD_SSH_KEYS?json=yes&enabled_users=yes

with optional &fingerprint=07:af:73:de:8f:ab:59:d3:f7:49:50:72:c1:48:51:1d to only show that global_keys entry. By default, you should use enabled_users=no, for a faster main page load for Resellers and above.

returns:

{
  "authorized_keys": {
    "07:af:73:de:8f:ab:59:d3:f7:49:50:72:c1:48:51:1d": {
      "comment": "descriptive@comment.com",
      "data": "AAAAB3NzaC1...JJw==",
      "fingerprint": "07:af:73:de:8f:ab:59:d3:f7:49:50:72:c1:48:51:1d",
      "keysize": "2048",
      "type": "ssh-rsa"
    },
    "ec:b3:44:98:6e:f9:b3:23:70:7c:87:04:3f:af:30:45": {
      "comment": "all@comment.com",
      "data": "AAAAB3NzaC1...fsw==",
      "fingerprint": "ec:b3:44:98:6e:f9:b3:23:70:7c:87:04:3f:af:30:45",
      "keysize": "2048",
      "type": "ssh-rsa"
    }
  },
  "global_keys": {
    "ec:b3:44:98:6e:f9:b3:23:70:7c:87:04:3f:af:30:45": {
      "users": {
        "sshonalready": { "enabled": "yes" },
        "sshuser2": { "enabled": "yes" },
        "sshuser3": { "enabled": "yes" }
      },
      "who": "all"
    }
  },
  "key_options": {
    "command": "value",
    "environment": "value",
    "from": "value",
    "no-X11-forwarding": "checkbox",
    "no-agent-forwarding": "checkbox",
    "no-port-forwarding": "checkbox",
    "no-pty": "checkbox",
    "permitopen": "value",
    "tunnel": "value"
  },
  "keysize": {
    "0": { "text": "1024", "value": "1024" },
    "1": { "selected": "yes", "text": "2048", "value": "2048" },
    "2": { "text": "4096", "value": "4096" }
  },
  "public_keys": {
    "all_rsa": {
      "comment": "all@comment.com",
      "data": "AAAAB3NzaC1...fsw==",
      "fingerprint": "ec:b3:44:98:6e:f9:b3:23:70:7c:87:04:3f:af:30:45",
      "keysize": "2048",
      "timestamp": "1539761813",
      "type": "ssh-rsa"
    },
    "allexcept_rsa": {
      "comment": "json@comment.com",
      "data": "AAAAB3NzaC1...Kow==",
      "fingerprint": "ab:d6:60:d3:e8:75:c0:82:de:52:91:61:aa:22:e7:c9",
      "keysize": "2048",
      "timestamp": "1539761558",
      "type": "ssh-rsa"
    },
    "gui_rsa": {
      "comment": "descriptive@comment.com",
      "data": "AAAAB3NzaC1...JJw==",
      "fingerprint": "07:af:73:de:8f:ab:59:d3:f7:49:50:72:c1:48:51:1d",
      "keysize": "2048",
      "timestamp": "1540022670",
      "type": "ssh-rsa"
    },
    "id_rsa": {
      "comment": "test@key.com",
      "data": "AAAAB3NzaC1...BHw==",
      "fingerprint": "59:09:0c:a1:f5:69:12:89:72:79:ed:45:11:1b:f4:3d",
      "keysize": "2048",
      "timestamp": "1539757117",
      "type": "ssh-rsa"
    }
  },
  "users": [ "sshonalready", "sshuser2", "sshuser3" ]
}

============

If the caller is a Reseller or Admin, the json will include a top-level global_keys object, with one entry (and its info) per key that is set to be global, as well as "users", a list of all current Users under this account (just a dump of the users.list file):

{
  ...
  "global_keys": { ... },
  "users": [ "fred", "george" ]
  ...
}

The call made by a normal User will have neither global_keys nor the users array.

============= SKINS

new files:
    user/ssh_keys.html
    user/ssh_keys_edit.html

files_user.conf:
    CMD_SSH_KEYS=user/ssh_keys.html
    CMD_SSH_KEYS_EDIT=user/ssh_keys_edit.html

Edited: user/show_domain.html, added new line:
    |*if USERSSH="ON"|
    <a href="/CMD_SSH_KEYS">SSH Keys</a><br>
    |*endif|
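The following is an added example (not DirectAdmin code) covering the AUTHORIZE option encoding above and the key_options table in the JSON: it builds the double-encoded CMD_API_SSH_KEYS authorize request, enforces the rule that checkbox options carry no value while value options must, decodes the request back, and renders the sshd(8) options prefix such a request ends up putting in front of the authorized_keys entry. The option table is copied from the key_options object; DEMO_OPTIONS and DEMO_PUBKEY are constructed, and the key data in DEMO_PUBKEY is a placeholder, not a real key. How DA itself writes the line is not documented on this page; the rendering follows the sshd(8) authorized_keys syntax.

```python
from urllib.parse import parse_qs, urlencode

# Added example, not DirectAdmin's code: authorize request encoding and the
# resulting sshd(8) options prefix for an authorized_keys entry.

# Option names and kinds exactly as listed under "key_options" in the JSON above.
KEY_OPTIONS = {
    "command": "value", "environment": "value", "from": "value",
    "no-X11-forwarding": "checkbox", "no-agent-forwarding": "checkbox",
    "no-port-forwarding": "checkbox", "no-pty": "checkbox",
    "permitopen": "value", "tunnel": "value",
}


def validate_options(options):
    """Rule from the docs: checkbox options must not carry a value, value
    options must. options is a list of (name, value-or-None) pairs."""
    for name, value in options:
        kind = KEY_OPTIONS.get(name)
        if kind is None:
            raise ValueError("unknown key option %r" % name)
        if kind == "checkbox" and value is not None:
            raise ValueError("%s is a flag and takes no value" % name)
        if kind == "value" and not value:
            raise ValueError("%s requires a value" % name)


def authorize_query(key_id, options):
    """Query string for action=authorize&type=id. Each option is urlencoded once
    into name=..&value=.., then that string is encoded again as the value of
    optionN, which is why = and & show up as %3D and %26 in the final request."""
    validate_options(options)
    params = {"json": "yes", "action": "authorize", "type": "id", "id": key_id}
    for i, (name, value) in enumerate(options):
        inner = {"name": name} if value is None else {"name": name, "value": value}
        params["option%d" % i] = urlencode(inner)
    return urlencode(params)


def decode_options(query):
    """Reverse of authorize_query: the (name, value) pairs the server sees after
    decoding optionN once more."""
    outer = parse_qs(query)
    options, i = [], 0
    while "option%d" % i in outer:
        inner = parse_qs(outer["option%d" % i][0])
        options.append((inner["name"][0], inner["value"][0] if "value" in inner else None))
        i += 1
    return options


def authorized_keys_line(options, pubkey_line):
    """Prefix a 'ssh-rsa AAAA... comment' line with the options in sshd(8)
    syntax: comma separated, quoted values, bare flags. Embedded double quotes
    are rejected rather than escaped, so an option value cannot break out of
    its quoting and inject further options."""
    validate_options(options)
    parts = []
    for name, value in options:
        if value is None:
            parts.append(name)
        elif '"' in value:
            raise ValueError("double quotes are not allowed in %s" % name)
        else:
            parts.append('%s="%s"' % (name, value))
    return (",".join(parts) + " " + pubkey_line) if parts else pubkey_line


# Constructed inputs; the key data is a placeholder, not a real key.
DEMO_OPTIONS = [("from", "1.2.3.4"),
                ("command", "rsync --server -e.Lsf . /backup"),
                ("no-pty", None)]
DEMO_PUBKEY = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB...JJw== demo@comment.com"

if __name__ == "__main__":
    print(authorize_query("demo_rsa", DEMO_OPTIONS))
    print(authorized_keys_line(DEMO_OPTIONS, DEMO_PUBKEY))
```

With a single from= option the output is byte-for-byte the example request given under AUTHORIZE (apart from the case of the hex in %3D, which is equivalent).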
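The following is an added example (not DirectAdmin code) for the fingerprint index used by the JSON and by DELETE: it derives the per-key fields the JSON reports (type, data, keysize, fingerprint) from a public-key line, shows the legacy colon-separated MD5 fingerprint next to the SHA256 form newer OpenSSH prints, and applies the DELETE type=public clean=yes rule by dropping every authorized_keys entry whose fingerprint matches the deleted public key, including entries that carry an options prefix. The keys are constructed from random moduli purely to exercise parsing; they are not usable keys, and the sample authorized_keys content is constructed as well.

```python
import base64
import hashlib
import random
import re
import struct

# Added example, not DirectAdmin's code: key fields, fingerprints and the
# clean=yes rule for ~/.ssh/authorized_keys.

# key type, base64 blob, optional comment; anything before the type is sshd options.
KEY_LINE = re.compile(r"(ssh-rsa|ssh-ed25519|ssh-dss|ecdsa-sha2-nistp\d+) ([A-Za-z0-9+/=]+)( .*)?$")


def md5_fingerprint(blob):
    """Colon-separated MD5 digest of the raw key blob (ssh-keygen -l -E md5),
    the format DA uses as its index."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def sha256_fingerprint(blob):
    """OpenSSH 6.8+ default: 'SHA256:' plus unpadded base64 of the SHA-256 digest."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def _ssh_string(blob, offset):
    """Read one length-prefixed field of the SSH wire format (RFC 4251 'string')."""
    (length,) = struct.unpack_from(">I", blob, offset)
    return blob[offset + 4:offset + 4 + length], offset + 4 + length


def describe_key(line):
    """Fields for one public-key line, in the shape of DA's authorized_keys /
    public_keys JSON objects, plus the sshd options prefix if there is one."""
    m = KEY_LINE.search(line)
    if not m:
        raise ValueError("not a public key line: %r" % line)
    key_type, data, comment = m.group(1), m.group(2), (m.group(3) or "").strip()
    blob = base64.b64decode(data)
    wire_type, off = _ssh_string(blob, 0)
    if wire_type.decode() != key_type:          # text type and encoded type must agree
        raise ValueError("key type mismatch in %r" % line)
    keysize = ""
    if key_type == "ssh-rsa":                   # blob is: type, e, n; keysize = bits of n
        _e, off = _ssh_string(blob, off)
        n, _ = _ssh_string(blob, off)
        keysize = str(int.from_bytes(n, "big").bit_length())
    return {"type": key_type, "data": data, "comment": comment, "keysize": keysize,
            "fingerprint": md5_fingerprint(blob),
            "fingerprint_sha256": sha256_fingerprint(blob),
            "options": line[:m.start()].strip()}


def clean_authorized_keys(text, fingerprint):
    """clean=yes: remove every entry whose MD5 fingerprint matches; keep comments."""
    kept = []
    for line in text.splitlines():
        stripped = line.strip()
        if stripped and not stripped.startswith("#") and \
                describe_key(stripped)["fingerprint"] == fingerprint:
            continue
        kept.append(line)
    return "\n".join(kept) + "\n"


def _constructed_rsa_key(bits, seed):
    """ssh-rsa public key with a random odd modulus: NOT a usable key, just
    enough structure to exercise parsing, keysize and fingerprints."""
    def mpint(v):
        raw = v.to_bytes((v.bit_length() + 8) // 8, "big")   # leading 0x00 if high bit set
        return struct.pack(">I", len(raw)) + raw
    n = random.Random(seed).getrandbits(bits) | (1 << (bits - 1)) | 1
    blob = struct.pack(">I", 7) + b"ssh-rsa" + mpint(65537) + mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode()


DEMO_KEY = _constructed_rsa_key(2048, seed=1) + " demo@comment.com"
OTHER_KEY = _constructed_rsa_key(2048, seed=2) + " other@comment.com"
# Constructed authorized_keys: the demo key is present twice, once with options.
AUTHORIZED_KEYS = "\n".join([
    "# constructed sample",
    DEMO_KEY,
    'from="1.2.3.4",command="rsync --server -e.Lsf . /backup" ' + DEMO_KEY,
    OTHER_KEY,
]) + "\n"

if __name__ == "__main__":
    info = describe_key(DEMO_KEY)
    print(info["type"], info["keysize"], info["fingerprint"], info["fingerprint_sha256"])
    print(clean_authorized_keys(AUTHORIZED_KEYS, info["fingerprint"]))
```

Because both fingerprints are hashes of the same blob, the MD5 colon form and the SHA256 form identify the same key; a tool that prints one can still look a key up by the other, which is why the format change on newer systems does not affect the index.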
