Code's corner‎ > ‎

SSH Key management with SKM

SKM ( SSH Key Management ) is a LAMP application that enables a team of system administrators to centrally manage and deploy ssh keys. This app is intended to be used in rather large environnements where access to unix accounts are handled with ssh keys.
SKM allows you to store the public keys. You can organise these keys with group of keys called keyring.
SKM will deploy the keys and/or keyrings to specified unix accounts.

To help you better understand, here is a screenshot of the main interface.

If you click on any these hosts, you will see ssh key/account associations as shown here :

If you want to try it out, I setup a demo here :

You can create hosts, assign keys, create keyrings etc.... but you won't be able to deploy these keys. The MySQL is refreshed every night.

Installation instructions :

I ) Preparing the server :

In order for skm to work properly, you need to setup a LAMP ( Linux Apache MySQL PHP ) server. I have skm working on Fedora 4 and Ubuntu 8.04. I guess it should run on any LAMP servers.

Create a directory named 'skm' where you want the site to be. Let's say in /usr/local/skm.

In Apache2, create a file called skm.conf in /etc/apache2/conf.d/ with the following lines :

Alias /skm/ "/usr/local/skm/"
<Directory "/usr/local/skm/">
    Options None
    AllowOverride None
    Order allow,deny
    Allow from all

II ) Unpacking the archive :

Download the latest skm package from the bottom of this page.
Change directory to /usr/local/ and do a tar -zxvf skm-<date>.tgz
Change directory to /usr/local/skm

III ) Creating the database :

To create the database, run the following command :
 mysql -u my_admin_user -p my_admin_user_password < /mythtv/MyData/scripts/skm_creation.sql

This SQL will create the database and all the tables. It also creates and grant priviledges to skmadmin user. 
As the default password is demo, change it to whatever you like using phpMyAdmin for example.

IV ) Configuring skm :
Edit the file and change skmadmin password with the new password.

Now let me explain how skm security works. In order for the LAMP server to be able to push ssh keys to all servers, its public key needs to be uploaded on all 'client' servers. In order to do that, add the LAMP public key ($HOME/my_user/.ssh/ to the root /root/.ssh/authorized_keys2 file of the 'client' server.
Now you can see that there is a HUGE security risk in doing that. If somebody gets access to the skm user on the LAMP server, it gets access to all 'client' servers. Therefore, the private key of the LAMP user needs to be encrypted. I decided to use pgp to encrypt the $HOME/my_user/.ssh/id_rsa file. You can use gpg --gen-key to initially create your gpg key. On my machine, I used Apache as user. The homedir is /var/www. we encrypt the file with gpg --encrypt /var/www/.ssh/id_rsa and we select user Apache. Don't loose the password ;-). 

Once it is encrypted, you need to update the security table of skm in the database. 
I use phpMyAdmin. First select your database, then the 'security' table. Then click the 'insert' (1) tab to create a new record :
You leave this id field empty. Select MD5 for the function (2) and type in your password (3).

Once this is done, if you browse your table, it should look like this :

When you are done, you end up with a private key file encrypted with pgp and a password encrypted with MD5 to decrypt this file. In skm, when you deploy keys, you will be prompted for a password. When you provide it to skm, mysql will encrypt it and try to match it with the one in the database, then use it to decrypt the private key file. Finally it will use the decrypted private key file to initiate an ssh connection to the 'client' server. Once the deployment is done, the file is encrypted again.

V ) Note regarding the way skm manages the ssh keys

skm does not store any private key for security purposes. The only information stored in its database is the password needed to decrypt skm private key file. skm CANNOT deploy to a host if its public key is not already on the host. Therefore, it is a good idea to include a standardize authorized_keys2 file in all new server installation that contains the skm user public key.

Jerome Boismartel,
Nov 21, 2008, 1:28 PM
Jerome Boismartel,
Mar 17, 2010, 7:47 AM
Jerome Boismartel,
Mar 19, 2010, 6:17 AM
Jerome Boismartel,
Aug 4, 2010, 8:14 AM
Jerome Boismartel,
Jun 6, 2011, 8:54 AM
Jerome Boismartel,
Apr 15, 2012, 2:25 PM
Jerome Boismartel,
Jun 8, 2012, 1:10 PM