Secure Shell (SSH) is mainly used for managing most of the world’s web servers. It creates a secure channel on top of an unsecured network by using the client-server model. The problem arises with the increase in the number of clients that leads to a
corresponding increase in the maintenance work for the server administration. This thesis offers an insight into this problem and the solution to it. The SSH Configuration Interface (SSH CI) is one possible solution to simplify the process. It’s a client-server application that provides a simple but intuitive user interface (UI) to the users, so they can upload their public key directly to the server. The server thereon handles the request and, thus, excludes the need of an administration interaction from this process.
The SSH protocol uses encryption to secure the connection between a client and a server. It’s mainly used to log into a remote machine and execute commands, but there are other useful features available like tunneling and forwarding of Transmission Control Protocol (TCP) ports. An SSH connection supports multiple methods of authentication, the most common being the public key authentication. The advantage of it over a simple password, for example, is security and flexibility. Public key authentication provides a security level that even extremely long passwords can’t offer. In a situation where multiple users have access to the same account on the server by using SSH key authentication, it is easy to revoke access to any of them just by deleting their public key from the server. No password has to be shared across the users.
Table of Contents
1 Introduction
2 Technologies
2.1 Multitier Architecture
2.1.1 Back-end
2.1.2 Front-end
2.2 Persistence Layer
2.2.1 Novell’s Library for LDAP
2.3 NLog Framework
2.4 Security Layer
2.5 Tools
3 Architecture
3.1 User Activity
3.2 Physical Deployment Model
3.3 Application Structure
3.3.1 MVC
3.3.2 Programming Model
3.3.3 Request Lifecycle
3.3.4 Dependency Injection
3.3.5 Improved Service Registration Mechanism
3.4 Data Access
3.4.1 Directory Service
3.4.2 Directory Service compared to DBMS
3.4.3 Authentication and Authorization
3.5 Configurations
4 Implementation
4.1 Hosting Environment
4.2 Error Handling
4.3 Logging
4.4 Identity Framework with LDAP
4.5 Key Storage Mechanism
4.6 Key Monitoring
4.7 Key Upload/Update
4.8 Key Delete
5 Security
5.1 Google reCaptcha v3
5.2 Open-Redirect Attack
6 Conclusion
6.1 Discussion
Objectives and Topics
This thesis addresses the administrative burden associated with managing SSH access for multiple users on shared Linux virtual machines. The primary goal is to design and implement a self-service web portal that allows users to independently upload their public SSH keys, thereby reducing the need for direct manual intervention by system administrators.
- Development of a user-friendly, web-based SSH configuration interface.
- Integration of Lightweight Directory Access Protocol (LDAP) for secure user authentication and authorization.
- Implementation of robust security measures, including Google reCaptcha v3 and protection against common web vulnerabilities.
- Automation of server-side key management through a loosely coupled, scalable software architecture.
- Utilization of dependency injection and custom installers to ensure maintainability and modularity.
Auszug aus dem Buch
3.3.4 Dependency Injection
SSH CI heavily relies on Dependency Injection. ASP.NET Core has built-in support for DI which is a software design pattern used for achieving Inversion of Control (IoC) between classes and their dependencies. It is an imperative technique for building modern, loosely coupled applications. The end applications are more unit-testable, modular, and maintainable as result. In a scenario similar as in fig. 3.7, class A is directly dependent on Class B. This might be a problem when trying to replace B with a different implementation, class A must be modified. In a large project with multiple classes depending on B, the code becomes strewed across the application. This kind of implementation significantly complicates the unit testing. Class B has to be involved in the unit testing of class A which breaks the unit testing principles.
Nevertheless, DI addresses this problem by using an interface to abstract away the dependency implementation as demonstrated with an example from SSH CI, fig. 3.8. Registration of the dependency is done in the service container provided by the framework. In ASP.NET Core they are registered in the application’s "Startup" class, in the “ConfigureServices” method, however, in SSH CI the container is distributed across several “Installer” classes for establishing a more structured service registration mechanism. Therefore, a more maintainable application is achieved. This approach will be discussed in section 3.3.5. As a result, it’s easy to change the implementation that “AccountController” uses without modifying the controller.
Summary of Chapters
1 Introduction: Discusses the motivation for automating SSH key management and the limitations of manual administration in multi-user environments.
2 Technologies: Provides an overview of the technical stack, including ASP.NET Core MVC, LDAP, and NLog, used to build the solution.
3 Architecture: Explains the core system design, including the multitier architecture, the MVC pattern, and the service registration mechanism.
4 Implementation: Details the practical realization of the portal, covering hosting, error handling, LDAP integration, and key management scripts.
5 Security: Analyzes the implementation of security features such as Google reCaptcha v3 and the mitigation of Open-Redirect attacks.
6 Conclusion: Evaluates the completed project, discusses limitations, and suggests potential future improvements.
Keywords
SSH, Linux, Web Portal, Automation, LDAP, ASP.NET Core, MVC, Dependency Injection, Security, reCaptcha, Public Key Authentication, System Administration, Scalability, Middleware, User Management
Frequently Asked Questions
What is the core focus of this thesis?
The work focuses on designing and implementing an automated self-service portal that allows users to manage their own SSH public keys for accessing shared Linux virtual machines, reducing manual administrative tasks.
What are the primary thematic areas covered?
Key topics include web application architecture (MVC), dependency injection, identity management via LDAP, automated script execution for key storage, and web security measures.
What is the main objective of the proposed system?
The objective is to minimize system administrator involvement in the SSH key distribution process by providing a scalable, secure, and user-friendly interface for students to manage their access themselves.
Which scientific or technical methods are applied?
The thesis utilizes a client-server architectural approach, implements an asynchronous programming model for scalability, and employs established design patterns like Dependency Injection and the Options Pattern for clean configuration management.
What is discussed in the main part of the thesis?
The main part covers the system architecture, the implementation details—specifically how Identity Framework is integrated with LDAP—and the security layer, detailing how various vulnerabilities are mitigated.
Which keywords best characterize the work?
Key terms include SSH, Automation, LDAP, ASP.NET Core, MVC, Dependency Injection, and Security.
How does the application ensure that only authorized users can access the portal?
The system uses LDAP to authenticate users and verifies their enrollment in specific courses before granting them access to the portal or allowing them to manage their SSH keys.
Why was Google reCaptcha v3 selected for this project?
reCaptcha v3 was chosen because it is transparent to the user, monitoring interactions in the background and assigning risk scores to requests, which effectively prevents bot-driven brute-force attacks.
How is the system design made maintainable?
Maintainability is achieved through a modular architecture where services are registered using distributed installer classes and dependency injection, allowing for easy updates and OS-independent migration.
- Quote paper
- Gheorghe Mironica (Author), 2020, SSH Configuration Interface. Design and Implementation of a “student self-service portal” for accessing to Linux-VMs, Munich, GRIN Verlag, https://www.grin.com/document/1147465
