SSH Configuration Interface. Design and Implementation of a “student self-service portal” for accessing to Linux-VMs

Contents

Acknowledgments

Abstract

1 Introduction

2 Technologies
2.1 Multitier Architecture
2.1.1 Back-end
2.1.2 Front-end
2.2 Persistence Layer
2.2.1 Novell's Library for LDAP
2.3 NLog Framework
2.4 Security Layer
2.5 Tools

3 Architecture
3.1 User Activity
3.2 Physical Deployment Model
3.3 Application Structure
3.3.1 MVC
3.3.2 Programming Model
3.3.3 Request Lifecycle
3.3.4 Dependency Injection
3.3.5 Improved Service Registration Mechanism
3.4 Data Access
3.4.1 Directory Service
3.4.2 Directory Service compared to DBMS
3.4.3 Authentication and Authorization
3.5 Configurations

4 Implementation
4.1 Hosting Environment
4.2 Error Handling
4.3 Logging
4.4 Identity Framework with LDAP
4.5 Key Storage Mechanism
4.6 Key Monitoring
4.7 Key Upload/Update
4.8 Key Delete

5 Security
5.1 Google reCaptcha v3
5.2 Open-Redirect Attack

6 Conclusion
6.1 Discussion

List of Code Snippets

List of Figures

Bibliography

Acknowledgments

I would like to thank everyone who supported me during the development phase of this project and the thesis as a whole.

- Prof. Dr. Stefan Traub for providing a challenging and interesting topic and the constant support during the whole process.
- Prof. Dr.-Ing. Philipp Graf for the support provided during the elaboration phase of this thesis.
- Brecht Baekelandt for providing a decent guide for advancing the application's architecture and answering all my technical questions.

Abstract

Secure Shell (SSH) is mainly used for managing most of the world's web servers. It creates a secure channel on top of an unsecured network by using the client-server model. The problem arises with the increase in the number of clients that leads to a corresponding increase in the maintenance work for the server administration. This thesis offers an insight into this problem and the solution to it.

The SSH Configuration Interface (SSH CI) is one possible solution to simplify the process. It's a client-server application that provides a simple but intuitive user inter­face (UI) to the users, so they can upload their public key directly to the server. The server thereon handles the request and, thus, excludes the need of an administration interaction from this process.

1 Introduction

The SSH protocol uses encryption to secure the connection between a client and a server. It's mainly used to log into a remote machine and execute commands, but there are other useful features available like tunneling and forwarding of Transmission Control Protocol (TCP) ports. An SSH connection supports multiple methods of authentication, the most common being the public key authentication. The advantage of it over a simple password, for example, is security and flexibility. Public key authentication provides a security level that even extremely long passwords can't offer. In a situation where multiple users have access to the same account on the server by using SSH key authentication, it is easy to revoke access to any of them just by deleting their public key from the server. No password has to be shared across the users.

In order to establish an SSH connection, there is a standard procedure. The client must generate an SSH key pair.

“Each SSH key pair includes two keys:

- A public key that is copied to the SSH server(s). Anyone with a copy of the public key can encrypt data that can then only be read by the person who holds the corresponding private key. Once an SSH server receives a public key from a user and considers the key trustworthy, the server marks the key as authorized in its authorized_keys file. Such keys are called authorized keys.
- A private key that remains (only) with the user. The possession of this key is proof of the user 's identity. Only a user in possession of a private key that corresponds to the public key at the server will be able to authenticate successfully. The private keys need to be stored and handled carefully, and no copies of the private key should be distributed. The private keys used for user authentication are called identity keys.” [12]

Thus, the user is able to log into the server via an SSH client without any password and therefore start a Shell session. An SSH client is a program that handles the establishment of the connection and authentication to the SSH server. The most commonly used clients for Windows and Linux are PuTTY and OpenSSH respectively.

1 Introduction

This is a relatively easy and quick process, however, when there are multiple new users to be granted access to the server, the process becomes cumbersome and error- prone. In such circumstances, where a remote virtual machine is shared across multiple users, this becomes a problem that every single organization is going to face as it grows.

The SSH Configuration Interface is an attempt to solve this problem by introducing a cross-platform web-based application that uses the latest web standards and best practices. The purpose of this platform is to partially exclude the system administra­tion from this equation since this is a non critical task that has to be repeated over and over again. The goal is that the user will be able to access a portal via any browser and log in. The user's credentials will be firstly checked against a whitelist, which is a Lightweight Directory Access Protocol (LDAP) directory service. The authorization process follows, it will checks whether the user is enrolled in a specific course. This will limit the user's access to the portal and prevent unauthorized usages. If the previous two steps are completed successfully, the user is redirected to the home page of the application. When he uploads his public key, an account with a limited lifetime will be generated on the SSH server.

As a result, an SSH connection with the server can be started. Thus, on the first sight, the server's administrator's job is reduced to a minimum, that is the application maintenance. Despite the fact that this looks as a relative easy to implement solution, there are pitfalls, obstacles and security issues that have to be addressed. Moreover, as with any other modern distributed application, achieving a loosely coupled and scalable system is a considerable challenge. In this thesis the obstacles and pitfalls of the roadmap for developing such a system will be discussed, as well as the custom solution to them.

2 Technologies

2.1 Multitier Architecture

SSH CI is a three-tier application that implements the client-server model, section 3.2. It is a distributed application that divides tasks to be executed on the client and the server-side. The client-server relationship relies on the request-response communica­tion model. The client sends the request, the server processes it and sends back the response. This architecture is going to be discussed more in detail in section 3.2.

2.1.1 Back-end

Asp.Net Core MVC

The back-end of SSH CI is entirely written in C# 8.0 using the ASP.NET Core MVC framework and Identity framework. C# (pronounced "See Sharp") is a modern, object-oriented, and type-safe programming language. C# has its roots in the C family of languages and will be immediately familiar to C, C++, Java, and JavaScript programmers [4]. ASP.NET Core MVC is a rich framework for building web apps and APIs using the Model-View-Controller (MVC) pattern [3] which is explained in section 3.3.1. It is an open-source, highly testable framework and provides a patterns- based way to build dynamic websites, which helps to achieve a clean separation of concerns. It gives full control over markup and uses the latest web standards. It supports features such as Dependency Injection (section 3.3.4), Model Binding, Rout­ing, and Model Validation that are explained in section 3.3.3 respectively. ASP.NET Core Identity is a framework that refers to the security part of the application. The core features are the middlewares that it offers for supporting the authorization and authentication process. Therefore, an authorization policy can be created and config­ured to block unauthorized access throughout the whole application. Moreover, it offers functionality for email confirmation, managing the users, roles, claims, tokens, and much more. The Identity framework is typically configured using a Database for the persistence layer.

Nevertheless, in the SSH CI project, it was configured to work along with an LDAP directory service instead. LDAP is discussed in section 3.4.1.

Alternatives

The closest matching alternative worth considering is Java with the Spring MVC framework. Both languages are object-oriented and are a subset of C++. The transition from one to another is very smooth, both including similar features and have similar syntax. Which one suits better, depends on the application's requirements, usage. In a scenario where the best practices and guidelines are followed, both platforms can bring a comparable result.

2.1.2 Front-end

In the MVC pattern, the Views are considered as the presentation layer. ASP.NET Core MVC comes with Razor. It is a markup syntax for integrating server-side code into HTML pages. Therefore, the code is resolved on the server-side, and HTML pages are rendered and then sent to the client. The Razor syntax consists of Razor markup, C#, and HTML [7]. In addition to Razor, SSH CI makes use of jQuery and Bootstrap. jQuery is a fast, small, and feature-rich JavaScript library that makes things like HTML document traversal and manipulation, event handling, animation, and Ajax much simpler with an easy-to-use API that works across a multitude of browsers [10]. Bootstrap is a free and open-source CSS framework directed at responsive, mobile-first front-end web development [14]. It contains CSS design templates for UI components.

2.2 Persistence Layer

In a typical three-tier application, the persistence layer is covered by a relational or non-relational database management system (DBMS). However, in the case of SSH CI, that is handled by an LDAP directory service. The relation between LDAP and a directory service is similar to Structured Query Language (SQL) and a relational database. LDAP protocol and directory services are explained more in detail in section 3.4.2.

2.2.1 Novell's Library for LDAP

ASP.NET Core does not provide any library for accessing an LDAP directory by default. For the older ASP.NET framework, a built-in library [8] was available for accessing Microsoft Active Directory. The newer framework is a complete rewrite of the old one, hence, it became cross-platform. Thus, the existing library got obsolete and unavailable since it was designed for the Windows operating system (OS). However, the solution came from a third-party library. The most suitable one is Novell's LDAP library [13]. It works with any LDAP-compatible directory service.

2.3 NLog Framework

Logging errors in an application server is important. An application log is simply a file that contains specific information. It can be used for data collection, for user experience (UX) improvement or simply for issues investigation like in SSH CI. In ASP.NET Core there is no built in support for file or database logging. A viable solution is NLog, a third-party framework. Logging with NLog is discussed in section 4.3.

2.4 Security Layer

The security layer in SSH CI consists mainly of Google's reCaptcha service [11] and other security controls. ReCaptcha is a CAPTCHA system (section 5.1). It helps web hosts to detect bots and distinguish between human and automated interaction with the website. Moreover, additional security measures were taken against Brute-force and Open Redirect attacks (section 5.2).

2.5 Tools

The SSH CI is fully developed, tested, and debugged with Microsoft Visual Studio integrated development environment (IDE). It is an indispensable IDE for C# devel­opment that is equipped with all the C# environment-related tools like IntelliSense, database schema designer, version control system, and many others. IntelliSense is an intelligent code completion embedded tool that speeds up the development process and reduces common typos and mistakes. The application is versioned and tracked with Git and hosted on GitHub. Finally, the testing phase of the development cycle was arranged on the target operating system, which is Linux.

The operating system was emulated by using Oracle VM VirtualBox. It is a tool that allows users to emulate a physical computer and provides the functionality of it.

3 Architecture

3.1 User Activity

The SSH CI is a user friendly and intuitive application. The interaction between the user and the application is estimated to be around 2 to 3 minutes. Firstly, the user has to access the web application with any web-browser. The server checks if any authentication cookie has been provided in the HTTP request header. The cookie authentication is described more in detail in section 3.4.3. If no cookie was found, that means the user is not logged in, and he will be automatically redirected to the login page where he can authenticate. The submitted request is analyzed by an external CAPTCHA system, thereafter, the credentials are validated by the server. If the previous two steps were completed successfully, the user is redirected to the home page where he can manipulate his private key. Whenever the user performs any actions regarding his key, specific scripts will be launched that will manipulate the key. On each action, his behavior is scanned by the CAPTCHA system. Suspicious actions may lead the user to be logged out of the system. The graphical illustration of the whole process can be observed in fig. 3.1.

Abbildung in dieser Leseprobe nicht enthalten

Figure 3.1: Interaction between the system and the user - activity diagram

3.2 Physical Deployment Model

The SSH CI is a three-tier application that implements the client-server model. The system is split between the presentation tier, business logic tier, and the data tier as can be seen in fig. 3.2.

- The business logic tier is where the logic of the application is implemented. It is located on the application server side. It is responsible for all the decision making, for rendering the views for the presentation layer, and for interacting with the data layer.
- The data tier is where all the user's data is stored. In the SSH CI scenario, the LDAP directory stores the data. The data tier communicates only with the business logic layer via TCP/IP protocol on port 636, which is the default port of any directory service for Transport Layer Security (TLS) connections.
- The presentation tier is the front-end layer. It consists mainly of the UI. The user interface is accessible through a web browser and it acts as a mediator between the end-user and the business layer of the application. The presentation layer logic, is distributed across the client and the server. On the client side the Javascript code is running in the web browser, on the server-side, the Razor markup, which is integrated in the HTML pages.

Abbildung in dieser Leseprobe nicht enthalten

Figure 3.2: SSH CI - deployment diagram

As described previously, SSH CI implements the client-server model. The client is the end user 's browser and the server, the web server. The communication between the two is of type request-response. The exchanged messages are called Hypertext Transfer Protocol (HTTP) messages and are sent over TCP/IP protocol. As HTTP is a stateless protocol, each request-response is isolated from each other. In the context of a protocol, stateless means that the server is not required to track the state over multiple requests and does not retain any information. In a non-persistent connection, the client always requests, and the server responds.

- An HTTP request consists mainly of the request line, the header, and the message body. The header contains the request line that specifies the HTTP method, the path, and the protocol. The method indicates what kind of action should be done on the server, the path is generally the desired part of the Uniform Resource Locator (URL) that comes after the domain. Finally, the protocol denotes the HTTP version.
- An HTTP response has at the basis the same components as the request except there is a response line instead of a request line. The response line contains the protocol and status code. In the response header, the server passes additional information about the response. Lastly, the response body can contain a HTML page, Javascript Object Notation (JSON) or an Extensible Markup Language (XML) formatted result.

3.3 Application Structure

3.3.1 MVC

In SSH CI, the MVC architectural pattern is implemented and it separates the appli­cation into three main components: Models, Views, and Controllers as illustrated in fig. 3.3. By using this pattern, the separation of concerns is achieved. It ensures that the application is scalable, testable and loosely coupled.

- The model in MVC is the set of classes that encapsulates the business object and the logic to perform the create, read, update, and delete (CRUD) operations on it.
- The view is responsible for presenting the model through the UI. In SSH CI, Razor views are used and they combine minimum logic which relates to presenting the content.
- Controller is the component that handles user interaction, manipulates the model, and selects the appropriate view to render it.

Abbildung in dieser Leseprobe nicht enthalten

3.3.2 Programming Model

When an HTTP request comes in, the framework assigns one thread from the thread pool to the request. The thread pool itself is managed by the framework. Nevertheless, the way the threads are used depends on the implemented programming model. In the case of synchronous implementation, the assigned tasks will block the thread. The next incoming requests are going to be queued and wait for the thread to free up, which may lead to the server responding with HTTP Error 503 status code (Service unavailable). The programming model implemented in SSH CI is Asynchronous. Whenever a request reaches the server, the framework assigns a thread to the request as well. However, all the input/output (IO) operations will be performed asynchronously. This returns the thread to the thread pool until the IO operation returns, thus, other requests can be served in the meantime. An IO operation can be performed on a file, database, or a web API. The asynchronous programming model allows a small number of threads to handle a much larger number of requests. Subsequently, the primary benefit of asynchronous code is scalability.

3.3.3 Request Lifecycle

As discussed earlier, SSH CI is stateless since it's a server-side web application that uses HTTP protocol for communication. Each HTTP request has its own lifecycle. As shown in fig. 3.4, the lifecycle consists of following states:

Abbildung in dieser Leseprobe nicht enthalten

Figure 3.4: SSH CI application lifecycle - activity diagram.

[...]