Protect your servers, using Ledger Nano S.
Stop users from using weak passwords!

Stuart Johnson facd86c49b formatting 3 months ago
.gitignore ae9e496e9a add server list 7 months ago
Dockerfile e2f83b3417 fix ubuntu version 4 months ago
README.md facd86c49b formatting 3 months ago
entrypoint.sh 436ac6f7b3 fix enviroment vars 7 months ago
menu ae9e496e9a add server list 7 months ago
menu_connect 895c92ed54 rework ssh copy to host 7 months ago
server-setup.sh 895c92ed54 rework ssh copy to host 7 months ago
server.list ae9e496e9a add server list 7 months ago
ssh-copy-id.patch 895c92ed54 rework ssh copy to host 7 months ago
ssh_config 42dc270ef8 first commit 7 months ago

README.md

Ledger SSH System Admin


To setup your Ledger Nano S

Install the SSH/PGP Agent application (see the first part of this guide).

To login from a Linux Client

If you haven't got this project yet:

git clone https://github.com/logicethos/SSH-Ledger-Login.git
cd SSH-Ledger-Login

Create a server.list file, with your servers like this:

[<user>@]host1[:port] my-server-name1
[<user>@]host2[:port] my-server-name2
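The entry format above is simple, but the user and port parts are optional, so the menu has to fill in defaults. The following is an added example (not part of the SSH-Ledger-Login project) that parses one server.list line into its four fields and builds the ssh invocation for it; the default user comes from a `DEFAULT_USER` variable (an assumption, falling back to the current login) and the default port is 22. The sample entries are constructed, not real hosts.

```shell
#!/bin/sh
# Added example, not the project's own menu code. Parses "[<user>@]host[:port] name"
# entries and reports malformed ones instead of handing them to ssh.

# parse_server_line LINE -> prints "user host port name", or returns 1 if malformed.
parse_server_line() {
    line=$1
    target=${line%% *}          # text before the first space: [user@]host[:port]
    name=${line#* }             # text after it: the friendly server name
    # A line with no space has no name at all.
    if [ -z "$name" ] || [ "$name" = "$line" ]; then
        return 1
    fi
    case $target in
        *@*) user=${target%%@*}; hostport=${target#*@} ;;
        *)   user=${DEFAULT_USER:-$(id -un)}; hostport=$target ;;   # assumed default
    esac
    case $hostport in
        *:*) host=${hostport%%:*}; port=${hostport#*:} ;;
        *)   host=$hostport; port=22 ;;
    esac
    # The port must be numeric; anything else is a typo in server.list.
    case $port in
        ''|*[!0-9]*) return 1 ;;
    esac
    printf '%s %s %s %s\n' "$user" "$host" "$port" "$name"
}

# ssh_command LINE -> prints the ssh command for that entry (agent forwarding
# and other options are left to ssh_config, as in the project).
ssh_command() {
    fields=$(parse_server_line "$1") || return 1
    set -- $fields
    printf 'ssh -p %s %s@%s\n' "$3" "$1" "$2"
}

# Constructed sample list covering each form the README allows, plus one bad line.
SAMPLE_LIST='host1 my-server-name1
admin@host2 my-server-name2
host3:2222 my-server-name3
deploy@host4:2200 my-server-name4
host5:notaport my-server-name5'

printf '%s\n' "$SAMPLE_LIST" | while IFS= read -r entry; do
    ssh_command "$entry" || printf 'skipping malformed entry: %s\n' "$entry" >&2
done
```

Run it as-is to see the commands for the sample list; point the loop at `server.list` to check a real file before building the image.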

Build

docker build -t ledger-ssh .

Now run it. If you need an alternative login name, add that as an argument.

docker run --rm -it --privileged -v /dev/bus/usb:/dev/bus/usb ledger-ssh [user]

Setup Server

Copy and execute server-setup.sh as root:

wget https://raw.githubusercontent.com/logicethos/SSH-Ledger-Login/master/server-setup.sh
bash server-setup.sh

Restart OpenSSH

/etc/init.d/ssh restart

Add users (the sysadmin group is optional)

useradd -m -s /bin/bash -G keyset,sysadmin <user>

Set up a temporary password:

passwd <user>

Update existing users (the sysadmin group is optional)

usermod -a -G keyset,sysadmin <user>

The three user groups:

keyset    Signals to sshd that password login is allowed, so a new user can upload a public key
keyonly   Signals to sshd that this is a key holder, so no password is allowed
sysadmin  Allows password-less sudo for system admins

Users added to the 'keyset' group are required to upload a public key from the Ledger when they connect. Once they have done so, they are automatically removed from 'keyset' and added to the 'keyonly' group. No more passwords. Users added to the 'sysadmin' group get password-less sudo (i.e. full root access).
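What makes the group scheme safe is that sshd is told which group may still use a password, and that a user only leaves 'keyset' after a key is actually in place. The block below is an added example, not the project's server-setup.sh: it shows one way to express the keyset/keyonly rules as sshd_config Match blocks and a promotion step that refuses to move a user to 'keyonly' until their authorized_keys file holds a public key. The group names are the README's; the Match blocks, the accepted key types (ecdsa-sha2-nistp256 and ssh-ed25519, assumed to be what the Ledger agent produces) and the helper names are this example's assumptions. The key line in the self-check is constructed, not real key material.

```shell
#!/bin/sh
# Added example, not part of the SSH-Ledger-Login project.

# sshd_match_rules -> prints an sshd_config fragment enforcing the two groups.
# Passwords are off globally; only 'keyset' members may use one, and 'keyonly'
# members are restricted to public-key authentication. Since sshd applies the
# first matching Match block, the promotion step below must remove the user
# from 'keyset' and not merely add them to 'keyonly'.
sshd_match_rules() {
    cat <<'EOF'
PasswordAuthentication no
PubkeyAuthentication yes

Match Group keyset
    PasswordAuthentication yes

Match Group keyonly
    PasswordAuthentication no
    AuthenticationMethods publickey
EOF
}

# has_public_key FILE -> 0 if FILE holds at least one public key line of an
# accepted type (assumption: the key types the Ledger agent offers).
has_public_key() {
    [ -s "$1" ] || return 1
    grep -Eq '^(ecdsa-sha2-nistp256|ssh-ed25519) [A-Za-z0-9+/=]+' "$1"
}

# promote_to_keyonly USER -> move USER from keyset to keyonly once a key exists.
# Refusing otherwise keeps a user from ending up with neither key nor password.
# Must run as root; uses gpasswd/usermod from shadow-utils.
promote_to_keyonly() {
    user=$1
    home=$(getent passwd "$user" | cut -d: -f6)
    if [ -z "$home" ]; then
        printf '%s: no such user\n' "$user" >&2
        return 1
    fi
    if ! has_public_key "$home/.ssh/authorized_keys"; then
        printf '%s: no public key uploaded yet, leaving in keyset\n' "$user" >&2
        return 1
    fi
    gpasswd -d "$user" keyset && usermod -a -G keyonly "$user"
}

# Self-check on a constructed authorized_keys file (fake key material).
tmp=$(mktemp)
printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEYMATERIALxxxxxxxxxxxxxxxxxxxxxxx ledger\n' >"$tmp"
has_public_key "$tmp" && echo "sample key accepted; rules would be:" && sshd_match_rules
rm -f "$tmp"
```

To use the promotion step on a server, run `promote_to_keyonly <user>` as root after the user's first login; if it reports that no key was uploaded, the user stays in 'keyset' and can still log in with the temporary password to finish the upload.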