From 603f7cb08bca86744949a709c04952c845d6f28d Mon Sep 17 00:00:00 2001 From: Josh Rahm Date: Fri, 24 Feb 2023 16:55:07 -0700 Subject: Initial commit to keyper. --- README.md | 44 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 44 insertions(+) create mode 100644 README.md (limited to 'README.md') diff --git a/README.md b/README.md new file mode 100644 index 0000000..53e3638 --- /dev/null +++ b/README.md @@ -0,0 +1,44 @@ +Keyper +------ + +A very simple program to be used with sshd to transfer keys to authorized +servers. Mostly to be used with the Dracut module `acquire-key-over-ssh` for +machines to acquire their encryption keys securely over ssh from a secure +server. (It technically just is a way to dump a file upon login to an ssh +connection.). + +To set this up, run the following on the keyserver, replacing `` +with the public key of the authorized user: + +```bash +$ gcc -o keyper keyper.c +$ sudo su +# useradd keyper +# cp keyper /home/keyper +# cd /home/keyper +# chsh -s /home/keyper/keyper keyper +# mkdir .ssh +# echo 'environment="KEYPER_FILE=keyper-key" ' >> .ssh/authorized_keys +# chown -R keyper:keyper .ssh/ +# chmod 700 .ssh +# head -c 512 /dev/urandom | base64 -w0 > keyper-key +``` + +Make sure `PermitUserEnvironment` is set to "yes" in sshd\_config. + +TL;DR this sets up a user, keyper, sets its shell to "keyper", which reads a +file based on an environement variable. Then it sets up an authorized key and +sets the environment based on the authorized ssh key. Thereby multiple different +keys can be served different authorized keys. + +There are some weird things that can happen with a binary key. For example, +carridge returns may be removed, so to avoid these, the above commands +base64-encode the key. + +On the client, run: + +``` +$ ssh keyper@keyserver > /tmp/key +$ sudo luksAddKey /dev/ /tmp/key +$ shred /tmp/key +``` -- cgit
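Review bot: the README's setup recipe turns on `PermitUserEnvironment` for every sshd account, not just `keyper`, which lets any authorized key on the host inject arbitrary environment variables into its login session; since the only variable this design needs is `KEYPER_FILE`, the line "Make sure `PermitUserEnvironment` is set to "yes" in sshd\_config" should instead recommend the pattern form `PermitUserEnvironment KEYPER_FILE` (accepted by OpenSSH 7.8 and later), which keeps the exposure to the one variable keyper reads. Two smaller points in the same hunk: `head -c 512 /dev/urandom | base64 -w0 > keyper-key` is run as root with the default umask, so the served key lands world-readable in /home/keyper; a `chown keyper:keyper keyper-key` and `chmod 600 keyper-key` belong right after it. And on the client side `$ sudo luksAddKey /dev/ /tmp/key` is not a command on its own; it should read `$ sudo cryptsetup luksAddKey /dev/... /tmp/key`.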