KeyBox is a web-based SSH console that centrally manages administrative access to systems. Web-based administration is combined with management and distribution of users' public SSH keys. Key management and administration is based on profiles assigned to defined users.
Administrators can login using two-factor authentication with FreeOTP or Google Authenticator. From there they can manage their public SSH keys or connect to their systems through a web-shell. Commands can be shared across shells to make patching easier and eliminate redundant command execution.
KeyBox layers TLS/SSL on top of SSH and acts as a bastion host for administration. Protocols are stacked (TLS/SSL + SSH) so infrastructure cannot be exposed through tunneling / port forwarding. More details can be found in the following whitepaper: The Security Implications of SSH. Also, SSH key management is enabled by default to prevent unmanaged public keys and enforce best practices.
Prerequisites
- Java JDK 1.7 or greater http://www.oracle.com/technetwork/java/javase/overview/index.html
- Browser with Web Socket support http://caniuse.com/websockets
  Note: In Safari, if using a self-signed certificate you must import the certificate into your Keychain. Select 'Show Certificate' -> 'Always Trust' when prompted in Safari.
- Maven 3 or greater ( Only needed if building from source ) http://maven.apache.org
- Install FreeOTP or Google Authenticator to enable two-factor authentication with Android or iOS
To Run Bundled with Jetty
If you're not big on the idea of building from source...
Download keybox-jetty-vXX.XX.tar.gz
https://github.com/skavanagh/KeyBox/releases
Export environment variables
for Linux/Unix/OSX
export JAVA_HOME=/path/to/jdk
export PATH=$JAVA_HOME/bin:$PATH
for Windows
set JAVA_HOME=C:\path\to\jdk
set PATH=%JAVA_HOME%\bin;%PATH%
Start KeyBox
for Linux/Unix/OSX
./startKeyBox.sh
for Windows
startKeyBox.bat
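The environment and start-up steps above, wrapped in a pre-flight script that refuses to start KeyBox unless JAVA_HOME points at a JDK meeting the 1.7-or-greater prerequisite. This is an added example, not part of the KeyBox project; it assumes it is saved as start_keybox_checked.sh (an assumed name) in the extracted keybox-jetty directory next to the bundled startKeyBox.sh.

```shell
#!/bin/sh
# Added example (not KeyBox project code): pre-flight checks for the
# "export JAVA_HOME / start KeyBox" steps. Assumes it runs from the extracted
# keybox-jetty directory where the bundled startKeyBox.sh lives.

# java_version_ok "<first line of 'java -version'>" -> exit 0 if JDK >= 1.7.
# Handles the legacy "1.7.0_80" scheme and the newer "11.0.2" / "9" schemes.
java_version_ok() {
    # Extract the quoted version, e.g. java version "1.8.0_45" -> 1.8.0_45
    ver=$(printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p')
    [ -n "$ver" ] || return 1
    major=${ver%%.*}
    if [ "$major" = "1" ]; then
        # Legacy scheme 1.x.y_z: the meaningful major number is x
        rest=${ver#1.}
        major=${rest%%.*}
        major=${major%%_*}
    fi
    case $major in
        ''|*[!0-9]*) return 1 ;;   # not a number: treat as unknown, refuse
    esac
    [ "$major" -ge 7 ]
}

# java_home_ok "<dir>" -> exit 0 if the directory looks like a JDK (has bin/java)
java_home_ok() {
    [ -n "$1" ] && [ -x "$1/bin/java" ]
}

# Validate the environment, then hand over to the bundled start script.
start_keybox() {
    java_home_ok "$JAVA_HOME" || { echo "JAVA_HOME='$JAVA_HOME' has no bin/java" >&2; return 1; }
    export PATH="$JAVA_HOME/bin:$PATH"
    # java prints its version banner on stderr, so merge it into stdout
    banner=$("$JAVA_HOME/bin/java" -version 2>&1 | head -n 1)
    java_version_ok "$banner" || { echo "JDK 1.7 or greater required, found: $banner" >&2; return 1; }
    [ -x ./startKeyBox.sh ] || { echo "startKeyBox.sh not found; run from the KeyBox directory" >&2; return 1; }
    exec ./startKeyBox.sh
}

# Only start when run as start_keybox_checked.sh, so the checks can also be
# sourced from another script without side effects.
case ${0##*/} in
    start_keybox_checked.sh) start_keybox ;;
esac
```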
How to Configure SSL in Jetty (it is a good idea to add or generate your own unique certificate)
http://wiki.eclipse.org/Jetty/Howto/Configure_SSL
Using KeyBox
Open browser to https://<whatever ip>:8443
Login with
username:admin
password:changeme
Steps:
- Create systems
- Create profiles
- Assign systems to profile
- Assign profiles to users
- Users can login to create sessions on assigned systems
- Start a composite SSH session or create and execute a script across multiple sessions
- Add additional public keys to systems
- Disable any administrative public key, forcing key rotation
- Audit session history