Securely share dynamic secrets between Linux computers


I needed to set up password-less ssh access between a cluster of AWS Linux computers via CloudFormation.  Although ssh-copy-id was designed to help with this, it still presumes you have a login password, which complicates design-time scripting such as CloudFormation.

Here was the solution I came up with (using a generic example of a random secret file):

On first server:

PRIVATEFILE='/tmp/secret.txt'
 PRIVATEPASSWORD='myrandompassword'
PUBLICTOKEN=globallyuniquepublicstring
PUBLICCURLIOTOKEN='v2ioebm0'

# Encrypt the file with AES256 under the shared passphrase, upload the ciphertext to curl.io, and keep only the URL curl.io prints (GnuPG 2.1+ additionally needs --pinentry-mode loopback for --passphrase to work in batch mode)
CURLIO=$( ( gpg --cipher-algo AES256 --symmetric --yes --batch --passphrase="${PRIVATEPASSWORD}" "${PRIVATEFILE}" && curl -F "file=@${PRIVATEFILE}.gpg" "https://curl.io/send/${PUBLICCURLIOTOKEN}" ) 2>&1 | grep '^https' )

# Register the public token only if an upload URL was actually captured (the quotes matter: an unquoted empty ${CURLIO} makes 'test -n' succeed), then remove the local ciphertext
test -n "${CURLIO}" && ( curl -s "https://scry.in/api.php?action=shorturl&format=simple&keyword=${PUBLICTOKEN}&url=${CURLIO}" > /dev/null ) && rm "${PRIVATEFILE}.gpg"


On some other server(s):

PRIVATEFILE='/tmp/secret.txt'
 PRIVATEPASSWORD='myrandompassword'
PUBLICTOKEN=globallyuniquepublicstring

# Resolve the public token to the curl.io URL (the first https link on the scry.in page), download the ciphertext and decrypt it straight into PRIVATEFILE
curl -s "$( curl -s "https://scry.in/${PUBLICTOKEN}" | grep -o 'https.*"' | head -1 | sed -e 's/"$//' )" | gpg --quiet --no-use-agent --yes --batch --passphrase="${PRIVATEPASSWORD}" --decrypt -o "${PRIVATEFILE}"
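The same publish/fetch pair as a pair of shell functions, added here as an example and not taken from the original post. It assumes the same two services (curl.io and scry.in) and GnuPG 2.1 or newer (for --pinentry-mode loopback). The differences from the snippets above: every variable is quoted, the passphrase comes from a GPG_PASSPHRASE environment variable and reaches gpg over a file descriptor rather than the command line (so it is not visible to other users in `ps` output), the upload URL is percent-encoded before it is handed to scry.in, a missing URL aborts instead of curling an empty string, and the ciphertext is removed even when a step fails. The sample service replies at the bottom are constructed for the offline check and are not real output from either service.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): hardened publish/fetch pair.
# Assumes curl.io and scry.in as in the post, and GnuPG 2.1+.
set -euo pipefail

# Print the first https URL found in arbitrary text (curl.io's reply, or the
# page scry.in serves for a short URL). Returns 1 if there is none, so a
# caller can never end up running `curl ""`.
extract_first_https_url() {
  local url
  url=$(printf '%s\n' "$1" | grep -o 'https://[^[:space:]"<>]*' | head -n 1 || true)
  [ -n "$url" ] || return 1
  printf '%s\n' "$url"
}

# Percent-encode a value for a query string; RFC 3986 unreserved characters
# are left alone. The original passes the upload URL unencoded, which breaks
# if it ever contains '&' or '#'.
urlencode() {
  local s="$1" out="" c i
  for ((i = 0; i < ${#s}; i++)); do
    c="${s:i:1}"
    case "$c" in
      [A-Za-z0-9.~_-]) out+="$c" ;;
      *) out+=$(printf '%%%02X' "'$c") ;;
    esac
  done
  printf '%s\n' "$out"
}

# First server: encrypt, upload, register the public token. The body is a
# subshell so the EXIT trap removes the ciphertext on success and failure.
publish_secret() (
  local private_file="$1" public_token="$2" curlio_token="$3"
  : "${GPG_PASSPHRASE:?set GPG_PASSPHRASE in the environment}"
  local workdir reply upload_url
  workdir=$(mktemp -d)
  trap 'rm -rf "$workdir"' EXIT
  # Passphrase arrives on fd 3, never on the command line.
  gpg --batch --yes --quiet --pinentry-mode loopback --passphrase-fd 3 \
      --cipher-algo AES256 --symmetric \
      --output "$workdir/secret.gpg" "$private_file" 3<<<"$GPG_PASSPHRASE"
  reply=$(curl -sS -F "file=@$workdir/secret.gpg" "https://curl.io/send/${curlio_token}")
  upload_url=$(extract_first_https_url "$reply") \
    || { echo "curl.io reply contained no URL" >&2; exit 1; }
  curl -sS "https://scry.in/api.php?action=shorturl&format=simple&keyword=$(urlencode "$public_token")&url=$(urlencode "$upload_url")" >/dev/null
)

# Other server(s): resolve the token, download, decrypt into a mode-0600 file.
fetch_secret() (
  local private_file="$1" public_token="$2"
  : "${GPG_PASSPHRASE:?set GPG_PASSPHRASE in the environment}"
  local page download_url
  page=$(curl -sS "https://scry.in/${public_token}")
  download_url=$(extract_first_https_url "$page") \
    || { echo "no download URL found behind token ${public_token}" >&2; exit 1; }
  umask 077
  curl -sS "$download_url" \
    | gpg --batch --yes --quiet --pinentry-mode loopback --passphrase-fd 3 \
          --decrypt --output "$private_file" 3<<<"$GPG_PASSPHRASE"
)

# Constructed sample replies (not real service output) for an offline check
# of the URL extraction.
SAMPLE_CURLIO_REPLY='Upload finished.
https://example.invalid/get/abc123/secret.txt.gpg'
SAMPLE_SCRYIN_PAGE='<html><head><meta http-equiv="refresh" content="0;url=https://example.invalid/get/abc123/secret.txt.gpg"></head></html>'

case "${1:-}" in
  publish) publish_secret "$2" "$3" "$4" ;;   # publish FILE PUBLIC_TOKEN CURLIO_TOKEN
  fetch)   fetch_secret "$2" "$3" ;;          # fetch FILE PUBLIC_TOKEN
  *)       : ;;                               # no arguments: only define the functions
esac
```

Run it as `GPG_PASSPHRASE=... ./share.sh publish /tmp/secret.txt "$PUBLICTOKEN" "$PUBLICCURLIOTOKEN"` on the first server and `GPG_PASSPHRASE=... ./share.sh fetch /tmp/secret.txt "$PUBLICTOKEN"` on the others. Sourcing the file without arguments only defines the functions, which is how the extraction and encoding helpers can be checked without network access.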


Notes:

  1. This is obviously best for sharing dynamic secrets that aren't known ahead of time when creating the CloudFormation script (like ssh keys).  Static secrets could have been simply hard-coded into the CloudFormation script directly.
  2. You'll want to protect your CloudFormation script since it will have the gpg password hard-coded; together with the public token, that is everything needed to fetch and decrypt the secret.
  3. The space in front of the PRIVATEPASSWORD assignment keeps it out of the bash history (this only works when HISTCONTROL includes ignorespace or ignoreboth).  Feel free to avoid the environment variable altogether and just insert the password into the commands where it is referenced.
  4. The PUBLICCURLIOTOKEN is randomly generated when you visit https://curl.io/ (right after "send/" in the example code snippet on the homepage).  Feel free to use the one in my example above -- I don't think it ever expires.
  5. For PUBLICTOKEN I recommend using the GUID from http://www.guidgen.com/
