I currently have a few different services running on my home server and, for simplicity, I have a single VM managing the certificates via certbot and just copy them across the network using SCP.
The SSH connections are key-secured, but since I'm running it automated, the keys themselves don't require a password, which obviously isn't ideal.
The keys are only stored in the root account of the VM that manages certbot, but I'd still like an option where the script could copy the files across without me essentially having an unsecured method for root access to other systems on my network if someone gained access to one of them.
My router only enables the user for certbot on a Saturday evening, which allows my VM to SSH in and run a script that disables the firewall rule that blocks port 80, runs the certbot renew command, enables the firewall rules again and disables the certbot user. I'm comfortable enough with this since there's only a maximum 15-minute window each week where the router user is enabled.
It's the copying of the certificates that's the problem, as obviously, with it being carried out as root, the accounts are active at all times.
#!/bin/bash
# Router script that opens port 80 for the renewal (the router user is only enabled in the weekly window)
ssh [email protected] "/system script run certbotenable"
#ufw allow 80
certbot renew
#ufw delete allow 80
systemctl restart apache2
# Router script that puts the port 80 block back
ssh [email protected] "/system script run certbotdisable"
# Push the renewed cert and key to the Proxmox host (sazed) and the Home Assistant host (rashek) as root
scp /etc/letsencrypt/live/sazed.mydomain.com/cert.pem root@sazed:/etc/pve/local/pveproxy-ssl.pem
scp /etc/letsencrypt/live/sazed.mydomain.com/privkey.pem root@sazed:/etc/pve/local/pveproxy-ssl.key
scp /etc/letsencrypt/live/rashek.mydomain.com/cert.pem root@rashek:/root/ssl/fullchain.pem
scp /etc/letsencrypt/live/rashek.mydomain.com/privkey.pem root@rashek:/root/ssl/privkey.key
# Proxmox only picks up the new pveproxy certificate after a restart
ssh root@sazed "service pveproxy restart"
I found a package called restricted-ssh-commands that has solved my issue for the sazed machine, which is a Proxmox server. I've now restricted that key to only allow the two specific scp commands in my script, and it's working like a charm. Rashek is a little more complicated. It's a Home Assistant appliance that doesn't have the restricted-ssh-commands package available. I plan on setting it up to pull the files from the machine that downloads the certificates once I can work out what command I'd need to allow.
I was able to use the command="/bin/echo Command was: $SSH_ORIGINAL_COMMAND" parameter in authorized_keys to find out the command I needed to add to the restricted-ssh-commands config on the Proxmox server. It turns out that
scp /etc/letsencrypt/live/sazed.mydomain.com/cert.pem root@sazed:/etc/pve/local/pveproxy-ssl.pem
scp /etc/letsencrypt/live/sazed.mydomain.com/privkey.pem root@sazed:/etc/pve/local/pveproxy-ssl.key
ssh root@sazed "service pveproxy restart"
need an /etc/restricted-ssh-commands/root config file of
^scp -t /etc/pve/local/pveproxy-ssl.pem
^scp -t /etc/pve/local/pveproxy-ssl.key
^service pveproxy restart
However, the rashek server is actually a Home Assistant appliance that doesn't have the restricted-ssh-commands package available.
I COULD initiate a pull command and have restricted-ssh-commands installed on the server that is pulling down the certificates, but the command="/bin/echo Command was: $SSH_ORIGINAL_COMMAND" trick isn't generating the same output as before.
Obviously, doing a pull, the command is different.
root@vin ~ 19:09:37 # scp /etc/letsencrypt/live/sazed.mydomain.com/cert.pem root@sazed:/etc/pve/local/pveproxy-ssl2.pem
Command was: scp -t /etc/pve/local/pveproxy-ssl2.pem
root@vin ~ 19:09:52 # scp root@sazed:/etc/letsencrypt/live/sazed.mydomain.com/cert.pem /etc/pve/local/pveproxy-ssl2.pem
protocol error: bad mode
Granted, I'm running both those commands from the same server, but I just need the format of the command that scp user@host:/path/to/remote-file /path/to/local/file would pass to the remote server so I can add that command to the restricted-ssh-commands config file.
Sorry, I have a tendency to ramble; I hope that all makes sense. Essentially, I want to restrict that key to ONLY be allowed to copy the specific files I have in my script and restart the Proxmox server.
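The following is an added example and not code from the post. It shows the forced-command approach the post is working towards, written as a plain POSIX sh wrapper so it also works on a host without the restricted-ssh-commands package (such as a Home Assistant appliance with a BusyBox shell). With the legacy scp protocol, the remote side of a push (scp local user@host:/remote) sees "scp -t /remote", and the remote side of a pull (scp user@host:/remote local) sees "scp -f /remote"; the wrapper allowlists both forms. The script name and install path (certsync-wrapper, /usr/local/bin), the authorized_keys line in the header comment, and the idea of listing sazed's push entries and rashek's pull entries in one file are assumptions for illustration; the file paths are the ones from the post.

```shell
#!/bin/sh
# certsync-wrapper: forced-command wrapper for one authorized_keys entry.
# Hypothetical name and install path (/usr/local/bin/certsync-wrapper); not from the original post.
#
# Assumed authorized_keys line on the target host (key material elided):
#   command="/usr/local/bin/certsync-wrapper",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 AAAA... certsync
#
# sshd ignores the command the client asked for, runs this script instead and
# puts the requested command in SSH_ORIGINAL_COMMAND. We run it only if it is
# exactly one of the strings below. Exact matching (rather than an unanchored
# regex such as ^scp -t /path) means "/path.bak" or a trailing "; id" is rejected.
#
# What the remote side sees for each scp direction (legacy scp protocol):
#   push  scp local  user@host:/remote   ->  scp -t /remote
#   pull  scp user@host:/remote  local   ->  scp -f /remote
# The push entries mirror the post's sazed (Proxmox) copies; the pull entries
# are what the certificate VM would need if rashek fetched its files instead.
# In a real deployment each host gets a wrapper holding only its own entries.
is_allowed() {
    case $1 in
        "scp -t /etc/pve/local/pveproxy-ssl.pem"|\
        "scp -t /etc/pve/local/pveproxy-ssl.key"|\
        "scp -f /etc/letsencrypt/live/rashek.mydomain.com/cert.pem"|\
        "scp -f /etc/letsencrypt/live/rashek.mydomain.com/privkey.pem"|\
        "service pveproxy restart")
            return 0 ;;
        *)
            return 1 ;;
    esac
}

# Dispatch on the command sshd handed us. Never write to stdout here: the scp
# client parses stdout as scp protocol data, which is where the post's
# "protocol error: bad mode" comes from when the forced command echoed text.
run_forced_command() {
    cmd=${SSH_ORIGINAL_COMMAND:-}
    if is_allowed "$cmd"; then
        # $cmd matched an allowlist entry character for character, so splitting it
        # into words is safe; client input is never handed to a shell for evaluation.
        # shellcheck disable=SC2086
        exec $cmd
    fi
    # An empty $cmd is an interactive-login attempt; log it like any other rejection.
    logger -t certsync-wrapper "rejected from ${SSH_CLIENT%% *}: ${cmd:-<no command>}" 2>/dev/null
    echo "certsync-wrapper: command not permitted" >&2
    exit 1
}

# Run the dispatcher only when executed under the installed name, so the file can
# also be sourced (for example to test is_allowed) without touching SSH_ORIGINAL_COMMAND.
case $0 in
    */certsync-wrapper|certsync-wrapper) run_forced_command ;;
esac
```

Two caveats when using this. Since OpenSSH 9.0 the scp client speaks SFTP by default, in which case the server side does not see "scp -t"/"scp -f" at all and the allowlist above rejects the transfer; run the client with scp -O to force the legacy protocol, or allowlist the sftp subsystem instead (which then restricts nothing at file level). And because matching is exact, any extra client flag (scp -p, -r, -C) changes the string the server sees and must be added to the list deliberately. Adding from="<address of the certificate VM>" to the authorized_keys line further limits where the key can be used from.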