Monday, August 15, 2016

Securely share dynamic secrets between Linux computers

I needed to set up password-less ssh access between a cluster of AWS Linux computers via CloudFormation. Although ssh-copy-id was designed to help with this, it still presumes you have a login password, which complicates design-time scripting such as CloudFormation.

Here is the solution I came up with, illustrated with a generic secret file:

On the first server:

PRIVATEFILE=/tmp/secret.txt
 PRIVATEPASSWORD=myrandompassword
PUBLICTOKEN=globallyuniquepublicstring
PUBLICCURLIOTOKEN=v2ioebm0

# Encrypt the file symmetrically with AES-256 (writes ${PRIVATEFILE}.gpg), upload the
# ciphertext to curl.io and keep the download URL it prints (the line starting with "https").
CURLIO=$( ( gpg --cipher-algo AES256 --symmetric --yes --batch --passphrase="${PRIVATEPASSWORD}" "${PRIVATEFILE}" && curl -F "file=@${PRIVATEFILE}.gpg" "https://curl.io/send/${PUBLICCURLIOTOKEN}" ) 2>&1 | grep ^https )

# Point the short link at the download URL, then remove the local ciphertext.
# "${CURLIO}" must be quoted: if it is empty and unquoted, `test -n` has no operand and succeeds.
test -n "${CURLIO}" && ( curl -s "https://scry.in/api.php?action=shorturl&format=simple&keyword=${PUBLICTOKEN}&url=${CURLIO}" > /dev/null ) && rm "${PRIVATEFILE}.gpg"


On the other server(s):

PRIVATEFILE=/tmp/secret.txt
 PRIVATEPASSWORD=myrandompassword
PUBLICTOKEN=globallyuniquepublicstring

# Resolve the short link to the curl.io download URL (the first quoted https URL on the
# page, matched up to the closing quote), fetch the ciphertext and decrypt it.
# On GnuPG 2.1+ add --pinentry-mode loopback so --passphrase is honoured; --no-use-agent is ignored there.
curl -s "$( curl -s "https://scry.in/${PUBLICTOKEN}" | grep -oh 'https[^"]*' | head -1 )" | gpg --quiet --no-use-agent --yes --batch --passphrase="${PRIVATEPASSWORD}" -o "${PRIVATEFILE}"


Notes:

  1. This is obviously best for sharing dynamic secrets that aren't known ahead of time when creating the CloudFormation script (like ssh keys).  Static secrets could simply have been hard-coded into the CloudFormation script directly.
  2. You'll want to protect your CloudFormation script since it will have the gpg password hard-coded.
  3. The space in front of the PRIVATEPASSWORD shell variable is to avoid saving it in the bash history (this only works when HISTCONTROL includes ignorespace or ignoreboth).  Feel free to avoid the variable altogether and just insert the password into the commands where referenced.
  4. The PUBLICCURLIOTOKEN is randomly generated when you visit https://curl.io/ (it appears right after "send/" in the example snippet on the homepage).  Feel free to use the one in my example above -- I don't think it ever expires.
  5. For PUBLICTOKEN I recommend using a GUID from http://www.guidgen.com/.
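The two snippets above are one-liners typed at a shell, and their weak spots are the ones one-liners usually have: unquoted variables, a URL pasted raw into a query string, and the passphrase on the command line where `ps` can read it. The script below is an added example, not code from the original post, that wraps the same flow (encrypt, upload to curl.io, publish the pointer via scry.in, resolve and decrypt) in functions that quote properly, percent-encode the pointer, refuse to publish when the upload produced no URL, and feed the passphrase to gpg over a file descriptor. The service URLs are the ones the post uses; the sample responses checked in the usage notes are constructed for illustration, and the gpg flags assume GnuPG 2.1 or later as noted in the comments.

```shell
#!/bin/sh
# Added example, not code from the original post: hardened helper functions for
# the encrypt -> upload -> publish pointer -> fetch -> decrypt flow described
# above. The curl.io and scry.in URLs are the ones the post uses; any sample
# response text mentioned in comments is constructed for illustration.

# First https:// URL on stdin, whether it arrives as a bare line (what curl.io
# prints) or quoted inside HTML/JSON (the shortener's page). The match stops at
# a quote or whitespace, so no follow-up sed is needed to strip a closing quote.
extract_first_url() {
    grep -o 'https://[^"[:space:]]*' | head -n 1
}

# Percent-encode a string for use as a query-parameter value. The original passes
# ${CURLIO} raw into "&url=", which silently truncates the stored pointer if the
# upload URL ever contains '&', '#' or '='. Characters are encoded one at a time.
urlencode() {
    _ue_rest="$1"; _ue_out=""
    while [ -n "$_ue_rest" ]; do
        _ue_c="${_ue_rest%"${_ue_rest#?}"}"   # first character of the remainder
        _ue_rest="${_ue_rest#?}"
        case "$_ue_c" in
            [A-Za-z0-9._~-]) _ue_out="$_ue_out$_ue_c" ;;
            *) _ue_out="$_ue_out$(printf '%%%02X' "'$_ue_c")" ;;
        esac
    done
    printf '%s' "$_ue_out"
}

# Symmetric AES-256 encryption as in the post, with the passphrase read from
# stdin (--passphrase-fd 0) instead of the command line, so it never shows up
# in `ps` output. GnuPG 2.1+ needs --pinentry-mode loopback for this; GnuPG 1.x
# does not know the option and it can be dropped there.
encrypt_secret() {   # encrypt_secret <plaintext-file> <passphrase>  -> writes <plaintext-file>.gpg
    printf '%s\n' "$2" | gpg --batch --yes --quiet --cipher-algo AES256 --symmetric \
        --pinentry-mode loopback --passphrase-fd 0 -o "$1.gpg" "$1"
}

decrypt_secret() {   # decrypt_secret <ciphertext-file> <passphrase> <output-file>
    printf '%s\n' "$2" | gpg --batch --yes --quiet --pinentry-mode loopback \
        --passphrase-fd 0 -o "$3" --decrypt "$1"
}

# Upload the ciphertext to curl.io and return the download URL it prints.
upload_secret() {    # upload_secret <file> <curl.io-token>
    curl -s -F "file=@$1" "https://curl.io/send/$2" 2>&1 | extract_first_url
}

# Publish the download URL under the public token. Refusing an empty URL is the
# check the post's `test -n ${CURLIO}` meant to do: unquoted and empty, `test -n`
# has no operand and returns true, so the short link would be pointed at nothing
# and the local .gpg file deleted anyway.
publish_pointer() {  # publish_pointer <public-token> <url>
    if [ -z "$2" ]; then
        echo "upload returned no URL; not publishing" >&2
        return 1
    fi
    curl -s "https://scry.in/api.php?action=shorturl&format=simple&keyword=$1&url=$(urlencode "$2")" >/dev/null
}

# Resolve the public token back to the download URL.
resolve_pointer() {  # resolve_pointer <public-token>
    curl -s "https://scry.in/$1" | extract_first_url
}

# Sender:
#   encrypt_secret /tmp/secret.txt "$PASS" \
#     && url=$(upload_secret /tmp/secret.txt.gpg "$CURLIO_TOKEN") \
#     && publish_pointer "$PUBLIC_TOKEN" "$url" && rm /tmp/secret.txt.gpg
# Receiver:
#   curl -s "$(resolve_pointer "$PUBLIC_TOKEN")" -o /tmp/secret.txt.gpg \
#     && decrypt_secret /tmp/secret.txt.gpg "$PASS" /tmp/secret.txt
```

The two network-free helpers can be checked locally: piping a constructed shortener page such as `<a href="https://curl.io/get/EXAMPLE/secret.txt.gpg">` through `extract_first_url` yields just the URL, `urlencode` turns `https://curl.io/get/abc?x=1&y=2` into `https%3A%2F%2Fcurl.io%2Fget%2Fabc%3Fx%3D1%26y%3D2`, and `publish_pointer sometoken ""` returns non-zero without contacting the shortener. Note that the shortener keyword is the only thing protecting the pointer from being overwritten, which is why the post's advice to use a GUID for PUBLICTOKEN matters; the ciphertext itself is protected only by the gpg passphrase.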
