Install SSH Host Client

Install Pritunl Zero SSH host client

The Pritunl Zero SSH host client is available for most Linux distributions. The client is a small Python script that retrieves the SSH host certificate from the Pritunl Zero server. The source code is available in the pritunl-zero-client repository.

Usage

After the client is installed it runs every minute from the /etc/cron.d/pritunl-ssh-host cron file. When the current certificate is less than 10 minutes from expiration a new host certificate is requested from the Pritunl Zero server. Host verification uses a DNS-based HTTP challenge similar to the Let's Encrypt verification process: the Pritunl Zero server resolves the host's name under the authority domain and connects over HTTP to the challenge port at the address the name resolves to. The host tokens should still be kept private, but a compromised host token on its own does not affect the validity of host certificates. An attacker would also need a DNS record on the authority domain pointing at a server they control in order to retrieve a host certificate, so access to the DNS zone for the authority domain must be protected as carefully as the tokens.

Configuration

First, inbound TCP port 9748, the HTTP challenge port, must be reachable from the Pritunl Zero server; if a host or network firewall is in place, limit the allowed source to the Pritunl Zero server's addresses. Use the commands below to configure the required settings. These commands are idempotent and can be automated and run multiple times. Add the token before the other settings: once a certificate has been retrieved a new one is not requested until it approaches expiration, so settings changed after the first retrieval only take effect at the next renewal. Once configured, a certificate will be retrieved within a minute when the cron script runs. Run sudo pritunl-ssh-host to verify it is working, and sudo pritunl-ssh-host renew to force a certificate renewal. The server hostname must be set to the first label of the server's DNS record: for the server server-one.pritunl.com the hostname is server-one. The domain portion is set in the Pritunl Zero authority settings.

sudo pritunl-ssh-host config add-token YDtJcjNEs2kjijKIaUDl0WpFS69QAjxs
sudo pritunl-ssh-host config hostname server-one
sudo pritunl-ssh-host config server zero-demo-user.pritunl.com
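The renewal behaviour described under Usage can be checked from the host itself. The script below is an added example written for this page, not code from the pritunl-zero-client project. It parses the output of ssh-keygen -L for the host certificate, confirms the certificate principal is the hostname joined to the authority domain, and reports whether the client's 10-minute renewal window has been reached or the certificate has already expired. The certificate path and the expected principal server-one.pritunl.com are assumptions taken from the example above, and the sample listing is constructed rather than captured from a real host.

```python
"""Check the host certificate that pritunl-ssh-host retrieved.

Added example, not code from the pritunl-zero-client project. CERT_PATH is an
assumption about where the client stores the certificate; adjust it for your host.
"""
import re
import subprocess
import sys
from datetime import datetime

CERT_PATH = "/etc/ssh/ssh_host_rsa_key-cert.pub"  # assumed location
RENEW_WINDOW_SECONDS = 10 * 60  # the cron client renews inside this window
TIME_FMT = "%Y-%m-%dT%H:%M:%S"  # ssh-keygen -L prints local time like this


def parse_time(text):
    """Parse a timestamp in the format ssh-keygen -L prints."""
    return datetime.strptime(text, TIME_FMT)


def parse_cert_listing(listing):
    """Extract key id, validity window and principals from ssh-keygen -L text."""
    info = {"key_id": None, "valid_from": None, "valid_to": None, "principals": []}
    lines = listing.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        if line.startswith("Key ID:"):
            info["key_id"] = line.split(":", 1)[1].strip().strip('"')
        elif line.startswith("Valid:"):
            m = re.search(r"from (\S+) to (\S+)", line)  # absent for "Valid: forever"
            if m:
                info["valid_from"] = parse_time(m.group(1))
                info["valid_to"] = parse_time(m.group(2))
        elif line.startswith("Principals:"):
            # names follow one per indented line until the next "Field:" line
            i += 1
            while i < len(lines) and lines[i].strip() and ":" not in lines[i]:
                info["principals"].append(lines[i].strip())
                i += 1
            continue
        i += 1
    return info


def seconds_until_expiry(info, now):
    """Seconds left before the 'Valid: ... to' time, or None if it never expires."""
    if info["valid_to"] is None:
        return None
    return (info["valid_to"] - now).total_seconds()


def renewal_due(info, now, window=RENEW_WINDOW_SECONDS):
    """True when the client's next cron run will request a new certificate."""
    remaining = seconds_until_expiry(info, now)
    return remaining is not None and remaining < window


def check_host_cert(listing, expected_principal, now):
    """Return (ok, problems) for a listing checked against the host's DNS name."""
    info = parse_cert_listing(listing)
    problems = []
    if expected_principal not in info["principals"]:
        problems.append("principal %s not in %s" % (expected_principal, info["principals"]))
    if info["valid_from"] is not None and now < info["valid_from"]:
        problems.append("certificate is not valid yet")
    remaining = seconds_until_expiry(info, now)
    if remaining is not None and remaining <= 0:
        problems.append("certificate expired %d seconds ago" % -remaining)
    elif renewal_due(info, now):
        problems.append("renewal due: %d seconds left, client renews under %d"
                        % (remaining, RENEW_WINDOW_SECONDS))
    return (not problems, problems)


# Constructed sample of ssh-keygen -L output; not captured from a real host.
SAMPLE_LISTING = """\
/etc/ssh/ssh_host_rsa_key-cert.pub:
        Type: ssh-rsa-cert-v01@openssh.com host certificate
        Public key: RSA-CERT SHA256:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
        Signing CA: RSA SHA256:BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB (using rsa-sha2-512)
        Key ID: "server-one"
        Serial: 1
        Valid: from 2024-05-01T10:00:00 to 2024-05-01T11:00:00
        Principals:
                server-one.pritunl.com
        Critical Options: (none)
        Extensions: (none)
"""


def main():
    expected = sys.argv[1] if len(sys.argv) > 1 else "server-one.pritunl.com"
    listing = subprocess.check_output(["ssh-keygen", "-L", "-f", CERT_PATH]).decode()
    ok, problems = check_host_cert(listing, expected, datetime.now())
    for problem in problems:
        print(problem)
    print("OK" if ok else "FAIL")
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run it as root with the host's full DNS name as the argument. A non-zero exit with a "renewal due" line that persists for more than a couple of cron runs means the challenge is failing, which usually points at port 9748 being blocked or the DNS record not resolving to this host.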

Automated Route 53 DNS Entry

The host client can automatically update a Route 53 record with the public IP address of the host. This requires the boto3 library for Python 2.7, the interpreter the client runs under. The host does not need to be on AWS to use this feature. The safest way to handle AWS credentials is with IAM roles; if the instance has an IAM role configured, the AWS credential commands below can be skipped and no long-lived keys need to be stored on the host. The credentials need permission to read the hosted zones and to change records in the configured zone, and should be granted nothing beyond that. The host record name is hostname + '.' + route_53_zone, which for the example above is server-one.pritunl.com. The Route 53 record is updated every hour.

sudo pritunl-ssh-host config aws-access-key AWS_ACCESS_KEY
sudo pritunl-ssh-host config aws-secret-key AWS_SECRET_KEY
sudo pritunl-ssh-host config route-53-zone pritunl.com
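The page states what the credentials must be allowed to do but not how to express that as a policy. The script below is an added example for this page, not part of the pritunl-zero-client project. It shows the over-broad grant often handed to "DNS update" credentials beside a policy limited to one hosted zone and, using Route 53's IAM condition keys, to the single A record the client manages (hostname + '.' + route_53_zone), plus a small audit that flags the over-broad form. The zone ID is a placeholder, and the assumption that the client only needs to list hosted zones and change record sets is ours, not something the project documents.

```python
"""Least-privilege IAM policy for the host client's Route 53 updates.

Added example, not part of pritunl-zero-client. ZONE_ID is a placeholder and
the set of API calls the client needs is an assumption, not project documentation.
"""
import fnmatch
import json

ZONE_ID = "Z0000000000000000000"  # placeholder hosted zone id, not a real zone


def host_record_name(hostname, zone):
    """The record the client updates, built as the docs state: hostname + '.' + zone."""
    return hostname + "." + zone


# The weak setting: any Route 53 action on any hosted zone. A key leaked from
# the host would let an attacker point any name in any zone at their own server,
# which is exactly what the DNS-based host challenge relies on not happening.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AllDns", "Effect": "Allow", "Action": "route53:*", "Resource": "*"}],
}


def scoped_route53_policy(zone_id, hostname, zone, record_types=("A",)):
    """Policy allowing only the host's own record in one zone to be changed."""
    record = host_record_name(hostname, zone).lower().rstrip(".")  # normalized form
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                # ListHostedZones cannot be scoped to a zone, so '*' is the minimum here.
                "Sid": "ReadZones",
                "Effect": "Allow",
                "Action": ["route53:ListHostedZones", "route53:ListHostedZonesByName"],
                "Resource": "*",
            },
            {
                "Sid": "UpdateHostRecord",
                "Effect": "Allow",
                "Action": ["route53:ChangeResourceRecordSets"],
                "Resource": "arn:aws:route53:::hostedzone/" + zone_id,
                "Condition": {
                    "ForAllValues:StringEquals": {
                        "route53:ChangeResourceRecordSetsNormalizedRecordNames": [record],
                        "route53:ChangeResourceRecordSetsRecordTypes": list(record_types),
                    }
                },
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_policy(policy):
    """Findings for Allow statements that permit record changes beyond one record in one zone."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        can_change = any(fnmatch.fnmatchcase("route53:ChangeResourceRecordSets", action)
                         for action in _as_list(stmt["Action"]))
        if not can_change:
            continue
        if any("*" in resource for resource in _as_list(stmt["Resource"])):
            findings.append(sid + ": record changes allowed in every hosted zone")
        if "Condition" not in stmt:
            findings.append(sid + ": record changes not limited to the host's record name")
    return findings


def policy_json(policy):
    """Serialize for aws iam put-role-policy --policy-document file://policy.json."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    print(policy_json(scoped_route53_policy(ZONE_ID, "server-one", "pritunl.com")))
    for finding in audit_policy(OVERBROAD_POLICY):
        print("overbroad:", finding)
```

Attach the generated document to the instance's IAM role (or, when static keys are unavoidable, to a dedicated IAM user used only by this host). Because the record name is fixed in the condition, one policy per host is needed; that is the point, since a compromise of one host then cannot rewrite another host's record.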

Linux

Select the block for the distribution the host runs. Every repository below is GPG signed with key 7568D9BB55FF9E5287D586017AE645C0CF8E292A, and the apt repository lines fetch over plain HTTP, so package integrity rests entirely on that signature. Keyserver lookups over hkp:// are unauthenticated, so confirm the fingerprint you import matches the one Pritunl publishes before installing.

Arch Linux

sudo tee -a /etc/pacman.conf << EOF
[pritunl]
Server = https://repo.pritunl.com/stable/pacman
EOF

sudo pacman-key --keyserver hkp://keyserver.ubuntu.com -r 7568D9BB55FF9E5287D586017AE645C0CF8E292A
sudo pacman-key --lsign-key 7568D9BB55FF9E5287D586017AE645C0CF8E292A
sudo pacman -Sy
sudo pacman -S --noconfirm pritunl-ssh-host

Amazon Linux 1

sudo tee /etc/yum.repos.d/pritunl.repo << EOF
[pritunl]
name=Pritunl Repository
baseurl=https://repo.pritunl.com/stable/yum/amazonlinux/1/
gpgcheck=1
enabled=1
EOF

gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys 7568D9BB55FF9E5287D586017AE645C0CF8E292A
gpg --armor --export 7568D9BB55FF9E5287D586017AE645C0CF8E292A > key.tmp; sudo rpm --import key.tmp; rm -f key.tmp
sudo yum -y install pritunl-ssh-host

Amazon Linux 2

sudo tee /etc/yum.repos.d/pritunl.repo << EOF
[pritunl]
name=Pritunl Repository
baseurl=https://repo.pritunl.com/stable/yum/amazonlinux/2/
gpgcheck=1
enabled=1
EOF

gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys 7568D9BB55FF9E5287D586017AE645C0CF8E292A
gpg --armor --export 7568D9BB55FF9E5287D586017AE645C0CF8E292A > key.tmp; sudo rpm --import key.tmp; rm -f key.tmp
sudo yum -y install pritunl-ssh-host

CentOS 7

sudo tee /etc/yum.repos.d/pritunl.repo << EOF
[pritunl]
name=Pritunl Repository
baseurl=https://repo.pritunl.com/stable/yum/centos/7/
gpgcheck=1
enabled=1
EOF

gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys 7568D9BB55FF9E5287D586017AE645C0CF8E292A
gpg --armor --export 7568D9BB55FF9E5287D586017AE645C0CF8E292A > key.tmp; sudo rpm --import key.tmp; rm -f key.tmp
sudo yum -y install pritunl-ssh-host

Debian 8 (jessie)

sudo tee /etc/apt/sources.list.d/pritunl.list << EOF
deb http://repo.pritunl.com/stable/apt jessie main
EOF

sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com --recv 7568D9BB55FF9E5287D586017AE645C0CF8E292A
sudo apt-get update
sudo apt-get --assume-yes install pritunl-ssh-host

Debian 9 (stretch)

sudo tee /etc/apt/sources.list.d/pritunl.list << EOF
deb http://repo.pritunl.com/stable/apt stretch main
EOF

sudo apt-get install dirmngr
sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com --recv 7568D9BB55FF9E5287D586017AE645C0CF8E292A
sudo apt-get update
sudo apt-get --assume-yes install pritunl-ssh-host

Fedora 27

sudo tee /etc/yum.repos.d/pritunl.repo << EOF
[pritunl]
name=Pritunl Repository
baseurl=https://repo.pritunl.com/stable/yum/fedora/27/
gpgcheck=1
enabled=1
EOF

sudo dnf -y install gpg
gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys 7568D9BB55FF9E5287D586017AE645C0CF8E292A
gpg --armor --export 7568D9BB55FF9E5287D586017AE645C0CF8E292A > key.tmp; sudo rpm --import key.tmp; rm -f key.tmp
sudo dnf -y install pritunl-ssh-host

Fedora 28

sudo tee /etc/yum.repos.d/pritunl.repo << EOF
[pritunl]
name=Pritunl Repository
baseurl=https://repo.pritunl.com/stable/yum/fedora/28/
gpgcheck=1
enabled=1
EOF

sudo dnf -y install gpg
gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys 7568D9BB55FF9E5287D586017AE645C0CF8E292A
gpg --armor --export 7568D9BB55FF9E5287D586017AE645C0CF8E292A > key.tmp; sudo rpm --import key.tmp; rm -f key.tmp
sudo dnf -y install pritunl-ssh-host

Oracle Linux 7

sudo tee /etc/yum.repos.d/pritunl.repo << EOF
[pritunl]
name=Pritunl Repository
baseurl=https://repo.pritunl.com/stable/yum/oraclelinux/7/
gpgcheck=1
enabled=1
EOF

gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys 7568D9BB55FF9E5287D586017AE645C0CF8E292A
gpg --armor --export 7568D9BB55FF9E5287D586017AE645C0CF8E292A > key.tmp; sudo rpm --import key.tmp; rm -f key.tmp
sudo yum -y install pritunl-ssh-host

Ubuntu 14.04 (trusty)

sudo tee /etc/apt/sources.list.d/pritunl.list << EOF
deb http://repo.pritunl.com/stable/apt trusty main
EOF

sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com --recv 7568D9BB55FF9E5287D586017AE645C0CF8E292A
sudo apt-get update
sudo apt-get --assume-yes install pritunl-ssh-host

Ubuntu 16.04 (xenial)

sudo tee /etc/apt/sources.list.d/pritunl.list << EOF
deb http://repo.pritunl.com/stable/apt xenial main
EOF

sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com --recv 7568D9BB55FF9E5287D586017AE645C0CF8E292A
sudo apt-get update
sudo apt-get --assume-yes install pritunl-ssh-host

Ubuntu 17.10 (artful)

sudo tee /etc/apt/sources.list.d/pritunl.list << EOF
deb http://repo.pritunl.com/stable/apt artful main
EOF

sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com --recv 7568D9BB55FF9E5287D586017AE645C0CF8E292A
sudo apt-get update
sudo apt-get --assume-yes install pritunl-ssh-host

Ubuntu 18.04 (bionic)

sudo tee /etc/apt/sources.list.d/pritunl.list << EOF
deb http://repo.pritunl.com/stable/apt bionic main
EOF

sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com --recv 7568D9BB55FF9E5287D586017AE645C0CF8E292A
sudo apt-get update
sudo apt-get --assume-yes install pritunl-ssh-host