Securing a VPS with LATCH (II). Server behaviour


Now that our SSH account is paired with a Latch application, we only need to tell the server how to act according to the latch state.

To do this we're going to use another script (again based on Alejandro Ramos's work in this post):

#!/bin/bash
# stat.sh: Latch status check, run from the user's shell start-up (see below).
applicationId="PHKYXXXXXXXXXX"
secretkey="TBKqEXXXXXXXXXXXXXXXXXXXXXXXXXX"
LATCH="/home/LATCH/latch.accounts"

# Look up the Latch accountId paired with this Unix user.
# A user with no entry is not protected by Latch and is let in.
account=$(grep "^$USER:" "$LATCH" | cut -d: -f2)
if [ -z "$account" ]; then exit 0; fi

# Sign the request the way the Latch 0.6 API expects:
# HMAC-SHA1 over "METHOD\nDATE\n\nURL", base64-encoded.
URL="/api/0.6/status/$account"
date=$(date -u '+%Y-%m-%d %H:%M:%S')
# Pipe openssl straight into base64: holding the raw digest in a shell
# variable would drop NUL bytes and corrupt the signature.
b64signed=$(printf 'GET\n%s\n\n%s' "$date" "$URL" \
    | openssl dgst -sha1 -hmac "$secretkey" -binary | base64)
auth_header="Authorization: 11PATHS $applicationId $b64signed"
date_header="X-11Paths-Date: $date"

# Keep TLS verification on (no --no-check-certificate): whoever can forge
# this response can simply answer "on" and walk past the latch.
JSON=$(wget -q -O - --header "$auth_header" --header "$date_header" "https://latch.elevenpaths.com$URL")
# First "status" value in the body; empty for an error object or garbage.
status=$(printf '%s' "$JSON" | grep -o '"status":"[a-z]*"' | head -n 1 | cut -d'"' -f4)

# Only an explicit "on" lets the session continue. "off", an API error or
# an unparseable response all end the session (fail closed).
# $PPID is the login shell that ran this script; killing it closes this
# SSH session without touching sshd or other users' sessions.
if [ "$status" = "off" ]; then
   echo -e "Login disabled by LATCH\n"
   kill -9 "$PPID"
elif [ "$status" = "on" ]; then
   exit 0
else
   echo -e "LATCH error. Try again\n"
   kill -9 "$PPID"
fi

As you can see, you need to enter your applicationId and your secret key again.
You also need to adjust the path of the latch.accounts file if you changed it in the registering script.

Let's explain a little the behaviour of the script:

If Latch reports the account as unlocked (status "on"), the script exits and the login proceeds. The same happens for a user that has no entry in latch.accounts: that account is simply not protected, so pair every account you want covered.

Otherwise, whether Latch reports the account as locked or anything goes wrong with the request (network error, bad signature, unexpected response), the script shows a message telling the user what happened and forcibly ends the SSH session. Treating errors as "locked" is deliberate: failing open would let an attacker in just by making the Latch check fail.

As you can see, it's a very simple script.
Now we need to get it executed every time the user logs in via SSH.

First go to the user's home directory on the VPS (usually /root) and open its .bashrc:
nano .bashrc

The file should already exist. Add this line to it; putting it at the top, before anything else, means nothing in .bashrc runs until the check has passed:

/home/LATCH/stat.sh

The script must be executable, and since it embeds the application secret, keep it (and latch.accounts) readable only by the accounts that need to run it.

This will run every time the user logs in: it detects the user running it, checks the application status and acts as we configured above.
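As an added example (not code from the original post or from ElevenPaths), here are the two pieces of stat.sh worth exercising offline: the request signing and the fail-closed status decision, written as shell functions and run against constructed responses. The function names (latch_sign, latch_auth_header, latch_status, latch_allow) and the sample JSON bodies are assumptions made for this example; only the signing scheme (HMAC-SHA1 over method, date and URL, base64-encoded) comes from the script above.

```shell
#!/bin/bash
# Added example, not code from the original post. The function names below
# are chosen for this example and are not part of the Latch API or SDKs.

# Request signature as the Latch 0.6 API expects it: HMAC-SHA1 over
# "METHOD\nDATE\n\nURL" (no extra X-11Paths headers), base64-encoded.
# openssl is piped straight into base64 so the raw digest never sits in a
# shell variable, where NUL bytes would be dropped.
latch_sign() {
    local method="$1" stamp="$2" url="$3" secret="$4"
    printf '%s\n%s\n\n%s' "$method" "$stamp" "$url" \
        | openssl dgst -sha1 -hmac "$secret" -binary | base64
}

# Full Authorization header: "11PATHS <applicationId> <signature>".
latch_auth_header() {
    local app_id="$1" method="$2" stamp="$3" url="$4" secret="$5"
    printf 'Authorization: 11PATHS %s %s' "$app_id" \
        "$(latch_sign "$method" "$stamp" "$url" "$secret")"
}

# First "status" value in a status response body.
# Prints nothing for an error object, an empty body or anything unexpected.
latch_status() {
    printf '%s' "$1" | grep -o '"status":"[a-z]*"' | head -n 1 | cut -d'"' -f4
}

# The login decision. Returns 0 (allow) only for an explicit "on"; "off",
# an error response, an empty or malformed body all return 1 (deny).
# This is what makes the hook fail closed.
latch_allow() {
    case "$(latch_status "$1")" in
        on) return 0 ;;
        *)  return 1 ;;
    esac
}

# Constructed sample responses (shape chosen for this example, not captured
# from the real API).
SAMPLE_ON='{"data":{"operations":{"PHKYXXXXXXXXXX":{"status":"on","name":"VPS SSH"}}}}'
SAMPLE_OFF='{"data":{"operations":{"PHKYXXXXXXXXXX":{"status":"off","name":"VPS SSH"}}}}'
SAMPLE_ERR='{"error":{"message":"constructed error response"}}'

# Walk the decision over each body, including an empty one (wget failed).
for body in "$SAMPLE_ON" "$SAMPLE_OFF" "$SAMPLE_ERR" ""; do
    if latch_allow "$body"; then verdict=allow; else verdict=deny; fi
    printf '%-6s <- %s\n' "$verdict" "${body:-<empty body>}"
done

# The header stat.sh would send (placeholder credentials, as in the post).
latch_auth_header "PHKYXXXXXXXXXX" GET "$(date -u '+%Y-%m-%d %H:%M:%S')" \
    "/api/0.6/status/ACCOUNTID" "TBKqEXXXXXXXXXXXXXXXXXXXXXXXXXX"
echo
```

Only the "on" body is allowed through; the locked body, the error object and the empty body all produce deny, which is the property you want to re-check whenever you touch the parsing.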

In addition, if we have set the status to locked, we will receive a push notification on the phone telling us that someone has tried to log in with our credentials.

As you can see, with a few simple steps we've secured SSH logins to our VPS. Two things to keep in mind: the check runs from the user's shell start-up, so it only covers logins that start bash and read .bashrc, and it runs after sshd has already accepted the password or key, so Latch ends the session rather than preventing the authentication itself.

EXTRA. Unpairing accounts

It's possible that for some reason a user needs to unpair their account from Latch.
To do that, we will use the third method provided by Latch's API: unpair.

The script will be:

#!/bin/bash
# unreg.sh: unpair the current user's account and forget it locally.
if [ "$1" = "debug" ]; then set -x; fi
applicationId="PHKYXXXXXXXXXXXXX"
secretkey="TBKXXXXXXXXXXXXXXXXXXX"
LATCH="/home/LATCH/latch.accounts"

account=$(grep "^$USER:" "$LATCH" | cut -d: -f2)
if [ -z "$account" ]; then echo -e "Error: $USER is not paired."; exit 1; fi
URL="/api/0.6/unpair/$account"

# Same request signing as stat.sh: HMAC-SHA1 over "GET\nDATE\n\nURL".
date=$(date -u '+%Y-%m-%d %H:%M:%S')
b64signed=$(printf 'GET\n%s\n\n%s' "$date" "$URL" \
    | openssl dgst -sha1 -hmac "$secretkey" -binary | base64)
auth_header="Authorization: 11PATHS $applicationId $b64signed"
date_header="X-11Paths-Date: $date"

# Only forget the pairing locally once the API has accepted the unpair.
# wget exits non-zero on network/HTTP failures; a rejected request comes
# back as a JSON object with an "error" member.
if ! JSON=$(wget -q -O - --header "$auth_header" --header "$date_header" "https://latch.elevenpaths.com$URL"); then
   echo -e "\nLATCH request failed.\n"
   exit 1
fi
if printf '%s' "$JSON" | grep -q '"error"'; then
   echo -e "\nLATCH refused the unpair: $JSON\n"
   exit 1
fi

# Rewrite latch.accounts without this user's line. The temporary file is
# created next to it rather than in /tmp, so the rename is atomic and no
# other user can pre-create or swap the path.
tmp=$(mktemp "$LATCH.XXXXXX") || exit 1
grep -v "^$USER:" "$LATCH" > "$tmp" || [ $? -eq 1 ]   # 1 just means no lines left
mv "$tmp" "$LATCH"
echo -e "\nDone.\n"

Again, adjust the applicationId, the secret key and the latch.accounts path to match whatever you used in the first two scripts.

Running it is as simple as
./unreg.sh

And with this command we will have our account unpaired from the LATCH application.
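As an added example (not code from the original post or from ElevenPaths), the local half of unreg.sh, deciding whether the API accepted the unpair and dropping the user's line from latch.accounts, written as functions and run against a constructed accounts file in a temporary directory. The function names (latch_unpair_ok, latch_forget_account), the sample file contents and the sample response bodies are assumptions made for this example.

```shell
#!/bin/bash
# Added example, not code from the original post. Function names and sample
# data are chosen for this example, not taken from the Latch API or SDKs.

# Verdict on the unpair call. $1 is wget's exit status, $2 the response body.
# Returns 0 only when the request went through and the body carries no
# "error" member; until then the local record must not be deleted, or the
# server would keep a pairing the host has already forgotten.
latch_unpair_ok() {
    [ "$1" -eq 0 ] || return 1
    printf '%s' "$2" | grep -q '"error"' && return 1
    return 0
}

# Remove every line for user $1 from the accounts file $2, atomically.
# The replacement is written next to the file (same filesystem, a directory
# only the owner can write to) and renamed over it, so readers never see a
# half-written file and nobody can pre-create or swap a path in /tmp.
# mktemp creates the file 0600; adjust the mode afterwards if latch.accounts
# must stay readable by the users it gates.
latch_forget_account() {
    local user="$1" file="$2" tmp
    tmp=$(mktemp "$file.XXXXXX") || return 1
    grep -v "^$user:" "$file" > "$tmp" || [ $? -eq 1 ]   # 1 = no lines left
    mv "$tmp" "$file"
}

# Constructed accounts file (user:accountId per line, as in the post).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
ACCOUNTS="$demo_dir/latch.accounts"
printf 'root:ACC_ROOT\nalice:ACC_ALICE\nbob:ACC_BOB\n' > "$ACCOUNTS"

# Constructed refusal: wget succeeded but the API answered with an error.
if ! latch_unpair_ok 0 '{"error":{"message":"constructed refusal"}}'; then
    echo "API refused the unpair; keeping alice's local record"
fi
# Constructed network failure: no body at all.
if ! latch_unpair_ok 4 ''; then
    echo "request failed; keeping alice's local record"
fi
# Constructed success: exit 0 and a body without "error".
if latch_unpair_ok 0 '{}'; then
    latch_forget_account alice "$ACCOUNTS"
    echo "alice unpaired; remaining records:"
    cat "$ACCOUNTS"
fi
```

After the run only root and bob remain in the file, and the two failure cases leave it untouched, which is the ordering the real script should enforce: API first, local cleanup second.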

I hope these tutorials are being useful to you!