Securing a VPS with LATCH (I)

After seeing the great reception of the last three posts on my blog, I thought it would be worth translating them into English.
First of all, I'd like to point out that I'm not a native English speaker, so I apologize in advance for any mistakes I make.

Well, let's go!


In these three posts we are going to explain how to secure a Virtual Private Server (VPS) using Latch.

I think there is a question that should be answered first.

What is LATCH?

Latch is a service from Eleven Paths that lets us put a "lock" on our digital accounts using only our mobile phones, adding a very simple extra security layer.

For a complete presentation, feel free to visit their web page.

After this introduction, we are ready to start securing our VPS.
We are going to use Latch to prevent unauthorized logins to our server via SSH.

Creating our application

The first thing we need to do is sign up as developers on the Latch web page.
After registering our developer account, we need to create an application from our main menu:
[Screenshot: Creating an application]

We have to give it a name and, if we want, add an image.
There are two fields that matter to us at this point: Application ID and Secret, so keep this page open or save them in a secure place.

Registering our account

Once we've got our Latch developer account and our Latch application, it's time to pair our SSH user account with our Latch application.

All the scripts in these posts are based on Alejandro Ramos' scripts, published on this page.

#!/bin/bash
# Pair the current Unix user ($USER) with a Latch account.
# Usage: ./reg.sh <pairing-code> [debug]
if [ "$2" == "debug" ]; then set -x; fi   # debug mode also echoes the secret key
applicationId="PHKYXXXXXXXXXXXXX"          # your Latch Application ID
secretkey="TBKqEXXXXXXXXXXXXXXXXXXXXXXX"   # your Latch Secret
URL="/api/0.6/pair/$1"
LATCH="/home/LATCH/latch.accounts"        # one "user:accountId" line per paired user
if [ -z "$1" ]; then
 echo -e "\nUsage: $0 <pairing-code> [debug]\n"
 exit 1
fi
# grep -q tolerates a not-yet-created accounts file
if grep -q "^$USER:" "$LATCH" 2>/dev/null; then
 echo -e "\nAlready registered\n"
 exit 0
fi
# String to sign: method, UTC date, serialized X-11Paths-* headers (none here) and URL path
date=`date -u '+%Y-%m-%d %H:%M:%S'`
requestSignature="GET\n$date\n\n$URL"
# HMAC-SHA1 with the secret, base64-encoded straight from the binary digest
# (the raw bytes never pass through a shell variable, which would corrupt them)
b64signed=`echo -en "$requestSignature" | openssl dgst -sha1 -hmac "$secretkey" -binary | base64`
auth_header="Authorization: 11PATHS $applicationId $b64signed"
date_header="X-11Paths-Date: $date"
# TLS certificate verification is left enabled
JSON=`wget -q -O - --header "$auth_header" --header "$date_header" "https://latch.elevenpaths.com$URL"`
# Extract accountId; an error response contains none, so accountid stays empty
accountid=`echo "$JSON" | grep -o '"accountId":"[^"]*"' | cut -d'"' -f4`
if [ -z "$accountid" ]; then
 echo "Error: $JSON"
else
 echo "$USER:$accountid" >> "$LATCH"
 echo -e "\nDone.\n"
fi

I'm not going to detail how Latch requests are built, as they are thoroughly documented in the official docs and SDK.
Also notice that the "Application ID" and "Secret Key" values have been redacted, so be sure to fill them in with your own application's information.

Once it's written, save it somewhere you will remember. As an example, I will use /home/LATCH/reg.sh.
As you can see in the LATCH variable near the top of the script, a latch.accounts file will be created at /home/LATCH/latch.accounts. It will contain one user:accountId pair per line.

Also, the script detects which user is executing it via the $USER variable.
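To make the request-signing part of the script concrete, here is the same scheme written out in Python as an added example (not the page's script nor Eleven Paths' SDK): the string to sign is "GET", the UTC date, an empty header block and the URL path joined by newlines, HMAC-SHA1'd with the secret and base64-encoded. The credentials, the fixed timestamp and the two response bodies are constructed placeholders; the parser also handles the error body case, where no accountId must be written.

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed sample credentials (placeholders, not real Latch values).
APP_ID = "PHKYXXXXXXXXXXXXX"
SECRET = "TBKqEXXXXXXXXXXXXXXXXXXXXXXX"
FIXED_NOW = datetime(2014, 1, 1, 12, 0, 0, tzinfo=timezone.utc)


def string_to_sign(method, date, path):
    # Method, UTC date, serialized X-11Paths-* headers (none here) and
    # the URL path, separated by newlines: the same string reg.sh builds.
    return f"{method}\n{date}\n\n{path}"


def latch_headers(app_id, secret, method, path, now=None):
    """Authorization and X-11Paths-Date headers for one Latch API call."""
    now = now or datetime.now(timezone.utc)
    date = now.strftime("%Y-%m-%d %H:%M:%S")
    mac = hmac.new(secret.encode(), string_to_sign(method, date, path).encode(),
                   hashlib.sha1).digest()          # 20 raw bytes
    signature = base64.b64encode(mac).decode()     # 28 base64 characters
    return {"Authorization": f"11PATHS {app_id} {signature}",
            "X-11Paths-Date": date}


def pair_headers(app_id, secret, pairing_code, now=None):
    return latch_headers(app_id, secret, "GET", f"/api/0.6/pair/{pairing_code}", now)


def account_id_from_response(body):
    """accountId from a pairing response, or None for an error or odd body.
    Parsing the JSON avoids the sed trap: an error body is never
    mistaken for an account id and appended to latch.accounts."""
    try:
        data = json.loads(body).get("data")
    except (ValueError, AttributeError):
        return None
    return data.get("accountId") if isinstance(data, dict) else None


# Constructed sample bodies in the shape the pairing call returns.
OK_BODY = '{"data":{"accountId":"0123456789abcdef"}}'
ERR_BODY = '{"error":{"code":0,"message":"constructed error body"}}'

if __name__ == "__main__":
    print(pair_headers(APP_ID, SECRET, "abcdef", FIXED_NOW))
    print(account_id_from_response(OK_BODY), account_id_from_response(ERR_BODY))
```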

Now we've got everything set up for the pairing, so let's go!

We need to download the Latch application for our phone.

Once it is installed, we need to log in with our credentials (the same e-mail and password used when registering our developer account) and our Paired Services control panel will appear.

Now we need to add a service, so we press the "Add service" button and then "Generate a Pairing Code".
It will generate a secret code that remains valid for the next 60 seconds.

To pair our SSH account with our Latch application, we run the script with this syntax:

./reg.sh code

Example:

[Screenshot: Pairing account]
In my case it says that the user has already been registered, as I had run it previously.

It's that easy, really!

Now the pairing confirmation will appear on your phone, and we will be able to lock/unlock the service whenever we want.

The next step is setting up the server so that it acts according to the state of the Latch application.

We will see that in the next post: Securing a VPS with LATCH (II). Server behaviour