onetouch-ssh's Introduction

OneTouch SSH

OneTouch SSH protects a user's SSH login via a OneTouch approval. If anyone tries to SSH with your account into a protected machine, you'll receive a OneTouch notification allowing you to Approve or Deny access.

If there is no response to the OneTouch request within a set time, your Authy registered device will instead request confirmation via an SMS-delivered Authy OneCode.

Without OneTouch or SMS verification, access will not be granted.

Prerequisites

Install Go (https://golang.org/doc/install) and make sure both your GOROOT and GOPATH environment variables are set.

Create an SSH key

Open a terminal on your local computer and enter the following:

ssh-keygen -t rsa -C "[email protected]"

Just press <Enter> to accept the default location and file name.
Enter, and re-enter, a passphrase when prompted.

This keypair should be saved in your ~/.ssh/ folder with the filename you chose.

Install OneTouch SSH

go get github.com/dcu/onetouch-ssh

Configure API key

Get an Authy key from your Authy dashboard.

The next step is to run this command to set up your environment.

onetouch-ssh init

Add Users

Type the following command:

onetouch-ssh add-user <email> <country code> <phone number> <public key>

NOTE: You can add keys in one of two ways.

File Path

onetouch-ssh add-user [email protected] 1 4155551234 ~/.ssh/id_rsa.pub

Pasted Key

onetouch-ssh add-user [email protected] 1 4155551234 ssh-rsa AAM8sBlW9CmrCQRFAAB3NzaC1yc2EAAHELPAADAQABAAABAQCyFQwZ2pVKfNS5iztqwaoNFaGpbLGvngQIMZgIsf+AUfGFt3c9Y4STUCKd0642miDvb6XPLINgAVPVJGzEZbZoU/+gUGGlNb+UNIVERSEFACTORY/NsE/sWqx2wuK93nvIoJXP7V+4jet9mKITt0B5aBH0mdmtY3AZS2JsksrzIcjDYldLwo+nIVFE4c4f+T7m9M8sBlW9CmrCQRF7nMbkVgSQ3Npt2IiMJaJ/1gWBxycSgMVMFiUS1Q2P3znUsBGp7p9CGssq02+NavML3sXFASyBSZ [email protected]

Next you can start adding the users using the form. Type Ctrl-c to finish.

Enable

To enable OneTouch for SSH just type:

onetouch-ssh enable

And that's it, you can try to ssh to the server.

Usage

When you connect to the SSH server, it sends you a push notification that you must approve within a limited period of time:

$ ssh ssh.server.com
Sending approval request to your device... [sent]

If the user doesn't approve the request before the time expires, an Authy OneCode delivered via SMS is requested as a fallback.

$ ssh ssh.server.com
Sending approval request to your device... [sent]
You didn't confirm the request. A text-message was sent to your phone.
Enter security code:

Executing Commands

When you run commands, it displays information about the command, the server IP and the client IP.

Git Integration

When you push or fetch from git, nothing is displayed in the terminal, but you'll receive a push notification on your phone with the info. The information includes the server IP, client IP, geo location, branch and repository name.

Troubleshooting

Make sure your key and AuthyID are listed in the authorized_keys file

cat ~/.ssh/authorized_keys

Make sure the users you want to allow access to are listed in your users.list

cat ~/.authy-onetouch/users.list

onetouch-ssh's People

Contributors

dcu, josh-authy, kolargol, kuadrosx, pirogoeth

onetouch-ssh's Issues

OpenBSD: invalid argument

I got an issue after successful auth:

onetouch-ssh shell XXXXX  
Sending approval request to your device... [sent]
You've been logged in successfully.
invalid argument

On the app I see "Login on to: exit 1", so I suspect it cannot get the hostname on BSD? And as a result, exit code 1: users are unable to log in.

Automated tests?

We should attempt to add unit and integration tests for this. It would make pushing new releases easier. But, the only problem I can see is building forked sources since Go likes to get all pull-happy with source trees...

Ideas?

Error: Public Key was not found

I set up onetouch-ssh on a CentOS 7 VM. When trying to log in, I see the request was sent and I get a notification on my cell. When I click the approve button on my cell, I get an error message on the phone saying: There was an error processing the request: Public Key was not found. Is there some setting I am missing on the Authy side? Using the code works correctly if I wait long enough...

Authy API changed? Onetouch-ssh no longer working.

So, extra work this morning, onetouch wasn't working so I had to go in through the garage :)

Sending approval request to your device... Post https://api.authy.com//onetouch/json/users/<redacted>/approval_requests: invalid request :path "//onetouch/json/users/<redacted>/approval_requests"ME@MINE:~$

Guess Authy changed the API?

Handler panic on connection.

When the connection is initiated and the program tries to send the approval request, it panics.

Sending approval request to your device... panic: runtime error: invalid memory address or nil pointer dereference
[signal 0xb code=0x1 addr=0x0 pc=0x5080e8]

goroutine 1 [running]:
panic(0x8c3260, 0xc820010100)
        /home/sean/.gimme/versions/go1.6.1.linux.amd64/src/runtime/panic.go:464 +0x3e6
github.com/dcu/go-authy.NewApprovalRequest(0xc8202f6870, 0x7f71e979d1a8, 0x0, 0x0)
        /home/sean/.go/src/github.com/dcu/go-authy/approval_request.go:53 +0x1d8
github.com/dcu/go-authy.(*Authy).SendApprovalRequest(0xc8200dbec0, 0x7ffcb1cb0b8a, 0x7, 0xc8203ee180, 0x17, 0xc8203bc1e0, 0xc8203bc210, 0x0, 0x0, 0x0)
        /home/sean/.go/src/github.com/dcu/go-authy/api.go:142 +0x27b
github.com/dcu/onetouch-ssh/ssh.(*Verification).SendOneTouchRequest(0xc8200dbee0, 0x2b, 0x0, 0x0)
        /home/sean/.go/src/github.com/dcu/onetouch-ssh/ssh/verification.go:117 +0x731
github.com/dcu/onetouch-ssh/ssh.(*Verification).Run(0xc8200dbee0, 0x0, 0x0)
        /home/sean/.go/src/github.com/dcu/onetouch-ssh/ssh/verification.go:45 +0x6c
github.com/dcu/onetouch-ssh/cmd.glob.func6(0xbd5320, 0xc8201021f0, 0x1, 0x1)
        /home/sean/.go/src/github.com/dcu/onetouch-ssh/cmd/shell.go:47 +0x8d
github.com/spf13/cobra.(*Command).execute(0xbd5320, 0xc8201021a0, 0x1, 0x1, 0x0, 0x0)
        /home/sean/.go/src/github.com/spf13/cobra/command.go:565 +0x85a
github.com/spf13/cobra.(*Command).ExecuteC(0xbd5120, 0xbd5320, 0x0, 0x0)
        /home/sean/.go/src/github.com/spf13/cobra/command.go:651 +0x55c
github.com/spf13/cobra.(*Command).Execute(0xbd5120, 0x0, 0x0)
        /home/sean/.go/src/github.com/spf13/cobra/command.go:610 +0x2d
github.com/dcu/onetouch-ssh/cmd.Execute()
        /home/sean/.go/src/github.com/dcu/onetouch-ssh/cmd/root.go:42 +0x27
main.main()
        /home/sean/.go/src/github.com/dcu/onetouch-ssh/main.go:26 +0x14

Earlier today I was connecting from Putty and the connection would drop immediately without showing any logs.

I'm just filing this bug for historical purposes as I'm going to try to fix it right now.

Ninja edit: Going to attempt to determine if this bug is introduced here or in go-authy.

Non-key based logins are ignored by onetouch-ssh

In case sshd allows both key and key-less access, onetouch-ssh will not be enforced on clients who connect without a key.

One potential solution is to use ForceCommand in /etc/ssh/sshd_config to require a call to onetouch-ssh upon login.

I had configured my /etc/ssh/sshd_config in the following way:

Match User valexeev
  ForceCommand /home/valexeev/.authy-onetouch/login.sh

With login.sh containing:

#!/bin/sh
/usr/local/bin/onetouch-ssh shell AUTHYID

It should be possible to create a non-user dependent script that will check SSH environment variables to determine correct AUTHYID.
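
A check for the gap this issue describes, as an added example that is not part of the original issue or the project's code: it reads effective sshd settings in the "keyword value" form printed by `sshd -T` and lists every login path that never reaches onetouch-ssh. The function name keyless_paths and the sample settings are constructed for illustration.

```sh
#!/bin/sh
# Added example (not project code). Reads effective sshd settings on stdin in
# the lowercase "keyword value" form printed by `sshd -T`, and prints every
# login path that never reaches onetouch-ssh. $1 is the ForceCommand wrapper
# that runs onetouch-ssh, if one is configured (empty when none).
keyless_paths() {
  awk -v wrapper="${1:-}" '
    { key = $1; $1 = ""; sub(/^ +/, ""); cfg[key] = $0 }
    END {
      # A ForceCommand wrapper applies to every authentication method.
      if (wrapper != "" && cfg["forcecommand"] == wrapper) exit 0
      methods = cfg["authenticationmethods"]
      if (methods != "" && methods != "any") {
        # Alternatives are space separated; each one is a comma-separated
        # chain. A chain without publickey admits a key-less login.
        n = split(methods, alt, " ")
        for (i = 1; i <= n; i++)
          if (("," alt[i] ",") !~ /,publickey,/)
            print "authenticationmethods " alt[i]
        exit 0
      }
      # No required chain: any enabled non-key method is a bypass on its own.
      list = "passwordauthentication kbdinteractiveauthentication"
      list = list " challengeresponseauthentication hostbasedauthentication"
      list = list " gssapiauthentication"
      n = split(list, m, " ")
      for (i = 1; i <= n; i++)
        if (cfg[m[i]] == "yes") print m[i] " yes"
    }'
}

# Constructed sample: key login plus password login, no ForceCommand.
sample_default() {
  printf '%s\n' 'pubkeyauthentication yes' 'passwordauthentication yes' \
    'kbdinteractiveauthentication no' 'authenticationmethods any' \
    'forcecommand none'
}

# Prints the bypass path found in the sample.
sample_default | keyless_paths
```

On a real host, pipe `sshd -T` into the function, using `-C user=NAME` so that Match blocks such as the one above are resolved for that user; empty output means every login path is covered.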

`go get` fails -- undefined: authy.NewAuthyApi

I'm trying to build this, but alas, the build fails:

# github.com/dcu/onetouch-ssh
.go/src/github.com/dcu/onetouch-ssh/user.go:93: undefined: authy.NewAuthyApi

I tried downloading your go-authy library first and rebuilding, but still nothing:

root@gamma:~# go get github.com/dcu/go-authy
root@gamma:~# go get github.com/dcu/onetouch-ssh
# github.com/dcu/onetouch-ssh
.go/src/github.com/dcu/onetouch-ssh/user.go:93: undefined: authy.NewAuthyApi

Could this be some idiocy with my environment?
