Giter Club home page Giter Club logo

corevault's Introduction

shortbread

OpenSSH CA signing and publishing Daemon.

Problem

Managing SSH keys has two problems:

  1. Onboarding new users to login to a box usually requires scp'ing keys to the target. Revoking requires removing the key (and remembering to do so).

  2. Users generally just blindly trust hosts the first time they connect. This opens users up to MitM attacks.

To fix these two problems OpenSSH has implemented an SSH CA system. However, it is a command line tool that is rather hard to use. See https://www.digitalocean.com/community/tutorials/how-to-create-an-ssh-ca-to-validate-hosts-and-clients-with-ubuntu

Solution

Put Go and HTTP on it! All of these features should work from the go.ssh library: https://godoc.org/code.google.com/p/go.crypto/ssh#Certificate

Onboarding New Users

User story: Alice the admin needs to give access to the prod cluster to Ian the intern.

Alice would post to a URL to sign a public key with constraints like time, or commands.

POST /v1/sign
{
	'certificate': 'prod-servers',
	'username': 'core',
	'validityInterval': '201506231248',
	'rsaPubkey': 'ssh-rsa AAUw==',
}

Then a daemon living on the users laptop would pull down their certificates from the signing machine.

GET /v1/certificates/fingerprint

$CERT_BODY

Unfortunatly Ian's laptop was stolen and he didn't encrypt the disk! We had better revoke his keys:

POST /v1/revoke
{
	'rsaPubkey': 'ssh-rsa AAUw==',

Onboarding New Hosts

Host verificiation would work very similarly. Lets get the user case down first.

corevault's People

Contributors

joshi4 avatar philips avatar jonboulle avatar bcwaldon avatar

Stargazers

MOZGIII avatar

Watchers

James Cloos avatar avatar avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.