nbeguier / cassh
SSH CA administration via CLI and GUI
Home Page: https://medium.com/leboncoin-engineering-blog/cassh-ssh-key-signing-tool-39fd3b8e4de7
License: Apache License 2.0
This error occurs when LDAP is disabled on both server and client.
When you add a key, you can see explicitly that the status is Pending:
$ cassh status
{
"expiration": "1970-01-01 01:00:00 (UTC+0000)",
"realname": "Firstname Lastname",
"ssh_key_hash": "2048 e8:00:ed:f3:ae:8c:d1:65:e6:3b:48:8f:d5:84:fd:f5 ",
"status": "PENDING",
"username": "username"
}
After an admin "activates" a user, same result, we can clearly see the status:
$ cassh status
Please type your LDAP password (user=Xavier Krantz):
{
"expiration": "1970-01-01 01:00:00 (UTC+0000)",
"realname": "Xavier Krantz",
"ssh_key_hash": "2048 e8:00:ed:f3:ae:8c:d1:65:e6:3b:48:8f:d5:84:fd:f5 ",
"status": "ACTIVE",
"username": "username"
}
However, there is currently no way to know if the key is signed, even if we can guess it, since we have an expiration date that is defined in the future:
$ cassh status
{
"expiration": "2017-08-26 11:29:19 (UTC+0000)",
"realname": "Firstname Lastname",
"ssh_key_hash": "2048 e8:00:ed:f3:ae:8c:d1:65:e6:3b:48:8f:d5:84:fd:f5 ",
"status": "ACTIVE",
"username": "username"
}
It could be nice to have an explicit field for quick understanding, especially for users who are not very familiar with CLI and ssh practices. Maybe a new field, or update the status field to SIGNED?
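One way to make the signed state explicit on the client side, as an added example that is not cassh's own code: it works only from the fields this issue shows, assumes the expiration format "YYYY-MM-DD HH:MM:SS (UTC+HHMM)" (the bare form without a zone, seen elsewhere on this page, is read as UTC), and treats the epoch-like expiration as "no certificate issued yet".

```python
"""Turn `cassh status` output into an explicit signed/unsigned verdict.

Added example; this is not cassh's own code. It relies only on the JSON
fields shown in the issue above. The "expiration" format is assumed to be
"YYYY-MM-DD HH:MM:SS (UTC+HHMM)"; the bare "YYYY-MM-DD HH:MM:SS" form seen
elsewhere on this page is read as UTC (an assumption).
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed samples, copied from the shapes quoted in the issue above.
SAMPLE_PENDING = json.loads("""{
  "expiration": "1970-01-01 01:00:00 (UTC+0000)",
  "realname": "Firstname Lastname",
  "ssh_key_hash": "2048 e8:00:ed:f3:ae:8c:d1:65:e6:3b:48:8f:d5:84:fd:f5 ",
  "status": "PENDING",
  "username": "username"
}""")
SAMPLE_ACTIVE_UNSIGNED = dict(SAMPLE_PENDING, status="ACTIVE")
SAMPLE_ACTIVE_SIGNED = dict(SAMPLE_ACTIVE_UNSIGNED,
                            expiration="2017-08-26 11:29:19 (UTC+0000)")

# An expiration this early means no certificate was ever issued: it is the
# Unix epoch as the server renders it. It prints 01:00 next to a +0000 label,
# so the cut-off is a coarse "before 1971" rather than equality with epoch 0.
NEVER_SIGNED_BEFORE = datetime(1971, 1, 1, tzinfo=timezone.utc)


def parse_expiration(value: str) -> datetime:
    """Parse a cassh expiration string into a timezone-aware datetime."""
    stamp, _, zone = value.strip().partition(" (")
    naive = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
    if zone.startswith("UTC") and zone.endswith(")") and len(zone) == 9:
        sign = -1 if zone[3] == "-" else 1
        offset = timedelta(hours=int(zone[4:6]), minutes=int(zone[6:8]))
        return naive.replace(tzinfo=timezone(sign * offset))
    return naive.replace(tzinfo=timezone.utc)  # assumption: no zone means UTC


def derive_state(status: dict, now: datetime) -> str:
    """Return PENDING, ACTIVE_UNSIGNED, SIGNED or EXPIRED.

    ACTIVE only records that an admin activated the account; it says nothing
    about whether a certificate exists. The expiration date is the only hint
    the client gets, which is exactly why an explicit field would help.
    """
    if status.get("status") != "ACTIVE":
        return status.get("status", "UNKNOWN")
    expiration = parse_expiration(status["expiration"])
    if expiration < NEVER_SIGNED_BEFORE:
        return "ACTIVE_UNSIGNED"
    if expiration > now:
        return "SIGNED"
    return "EXPIRED"


def explain(status: dict, now=None) -> dict:
    """The same JSON plus the explicit fields the issue asks for."""
    now = now or datetime.now(timezone.utc)
    state = derive_state(status, now)
    return dict(status, derived_status=state, signed=(state == "SIGNED"))


if __name__ == "__main__":
    for sample in (SAMPLE_PENDING, SAMPLE_ACTIVE_UNSIGNED, SAMPLE_ACTIVE_SIGNED):
        print(json.dumps(explain(sample), indent=2))
```

This is a client-side heuristic only: it cannot distinguish "never signed" from "signed with a certificate the server chose to expire at the epoch", which is why the server-side field the issue proposes is the real fix.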
Add ip, user agent, version, account and wrong inputs
Also, disable logs for /ping and /health
Return wrong key!!
/cluster/status only for now
Use token in conf and use it to log in
Is it possible to use startTLS with LDAP authentication? My LDAP server has an SSF of 256 and requires secure connections.
Extract tools functions into a separate library
It should be possible to enable http only for the WebUI
127.0.0.1:41578 - - [09/Jul/2017 12:04:07] "HTTP/1.1 GET /admin/user" - 200 OK
do_ca_sign: unable to open "/tmp/tmpDAkVaX": No such file or directory
So, I have set up the cassh server, and created a key, but I have no idea how to deploy the files necessary to be able to use my newly created and signed key on an SSH server.
Could somebody write up some quick instructions on the following:
Quick start incomplete and pretty messy
It would be really great to be able to specify all configuration attributes via environment variables. For example to the path to settings.txt for cassh-web.
Furthermore, it would also be super handy to be able to define keys as paths to files. This would allow keys to be mounted in Kubernetes as secrets and the rest of the configuration could reside in a ConfigMap.
Both changes would allow a fast and consistent configuration and deployment of all the components in a Kubernetes cluster.
Thanks,
Thomas
[user]
name = nbeguier
realname = Nicolas Beguier
pubkey_path = /root/.ssh/id_rsa
url = http://172.17.0.2:8080
auth = None # None or ldap
For instance, postgres passwd and hostname
Client already gives version in header: HTTP_CLIENT_VERSION
A Server class that has the CASSH-specific methods
And finally the Tools class could be removed and these methods would go back as functions:
pg_connection
get
post
sql_to_json
and tools might be renamed as cassh_utils
How to test our ssh signed key
keys are not displayed properly:
"ssh_key_hash": "2048 e8:47:77:a6:ea:aa:7d:26:67:24:ba:3a:52:b6:3f:ce ",
"ssh_key_hash": "2048 SHA256:R8NwvNikoqVR9DMwvNikoqVR9DdOSwvNikoqVR9D roberto@roberto-ThinkPad-T470p (RSA)\n",
"ssh_key_hash": "256 SHA256:hf44FmQ8YdbeEdO+u7geOKv",
It could be better to split this into categories:
and show the length.
Why not add a rate to help the admin to validate a key
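The three `ssh_key_hash` shapes quoted in the display issue above (an MD5 colon-hex fingerprint, the full `ssh-keygen -l` line with comment and key type, and a bare SHA256 digest) can be normalised into the categories that issue asks for, and the admin-facing rating the second issue asks for can be layered on top. This is an added example, not cassh's code; the rating policy is an illustrative assumption, and the samples are the strings from the issue.

```python
"""Normalise the inconsistent "ssh_key_hash" strings into categories.

Added example, not cassh's own code. The three input shapes are the ones
quoted in the issue above. The rating policy in rate() is an illustrative
assumption, not anything cassh implements.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed samples, taken from the three lines in the issue above.
SAMPLE_MD5 = "2048 e8:47:77:a6:ea:aa:7d:26:67:24:ba:3a:52:b6:3f:ce "
SAMPLE_SHA256_FULL = ("2048 SHA256:R8NwvNikoqVR9DMwvNikoqVR9DdOSwvNikoqVR9D "
                      "roberto@roberto-ThinkPad-T470p (RSA)\n")
SAMPLE_SHA256_BARE = "256 SHA256:hf44FmQ8YdbeEdO+u7geOKv"

KEY_HASH_RE = re.compile(
    r"""^\s*(?P<bits>\d+)\s+
        (?P<fp>(?:MD5:)?(?:[0-9a-f]{2}:){15}[0-9a-f]{2}   # legacy MD5 colon-hex
              |SHA256:[A-Za-z0-9+/=]+)                    # modern base64 digest
        (?:\s+(?P<comment>.*?))?                          # free-form key comment
        (?:\s+\((?P<type>[A-Z0-9-]+)\))?                  # "(RSA)", "(ED25519)", ...
        \s*$""",
    re.VERBOSE,
)


@dataclass(frozen=True)
class KeyFingerprint:
    bits: int
    algorithm: str           # "MD5" or "SHA256"
    fingerprint: str         # digest with its algorithm prefix, as ssh-keygen prints it
    comment: Optional[str]
    key_type: Optional[str]  # only present when the server kept the ssh-keygen suffix
    complete: bool           # a real SHA256 digest is 43 base64 chars (no padding)


def parse_key_hash(raw: str) -> KeyFingerprint:
    """Split one ssh_key_hash string into its components, or raise ValueError."""
    m = KEY_HASH_RE.match(raw)
    if not m:
        raise ValueError(f"unrecognised ssh_key_hash: {raw!r}")
    fp = m.group("fp")
    if fp.startswith("SHA256:"):
        algorithm, digest = "SHA256", fp[len("SHA256:"):]
        complete = len(digest.rstrip("=")) == 43
    else:
        algorithm = "MD5"
        digest = fp[len("MD5:"):] if fp.startswith("MD5:") else fp
        fp = "MD5:" + digest  # always carry the prefix so the two never look alike
        complete = True       # the regex already enforced the 16-byte form
    return KeyFingerprint(
        bits=int(m.group("bits")),
        algorithm=algorithm,
        fingerprint=fp,
        comment=m.group("comment") or None,
        key_type=m.group("type"),
        complete=complete,
    )


def rate(fp: KeyFingerprint) -> str:
    """Illustrative admin hint (assumption, not cassh policy)."""
    if fp.key_type is None:
        return f"unknown: key type not recorded, cannot judge a {fp.bits}-bit key"
    if fp.key_type == "DSA" or (fp.key_type == "RSA" and fp.bits < 2048):
        return "weak"
    if fp.key_type == "ED25519" or (fp.key_type == "RSA" and fp.bits >= 3072):
        return "strong"
    return "acceptable"


if __name__ == "__main__":
    for raw in (SAMPLE_MD5, SAMPLE_SHA256_FULL, SAMPLE_SHA256_BARE):
        parsed = parse_key_hash(raw)
        print(parsed, "->", rate(parsed))
```

The `complete` flag matters for an admin validating a key by fingerprint: a digest that is not the full 43 characters (both SHA256 samples on this page are shorter) cannot be compared against what `ssh-keygen -l` prints locally, so the UI should not present it as if it could.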
There is no way to check the web interface of the web UI.
HEAD / is the only way, but that logs too much.
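Both this request and the earlier one to disable logs for /ping and /health come down to the same thing: silence health probes in the access log without hiding anything else. Below is an added example (not cassh's code) of a `logging.Filter` that does this, assuming the access-log line format visible on this page and a probe allowlist of exactly /ping and /health; the sample lines are constructed.

```python
"""Drop health-probe lines from an access log, and nothing else.

Added example, not cassh's own code. It assumes the access-log line format
seen on this page (`host:port - - [date] "HTTP/1.1 GET /path" - 200 OK`) and
an allowlist of /ping and /health for GET and HEAD only.
"""
import logging
import re

PROBE_PATHS = frozenset({"/ping", "/health"})
PROBE_METHODS = frozenset({"GET", "HEAD"})

# Protocol comes before the method in this log format.
REQUEST_RE = re.compile(r'"HTTP/\d\.\d (?P<method>[A-Z]+) (?P<target>\S+)"')

# Constructed sample lines in the page's format.
SAMPLE_LINES = [
    '127.0.0.1:41578 - - [09/Jul/2017 12:04:07] "HTTP/1.1 GET /admin/user" - 200 OK',
    '127.0.0.1:41580 - - [09/Jul/2017 12:04:08] "HTTP/1.1 GET /ping" - 200 OK',
    '127.0.0.1:41581 - - [09/Jul/2017 12:04:09] "HTTP/1.1 HEAD /health" - 200 OK',
    '127.0.0.1:41582 - - [09/Jul/2017 12:04:10] "HTTP/1.1 GET /ping?probe=1" - 200 OK',
    '127.0.0.1:41583 - - [09/Jul/2017 12:04:11] "HTTP/1.1 GET /admin/user/ping" - 200 OK',
    '127.0.0.1:41584 - - [09/Jul/2017 12:04:12] "HTTP/1.1 POST /health" - 405 Method Not Allowed',
]


def is_health_probe(line: str) -> bool:
    """True only for GET/HEAD requests whose path is exactly a probe path."""
    m = REQUEST_RE.search(line)
    if not m:
        return False  # not an access line we understand: never suppress it
    # Strip the query string by hand rather than with urlsplit, so that a
    # target like "//evil/ping" keeps its leading "//" and is not treated as
    # the probe path. Exact match also keeps "/admin/user/ping" and
    # "/health/../admin" in the log; a client cannot hide a request this way.
    path = m.group("target").split("?", 1)[0]
    return m.group("method") in PROBE_METHODS and path in PROBE_PATHS


class HealthProbeFilter(logging.Filter):
    """Attach to the access logger to silence probe lines."""

    def filter(self, record: logging.LogRecord) -> bool:
        return not is_health_probe(record.getMessage())


class ListHandler(logging.Handler):
    """Collects formatted records so the result can be inspected."""

    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(self.format(record))


def filter_access_log(lines):
    """Push raw lines through a logger carrying HealthProbeFilter; return survivors."""
    logger = logging.getLogger("cassh.access.example")
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = ListHandler()
    logger.addHandler(handler)
    logger.addFilter(HealthProbeFilter())
    for line in lines:
        logger.info("%s", line)
    return handler.lines


if __name__ == "__main__":
    for kept in filter_access_log(SAMPLE_LINES):
        print(kept)
```

The POST to /health survives on purpose: only the methods a probe actually uses are exempt, so anything unusual aimed at those paths still leaves a trace.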
$ cassh admin abricot status
Please type your LDAP password (user=[email protected]):
{
"expiration": "2017-09-22 10:02:56",
"realname": "[email protected]",
"ssh_key_hash": "2048 9c:22:1xxxxxb:d2:3b ",
"status": "ACTIVE",
"username": "abricot"
}
config.debug = False
This is a feature request.
In addition to LDAP authentication, it would be possible to authenticate users with OpenID Connect. This would make it possible to integrate cassh into environments where Google Accounts are used to authenticate users (and, of course, other environments that employ an identity provider which supports OpenID Connect).
TODOs are in every help message in the lbcssh script