{"id":20253509,"url":"https://github.com/chanzuckerberg/blessclient","last_synced_at":"2025-04-07T05:15:39.578Z","repository":{"id":33275634,"uuid":"145165965","full_name":"chanzuckerberg/blessclient","owner":"chanzuckerberg","description":"Go client to negotiate SSH certificates","archived":false,"fork":false,"pushed_at":"2025-03-13T01:50:36.000Z","size":19404,"stargazers_count":64,"open_issues_count":12,"forks_count":17,"subscribers_count":43,"default_branch":"main","last_synced_at":"2025-03-30T05:32:43.467Z","etag":null,"topics":["certificate","czi","rsync","scp","ssh","ssh-agent"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/chanzuckerberg.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-08-17T20:57:00.000Z","updated_at":"2025-02-17T15:43:18.000Z","dependencies_parsed_at":"2022-08-07T20:17:34.670Z","dependency_job_id":"48f1aaff-d067-431f-8f5d-d2f0949f06d0","html_url":"https://github.com/chanzuckerberg/blessclient","commit_stats":null,"previous_names":[],"tags_count":74,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chanzuckerberg%2Fblessclient","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chanzuckerberg%2Fblessclient/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chanzuckerberg%2Fblessclient/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chanzuckerberg%2Fblessclient/manife
sts","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/chanzuckerberg","download_url":"https://codeload.github.com/chanzuckerberg/blessclient/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247595335,"owners_count":20963943,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["certificate","czi","rsync","scp","ssh","ssh-agent"],"created_at":"2024-11-14T10:25:01.166Z","updated_at":"2025-04-07T05:15:39.500Z","avatar_url":"https://github.com/chanzuckerberg.png","language":"Go","readme":"# blessclient\n[![codecov](https://codecov.io/gh/chanzuckerberg/blessclient/branch/master/graph/badge.svg)](https://codecov.io/gh/chanzuckerberg/blessclient) [![Gitter chat](https://badges.gitter.im/gitterHQ/gitter.png)](https://gitter.im/chanzuckerberg/blessclient)\n\n**Please note**: If you believe you have found a security issue, _please responsibly disclose_ by contacting us at [security@chanzuckerberg.com](mailto:security@chanzuckerberg.com).\n\n----\n\nInspiration for this project comes from [lyft/python-blessclient](https://github.com/lyft/python-blessclient).\nWe decided to write in Go because it is much easier to distribute a statically linked binary to a large team than having to deal with python environments. 
Some features from [lyft/python-blessclient](https://github.com/lyft/python-blessclient) are currently missing but will be added over time while others are purposefully excluded.\n\n## Versions\nWe are currently in the process of releasing a new major version of blessclient that will replace [netflix/bless](https://github.com/Netflix/bless) for a version that relies on federated identity.\n\n### v0.x.x - deprecation notice\nThis version will soon be deprecated.\nFor the time-being `brew install blessclient` will still point to `v0.x.x`\n\nYou can use homebrew to install with\n```\nbrew tap chanzuckerberg/tap\nbrew install blessclient@1\n```\n\nWe will keep a v0 branch around for high priority fixes until migrated fully to `v1.x.x`.\n\n### v1.x.x - in active development\nMore to come.\n\n## Install\n\n### Linux + macOS\nWe recommend using [homebrew](https://brew.sh/):\n```\nbrew tap chanzuckerberg/tap\nbrew install blessclient@1\n```\n\n### WSL\nWe have tested on WSL Ubuntu-18. A couple extra steps are required:\n```\nsudo apt update \u0026\u0026 sudo apt install xdg-utils\nbrew tap chanzuckerberg/tap\nbrew install blessclient@1\n```\n\n## Usage\n\nAt a high level:\n1. [Install](#install) blessclient\n1. If you don't have an SSH key, generate one with `ssh-keygen -t rsa -b 4096`\n1. [Import](#import-config) or generate a blessclient config. You can find an example config [here](examples/config.yml).\n1. Run `blessclient run` and make sure there are no errors\n1. Modify your [ssh config](#sshconfig) to be bless compatible\n1. ssh, scp, rsync as you normally would\n\n### Config\n\nBy default, `blessclient` looks for configs in `~/.blessclient/config.yml`. 
You can always override this with `blessclient run -c /my/new/config.yml`\nSome more information on the config can be found [here](pkg/config/config.go).\n\nThere is a built-in method to facilitate the generation of blessclient configs:\n\n#### Import-config\n\nA few options here:\n- `blessclient import-config git@github.com:/..../teamA/blessconfig.yml`\n- `blessclient import-config https://www.github.com/..../teamA/blessconfig.yml`\n- `blessclient import-config /home/user/.../teamA/blessconfig.yml`\n- `blessclient import-config s3::https://s3.amazonaws.com/bucket/teamA/blessconfig.yml`\n\nThis command uses [go-getter](https://github.com/hashicorp/go-getter) to fetch a config and thus supports any source that [go-getter](https://github.com/hashicorp/go-getter#supported-protocols-and-detectors) supports.\n\nYou can see an example config with dummy values [here](examples/config.yml). Download the example, modify the values, and `blessclient import-config \u003cpath\u003e` it to get started.\n\n### .ssh/config\n\nThis is the nice part about blessclient - in general, you can write an ssh config to transparently use blessclient. scp, rsync, etc. should all be compatible!\n\nSuch an ssh config could look like:\n\n```\nMatch OriginalHost bastion.foo.com exec \"blessclient run\"\n  IdentityFile ~/.ssh/id_rsa\n\nHost 10.0.*\n  ProxyJump bastion.foo.com\n  User admin\n\nHost bastion.foo.com\n  User admin\n```\n\nThis ssh config does a couple of interesting things -\n\n- It transparently requests an ssh certificate if needed\n- It transparently does a ProxyJump through a bastion host (assuming 10.0.* is an ipblock for machines behind the bastion)\n\n## Common Errors\n\n### Unsafe RSA public key\nBless lambda is rejecting your key because it is not cryptographically sound. 
You can generate a new key `ssh-keygen -t rsa -b 4096` and use that instead.\n\n### SSH client 7.8 can't connect with certificates\nThere are a couple of outstanding bugs related to openSSH client 7.8\n- https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1790963\n- https://bugzilla.redhat.com/show_bug.cgi?id=1623929\n- https://bugs.archlinux.org/task/59838\n\nYou can check your version with\n```\nssh -V\n```\n\n## Commands\n\n### run\n`run` will run blessclient and attempt to fetch an SSH certificate from the CA. It requires blessclient to be properly configured beforehand.\n\n### import-config\n`import-config` will import blessclient configuration from a remote location and configure your local blessclient.\n\n### token\n`token` will print, json formatted, your oauth2/oidc id_token and access_token. This command requires blessclient to be properly configured beforehand. This command is not typically part of a common workflow.\n\nThe output will be written to stdout. The output is json formatted and looks like\n```json\n{\n  \"version\": 1,\n  \"id_token\": \"\u003cstring\u003e\",\n  \"access_token\": \"\u003cstring\u003e\",\n  \"expiry\": \"2020-07-20T12:18:02-04:00\"\n}\n```\nWhen running this command, no other output will be written to stdout.\n\n### version\n`version` will print blessclient's version.\n\n## Other\n### Deploying BLESS\nThere are already [several](https://github.com/lyft/python-blessclient#run-a-bless-lambda-in-aws) [great](http://marcyoung.us/post/bless-part1/) [guides](https://www.tastycidr.net/a-practical-guide-to-deploying-netflixs-bless-certificate-authority/) on how to run a BLESS lambda. If you take a moment to skim through these, you'll notice that setting up a successful BLESS deployment requires thorough knowledge of AWS Lambda and IAM. 
Even then, you'll probably spend hours digging through CloudWatch logs (and who likes doing that).\n\nTo further simplify this process, we've put together a terraform [provider](https://github.com/chanzuckerberg/terraform-provider-bless) and [module](https://github.com/chanzuckerberg/cztack/tree/master/bless-ca) to automate BLESS deployments.\n\n## Contributing\nContributions and ideas are welcome! Please don't hesitate to open an issue, join our [gitter chat room](https://gitter.im/chanzuckerberg/blessclient), or send a pull request.\n\nGo version \u003e= 1.12 required.\n\nThis project is governed under the [Contributor Covenant](https://www.contributor-covenant.org/version/1/4/code-of-conduct) code of conduct.\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fchanzuckerberg%2Fblessclient","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fchanzuckerberg%2Fblessclient","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fchanzuckerberg%2Fblessclient/lists"}