{"id":26942465,"url":"https://github.com/connectedcars/auth-wrapper","last_synced_at":"2025-04-02T16:49:10.578Z","repository":{"id":37456793,"uuid":"220715698","full_name":"connectedcars/auth-wrapper","owner":"connectedcars","description":"Simple wrapper that exposes an ssh-agent to all sub processes","archived":false,"fork":false,"pushed_at":"2024-07-23T09:25:12.000Z","size":203,"stargazers_count":4,"open_issues_count":2,"forks_count":1,"subscribers_count":10,"default_branch":"master","last_synced_at":"2025-03-25T11:02:26.523Z","etag":null,"topics":["google-cloud-kms","ssh-agent","ssh-key"],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/connectedcars.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-11-09T23:14:52.000Z","updated_at":"2024-07-23T09:20:28.000Z","dependencies_parsed_at":"2024-07-23T11:17:37.612Z","dependency_job_id":null,"html_url":"https://github.com/connectedcars/auth-wrapper","commit_stats":{"total_commits":101,"total_committers":5,"mean_commits":20.2,"dds":"0.29702970297029707","last_synced_commit":"6d787c37495aecaa52a1d0064ebf771a19933f32"},"previous_names":[],"tags_count":7,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/connectedcars%2Fauth-wrapper","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/connectedcars%2Fauth-wrapper/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/connectedcars%2Fauth-wrapper/releases","manifests_url
":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/connectedcars%2Fauth-wrapper/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/connectedcars","download_url":"https://codeload.github.com/connectedcars/auth-wrapper/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246855489,"owners_count":20844937,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["google-cloud-kms","ssh-agent","ssh-key"],"created_at":"2025-04-02T16:49:09.713Z","updated_at":"2025-04-02T16:49:10.567Z","avatar_url":"https://github.com/connectedcars.png","language":"Go","readme":"# Auth wrapper\n\nCommand wrapper that exposes an ssh-agent to all sub processes with keys and ssh certs backed by Google Cloud KMS or local OpenSSH pem formatted keys.\n\nThis can be used in:\n\n* CI/CD pipelines when checking code out, running package installers pulling code from private repos.\n* Auditing and restricting access to distributed SSH servers in a central location\n\n# Setup\n\nAdd key location to your shell enviroment:\n\nGoogle KMS hosted key:\n\n``` bash\nexport SSH_KEY_PATH=kms://projects/yourprojectname/locations/global/keyRings/yourkeyring/cryptoKeys/ssh-key/cryptoKeyVersions/1\n```\n\nLocal key:\n\n``` bash\nexport SSH_KEY_PATH=build.pem\nexport SSH_KEY_PASSWORD=thepassword\n```\n\n# How to use\n\n## SSH login\n\n``` bash\nauth-wrapper ssh user@ip\nauth-wrapper ssh user@ip 'echo hello'\n```\n\n## Git checkout\n\n``` bash\nauth-wrapper git clone git@github.com:connectedcars/private-module.git\n```\n\n## Docker 
build\n\n``` bash\nauth-wrapper docker build --progress=plain --ssh default .\n```\n\n# Advanced\n\n## SSH Certs\n\nSigning server:\n\nThe signing server issues a certificate based on an allow list in authorized keys file format:\n\nhttp://man7.org/linux/man-pages/man8/sshd.8.html#AUTHORIZED_KEYS_FILE_FORMAT\n\nExample file:\n\nauthorized_keys:\n\n``` text\n# Only allow this public key access from 192.168.1.0/24 and to run command \"echo hello\" with principal name \"user1,serverType\"\nrestrict,command=\"echo hello\",from=\"192.168.1.0/24\",principals=\"user1,serverType\" ecdsa-sha2-nistp256 AAAA...C (copy from output of client) user1@company.com\n# Only allow this public key access with principal name \"user2\"\nrestrict,principals=\"user2\" ssh-rsa AAAA...D(copy from output of client) user2@company.com\n# Only allow sftp access with principal name \"user3\"\nrestrict,principals=\"user3\",command=internal-sftp AAAA...E (copy from output of client) user3@company.com\n```\n\nStarting the server:\n\n``` bash\nexport SSH_SIGNING_SERVER_LISTEN_ADDRESS=\":3080\"\nexport SSH_CA_KEY_PATH=\"kms://projects/yourprojectname/locations/global/keyRings/ssh-keys/cryptoKeys/ssh-key/cryptoKeyVersions/1\"\nexport SSH_CA_AUTHORIZED_KEYS_PATH=\"authorized_keys\"\nexport SSH_SIGNING_LIFETIME=\"60m\"\nauth-wrapper\n```\n\nUsing the client:\n\n``` bash\nexport SSH_KEY_PATH=kms://projects/yourprojectname/locations/global/keyRings/yourkeyring/cryptoKeys/ssh-key/cryptoKeyVersions/1\nexport SSH_SIGNING_SERVER_URL=\"http://localhost:3080\"\nauth-wrapper -p user1 ssh 1.2.3.4\nauth-wrapper -p serverType:gw ssh 1.2.3.4 # Use wildcard match\n```\n\nSSH Server:\n\nTo configure a SSH server to trust the signing server CA for a specific user:\n\n~/.ssh/authorized_keys:\n\n``` text\ncert-authority,principals=\"user1,serverType:gw\" ssh-rsa AAAA...(copy from output of signing server) ca key\n```\n\n# Options\n\n## Arguments\n\n* -principals : Principals to request\n\n## Environment 
variables\n\nClient options:\n\n* SSH_KEY_PATH: Path to SSH key, can be an OpenSSH PEM formatted key or a URL to a KMS key\n* SSH_KEY_PASSWORD: Password for the key, only used by PEM formatted keys\n* WRAP_COMMAND: Command to run with the arguments to auth-wrapper\n* SSH_SIGNING_SERVER_URL: URL for the signing server\n* SSH_PRINCIPALS: Principals to request\n\nSigning server options:\n\n* SSH_SIGNING_SERVER_LISTEN_ADDRESS: Listen address in the following format \":8080\"\n* SSH_CA_KEY_PATH: Path to CA signing key, only KMS keys supported at the moment and limited to \"Elliptic Curve P-256 key SHA256 Digest\"\n* SSH_CA_AUTHORIZED_KEYS_PATH: Path to authorized_keys following [AUTHORIZED_KEYS_FILE_FORMAT](http://man7.org/linux/man-pages/man8/sshd.8.html#AUTHORIZED_KEYS_FILE_FORMAT)\n\n# Google Cloud KMS key setup\n\nCreate keyring and key:\n\n``` bash\n# Create keyring\ngcloud kms keyrings create --location global ssh-keys\n# It needs to be SHA512 as the ssh client seems to default to this hashing algorithm and KMS pairs key size and hashing algorithms for some reason.\ngcloud kms keys create ssh-key --keyring ssh-keys --location global --default-algorithm rsa-sign-pkcs1-4096-sha512 --purpose asymmetric-signing\n# Give cloud build access to use the key\ngcloud kms keys add-iam-policy-binding ssh-key --keyring=ssh-keys --location=global --member user@company.com --role roles/cloudkms.signerVerifier\n```\n\n# Local key\n\nCurrently the Go SSH key implementation does not support the new OpenSSH format, so you need to use a PEM formatted key:\n\n``` bash\nssh-keygen -f build.key\nssh-keygen -f build.key -m 'PEM' -e \u003e build.pem\n```\n\n# Development\n\n## Release new version\n\n``` bash\nexport GITHUB_TOKEN=\"YOUR_GH_TOKEN\"\ngit tag -a v2.1.1 -m \"Release 2.1.1\"\ngit push origin v2.1.1\ngoreleaser release --clean\n```\n\n## VSCode setup\n\nsettings.json\n``` json5\n{\n    // Golang\n    \"go.useCodeSnippetsOnFunctionSuggest\": true,\n    \"go.useLanguageServer\": true,\n    
\"go.alternateTools\": {\n        \"go-languageserver\": \"gopls\"\n    },\n    \"go.buildOnSave\": \"off\",\n    \"go.vetOnSave\": \"off\",\n    \"go.useCodeSnippetsOnFunctionSuggestWithoutType\": true,\n    \"go.docsTool\": \"gogetdoc\",\n    \"editor.codeActionsOnSave\": {\n        \"source.organizeImports\": true\n    }\n}\n```\n\nlaunch.json\n``` json5\n{\n    // Use IntelliSense to learn about possible attributes.\n    // Hover to view descriptions of existing attributes.\n    // For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387\n    \"version\": \"0.2.0\",\n    \"configurations\": [\n        {\n            \"name\": \"Launch\",\n            \"type\": \"go\",\n            \"request\": \"launch\",\n            \"mode\": \"debug\",\n            \"program\": \"${workspaceFolder}/cmd/authwrapper\",\n            \"env\": {\n                \"SSH_KEY_PATH\": \"kms://projects/yourprojectname/locations/global/keyRings/yourkeyring/cryptoKeys/ssh-key/cryptoKeyVersions/1\",\n                \"SSH_SIGNING_SERVER_URL\": \"http://localhost:3080\",\n                //\"SSH_PRINCIPALS\": \"tlb\",\n\n                \"SSH_SIGNING_SERVER_LISTEN_ADDRESS\": \":3080\",\n                \"SSH_CA_KEY_PATH\": \"kms://projects/yourprojectname/locations/global/keyRings/yourkeyring/cryptoKeys/ssh-key/cryptoKeyVersions/1\",\n                \"SSH_CA_AUTHORIZED_KEYS_PATH\": \"${workspaceFolder}/authorized_keys\",\n                \"SSH_SIGNING_LIFETIME\": \"60m\",\n                \n                //\"SSH_KEY_PATH\": \"kms://projects/yourprojectname/locations/global/keyRings/yourkeyring/cryptoKeys/ssh-key/cryptoKeyVersions/1\",\n                \"GIT_SSH_COMMAND\": \"ssh -vvvv\",\n                \"DOCKER_BUILDKIT\": \"1\",\n                \"PROGRESS_NO_TRUNC\": \"1\",\n                \"SSH_AUTH_SOCK\": \"\"\n            },\n            \"args\": [\n                \"-principals\", \"tlb\",\n                //\"ssh-add\", \"-L\"\n                \"ssh\", 
\"-p\", \"22\", \"-vv\", \"-l\" ,\"tlb\", \"1.2.4.5\", \"hostname\"\n                //\"bash\", \"-c\", \"docker build --no-cache --progress=plain --ssh=default=$SSH_AUTH_SOCK .\",\n                //\"docker\", \"build\", \n                //\"--add-host=metadata.google.internal:192.168.65.2\", \n                //\"--no-cache\", \n                //\"--progress=plain\", \n                //\"--ssh=default=$SSH_AUTH_SOCK\", \n                //\"--build-arg=WRAP_IMAGE=gcr.io/cloud-builders/docker\",\n                //\"--build-arg=WRAP_COMMAND=/usr/bin/docker\",\n                //\"--build-arg=WRAP_NAME=docker\",\n                //\"--build-arg=SSH_KEY_PATH=kms://projects/yourprojectname/locations/global/keyRings/yourkeyring/cryptoKeys/ssh-key/cryptoKeyVersions/1\",\n                //\".\"\n                //\"git\", \"clone\", \"git@github.com:connectedcars/private-module.git\"\n            ],\n            \"showLog\": true\n        },\n        {\n            \"name\": \"Launch test function\",\n            \"type\": \"go\",\n            \"request\": \"launch\",\n            \"mode\": \"test\",\n            \"program\": \"${workspaceFolder}/cmd/main_test.go\",\n            \"args\": [\"-test.timeout\", \"999s\"]\n        },\n    ]\n}\n```\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fconnectedcars%2Fauth-wrapper","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fconnectedcars%2Fauth-wrapper","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fconnectedcars%2Fauth-wrapper/lists"}