{"id":19526251,"url":"https://github.com/dberzano/sshcertauth","last_synced_at":"2025-02-26T01:44:58.039Z","repository":{"id":2026353,"uuid":"2962635","full_name":"dberzano/sshcertauth","owner":"dberzano","description":"Use certificate authentication in HTTPS to authorize SSH connections","archived":false,"fork":false,"pushed_at":"2014-03-11T15:43:23.000Z","size":388,"stargazers_count":0,"open_issues_count":0,"forks_count":1,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-01-08T15:32:44.935Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"PHP","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/dberzano.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2011-12-12T07:37:56.000Z","updated_at":"2014-03-11T15:43:23.000Z","dependencies_parsed_at":"2022-07-18T08:31:02.241Z","dependency_job_id":null,"html_url":"https://github.com/dberzano/sshcertauth","commit_stats":null,"previous_names":[],"tags_count":8,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dberzano%2Fsshcertauth","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dberzano%2Fsshcertauth/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dberzano%2Fsshcertauth/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dberzano%2Fsshcertauth/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/dberzano","download_url":"https://codeload.github.com/dberzano/sshcertauth/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","re
positories_count":240777563,"owners_count":19855857,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-11T01:09:10.758Z","updated_at":"2025-02-26T01:44:57.843Z","avatar_url":"https://github.com/dberzano.png","language":"PHP","readme":"sshcertauth\n===========\n\nThis is *sshcertauth*, a set of **server-side** PHP and Bash scripts that enable\nusers to use their X.509 certificate to get the authorization to perform SSH.\n**No software is required to be installed on the client.**\n\n\nRationale\n---------\n\nThese server-side only scripts address the problem of giving SSH access to a\nuser who already happens to have a proper X.509 certificate. 
The user can, in\nprinciple, connect directly using their RSA private key, but *the server does\nnot have prior knowledge of its public counterpart*.\n\nBy installing these scripts only onto a server, we can leverage sshd and apache2\nto perform a two-step authentication, where the user:\n\n * points a browser to a web page (say: `https://hostname/auth`), where he/she\n   is given the authorization to use SSH;\n * connects to the host with `ssh -i /path/to/my_rsa_key.pem user@hostname`.\n\nThe authorization given by the web browser relies on the fact that, while\nauthenticating through HTTPS by presenting a client certificate, the client also\ncommunicates the public key.\n\n*sshcertauth* does the work of:\n\n * extracting the public key from the certificate in an HTTPS connection;\n * adding the key to the list of authorized keys read by sshd.\n\nEach key might also be given an expiration: once that has passed, the key is\ndeleted from the authorized keys list and the user will need to obtain the\nauthorization again.\n\nAdding each SSH public key by hand can be a painful process when dealing with a\nlarge number of users (like the Grid). If they already have a set of trusted\ncredentials, like an X.509 private key and certificate, it is a good thing to\nuse them for authentication; and if users don't have to install new software\nto use the system, it is even better. This is exactly what I propose with\n*sshcertauth*.\n\n\nAlternatives\n------------\n\n*[gsissh][1]* is a modified version of both *ssh* (client) and *sshd* (server)\nwhich directly supports certificate authentication, mostly used for the Grid.\n\n*sshcertauth* is meant to be a lighter alternative to that approach. We should\nnote however that *gsissh*, being Grid software, requires the user to issue a\n[proxy certificate][2] which will be used for the authentication. 
It is then a\ndifferent thing rather than an alternative, even if there are cases in which\nthe two are mostly interchangeable in functionality.\n\nSince a proxy certificate has a very limited validity in time, in this case\ntoo the authorization to use SSH (and all services requiring a proxy\ncertificate) has to be removed from time to time.\n\n*sshcertauth* is to be preferred where it is unfeasible, complicated, or\njust annoying for the user to install \"special\" software in addition to the\ntools he/she already knows: it requires only a web browser and the SSH client.\n\nAs said, *gsissh* supports all the extended features of a proxy certificate, while\n*sshcertauth* only supports plain X.509 (as HTTPS only supports that). If Grid\nfunctionality is required on the remote host, *gsissh* is then the proper\nsolution.\n\nSo *sshcertauth* cannot be considered a definitive replacement for *gsissh*.\n\n\nServer configuration\n--------------------\n\n*sshcertauth* has been developed with the [do not reinvent the wheel][3]\nphilosophy:\n\n\u003e You shouldn't reinvent the wheel. 
Unless you plan on learning more about\n\u003e wheels, that is.\n\nInstead of writing a new tool that integrates everything, we have decided to rely\non some special configuration bits of:\n\n * sshd\n * apache2 with mod_ssl\n * sudo (and the sudoers file)\n * crontab\n\n*sshcertauth* only provides a single PHP script (with some libraries) and a\nsingle shell script to add some missing authentication intelligence.\n\nIn order to enable some of the required functionality, some PAM and LDAP\nconfiguration might have to be performed as well.\n\n### Where can I find the installation procedure?\n\n * [How to configure an sshcertauth server, step by step][4]\n\n\nAuthor\n------\n\nDario Berzano, \u003cdario.berzano@cern.ch\u003e\n\n\n [1]: http://grid.ncsa.illinois.edu/ssh/\n [2]: http://www.ietf.org/rfc/rfc3820.txt\n [3]: http://www.codinghorror.com/blog/2009/02/dont-reinvent-the-wheel-unless-you-plan-on-learning-more-about-wheels.html\n [4]: http://newton.ph.unito.it/~berzano/w/doku.php?id=proof:sshcertauth\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdberzano%2Fsshcertauth","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdberzano%2Fsshcertauth","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdberzano%2Fsshcertauth/lists"}