{"id":13619658,"url":"https://github.com/google/hiba","last_synced_at":"2025-04-14T16:32:20.777Z","repository":{"id":42082865,"uuid":"401256895","full_name":"google/hiba","owner":"google","description":"HIBA is a system built on top of regular OpenSSH certificate-based authentication that allows to manage flexible authorization of principals on pools of target hosts without the need to push customized authorized_users files periodically.","archived":false,"fork":false,"pushed_at":"2024-11-07T14:29:49.000Z","size":149,"stargazers_count":371,"open_issues_count":1,"forks_count":15,"subscribers_count":11,"default_branch":"main","last_synced_at":"2024-11-07T14:32:27.414Z","etag":null,"topics":["authorization","ssh"],"latest_commit_sha":null,"homepage":"https://github.com/google/hiba","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-3-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/google.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":"AUTHORS","dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-08-30T07:38:37.000Z","updated_at":"2024-10-29T16:28:45.000Z","dependencies_parsed_at":"2023-01-31T08:16:28.052Z","dependency_job_id":"d57e2124-864b-410a-be4a-62e9d40e2018","html_url":"https://github.com/google/hiba","commit_stats":null,"previous_names":[],"tags_count":5,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/google%2Fhiba","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/google%2Fhiba/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/google%2Fhiba/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/google%2Fhiba/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/google","download_url":"https://codeload.github.com/google/hiba/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":223638106,"owners_count":17177737,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["authorization","ssh"],"created_at":"2024-08-01T21:00:46.544Z","updated_at":"2024-11-08T05:31:44.414Z","avatar_url":"https://github.com/google.png","language":"C","readme":"# HIBA: Host Identity Based Authorization\n\nPronounce: /hiːba/\n\n## What is HIBA\n\nHIBA is a system built on top of regular OpenSSH certificate-based\nauthentication that allows to manage flexible authorization of principals on\npools of target hosts without the need to push customized authorized_users files\nperiodically.\n\nThe authorization is performed directly on the target host based on the user\ncertificate content and the local host identity only. Not accessing external\nservices makes it suitable for low dependency, last resort, SSH access.\n\nFor more details on how authorization is computed, see\n[PROTOCOL.authorizations](https://github.com/google/hiba/blob/main/PROTOCOL.authorizations).\n\n## Concepts\n\nHIBA defines two concepts: host identity and grants. See\n[PROTOCOL.extensions](https://github.com/google/hiba/blob/main/PROTOCOL.extensions)\nfor the exact specifications.\n\n### Host identity\n\nThis is a custom extension attached to host certificates that describes the main\nproperties of a target host. The format is flexible and only mandates one\nfield, `domain`, to help isolate different pools of hosts managed using the\nsame CA keys.\n\nAn example of a host identity could be:\n\n* domain: dmz.example.com\n* owner: frontend-team\n* location: US\n\n### Grants\n\nThis is also a custom extension, attached to user certificates that describes\nwhich hosts this certificate should be accepted on. The grant contains a set of\nconstraints that a host must match for the access to be authorized. These\nconstraints are compared to the host identity at connection time by the hiba-chk\nhelper. Due to the flexible nature of the host identity, the following\nsemantics apply:\n\n* Any field present in the grant and missing for the host identity is\n  considered invalid and will prevent access.\n* Any field missing from the grant and present in the host identity is\n  ignored for authorization purposes (equivalent to a wildcard).\n\n### Mechanism\n\nHIBA relies on a few properties provided by OpenSSH:\n\n* Certificate based authentication: a HIBA grant is a custom extension attached\n  to the certificate. This means the CA is responsible for verifying the scope\n  of the grant before attaching it.  Similarly, the host identity is attached to\n  the host certificate by the CA and must represent the target host.\n* AuthorizedPrincipalsCommand: this option of the sshd_config allows invoking an\n  external tool to dynamically generate the content of authorized_users. This\n  option is used to invoke `hiba-chk`, which knows how to extract the HIBA\n  extensions from user and host certificates and grants or denies access based\n  on the comparison.\n\n### GRL (Grant Revocation List)\n\nHIBA allows revoking individual grants rather than the whole certificate. See\n[PROTOCOL.grl](PROTOCOL.grl) for more information.\n\nNote: revocations at the grant granularity are not yet supported. The rationale\nfor not prioritizing these: full SSH certificate revocation is already supported\nby OpenSSH, only the finer granularity is lacking. Also, it is good practice\nto rely on short lived certificates, which often expire before the revocation\nlist makes it to the target host.\n\n## Prerequisites\n\nHIBA works on top of OpenSSH certificates. It relies on:\n\n* The AuthorizedPrincipalsCommand option that was added to OpenSSH 6.9\n* The `%u` and `%k` tokens that were added to OpenSSH 7.4\n\nFor compilation, configuration and installation instructions, see\n[INSTALL.md](https://github.com/google/hiba/blob/main/INSTALL.md).\n\n## Developers\n\nThe HIBA library can be used to add support for HIBA to a certificate authority.\n\nNote: None of this code is thread safe, and it is the responsibility of\nthe caller to ensure proper locking when accessing individual HIBA structures.\n\n### Generating HIBA enabled certificates\n\nHIBA enabled certificates are generated using the HIBA API defined in\n[extensions.h](https://github.com/google/hiba/blob/main/extensions.h) and the\nOpenSSH API defined in\n[sshkey.h](https://github.com/openssh/openssh-portable/blob/master/sshkey.h).\n\n* Using libhiba:\n  * Import or generate the required HIBA extensions (identity or grant)\n  * Serialize them into an sshbuf\n* Using libssh:\n  * Import or generate the SSH public key\n  * Attach generated extensions\n  * Sign the certificate with the CA private key\n  * Serialize it\n\nFor a simple local test setup see the\n [testing](https://github.com/google/hiba/blob/main/INSTALL.md#testing)\nsection of [INSTALL.md](https://github.com/google/hiba/blob/main/INSTALL.md).\n\n### Reading HIBA enabled certificates\n\nHIBA extensions can be extracted from existing certificates by relying on\nOpenSSH to decode/verify the certificate, extracting the HIBA extensions and\ninterpreting them with HIBA.\n\n* Using libssh:\n  * Import certificate\n  * Verify certificate signature\n  * List and extract relevant extensions\n* Using libhiba:\n  * Parse extensions\n  * Extract extensions' content\n\nlibhiba provides convenience functions to parse and extract HIBA extensions\ndirectly from a certificate, but it does not verify the certificate. It assumes\nthe certificate was validated by a prior stage.\n\n### Example CA\n\nSee the [CA](https://github.com/google/hiba/blob/main/CA.md) documentation for\na basic example of how the tools provided with HIBA can be used to manage\nextensions and certificates.\n","funding_links":[],"categories":["C","Apps"],"sub_categories":["*SSH* keys / Authentication"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgoogle%2Fhiba","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgoogle%2Fhiba","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgoogle%2Fhiba/lists"}