Data

Tools

Indexes

Applications

Experiments

Awesome

An open API service indexing awesome lists of open source software.

https://github.com/rorycl/sshagentca

An ssh server forwarding agent certificate authority
https://github.com/rorycl/sshagentca

certificate-authority go golang ssh-agent ssh-agent-forwarding ssh-server

Last synced: about 1 month ago
JSON representation

An ssh server forwarding agent certificate authority

Awesome Lists containing this project

README 

          
# sshagentca



version 0.0.9 : 23 August 2023



A server to add ssh user certificates to ssh forwarded agents.



Running the server:



    sshagentca -h

    sshagentca -t  -c  -i  -p 

               



Example client usage using the `briony` key in the docker example at

[`sshagentca-docker`](https://github.com/rorycl/sshagentca-docker),

which has the public key registered in the server settings.yaml:



    $ eval $(ssh-agent)

      Agent pid 2490112



    $ ssh-add briony

      Identity added: briony (briony@test.com)



    $ ssh-add -l

      256 SHA256:Ye3VV0z4vDvAuiZYqw4ji2Ht/JlDTMNlpTZoeZR+bDs briony@test.com (ED25519)



    $ ssh -A -p 2222 127.0.0.1

      acmeinc ssh user certificate service

      

      welcome, briony

      certificate generation complete

      run 'ssh-add -l' to view

      goodbye



    $ ssh-add -l

      256 SHA256:Ye3VV0z4vDvAuiZYqw4ji2Ht/JlDTMNlpTZoeZR+bDs briony@test.com (ED25519)

      256 SHA256:wfFD6xj3qGNCli3WkRda8SMbRP6WwleZWU9dt9oJDZw acmeinc_briony_from:2022-05-24T06:06_to:2022-05-24T09:06UTC (ED25519-CERT)



    $ ssh -p 48084 root@127.0.0.1

      Welcome to Alpine!

      ...

      fd54c3009dc2:~# exit



Note that the login username that the client provides when connecting to

`sshagentca` is ignored - it does not have to match the `name:` in

`settings.yaml`.



Certificates from `sshagentca` can be conveniently used with

[pam-ussh](https://github.com/uber/pam-ussh) to control sudo privileges

on suitably configured servers.



Please refer to the specification at PROTOCOL.certkeys at

https://www.openssh.com/specs.html and the related go documentation at

https://godoc.org/golang.org/x/crypto/ssh.



## Building



```

go get github.com/rorycl/sshagentca

```



The binary will be installed in `~/go/bin/sshagentca` by default.



## Details



The server requires an ssh private key and ssh certificate authority

(CA) private key, with a password required for the CA key at least.

The server will prompt for passwords on startup, or the environmental

variables `SSHAGENTCA_PVT_KEY` and `SSHAGENTCA_CA_KEY` can be set.



Configuration is done in the settings.yaml file and include

certificate settings such as the validity period and organisation name,

the prompt received by the client. Users are configured in the

`user_principals` section, where each user is required to have a name,

ssh public key and list of principals to be set out.



The server will run on the specified IP address and port, by default

0.0.0.0:2222.



If the server runs successfully, it will respond to ssh connections that

have a public key listed in `user_principals` section and which have a

forwarded agent. This response will be to insert an ssh user certificate

into the forwarded agent which is signed by `caprivatekey` with the

parameters set out in `settings.yaml` and restrictions as noted below.



sshagentca generates a new key and corresponding certificate to insert

into the client's ssh-agent, signed using ed25519 keys. The CA key you

provide to sign the certificate may be a different key.



Clients can authenticate to sshagentca using any key type supported by

go's `x/crypto/ssh` package, including ed25519 keys introduced in go

1.13. Key types supported include the ecdsa-sk key used with U2F

security keys, introduced in OpenSSH 8.2. As a result, you should be

able to use a physical U2F token with an OpenSSH 8.2 client to

authenticate to sshagentca, whilst the keys and certificates it issues

can be used to login to older versions of sshd.



## Certificate Restrictions



The project currently has no support for host certificates, although

these could be easily added.



With reference to

https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD

there is no support presently for customising *critical options*, and

only the standard *extensions*, such as `permit-agent-forwarding`,

`permit-port-forwarding` and `permit-pty` are permitted.



Each certificate's principals settings are taken from the principals set

out for the specific connecting client public key from the

`user_principals` settings.



The `valid after` timestamp in the generated certificates is set

according to the `validity` settings parameter, specified in minutes.

A `validity` duration of 24 hours or more is not permitted.



## Key generation



To generate new server keys, refer to man ssh-keygen. For example:



    ssh-keygen -t rsa -b 4096 -f id_server



and specify a password. The id_server file is the private key. Certificate

authority keys are generated in the same way, although adding a comment is often

considered sensible for CA key management, e.g.:



    ssh-keygen -t rsa -b 4096 -f ca -C "CA for example.com"



and choose a password. The ca file is the private key. The ca.pub key in

this example should be used in the sshd_config file on any server for

which you wish to grant certificate-authenticated access. For example:



    TrustedUserCAKeys /etc/ssh/ca.pub



The use of principals to provide "zone" based access to servers is set out at

https://engineering.fb.com/security/scalable-and-secure-access-with-ssh/



## Thanks



Thanks to Peter Moody for his pam-ussh announcement at

https://medium.com/uber-security-privacy/introducing-the-uber-ssh-certificate-authority-4f840839c5cc

which was the inspiration for this project, and the comments and help

from him and others on the ssh mailing list.



## License



This project is licensed under the [MIT Licence](LICENCE).



Rory Campbell-Lange