https://github.com/sio/sshcertotp

Issue ssh certificate after asking for TOTP key
https://github.com/sio/sshcertotp

Last synced: 24 days ago
JSON representation

Issue ssh certificate after asking for TOTP key

• Host: GitHub
• URL: https://github.com/sio/sshcertotp
• Owner: sio
• Created: 2022-11-01T19:24:35.000Z (over 2 years ago)
• Default Branch: master
• Last Pushed: 2022-12-29T07:24:08.000Z (over 2 years ago)
• Last Synced: 2025-02-11T20:49:50.203Z (3 months ago)
• Language: Go
• Homepage:
• Size: 70.3 KB
• Stars: 0
• Watchers: 2
• Forks: 0
• Open Issues: 0
• Metadata Files:
  • Readme: README.md

Awesome Lists containing this project

README

        
# Issue ssh certificate after asking for TOTP key

## Known problems

### Denial of service: TOTP rate limit exhaustion

If attacker knows both your username and sshcertotp endpoint they may

trivially cause denial of service by supplying incorrect TOTP values more

frequently than allowed by TOTP validator rate limits. Until TOTP validation

attempt rate returns under the limit even correct TOTP values coming from a

legitimate user will not be accepted and certificates will not be issued for

this user.

If this is a problem in your use case, consider adding another authentication

factor before TOTP (password / IP allow list / messenger bot / etc).

To do that place your extra logic right after `term.ReadPassword()` call.

### Weakness: unencrypted CA private key

Current implementation assumes that CA private key is stored unencrypted on

the file system. This is fine for a proof of concept and for low stakes usage

scenario, but may pose a significant threat otherwise. Take this into

consideration before deploying.

Use more secure private key storage if possible: TPM, smart card, HSM

(requires source code modification).