nbeguier / cassh


SSH CA administration via CLI and GUI

Home Page: https://medium.com/leboncoin-engineering-blog/cassh-ssh-key-signing-tool-39fd3b8e4de7

License: Apache License 2.0


cassh's Introduction

CASSH


OpenSSH features reach their limit when it comes to industrialization. We don't want an administrator to sign every user's public key by hand every day, so we need a service for that. That is exactly the purpose of CASSH: signing keys! Developed for @leboncoin.

https://medium.com/leboncoin-engineering-blog/cassh-ssh-key-signing-tool-39fd3b8e4de7

Usage

Client CLI

Add a new key to cassh-server:

cassh add

Sign a public key:

cassh sign [--display-only] [--force]

Get the public key status:

cassh status

Get the CA public key:

cassh ca

Get the CA KRL (key revocation list):

cassh krl

Admin CLI

usage: cassh admin [-h] [-s SET] [--add-principals ADD_PRINCIPALS]
                   [--remove-principals REMOVE_PRINCIPALS]
                   [--purge-principals]
                   [--update-principals UPDATE_PRINCIPALS]
                   [--principals-filter PRINCIPALS_FILTER]
                   username action

positional arguments:
  username              Username of client's key, if username is 'all' status
                        return all users
  action                Choice between : active, delete, revoke, set, search,
                        status keys

optional arguments:
  -h, --help            show this help message and exit
  -s SET, --set SET     CAUTION: Set value of a user.
  --add-principals ADD_PRINCIPALS
                        Add a list of principals to a user, should be
                        separated by comma without spaces.
  --remove-principals REMOVE_PRINCIPALS
                        Remove a list of principals to a user, should be
                        separated by comma without spaces.
  --purge-principals    Purge all principals to a user.
  --update-principals UPDATE_PRINCIPALS
                        Update all principals to a user by the given
                        principals, should be separated by comma without
                        spaces.
  --principals-filter PRINCIPALS_FILTER
                        Look for users by the given principals filter, should
                        be separated by comma without spaces.

Activate a client's key:

cassh admin <username> active

Revoke a client's key:

cassh admin <username> revoke

Delete a client's key:

cassh admin <username> delete

Get the status of a client's key:

cassh admin <username> status

Set attributes of a client's key:

# Set expiry to 7 days
cassh admin <username> set --set='expiry=7d'

# Add principals to the existing ones
cassh admin <username> set --add-principals foo,bar

# Remove principals from the existing ones
cassh admin <username> set --remove-principals foo,bar

# Replace the existing principals with the given ones
cassh admin <username> set --update-principals foo,bar

# Purge all principals
cassh admin <username> set --purge-principals

Search principals among clients:

cassh admin all search --principals-filter foo,bar

Install

Server

INSTALL.md

Client

INSTALL.md

Cassh WebUI

INSTALL.md

Quick test

Server side

Install Docker: https://docs.docker.com/engine/installation/

Prerequisites

# Install the utilities needed by tests/test.sh
sudo apt install pwgen jq

# Use 'sudo' only if your user lacks Docker rights; better, add your user to the docker group
pip install -r tests/requirements.txt

cp tests/cassh/cassh.conf.sample tests/cassh/cassh.conf
cp tests/cassh/ldap_mapping.json.sample tests/cassh/ldap_mapping.json

# Edit cassh.conf file to configure the hosts

# Generate temporary certificates
mkdir test-keys
ssh-keygen -C CA -t rsa -b 4096 -o -a 100 -N "" -f test-keys/id_rsa_ca # without passphrase
ssh-keygen -k -f test-keys/revoked-keys

############################################
# BEGIN THE ONE OR MULTIPLE INSTANCES STEP #
############################################

# Duplicate the cassh.conf
cp tests/cassh/cassh.conf tests/cassh/cassh_2.conf
# Generate another krl
ssh-keygen -k -f test-keys/revoked-keys-2
sed -i "s/revoked-keys/revoked-keys-2/g" tests/cassh/cassh_2.conf

One instance

# Launch this on another terminal
bash tests/launch_demo_server.sh --server_code_path ${PWD} --debug
$ /opt/cassh/src/server/server.py --config /opt/cassh/tests/cassh/cassh.conf

# When 'http://0.0.0.0:8080/' appears, start this script
bash tests/test.sh

Multiple instances

The same as previously, but run this to start a second cassh-server instance on another port:

# Launch this on another terminal
bash tests/launch_demo_server.sh --server_code_path ${PWD} --debug --port 8081
$ /opt/cassh/src/server/server.py --config /opt/cassh/tests/cassh/cassh_2.conf

Client side

Generate a key pair, then sign it:

git clone https://github.com/nbeguier/cassh.git /opt/cassh
cd /opt/cassh

# Generate key pair
mkdir test-keys
ssh-keygen -t rsa -b 4096 -o -a 100 -f test-keys/id_rsa

rm -f ~/.cassh
cat << EOF > ~/.cassh
[user]
name = user
key_path = ${PWD}/test-keys/id_rsa
key_signed_path = ${PWD}/test-keys/id_rsa-cert
url = http://localhost:8080

[ldap]
realname = [email protected]
EOF

# List keys
python cassh status

# Add it into server
python cassh add

# ADMIN: activate the key
python cassh admin user active

# Sign it
python cassh sign [--display-only]

License

Licensed under the Apache License, Version 2.0 (the "License").

Copyright

Copyright 2017-2022 Nicolas BEGUIER; (nbeguier - nicolas_beguier[at]hotmail[dot]com)


cassh's Issues

Cassh Server - clean functions

A Server class that has the CASSH-specific methods:

  • list_keys
  • sign_keys

A ClusterController class with:

  • status (cluster_alived)
  • get_krl (cluster_last_krl)
  • update_krl (cluster_update_krl)

Maybe Server would merge into ClusterController at some point and just be renamed as Controller with an option / param to support cluster mode.

And finally the Tools class could be removed and these methods would go back as functions:

  • pg_connection
  • get
  • post
  • sql_to_json

and tools might be renamed as cassh_utils

Add a "signed" field to the "cassh status" command

Context

When you add a key, you can see explicitly that the status is Pending

$ cassh status
{
    "expiration": "1970-01-01 01:00:00 (UTC+0000)", 
    "realname": "Firstname Lastname", 
    "ssh_key_hash": "2048 e8:00:ed:f3:ae:8c:d1:65:e6:3b:48:8f:d5:84:fd:f5 ", 
    "status": "PENDING", 
    "username": "username"
}

After an admin "activates" a user, same result, we can clearly see the status:

$ cassh status
Please type your LDAP password (user=Xavier Krantz): 
{
    "expiration": "1970-01-01 01:00:00 (UTC+0000)", 
    "realname": "Xavier Krantz", 
    "ssh_key_hash": "2048 e8:00:ed:f3:ae:8c:d1:65:e6:3b:48:8f:d5:84:fd:f5 ", 
    "status": "ACTIVE", 
    "username": "username"
}

However, currently there is no way to know if the key is signed ...
Even if we can guess it, since we have an expiration date that is defined in the future:

$ cassh status
{
    "expiration": "2017-08-26 11:29:19 (UTC+0000)", 
    "realname": "Firstname Lastname", 
    "ssh_key_hash": "2048 e8:00:ed:f3:ae:8c:d1:65:e6:3b:48:8f:d5:84:fd:f5 ", 
    "status": "ACTIVE", 
    "username": "username"
}

Feature Request:

It could be nice to have an explicit field for quick understanding, especially for users who are not very familiar with CLI and ssh practices. Maybe a new field or update the status field to SIGNED?
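As an added illustration (not code from the cassh project): the client already has the signed certificate at key_signed_path, so a "signed" field can be derived locally by decoding the OpenSSH certificate and comparing its validity window with the current time. The parser follows the OpenSSH certificate wire format; build_demo_cert constructs an unsigned stand-in so the example runs offline.

```python
import base64
import struct

# Wire helpers for the SSH "string", uint32 and uint64 types (RFC 4251).
def _s(b):
    return struct.pack(">I", len(b)) + b
def _rd_s(buf, off):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n
def _rd_u(buf, off, fmt):
    return struct.unpack_from(fmt, buf, off)[0], off + struct.calcsize(fmt)

# Key-specific fields between the nonce and the serial: ed25519 carries pk; RSA carries e, n.
_PUBKEY_FIELDS = {"ssh-ed25519-cert-v01@openssh.com": 1, "ssh-rsa-cert-v01@openssh.com": 2}

def parse_cert(line):
    """Decode an OpenSSH certificate line (the content of id_rsa-cert.pub) into its fields."""
    ctype, b64 = line.split()[:2]
    buf = base64.b64decode(b64)
    off = 0
    for _ in range(2 + _PUBKEY_FIELDS[ctype]):  # type string, nonce, then the key fields
        _, off = _rd_s(buf, off)
    serial, off = _rd_u(buf, off, ">Q")
    cert_kind, off = _rd_u(buf, off, ">I")  # 1 = user cert, 2 = host cert
    key_id, off = _rd_s(buf, off)
    princ_blob, off = _rd_s(buf, off)
    principals, p = [], 0
    while p < len(princ_blob):  # nested list of strings
        name, p = _rd_s(princ_blob, p)
        principals.append(name.decode())
    valid_after, off = _rd_u(buf, off, ">Q")
    valid_before, off = _rd_u(buf, off, ">Q")
    return {"serial": serial, "user_cert": cert_kind == 1, "key_id": key_id.decode(),
            "principals": principals, "valid_after": valid_after, "valid_before": valid_before}

def cert_status(line, now):
    """The explicit field the issue asks for: SIGNED, EXPIRED or NOT_YET_VALID at Unix time now."""
    c = parse_cert(line)
    if now < c["valid_after"]:
        return "NOT_YET_VALID"
    return "EXPIRED" if now >= c["valid_before"] else "SIGNED"

def build_demo_cert(key_id, principals, valid_after, valid_before, serial=1):
    """Constructed, UNSIGNED ed25519 user cert for the offline demo: bogus key, empty signature."""
    t = b"ssh-ed25519-cert-v01@openssh.com"
    body = (_s(t) + _s(b"\x00" * 32) + _s(b"\x11" * 32) + struct.pack(">QI", serial, 1)
            + _s(key_id.encode()) + _s(b"".join(_s(p.encode()) for p in principals))
            + struct.pack(">QQ", valid_after, valid_before)
            + _s(b"") * 5)  # critical options, extensions, reserved, signature key, signature
    return t.decode() + " " + base64.b64encode(body).decode() + " demo"
```

The demo builder writes no signature, so this only reads the fields; a real check of who issued the cert is what the SSH server does against the CA key.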

How to deploy CA files to ssh servers.

So, I have set up the cassh server, and created a key, but I have no idea how to deploy the files necessary to be able to use my newly created and signed key on an SSH server.

Could somebody write up some quick instructions on the following:

  1. What files are necessary to copy from either the CASSH server or the CASSH client to the remote SSH server?
  2. What sshd_config configuration options need to be set for the remote SSH server to be able to authenticate the CASSH-signed key?
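An added example, not cassh project code: the two artefacts the client fetches with cassh ca and cassh krl are what the SSH server consumes, through the standard sshd_config directives TrustedUserCAKeys and RevokedKeys (these directive names are standard OpenSSH, not taken from this page; the destination paths are assumptions). Before deploying, the checks below reject a truncated or mis-fetched file, and demo_inputs constructs stand-ins so the example runs offline.

```python
import base64
import struct

# Key types an OpenSSH CA public key may use (the line 'cassh ca' returns).
_CA_KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
                 "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}
_KRL_MAGIC = b"SSHKRL\n\x00"  # every OpenSSH KRL starts with this magic (PROTOCOL.krl)

def check_ca_pubkey(text):
    """Return the key type if text is exactly one well-formed public-key line, else raise ValueError."""
    lines = [l for l in text.splitlines() if l.strip() and not l.startswith("#")]
    if len(lines) != 1:
        raise ValueError("expected exactly one CA public key line, got %d" % len(lines))
    parts = lines[0].split()
    if len(parts) < 2 or parts[0] not in _CA_KEY_TYPES:
        raise ValueError("unknown or missing key type: %r" % parts[:1])
    blob = base64.b64decode(parts[1], validate=True)
    (n,) = struct.unpack_from(">I", blob, 0)
    if blob[4:4 + n] != parts[0].encode():  # the blob repeats the key type as its first string
        raise ValueError("key type inside blob does not match the prefix")
    return parts[0]

def check_krl(data):
    """Return the KRL format version if data carries the KRL magic, else raise ValueError."""
    if not data.startswith(_KRL_MAGIC):
        raise ValueError("not an OpenSSH KRL (bad magic)")
    (version,) = struct.unpack_from(">I", data, len(_KRL_MAGIC))
    if version != 1:
        raise ValueError("unsupported KRL format version %d" % version)
    return version

def sshd_ca_directives(ca_text, krl_data, ca_dest="/etc/ssh/cassh_ca.pub",
                       krl_dest="/etc/ssh/cassh_revoked_keys"):
    """Validate both files, then return the sshd_config lines that trust the CA and honor the KRL."""
    check_ca_pubkey(ca_text)
    check_krl(krl_data)
    return ["TrustedUserCAKeys %s" % ca_dest, "RevokedKeys %s" % krl_dest]

def demo_inputs():
    """Constructed stand-ins for the output of 'cassh ca' and 'cassh krl' (bogus key, empty KRL)."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + b"\x01" * 32
    ca_text = "ssh-ed25519 " + base64.b64encode(blob).decode() + " CA\n"
    krl_data = _KRL_MAGIC + struct.pack(">I", 1) + b"\x00" * 24
    return ca_text, krl_data
```

After copying the two files to the assumed paths and appending the directives, run sshd -t to validate the configuration before reloading sshd, and keep the KRL refreshed so revocations made with cassh admin take effect on the server.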

Display pubkey better hash and add rate

Keys are not displayed properly:

    "ssh_key_hash": "2048 e8:47:77:a6:ea:aa:7d:26:67:24:ba:3a:52:b6:3f:ce ", 

    "ssh_key_hash": "2048 SHA256:R8NwvNikoqVR9DMwvNikoqVR9DdOSwvNikoqVR9D roberto@roberto-ThinkPad-T470p (RSA)\n", 

    "ssh_key_hash": "256 SHA256:hf44FmQ8YdbeEdO+u7geOKv", 

It could be better to split this into categories:

  • DSA (weakest)
  • RSA (standard)
  • ECDSA (better)
  • Ed25519 (strongest but not supported on old OS)

and show the length.

Why not add a rate to help the admin validate a key?

Getting all settings / configurations / paths through env variables and mounted secrets

It would be really great to be able to specify all configuration attributes via environment variables, for example the path to settings.txt for cassh-web.
Furthermore, it would also be super handy to be able to define keys as paths to files. This would allow keys to be mounted in Kubernetes as secrets, and the rest of the configuration could reside in a ConfigMap.
Both changes would allow a fast and consistent configuration and deployment of all the components in a Kubernetes cluster.

Thanks,
Thomas

Increase log verbosity

Add ip, user agent, version, account and wrong inputs

Also, disable logs for /ping and /health

tmp file not readable

127.0.0.1:41578 - - [09/Jul/2017 12:04:07] "HTTP/1.1 GET /admin/user" - 200 OK
do_ca_sign: unable to open "/tmp/tmpDAkVaX": No such file or directory

Add OAuth2/OpenID Connect authentication

This is a feature request.

In addition to LDAP authentication, it would be possible to authenticate users with OpenID Connect. This would make it possible to integrate cassh into environments where Google Accounts are used to authenticate users (and, of course, other environments that employ an identity provider which supports OpenID Connect).
