SSH CA signed key validation + authN webhook support #331
Note to self, sample code to verify CA on SSH public keys:

```go
package main

import (
	"fmt"
	"strings"

	"golang.org/x/crypto/ssh"
)

func main() {
	// Expected CA public key in authorized_keys form (no trailing newline, so it compares equal below).
	caKey := "ssh-rsa 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"
	// The client's certificate in authorized_keys form.
	key := "[email protected] 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"
	parsedKey, _, _, _, err := ssh.ParseAuthorizedKey([]byte(key))
	if err != nil {
		panic(err)
	}
	// Checked assertion: a plain public key (not a certificate) would otherwise panic here.
	crt, ok := parsedKey.(*ssh.Certificate)
	if !ok {
		panic("presented key is not an SSH certificate")
	}
	// Compares the key the certificate names as its signer against the expected CA key;
	// the certificate's signature itself is not verified by this comparison.
	marshalledSignatureKey := ssh.MarshalAuthorizedKey(crt.SignatureKey)
	if strings.TrimSpace(string(marshalledSignatureKey)) == caKey {
		fmt.Printf("OK")
	}
}
```
If my understanding of the auth webhook is correct: without cssh implementing this FR, cert-based SSH auth is already possible, BUT you'll have to do it in your own auth webhook. This webhook will receive the complete SSH key of the client, without any parsing. If you 'unmarshal' this key, you'll get the components to check the signer, inspect principals, etc.
This issue contains two different enhancements:
If needed I can split these up into two issues, @janosdebugs?
It's fine to track this as one issue, shouldn't be too much code.
My team is also interested in certificate-based SSH authentication.
I am no longer a ContainerSSH maintainer, but ContainerSSH/libcontainerssh#37 is a draft PR implementing SSH certificates, but it's lacking testing. If anyone is interested in taking that PR over, feel free.
Please describe what you would like to see in ContainerSSH
SSH certs can be signed by a second key acting as a Certificate Authority. In doing so, user-based, short-lived SSH certificates can be created by tools such as mysocket.io, Cloudflare and smallsteps.
I'd like ContainerSSH to validate the key and key signature of the CA and pass these properties on to the authN webhook for external authorization.
Please describe the solution you'd like
CSSH should validate the signer (CA) signature. If valid, all the cert details should be parsed and sent to the authN backend for further processing/validation (e.g. do we trust this CA?).
Please describe your use case
The mentioned tools provide a very user-friendly abstraction of user validation/SSO. Additionally, some network tunneling to expose CSSH to untrusted networks in a safe way.
If cssh can reliably build upon the preprocessing done by the cert provider, it would make for a great addition to the cssh capabilities as a jumphost.