
nikhiljha / aeneid

License: GPL-3.0
Use your GitHub SSH keys to authenticate to sshd.



aeneid


If you squint, GitHub is basically a free, zero-ops IdP that provides SSH public keys. Let's use it to authenticate to OpenSSH!

What / How?

There are two ways to use aeneid. You can configure both methods at once.

  1. You set a list of {unix_username = "github_username"} pairs in the overrides section of /etc/aeneid.toml. These users will be able to log in with the SSH keys they have saved on their GitHub account.
  2. You create a GitHub organization, with a team inside it that has some members. You configure /etc/aeneid.toml with an API key. As long as these users remain in the organization and team, they'll be able to log in to OpenSSH via public key.

Installation

Install aeneid with your usual package manager. If that's not possible, you can use cargo.

deb (Debian, Ubuntu, etc): download from GitHub releases then dpkg -i /path/to/aeneid.deb

rpm (Fedora, RHEL, etc): download from GitHub releases then rpm -i /path/to/aeneid.rpm

nix (NixOS, etc): coming soon (TM)...

cargo (not recommended, see FAQ): cargo install aeneid && cp $(whereis aeneid | cut -f 2 -d " ") /usr/local/bin && cargo uninstall aeneid && sudo /usr/local/bin/aeneid --init

Configuration

Automatic Configuration

If you used a non-cargo package manager, everything should be automatically configured. Just add credentials (and/or overrides) to /etc/aeneid/config.toml, and then run sudo aeneid --init to automatically configure your sshd. If you'd rather manually configure your sshd, see the paragraph about sshd in the manual configuration section.

Manual Configuration

Create a new unix user called aeneid and place the binary somewhere that both the new user and the sshd user can read / execute. Make sure the aeneid user (and ONLY the aeneid user) can read / write / execute in /etc/aeneid.

The configuration lives in /etc/aeneid/config.toml. If it doesn't exist, create it based on the src/config.toml in this repository. All fields have comments explaining what they do.

You'll also need to set AuthorizedKeysCommand /path/to/bin/aeneid and AuthorizedKeysCommandRunAs aeneid in your sshd_config (typically /etc/ssh/sshd_config) so that OpenSSH knows where to get keys from.

Usage

If you specified a unix username in overrides, use that username. If you're using GitHub teams and your GitHub username starts with a number, prefix it with an _ to log in. Otherwise, your username is your GitHub username. See the unix_to_github function in main.rs for more information.

Automatically creating users is currently unsupported; you'll need to create the corresponding user manually before first login (adduser username).

$ # make sure ssh is setup with your GitHub keys, then...
$ ssh [email protected] # that's it
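The username mapping described above, plus the key output that AuthorizedKeysCommand must hand back to sshd, as an added Rust example. This is not the project's unix_to_github from main.rs: the override-wins and strip-leading-underscore rules are reconstructed from the README, and the GitHub login character rules, the accepted key types and the filtering of malformed lines before they reach sshd are assumptions made here.

```rust
use std::collections::HashMap;

/// Key types passed through to sshd; other lines (and any carrying options) are dropped.
const KEY_TYPES: [&str; 4] = ["ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "sk-ssh-ed25519@openssh.com"];

/// Assumed GitHub login rules: 1-39 ASCII alphanumerics or single hyphens, no edge hyphen.
/// Rejects anything that could not be an account before it is ever placed in a URL.
fn valid_github_login(name: &str) -> bool {
    !name.is_empty()
        && name.len() <= 39
        && name.chars().all(|c| c.is_ascii_alphanumeric() || c == '-')
        && !name.starts_with('-')
        && !name.ends_with('-')
        && !name.contains("--")
}

/// Map the unix login sshd passes as %u to a GitHub account. Assumed rules,
/// reconstructed from the README: an override wins; otherwise a leading '_' is
/// stripped so GitHub logins that start with a digit can still be unix users.
pub fn unix_to_github(unix_user: &str, overrides: &HashMap<String, String>) -> Option<String> {
    if let Some(gh) = overrides.get(unix_user) {
        return valid_github_login(gh).then(|| gh.clone());
    }
    let candidate = unix_user.strip_prefix('_').unwrap_or(unix_user);
    valid_github_login(candidate).then(|| candidate.to_string())
}

/// Turn the raw body of https://github.com/<login>.keys into authorized_keys lines,
/// keeping only well-formed "type base64" entries and tagging each with the GitHub
/// login so the origin of a key is visible in sshd's debug output.
pub fn authorized_keys_output(github_login: &str, raw_keys: &str) -> String {
    let mut out = String::new();
    for line in raw_keys.lines() {
        let fields: Vec<&str> = line.split_whitespace().collect();
        let b64_ok = fields.len() == 2
            && fields[1].chars().all(|c| c.is_ascii_alphanumeric() || "+/=".contains(c));
        if b64_ok && KEY_TYPES.contains(&fields[0]) {
            out.push_str(&format!("{} {} github:{}\n", fields[0], fields[1], github_login));
        }
    }
    out
}

fn main() {
    // Constructed sample input: one override and a key body containing a junk line.
    let mut overrides = HashMap::new();
    overrides.insert("deploy".to_string(), "example-user".to_string());
    println!("{:?} {:?}", unix_to_github("deploy", &overrides), unix_to_github("../etc", &overrides));
    let body = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyBytes\ncommand=\"id\" ssh-rsa AAAAB3\n";
    print!("{}", authorized_keys_output("alice", body));
}
```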

Security

I've thought about security a little, but not nearly as much as I'd like. I don't recommend using this anywhere security is important. It's your responsibility to ensure that...

  • /etc/aeneid and all children are owned by a separate user (call it aeneid) and set with restrictive permissions (chmod 600)
  • AuthorizedKeysCommandRunAs is set to the separate user that owns /etc/aeneid
  • all relevant GitHub accounts are kept secure (MFA, good passwords, etc.)
  • other problematic SSH config options (e.g. password auth) are disabled
  • your SSH keys are not compromised
  • possibly other things I haven't thought of

FAQ

Why did you make this?

  • I really didn't want to set up LDAP. I really really didn't want to set up LDAP. I really really really really really really didn't want to set up LDAP. In the end I set up LDAP, so hopefully this is useful to someone else.

What's with the name?

  • I thought it was silly. You're accepting a present (free, zero-ops IdP), but in the process, GitHub could silently swap out the public keys it returns and authenticate to your machines. So if you squint: Trojan horse.

Why is cargo install not recommended?

  • Cargo is not recommended because 1) rustup users will have the binary installed in a place not accessible by sshd, and 2) config files will be created by the aeneid --init script instead of your global package manager.

  • The --init script is pretty smart (it's idempotent), but it has only been tested on a handful of common Linux distros. It's highly unlikely to work anywhere else.
