mikesmitty / Curse

Licence: MIT

CURSE

CURSE is an SSH certificate signing server, built as an alternative to Netflix's BLESS tool, but without a dependency on AWS.

Demo

(animated demo GIF in the original README, not reproduced here)

This software is currently in beta; feel free to submit issues on GitHub with suggestions for improvement, feature requests, or any problems you encounter.

Requirements

  • OpenSSH 5.6+
  • CentOS 7
  • Ubuntu 14.04+ (Destination servers)
  • Ubuntu 15.10+ (Server running CURSE daemon)
  • Debian 7+ (Destination servers)
  • Debian 8+ (Server running CURSE daemon)

Because SSH certificates are a relatively recent OpenSSH feature, older CentOS releases unfortunately cannot use them: CentOS 6, for example, ships OpenSSH 5.3, which predates certificate support.

Install

These instructions assume the bastion host is hosting the curse daemon. Adjust instructions as necessary if hosting cursed on another server.

Ubuntu/Debian

Ubuntu 15.10+/Debian 8+

First, add the Debian package repository and its GPG signing key:

$ sudo sh -c 'echo "deb http://mirror.go-repo.io/curse/deb/ curse main" >/etc/apt/sources.list.d/curse.list'
$ sudo apt-key adv --keyserver keyserver.ubuntu.com --recv 0732065B92735F2F

Update and install pwauth, curse and jinx:

$ sudo apt-get update && sudo apt-get install curse jinx pwauth

Run the curse post-install setup script:

$ sudo bash /opt/curse/sbin/setup.sh

This outputs the CA public key to be added to the destination servers and sets up the curse daemon to run.

If all went well you should now be able to request certificates:

$ jinx echo test
$ ssh-keygen -Lf ~/.ssh/id_jinx-cert.pub

Now, all that is left is to add the CA public key on the servers you want to connect to:

Add TrustedUserCAKeys /etc/ssh/cas.pub to /etc/ssh/sshd_config on your destination servers, put the contents of /opt/curse/etc/user_ca.pub into /etc/ssh/cas.pub on each of them, and reload sshd. Note that sshd accepts a certificate signed by a listed CA only when one of the certificate's principals matches the account being logged into (or is allowed by an AuthorizedPrincipalsFile), so the principals in the issued certificate must match the destination usernames.

Netflix recommends generating several CA keypairs and storing the private keys of all but one offline, in order to simplify CA key rotation. If you choose to do this you will want to also add the pubkeys of all of your CA keypairs to the /etc/ssh/cas.pub file at this time as well.

CentOS

CentOS 7

First, install pwauth, curse, and jinx:

$ sudo rpm --import https://mirror.go-repo.io/curse/centos/RPM-GPG-KEY-GO-REPO
$ curl -fsS https://mirror.go-repo.io/curse/centos/curse-repo.repo | sudo tee /etc/yum.repos.d/curse-repo.repo
$ sudo yum install curse jinx pwauth

Unless you're using httpd on this server for some other reason, you should mask the httpd service:

$ sudo systemctl mask httpd

Run the curse post-install setup script:

$ sudo bash /opt/curse/sbin/setup.sh

This outputs the CA public key to be added to the destination servers and sets up the curse daemon to run.

If all went well you should now be able to request certificates:

$ jinx echo test
$ ssh-keygen -Lf ~/.ssh/id_jinx-cert.pub

Now, all that is left is to add the CA public key on the servers you want to connect to:

Add TrustedUserCAKeys /etc/ssh/cas.pub to /etc/ssh/sshd_config on your destination servers, put the contents of /opt/curse/etc/user_ca.pub into /etc/ssh/cas.pub on each of them, and reload sshd. Note that sshd accepts a certificate signed by a listed CA only when one of the certificate's principals matches the account being logged into (or is allowed by an AuthorizedPrincipalsFile), so the principals in the issued certificate must match the destination usernames.

Netflix recommends generating several CA keypairs and storing the private keys of all but one offline, in order to simplify CA key rotation. If you choose to do this you will want to also add the pubkeys of all of your CA keypairs to the /etc/ssh/cas.pub file at this time as well.
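The destination-server step above (the same for the Ubuntu/Debian and CentOS sections), as an added example that is not part of the Curse project: a shell script that installs one or more CA public keys into the trusted-CA file without duplicates (so a standby CA for rotation can be added later by re-running it), sets TrustedUserCAKeys in the global section of sshd_config rather than after a Match block, where it would apply to that block only, and checks the result. File paths are parameters, the function names are this example's own, and the demo at the bottom runs on constructed files in a temporary directory with placeholder key strings, not real keys.

```shell
#!/usr/bin/env bash
# Added example, not part of the Curse project: trust the CURSE user CA on a
# destination server idempotently. Paths are parameters; nothing here is
# hard-coded to /etc so the demo below can run against a temp directory.
set -euo pipefail

# Append each public key line from the files in $2.. to the trusted-CA file $1,
# skipping blanks, comments and any key whose blob (field 2) is already there.
# Re-running, or adding a second standby CA for rotation, never duplicates.
add_ca_keys() {
  local cas_file="$1"; shift
  local src line blob
  touch "$cas_file"
  for src in "$@"; do
    while IFS= read -r line || [ -n "$line" ]; do
      case "$line" in ''|'#'*) continue ;; esac
      blob=$(printf '%s\n' "$line" | awk '{ print $2 }')
      if ! awk -v b="$blob" '$2 == b { found = 1 } END { exit !found }' "$cas_file"; then
        printf '%s\n' "$line" >> "$cas_file"
      fi
    done < "$src"
  done
  chmod 0644 "$cas_file"
}

# Set "TrustedUserCAKeys <cas_file>" in the global section of sshd_config $1.
# A global directive already present is replaced in place (extra copies are
# dropped); otherwise the line is inserted before the first Match block,
# since anything after a Match line belongs to that block only. Directives
# inside Match blocks are left untouched. Assumes "Keyword value" syntax.
set_trusted_ca_directive() {
  local config="$1" cas_file="$2" tmp
  tmp=$(mktemp)
  awk -v f="$cas_file" '
    BEGIN { done = 0; inmatch = 0 }
    tolower($1) == "match" {
      if (!done) { print "TrustedUserCAKeys " f; done = 1 }
      inmatch = 1
    }
    !inmatch && tolower($1) == "trustedusercakeys" {
      if (!done) { print "TrustedUserCAKeys " f; done = 1 }
      next
    }
    { print }
    END { if (!done) print "TrustedUserCAKeys " f }
  ' "$config" > "$tmp"
  cat "$tmp" > "$config"   # overwrite in place to keep the file's owner and mode
  rm -f "$tmp"
}

# Check the result: the global section names our CA file and the file holds
# exactly $3 keys. Returns non-zero on failure. (Run "sshd -t" and reload
# sshd afterwards on a real host; not done here so the demo stays offline.)
verify_user_ca() {
  local config="$1" cas_file="$2" expected="$3"
  awk -v f="$cas_file" '
    tolower($1) == "match" { exit !ok }
    tolower($1) == "trustedusercakeys" && $2 == f { ok = 1 }
    END { exit !ok }
  ' "$config" || return 1
  [ "$(grep -cvE '^[[:space:]]*(#|$)' "$cas_file")" -eq "$expected" ]
}

# Demo on constructed inputs: placeholder key strings, not real CA keys, and
# an sshd_config with a Match block to show where the directive lands.
demo() {
  local d; d=$(mktemp -d)
  printf 'Port 22\nPasswordAuthentication no\nMatch User git\n\tX11Forwarding no\n' > "$d/sshd_config"
  printf 'ssh-ed25519 AAAAC3Nz_constructed_ca_1 user_ca@bastion\n' > "$d/user_ca.pub"
  printf 'ssh-ed25519 AAAAC3Nz_constructed_ca_2 user_ca_standby@bastion\n' > "$d/user_ca_standby.pub"
  add_ca_keys "$d/cas.pub" "$d/user_ca.pub" "$d/user_ca_standby.pub"
  set_trusted_ca_directive "$d/sshd_config" "$d/cas.pub"
  verify_user_ca "$d/sshd_config" "$d/cas.pub" 2 || { echo "verification failed" >&2; rm -rf "$d"; return 1; }
  cat "$d/sshd_config" "$d/cas.pub"
  rm -rf "$d"
}
demo
```

On a real destination server, call add_ca_keys with /etc/ssh/cas.pub and the copied user_ca.pub (plus any standby CA pubkeys for rotation), set_trusted_ca_directive with /etc/ssh/sshd_config, then run sshd -t and reload sshd; the directive is placed before any Match block because sshd treats everything after a Match line as part of that block.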

TODO

  • Authentication
  • Document Authentication Setup
  • SSL support
  • Add support for maximum pubkey ages in daemon
  • Client app
  • More configuration options
  • Add support for maximum pubkey ages in client and automatic key regeneration
  • Add support for key algorithm enforcement/auto-key-generation
  • RPM/DEB packages for easier installation
  • Per-user access ACLs

Maybe Someday

  • Interactive ssh client for command logging