Licence: MIT License
Hallow is an SSH Certificate Authority designed for use in AWS-native environments.

Hallow

Hallow is an OpenSSH Certificate Authority tightly coupled to AWS.

How does Hallow work?

Hallow uses AWS IAM to authenticate incoming requests: API Gateway, with IAM authorization enabled, resolves the IAM identity of the requester and triggers a Lambda running Hallow. Hallow takes the caller's AWS IAM User ARN and signs the provided SSH public key with an asymmetric key stored in KMS (currently only ECDSA keys are supported).

Why did we build it?

Our goals in building a new SSH CA were:

  • Easy to deploy, even (perhaps especially) for small teams. That's why it has relatively few moving pieces, and comes with a terraform module.
  • Leverages an existing authentication system. That's why we use AWS IAM for authentication, making it trivial to require MFA for SSH.
  • Non-extractible private key. That's why the CA private key lives in KMS.
  • Simple to understand. Security tools should make things easier, not more complicated. Hallow itself is under 500 lines of code.

What does it use as the SSH Principal?

Hallow will set the Principal to the User ARN of the incoming request. In most cases, this means that your User ARN in AWS that was used to hit the API endpoint will match the principal name in the Certificate.

The only exception is an STS assumed-role ARN. The session name (the last part of the ARN) is chosen by the caller and is usually set to something helpful (like the username of the person assuming the role, or the i-* instance ID), but it carries no significance and is not an assertion of identity. As a result, session names are removed from assumed-role ARNs.

If you are using Assumed Roles, it is important to note that the principal in your certificate will be of the form arn:aws:sts::{account_id}:assumed-role/{role_name}. It will not be the ARN for the role itself (which is of the form arn:aws:iam::{account_id}:role/{role_name}).

Additionally, if you are authenticating to Hallow with an Assumed Role, Hallow will look at the tags on the role, and if there is a tag named hallow.additional_principals it will use that value as additional principals for the certificate. To pass multiple values, separate them with commas.
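The principal-derivation rules above (session name stripped from assumed-role ARNs, every other ARN kept verbatim, extra principals taken from the hallow.additional_principals tag only for assumed-role callers) are small enough to write out in full. The following is an added example written for this page, not Hallow's own code; the account id, role names and tag values are constructed placeholders.

```go
package main

import (
	"fmt"
	"strings"
)

// additionalPrincipalsTag is the role tag named in the README above.
const additionalPrincipalsTag = "hallow.additional_principals"

// arnFields splits an ARN into its six colon-separated fields:
// arn, partition, service, region, account, resource.
func arnFields(arn string) ([]string, error) {
	fields := strings.SplitN(arn, ":", 6)
	if len(fields) != 6 || fields[0] != "arn" {
		return nil, fmt.Errorf("not an ARN: %q", arn)
	}
	return fields, nil
}

// isAssumedRole reports whether the split ARN is an STS assumed-role ARN.
func isAssumedRole(fields []string) bool {
	return fields[2] == "sts" && strings.HasPrefix(fields[5], "assumed-role/")
}

// NormalizePrincipal returns the principal that goes into the certificate for
// a caller ARN. Assumed-role ARNs lose their caller-chosen session name
// (assumed-role/{role}/{session} becomes assumed-role/{role}); every other
// ARN is returned unchanged.
func NormalizePrincipal(callerARN string) (string, error) {
	fields, err := arnFields(callerARN)
	if err != nil {
		return "", err
	}
	if !isAssumedRole(fields) {
		return callerARN, nil
	}
	res := strings.Split(fields[5], "/")
	switch {
	case len(res) == 2 && res[1] != "":
		// Already in the session-less form.
		return callerARN, nil
	case len(res) == 3 && res[1] != "" && res[2] != "":
		fields[5] = "assumed-role/" + res[1]
		return strings.Join(fields, ":"), nil
	}
	return "", fmt.Errorf("malformed assumed-role ARN: %q", callerARN)
}

// CertificatePrincipals builds the full principal list: the normalized caller
// ARN first, then (for assumed-role callers only) any comma-separated extras
// from the role's hallow.additional_principals tag. Blank entries are dropped.
func CertificatePrincipals(callerARN string, roleTags map[string]string) ([]string, error) {
	primary, err := NormalizePrincipal(callerARN)
	if err != nil {
		return nil, err
	}
	principals := []string{primary}
	fields, _ := arnFields(primary) // already validated above
	if !isAssumedRole(fields) {
		return principals, nil
	}
	for _, extra := range strings.Split(roleTags[additionalPrincipalsTag], ",") {
		if extra = strings.TrimSpace(extra); extra != "" {
			principals = append(principals, extra)
		}
	}
	return principals, nil
}

func main() {
	// Constructed sample callers; account id, role name and tag value are placeholders.
	callers := []struct {
		arn  string
		tags map[string]string
	}{
		{"arn:aws:iam::123456789012:user/alice", nil},
		{"arn:aws:sts::123456789012:assumed-role/ops/alice", map[string]string{additionalPrincipalsTag: "ops, oncall"}},
	}
	for _, c := range callers {
		ps, err := CertificatePrincipals(c.arn, c.tags)
		fmt.Printf("%s -> %v (err=%v)\n", c.arn, ps, err)
	}
}
```

Note that the tag value is trusted as-is: whoever can edit tags on the role can add principals to every certificate issued to that role, so tag write permission on Hallow-enabled roles deserves the same scrutiny as the role's trust policy.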

Deploying Hallow

The easiest way to deploy Hallow is with the Terraform module provided in the terraform/ directory. It will deploy all the AWS resources required for Hallow to work.

For your first deployment try our quickstart guide.

What do I need to do to my system to trust Hallow?

First, /etc/ssh/sshd_config should be updated with two directives: one adds the SSH Certificate Authorities to trust, and the other sets which principals are allowed to log in as which users on the system.

TrustedUserCAKeys points at a file of SSH public keys in the authorized_keys format, one per line. This file should contain Hallow's KMS public key in SSH format.

AuthorizedPrincipalsFile points at a file listing the principals that are allowed to log in as the user being authenticated. %u expands to the requested user name, so it's a good idea to keep a directory full of files named after the users of the system. Hallow sets the principal of the certificate to the User ARN, so these files should list the ARNs allowed to access that particular user account.

sshd_config

TrustedUserCAKeys=/etc/ssh/hallow_cas
AuthorizedPrincipalsFile=/etc/ssh/principals/%u

hallow_cas

Set this file to your own roots. This is an example file, and not the one you should put in your own file, unless you want the authors of this package to have root on your boxes.

ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFvuBGdFLPNRg+xZkGfQ5u9V3FD6etx0cz0fx6HkjzAvZ0W/FF4HYZPsCkLpsJhjaRfF1Nm9mNXiyaHsrkfaKgQ=

principals/%u

arn:aws:iam::12345.....098:root
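The principals directory layout above is simple to get wrong in exactly the way the assumed-role section warns about: a file that lists the IAM role ARN will never match a certificate whose principal is the STS assumed-role ARN. The following added example, written for this page and not part of Hallow or OpenSSH, models sshd's AuthorizedPrincipalsFile matching (%u selects the file, blank and '#' lines are ignored, the first field on each line is the principal, and a certificate is accepted when any of its principals appears in the file) so that a principals directory can be checked before it is deployed. Account id and role names are constructed placeholders.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// WritePrincipalsDir creates one file per user under root, one entry per
// line, mirroring AuthorizedPrincipalsFile=/etc/ssh/principals/%u.
func WritePrincipalsDir(root string, perUser map[string][]string) error {
	if err := os.MkdirAll(root, 0o755); err != nil {
		return err
	}
	for user, lines := range perUser {
		body := strings.Join(lines, "\n") + "\n"
		if err := os.WriteFile(filepath.Join(root, user), []byte(body), 0o644); err != nil {
			return err
		}
	}
	return nil
}

// LoadPrincipals reads the file sshd would consult for user. Blank lines and
// '#' comments are skipped; the first field of each remaining line is the
// principal (anything after it is ignored in this model). A missing file
// yields no principals, so nobody can log in as that user by certificate.
func LoadPrincipals(root, user string) ([]string, error) {
	if user == "" || user == "." || user == ".." || strings.ContainsAny(user, `/\`) {
		return nil, fmt.Errorf("invalid user name %q", user)
	}
	f, err := os.Open(filepath.Join(root, user))
	if errors.Is(err, os.ErrNotExist) {
		return nil, nil
	}
	if err != nil {
		return nil, err
	}
	defer f.Close()
	var out []string
	sc := bufio.NewScanner(f)
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		out = append(out, strings.Fields(line)[0])
	}
	return out, sc.Err()
}

// LoginAllowed reports whether a certificate carrying certPrincipals would be
// accepted for user: at least one principal must match a file entry exactly.
func LoginAllowed(root, user string, certPrincipals []string) (bool, error) {
	allowed, err := LoadPrincipals(root, user)
	if err != nil {
		return false, err
	}
	set := make(map[string]bool, len(allowed))
	for _, p := range allowed {
		set[p] = true
	}
	for _, p := range certPrincipals {
		if set[p] {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	root, err := os.MkdirTemp("", "hallow-principals")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	// Constructed entries; the account id and role name are placeholders.
	if err := WritePrincipalsDir(root, map[string][]string{
		"deploy": {"# members of the deployers role may log in as deploy",
			"arn:aws:sts::123456789012:assumed-role/deployers"},
	}); err != nil {
		panic(err)
	}
	for _, p := range []string{
		"arn:aws:sts::123456789012:assumed-role/deployers",     // matches
		"arn:aws:iam::123456789012:role/deployers",             // role ARN: never matches
		"arn:aws:sts::123456789012:assumed-role/deployers/bob", // session name kept: never matches
	} {
		ok, _ := LoginAllowed(root, "deploy", []string{p})
		fmt.Printf("deploy <- %s: %v\n", p, ok)
	}
}
```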

Configuration knobs

Environment Variable            Usage
LOG_LEVEL                       Log level for Logrus. Valid values are trace, debug, info, warn, error, fatal and panic.
HALLOW_KMS_KEY_ARN              ARN of the KMS asymmetric key. Currently must be an ECDSA key.
HALLOW_CERT_VALIDITY_DURATION   Duration that certificates issued by Hallow are valid for, in Go time.Duration syntax (1h, 20s). Default is 30m.
HALLOW_ALLOWED_KEY_TYPES        Space-delimited list of supported SSH key types. The default set is ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521 and ssh-ed25519.
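The knobs above are the whole configuration surface, so it is worth seeing how they are parsed and how the key-type allow list is applied to a submitted public key. The following added example is written for this page and is not Hallow's code: it loads the variables with the documented defaults, treats HALLOW_KMS_KEY_ARN as required and rejects non-positive validity durations (both assumptions of this example), and checks a submitted authorized_keys-format line against the allow list. The check goes one step further than reading the first field: it decodes the base64 blob and compares the key type embedded in the SSH wire format (a length-prefixed string at the start of every public key blob) with the declared one, so a mislabelled key is rejected rather than signed. The example CA key from the hallow_cas section above is used as sample input; the KMS key ARN in main is a constructed placeholder.

```go
package main

import (
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"os"
	"strings"
	"time"
)

// HallowExampleCAKey is the example public key blob from the README's hallow_cas section.
const HallowExampleCAKey = "AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFvuBGdFLPNRg+xZkGfQ5u9V3FD6etx0cz0fx6HkjzAvZ0W/FF4HYZPsCkLpsJhjaRfF1Nm9mNXiyaHsrkfaKgQ="

// Config mirrors the environment knobs listed above (LOG_LEVEL is left to the logger).
type Config struct {
	KMSKeyARN       string
	CertValidity    time.Duration
	AllowedKeyTypes map[string]bool
}

// defaultAllowedKeyTypes is the documented default allow list.
var defaultAllowedKeyTypes = []string{
	"ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521", "ssh-ed25519",
}

// LoadConfig reads the knobs through getenv (os.Getenv in production, a map
// lookup in tests) and applies the documented defaults.
func LoadConfig(getenv func(string) string) (Config, error) {
	cfg := Config{KMSKeyARN: getenv("HALLOW_KMS_KEY_ARN"), CertValidity: 30 * time.Minute, AllowedKeyTypes: map[string]bool{}}
	if cfg.KMSKeyARN == "" {
		return cfg, errors.New("HALLOW_KMS_KEY_ARN is required") // assumption of this example
	}
	if v := getenv("HALLOW_CERT_VALIDITY_DURATION"); v != "" {
		d, err := time.ParseDuration(v)
		if err != nil {
			return cfg, fmt.Errorf("HALLOW_CERT_VALIDITY_DURATION: %w", err)
		}
		if d <= 0 {
			return cfg, fmt.Errorf("HALLOW_CERT_VALIDITY_DURATION must be positive, got %s", d)
		}
		cfg.CertValidity = d
	}
	types := defaultAllowedKeyTypes
	if v := getenv("HALLOW_ALLOWED_KEY_TYPES"); v != "" {
		types = strings.Fields(v) // space delimited, as documented
	}
	for _, t := range types {
		cfg.AllowedKeyTypes[t] = true
	}
	return cfg, nil
}

// BlobKeyType returns the key type embedded in a base64 SSH public key blob:
// the wire format begins with a big-endian uint32 length and the type string.
func BlobKeyType(b64 string) (string, error) {
	blob, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", err
	}
	if len(blob) < 4 {
		return "", errors.New("blob too short")
	}
	n := binary.BigEndian.Uint32(blob[:4])
	if n == 0 || uint64(n) > uint64(len(blob)-4) {
		return "", errors.New("bad type length in blob")
	}
	return string(blob[4 : 4+n]), nil
}

// TypePrefixBlob builds a base64 blob holding only the type string. It is not
// a complete key; it exists so constructed inputs can exercise BlobKeyType.
func TypePrefixBlob(typ string) string {
	b := make([]byte, 4, 4+len(typ))
	binary.BigEndian.PutUint32(b, uint32(len(typ)))
	return base64.StdEncoding.EncodeToString(append(b, typ...))
}

// CheckPublicKey validates an authorized_keys-format line ("<type> <base64> [comment]")
// and returns its key type when the declared type matches the blob and is allowed.
func CheckPublicKey(cfg Config, line string) (string, error) {
	fields := strings.Fields(line)
	if len(fields) < 2 {
		return "", errors.New("expected '<type> <base64>' line")
	}
	declared := fields[0]
	embedded, err := BlobKeyType(fields[1])
	if err != nil {
		return "", err
	}
	if declared != embedded {
		return "", fmt.Errorf("declared type %q does not match blob type %q", declared, embedded)
	}
	if !cfg.AllowedKeyTypes[declared] {
		return "", fmt.Errorf("key type %q not allowed", declared)
	}
	return declared, nil
}

func main() {
	cfg, err := LoadConfig(func(k string) string {
		if v := os.Getenv(k); v != "" {
			return v
		}
		if k == "HALLOW_KMS_KEY_ARN" { // constructed placeholder so the demo runs without a deployment
			return "arn:aws:kms:us-east-1:123456789012:key/PLACEHOLDER-KEY-ID"
		}
		return ""
	})
	if err != nil {
		panic(err)
	}
	fmt.Println("validity:", cfg.CertValidity)
	for _, line := range []string{
		"ecdsa-sha2-nistp256 " + HallowExampleCAKey + " example-ca",
		"ssh-rsa " + TypePrefixBlob("ssh-rsa"),     // not on the default allow list
		"ssh-ed25519 " + TypePrefixBlob("ssh-rsa"), // declared type does not match blob
	} {
		typ, err := CheckPublicKey(cfg, line)
		fmt.Printf("%-20s ok=%v err=%v\n", typ, err == nil, err)
	}
}
```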

Security considerations

To get the most value out of Hallow, only give people the right to interact with Hallow via a role which is assumed with MFA. This gets you MFA for SSH.

Generate a fresh private key for every certificate. This reduces the damage that can be caused by a disclosed private key to the lifetime of the certificate.

Hallow does not need to be run in the same AWS account as the rest of your infrastructure.
