
obelisk / rustica

Licence: MIT License
An SSHCA that uses a standard Yubikey to issue new host and user certificates.


Projects that are alternatives of or similar to rustica

Yubikey Ssh
How to use a Yubikey with OpenSSH without GPG
Stars: ✭ 108 (+350%)
Mutual labels:  ssh, yubikey
Yubikey
YubiKey at Datadog
Stars: ✭ 393 (+1537.5%)
Mutual labels:  ssh, yubikey
Bless
Repository for BLESS, an SSH Certificate Authority that runs as a AWS Lambda function
Stars: ✭ 2,627 (+10845.83%)
Mutual labels:  ssh, ssh-certificates
Yubikey Guide
Guide to using YubiKey for GPG and SSH
Stars: ✭ 6,709 (+27854.17%)
Mutual labels:  ssh, yubikey
Yubikey Agent
yubikey-agent is a seamless ssh-agent for YubiKeys.
Stars: ✭ 1,744 (+7166.67%)
Mutual labels:  ssh, yubikey
Yubikey Touch Detector
A tool to detect when your YubiKey is waiting for a touch (to send notification or display a visual indicator on the screen)
Stars: ✭ 167 (+595.83%)
Mutual labels:  ssh, yubikey
piv-agent
An SSH and GPG agent which you can use with your PIV hardware security device (e.g. a Yubikey).
Stars: ✭ 31 (+29.17%)
Mutual labels:  ssh, yubikey
fugit
_Really_ lightweight git access control
Stars: ✭ 24 (+0%)
Mutual labels:  ssh
FastTunnel
expose a local server to the internet. A high-performance, cross-platform intranet NAT-traversal solution: remote access to intranet computers, domain-name access to intranet sites, reverse proxying of intranet services, port forwarding, HTTP proxy
Stars: ✭ 815 (+3295.83%)
Mutual labels:  ssh
tosh
Imagine your SSH server only listens on an IPv6 address, and where the last 6 digits are changing every 30 seconds as a TOTP code...
Stars: ✭ 406 (+1591.67%)
Mutual labels:  ssh
sshecret
I can keep a SSHecret
Stars: ✭ 56 (+133.33%)
Mutual labels:  ssh
seahorse
ELKFH - Elastic, Logstash, Kibana, Filebeat and Honeypot (HTTP, HTTPS, SSH, RDP, VNC, Redis, MySQL, MONGO, SMB, LDAP)
Stars: ✭ 31 (+29.17%)
Mutual labels:  ssh
ssh
golang ssh lib simple for use
Stars: ✭ 15 (-37.5%)
Mutual labels:  ssh
TailLog
Real-time log (tail log) viewing and monitoring client tool
Stars: ✭ 79 (+229.17%)
Mutual labels:  ssh
cl
Concurrently run commands across multiple servers via SSH
Stars: ✭ 45 (+87.5%)
Mutual labels:  ssh
gpg-smartcard-automation
Tooling to make smartcard (e.g. yubikey) initialization easier
Stars: ✭ 23 (-4.17%)
Mutual labels:  yubikey
piping-ssh-web
SSH over HTTPS via Piping Server on Web browser
Stars: ✭ 60 (+150%)
Mutual labels:  ssh
lobbyboy
A lobby boy will create a VPS server when you need one, and destroy it after using it.
Stars: ✭ 212 (+783.33%)
Mutual labels:  ssh
MCAuthenticator
2FA for Minecraft!
Stars: ✭ 37 (+54.17%)
Mutual labels:  yubikey
synpse
Synpse is an all-in-one solution to manage your servers and IoT devices providing declarative app deployment, SSH access and TCP tunnels
Stars: ✭ 17 (-29.17%)
Mutual labels:  ssh

Rustica

Rustica is a Yubikey backed SSHCA written in Rust. It is designed to be used with the accompanying rustica-agent tool for certificate handling but speaks gRPC so other integrations are possible.

Features

  • Multiple Ways To Secure Private Keys
    • File
    • Yubikey 4/5 (non HSM)
    • AmazonKMS
  • Multiple Ways To Store Permissions
    • Built in SQLite Database
    • External Authorization Server
  • Multiple Supported Logging Systems
    • Stdout
    • InfluxDB
    • Splunk
    • External JSON Webhook
  • Just In Time Certificate Generation
  • Use Different Keys For User and Hosts
  • gRPC With mTLS
  • Docker Scratch Container Support
  • Extensive Feature Support

Protected Key Material

Malicious access to the Rustica private key would result in serious compromise, so Rustica provides two ways to mitigate this risk: Yubikey and AmazonKMS support. These signing modules use keys that cannot be exported, giving more control over how the private key is used. If using AmazonKMS, Amazon's logs can be compared with Rustica's logs to provide assurance that no misuse has occurred.

Just-In-Time Certificate Generation

Rustica and RusticaAgent work together to use short lived certificates that are generated on the fly only when needed. In effect this means your deployment will never need to deal with revocation because after ten seconds (the default) all issued certificates will have expired.

Multiple Supported Logging Systems

All certificate issuances can be logged to InfluxDB or Splunk if desired. See the logging submodule and the examples in examples/ for more information.

gRPC With mTLS

Rustica requires that all connections be made using mutually authenticated TLS. This provides an extra level of authentication to the service and allows X.509 certificates to be tied to SSH logins.

Docker Scratch Container

When using either AmazonKMS or file based keys, Rustica can be compiled to a statically linked binary capable of running in a docker container with no external dependencies. The docker/ folder contains Dockerfiles to compile Rustica this way for both amd64 (standard x86_64 architectures) and aarch64 (capable of running on Amazon Graviton servers).

Extensive Feature Support

Compile in only what you need to reduce binary size and dependency bloat. If you're planning on using AmazonKMS for storing your keys, Rustica can be compiled without Yubikey dependencies, and vice versa. The same is true for authorization: if using a remote authorization service, Rustica can be compiled without Diesel and SQLite.

EXPERIMENTAL: Host Restriction

It is possible to grant a principal to a user that is only valid for certain hostnames. This is achieved by setting the restricted host permission in the database. When in use, the generated certificate will have the force-command CriticalOption set. This forces the user to run a bash script, embedded in the certificate, that contains all hostnames she is allowed to log in to. If the hostname of the remote host does not match any in the list, the connection is closed.
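As an added illustration of the mechanism just described (example code, not Rustica's own script), here is a forced-command wrapper of the kind such a certificate would carry: it embeds a hostname allow-list, compares it against the local hostname, and either hands control to the command the client asked for or closes the connection. The hostnames, the function names, and the reliance on SSH_ORIGINAL_COMMAND and SSH_CONNECTION (both set by sshd) are assumptions of this example; Rustica generates the real script and list itself. It is written in POSIX sh so it also runs under bash.

```shell
#!/bin/sh
# Added example, not Rustica's own script. The allow-list below is constructed;
# in a real deployment Rustica writes the permitted hostnames into the
# force-command script embedded in the certificate.
ALLOWED_HOSTS="bastion.example.com db-01.example.com"

# host_allowed HOST "LIST": exit 0 only if HOST exactly matches one entry of the
# space-separated LIST (no glob or suffix matching, to keep the policy strict).
host_allowed() {
    _host=$1
    for _entry in $2; do
        if [ "$_entry" = "$_host" ]; then
            return 0
        fi
    done
    return 1
}

# decide HOST: print the decision the forced command would make for HOST,
# without exec'ing anything. Used by the offline demo below.
decide() {
    if host_allowed "$1" "$ALLOWED_HOSTS"; then
        echo "allow $1"
    else
        echo "deny $1"
    fi
}

# enforce: the entry point when sshd runs this file as the forced command.
# On an allowed host it replaces itself with the command the client requested
# (sshd passes it in SSH_ORIGINAL_COMMAND) or with a login shell; on any other
# host it writes a diagnostic and exits, which closes the SSH connection.
enforce() {
    _local=$(hostname)
    if host_allowed "$_local" "$ALLOWED_HOSTS"; then
        if [ -n "$SSH_ORIGINAL_COMMAND" ]; then
            exec "${SHELL:-/bin/sh}" -c "$SSH_ORIGINAL_COMMAND"
        fi
        exec "${SHELL:-/bin/sh}" -l
    fi
    echo "certificate is not valid for host $_local; closing connection" >&2
    exit 255
}

# Only enforce when invoked by sshd (which sets SSH_CONNECTION); otherwise run
# the offline demo against two constructed hostnames.
if [ -n "$SSH_CONNECTION" ]; then
    enforce
else
    decide bastion.example.com
    decide web-01.example.com
fi
```

The check runs on the host being logged in to, so a certificate presented to a host outside the list never reaches a shell; sshd's own certificate validation (principal, validity window, CA trust) still happens before the forced command is executed at all.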

Key Support

The following key types have client support via FIDO:

  • ECDSA 256
  • Ed25519

The following key types have Yubikey support (client and server):

  • ECDSA 256
  • ECDSA 384

The following key types have file support (client and server):

  • ECDSA 256
  • ECDSA 384
  • Ed25519

The following key types have no support:

  • ECDSA 521

Running An Example Deployment

This repository comes with a set of configuration files and a database to be used as an example. New certificates can be easily generated using the scripts in resources/.

Start Rustica

rustica --config examples/rustica_local_file.toml

Pull a certificate with RusticaAgent

rustica-agent --config examples/rustica_agent_local.toml -i

The details of the certificate will be printed to the screen.

Running Tests

Rustica ships with a small suite of integration tests aimed at ensuring some of the lesser-known features do not get broken by updates. They require Docker to be installed and can be run with the script tests/integration.sh.

Security Warning

No review has been done. I built it because I thought people could find it useful. Be wary about using this in production without doing a thorough code review. If you find mistakes, please open a pull request or if it's a security bug, email me.

Licence

This software is provided under the MIT licence so you may use it basically however you wish so long as all distributions and derivatives (source and binary) include the copyright from the LICENSE.
