richard-mauri / vaultssh

License: MPL-2.0
A Go-based Vault client to support ssh sessions, remote commands and scp transfers, all in memory


A Vault client that supports ssh remote commands, interactive sessions and scp file transfers using signed ssh certificates, handled entirely in memory.

vaultssh

It is motivated by the need to ssh from a shared bastion jump host, where we:

  • Cannot store keys on disk (not secure)
  • Cannot use ssh agent forwarding (not secure)
  • Don't want to remember or manage a complicated passphrase

For this system to work, the ssh servers must be configured to trust the Vault CA, which signs the user's ssh certificate.

The demo script captures all the steps, so use it as a reference.

Operation

Here are the modes of operation:

  1. addkey: the user injects their ssh keypair into Vault once, for all subsequent ssh access
  2. ssh: the user logs into Vault, has their key signed and starts an interactive ssh session
  3. scpto: the user logs into Vault, has their key signed and transfers files to a remote system
  4. scpfrom: the user logs into Vault, has their key signed and transfers files from a remote system
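The two Vault calls behind the ssh, scpto and scpfrom modes (userpass login, then signing the public key under the role) are shown below as an added example written for this page; it is not vaultssh's own code. It assumes the ssh secrets engine is mounted at ssh-client-signer and the role is regular-role, and it stops at receiving the signed certificate (building the ssh session from it would need golang.org/x/crypto/ssh); the certificate is only ever held in memory.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
)

// vaultPost sends a JSON body to a Vault API path and decodes the JSON reply.
// token is the client token from a previous login; empty for the login call itself.
func vaultPost(addr, token, path string, body, out interface{}) error {
	buf, err := json.Marshal(body)
	if err != nil {
		return err
	}
	req, err := http.NewRequest("POST", addr+"/v1/"+path, bytes.NewReader(buf))
	if err != nil {
		return err
	}
	req.Header.Set("Content-Type", "application/json")
	if token != "" {
		req.Header.Set("X-Vault-Token", token)
	}
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	// Vault answers 403 for a bad token or a policy that does not allow the sign path.
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("vault %s: HTTP %d", path, resp.StatusCode)
	}
	return json.NewDecoder(resp.Body).Decode(out)
}

// UserpassLogin exchanges a Vault userpass password for a client token.
func UserpassLogin(addr, username, password string) (string, error) {
	var r struct{ Auth struct{ ClientToken string `json:"client_token"` } `json:"auth"` }
	err := vaultPost(addr, "", "auth/userpass/login/"+username,
		map[string]string{"password": password}, &r)
	return r.Auth.ClientToken, err
}

// SignPublicKey asks the ssh secrets engine at mount (assumed: ssh-client-signer)
// to sign an OpenSSH public key under role; the returned certificate stays in memory.
func SignPublicKey(addr, token, mount, role, pubKey string) (string, error) {
	var r struct{ Data struct{ SignedKey string `json:"signed_key"` } `json:"data"` }
	err := vaultPost(addr, token, mount+"/sign/"+role,
		map[string]string{"public_key": pubKey}, &r)
	return r.Data.SignedKey, err
}
```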

Project Setup

  • This uses "go mod" for build dependency management (go1.11.4 is current and known to work)
  • A Makefile is used to drive the go build commands
  • The GOPATH env variable must be defined so that the built vaultssh binary is installed under GOPATH/bin.
  • The runtime demo requires dependencies including (at least these versions; others may work): Go (go1.11.4), Docker (18.09.0), Git (2.18.0), vault (>= 0.11.5)
  • This project internally uses Travis CI and goreleaser for CI builds and releases respectively.

Demo

There is a demo.sh that invokes demo-build.sh and play.sh to build and run the demo respectively. The project README includes an asciicast recording of an example play.sh session.

Usage

There are a couple of bash scripts under scripts/:

  • configure.sh can be used to configure Vault to enable userpass auth and ssh key signing. Run it after vault init.
  • adduser.sh can be used to create a Vault userpass account and configure the policies needed to sign keys and ssh.

Example addkey usage (each user does this once; they are prompted for their Vault password):

  • vaultssh -mode addkey -publicKeyPath ~/.ssh/id_rsa.pub -privateKeyPath ~/.ssh/id_rsa -username ubuntu

Example ssh interactive usage:

  • vaultssh -mode ssh -username ubuntu -sshServerHost infra1.foo.com

Example scp to usage:

  • vaultssh -mode scpto -username ubuntu -localPath /tmp/source.txt -remotePath /home/ubuntu/source.txt -sshServerHost infra1.foo.com

Example scp from usage:

  • vaultssh -mode scpfrom -username ubuntu -localPath /tmp/source2.txt -remotePath /home/ubuntu/source.txt -sshServerHost infra1.foo.com

Usage of vaultssh:
  -kvVersion int
    	vault kv version (1 or 2) (default 1)
  -localPath string
    	fully qualified path to local file to scp to or from
  -mode string
    	one of: addkey | ssh | scpto | scpfrom (default "ssh")
  -passwd string
    	password for vault auth (will prompt if empty)
  -privateKeyPath string
    	fully qualified path to ssh private key file
  -publicKeyPath string
    	fully qualified path to ssh public key file
  -remoteCommand string
    	remote command to execute
  -remotePath string
    	fully qualified path to remote file to scp to or from
  -signingRole string
    	ssh client signing role (default "regular-role")
  -sshServerHost string
    	hostname to connect to for ssh session (default "0.0.0.0")
  -sshServerPort int
    	port to connect to for ssh session (default 22)
  -sshUsername string
    	username for ssh session (defaults to username value)
  -termType string
    	terminal type for ssh session (default "xterm-256color")
  -username string
    	username for vault auth (default "ubuntu")
  -v	print current version and exit
  -vaultAddress string
    	vault address (default "http://localhost:8200")

License

Mozilla Public License, version 2.0

TODO

  • Fill in stubbed-out test cases
  • More configurability
  • Support additional Vault authentication backends besides userpass

Server side future?

  • Auditing reports of keys, policies and session transcripts, including key logging
  • Monitoring and alerting
  • Key cleanup and rotation with declarative compliance policies
  • Consider implementing the feature as a Vault server-side plugin

GitHubPages: https://richard-mauri.github.io/vaultssh/

CI Build: https://travis-ci.org/richard-mauri/vaultssh
