
sshrimp 🦐

SSH Certificate Authority in a lambda, automated by an OpenID Connect enabled agent.

Why? Check out this presentation: Zero Trust SSH - linux.conf.au 2020.

~~ Warning ~~

This is still in very early development. Only use it for testing. Not suitable for use in production yet. PRs welcome ;)

Quickstart

This project uses mage as a build tool. Install it.

Build the agent, lambda, and generate terraform code ready for deployment:

mage

Deployment

Terraform files are defined in /terraform, and the generated sshrimp-ca.tf.json file can be used to deploy sshrimp into multiple AWS regions automatically.

terraform init
terraform apply

You will need AWS credentials in your environment to run terraform apply. You can also use aws-vault or aws-oidc to more securely manage AWS credentials on the command line.

sshd_config (on your server)

Server configuration is minimal. Get the public keys from KMS (using AWS credentials):

mage ca:keys

Put these keys in a file on your server, /etc/ssh/trusted_user_ca_keys, owned by root with permissions 0644.

Modify /etc/ssh/sshd_config to add the line:

TrustedUserCAKeys /etc/ssh/trusted_user_ca_keys

ssh_config (on your local computer)

Since OpenSSH 7.3, you can use the IdentityAgent option in your ssh config file to set the socket name you configured:

Host *.sshrimp.io
    User jeremy
    IdentityAgent /tmp/sshrimp-agent.sock

This has the advantage of only using the agent for the group of hosts you need, and lets other hosts use your regular agent (like github.com for cloning git repos). In fact, you can't add other identities to the sshrimp-agent. It's meant to be used only for the hosts you need it for.

For other SSH clients or older versions, set the SSH_AUTH_SOCK environment variable when invoking ssh: SSH_AUTH_SOCK=/tmp/sshrimp-agent.sock ssh user@host

Let's go!

Start the agent:

sshrimp-agent /path/to/sshrimp.toml

SSH to your host:

ssh example.server.sshrimp.io

🎉

Why sshrimp?

  • Shrimp have shells.
  • Shrimp are lightweight.
  • Has a backronym: SSH. Really. Isn't. My. Problem.
  • Shrimp on a barbie?
  • Yeah...


sshrimp's Issues

Read Unix Socket

Hi @stoggi, is it possible to get ssh connection data in the agent?

For example, if I make a connection like ssh ubuntu@host, is it possible that the agent receives this data? If so, maybe we can sign specific certificates for each host and maybe force commands or other features.

Thank you!

OpenID Fails

Hi @stoggi, I am trying to bring up sshrimp but I have some problems. I managed to configure Google OpenID and I got the message "Signed in successfully, return to cli app", but after that the agent crashes:

sshrimp-agent: listening on /tmp/sshrimp.sock
2020/12/18 00:10:19 <nil>
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x18 pc=0x13e73e6]

goroutine 1 [running]:
golang.org/x/crypto/ssh.(*Certificate).Type(0x0, 0xc00006ae40, 0xc0003ee100)
	/Users/lcalisi/go/pkg/mod/golang.org/x/[email protected]/ssh/certs.go:494 +0x26
github.com/stoggi/sshrimp/internal/sshrimpagent.(*sshrimpAgent).List(0xc0001fc700, 0xc000096004, 0x1, 0xc00020f9e0, 0x1091e22, 0xc00008e080)
	/Users/lcalisi/sshrimp/internal/sshrimpagent/sshrimpagent.go:87 +0x18e
golang.org/x/crypto/ssh/agent.(*server).processRequest(0xc00020fbf8, 0xc000096004, 0x1, 0x1, 0xc00020fb70, 0x10719a7, 0xc000094000, 0xc000096004)
	/Users/lcalisi/go/pkg/mod/golang.org/x/[email protected]/ssh/agent/server.go:145 +0x5ec
golang.org/x/crypto/ssh/agent.(*server).processRequestBytes(0xc00020fbf8, 0xc000096004, 0x1, 0x1, 0x1, 0x1, 0x1)
	/Users/lcalisi/go/pkg/mod/golang.org/x/[email protected]/ssh/agent/server.go:30 +0x67
golang.org/x/crypto/ssh/agent.ServeAgent(0x1875c00, 0xc0001fc700, 0x2d15008, 0xc000094000, 0xc000094000, 0x0)
	/Users/lcalisi/go/pkg/mod/golang.org/x/[email protected]/ssh/agent/server.go:557 +0x1c6
main.launchAgent(0xc0002c65a0, 0xc0001fc100, 0x0, 0x0)
	/Users/lcalisi/sshrimp/cmd/sshrimp-agent/main.go:88 +0x537
main.main()
	/Users/lcalisi/sshrimp/cmd/sshrimp-agent/main.go:37 +0x4a5

How do I need to configure the OpenID? Additionally, I have another question: how could I get AWS credentials to invoke the sshrimp lambda function through OpenID? Do I need to use aws-oidc?

My sshrimp.toml looks like this:

[Agent]
  ProviderURL = "https://accounts.google.com"
  ClientID = "CLIENT_ID"
  ClientSecret = "CLIENT_SECRET"
  BrowserCommand = ["open", "-a", "Google Chrome", "{}"]
  Socket = "/tmp/sshrimp.sock"

[CertificateAuthority]
  AccountID = AWS_ACCOUNT_ID
  Regions = ["us-east-1"]
  FunctionName = "sshrimp"
  KeyAlias = "alias/sshrimp"
  ForceCommandRegex = "^$"
  SourceAddressRegex = "^$"
  UsernameRegex = "^(.*)@example\\.com$"
  UsernameClaim = "email"
  ValidAfterOffset = "-5m"
  ValidBeforeOffset = "+12h"
  Extensions = ["no-x11-forwarding", "permit-agent-forwarding", "permit-port-forwarding", "permit-pty", "permit-user-rc"]
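As an added example (not sshrimp's code) of how the policy fields in this sshrimp.toml gate issuance: the identity-token claim named by UsernameClaim must match UsernameRegex before a principal is derived, and the two offsets become the certificate's validity window. Taking the first capture group as the principal is this example's assumption.

```go
package main

import (
	"fmt"
	"regexp"
	"time"
)

// Policy values copied from the [CertificateAuthority] section of the
// sshrimp.toml above; the functions below are this example's own.
const (
	usernameClaim     = "email"
	usernameRegex     = `^(.*)@example\.com$`
	validAfterOffset  = "-5m"
	validBeforeOffset = "+12h"
)

// principalFor checks the identity-token claim named by UsernameClaim against
// UsernameRegex and returns the SSH principal to put in the certificate.
// Taking the first capture group as the principal is this example's
// assumption, not necessarily what sshrimp does.
func principalFor(claims map[string]string) (string, error) {
	value := claims[usernameClaim]
	m := regexp.MustCompile(usernameRegex).FindStringSubmatch(value)
	if value == "" || m == nil {
		return "", fmt.Errorf("claim %s=%q does not match UsernameRegex", usernameClaim, value)
	}
	principal := m[0]
	if len(m) > 1 {
		principal = m[1]
	}
	if principal == "" {
		return "", fmt.Errorf("%q yields an empty principal", value)
	}
	return principal, nil
}

// validity turns the signed offsets into the certificate validity window
// anchored at now: "-5m" tolerates clock skew, "+12h" bounds the lifetime.
func validity(now time.Time) (time.Time, time.Time, error) {
	a, errA := time.ParseDuration(validAfterOffset)
	b, errB := time.ParseDuration(validBeforeOffset)
	if errA != nil || errB != nil || b <= a {
		return time.Time{}, time.Time{}, fmt.Errorf("bad offsets %q/%q", validAfterOffset, validBeforeOffset)
	}
	return now.Add(a), now.Add(b), nil
}
```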

panic: http: multiple registrations for /

Hi @stoggi! I was testing the agent with ssh-add, exporting the environment variable export SSH_AUTH_SOCK=/tmp/sshrimp.sock. I found a panic error when you delete the identities and then want to get a certificate again.

To replay the error:

  • Start sshrimp-agent
  • export SSH_AUTH_SOCK=/tmp/sshrimp.sock
  • ssh-add -L to list and authenticate for the first time
  • after getting the cert, ssh-add -D to delete the identities
  • ssh-add -L to get a new one and see the error

I believe that the error is in the aws-oidc provider when it tries to register the handler for / or /auth/callback again. It's using the default ServeMux.

Do you know of any solution for this? I could develop the fix. Maybe it could be solved by using a mux server in order to bring up a new server mux for each of them.

On the other hand, I don't know why the error happens, because you shut down the server after each authentication.

Thank you for the support!

panic: http: multiple registrations for /

goroutine 1 [running]:
net/http.(*ServeMux).Handle(0x1d994a0, 0x172f915, 0x1, 0x1977c40, 0xc0002d8340)
	/usr/local/Cellar/go/1.14.5/libexec/src/net/http/server.go:2432 +0x2b6
net/http.(*ServeMux).HandleFunc(...)
	/usr/local/Cellar/go/1.14.5/libexec/src/net/http/server.go:2469
net/http.HandleFunc(...)
	/usr/local/Cellar/go/1.14.5/libexec/src/net/http/server.go:2481
github.com/stoggi/aws-oidc/provider.ProviderConfig.Authenticate(0xc000026280, 0x48, 0xc000028b80, 0x18, 0xc000028b00, 0x1b, 0x101, 0xc00012eec0, 0x4, 0x4, ...)
	/Users/lcalisi/go/pkg/mod/github.com/stoggi/[email protected]/provider/provider.go:169 +0xc8d
github.com/stoggi/sshrimp/internal/sshrimpagent.(*sshrimpAgent).List(0xc000170680, 0xc00002ac44, 0x1, 0xc00045db10, 0x109fb42, 0xc000170380)
	/Users/lcalisi/alfred-ssh-agent-poc/internal/sshrimpagent/sshrimpagent.go:72 +0xdb
golang.org/x/crypto/ssh/agent.(*server).processRequest(0xc00045dd28, 0xc00002ac44, 0x1, 0x1, 0xc00045dca0, 0x1071d87, 0xc000486060, 0xc00002ac44)
	/Users/lcalisi/go/pkg/mod/golang.org/x/[email protected]/ssh/agent/server.go:145 +0x5ec
golang.org/x/crypto/ssh/agent.(*server).processRequestBytes(0xc00045dd28, 0xc00002ac44, 0x1, 0x1, 0x1, 0x1, 0x1)
	/Users/lcalisi/go/pkg/mod/golang.org/x/[email protected]/ssh/agent/server.go:30 +0x67
golang.org/x/crypto/ssh/agent.ServeAgent(0x1988920, 0xc000170680, 0x2f41008, 0xc000486060, 0xc000486060, 0xc000020050)
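An added example (not sshrimp's or aws-oidc's code) of the fix the issue suggests: each login flow gets its own http.ServeMux on a loopback listener, so a second flow in the same process never re-registers handlers on http.DefaultServeMux, and the server is shut down gracefully once the callback arrives. The /auth/callback path and the sign-in message are taken from this page; the listener address is whatever the OS assigns.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"net/http"
)

// callbackServer is one login flow's loopback listener. It builds its own
// ServeMux, so a second flow never re-registers "/" on http.DefaultServeMux.
type callbackServer struct {
	srv  *http.Server
	code chan string
}

func startCallbackServer() (*callbackServer, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0") // loopback only, ephemeral port
	if err != nil {
		return nil, err
	}
	code := make(chan string, 1)
	mux := http.NewServeMux() // fresh mux per flow, not the package default
	mux.HandleFunc("/auth/callback", func(w http.ResponseWriter, r *http.Request) {
		c := r.URL.Query().Get("code")
		if c == "" {
			http.Error(w, "missing code", http.StatusBadRequest)
			return
		}
		fmt.Fprintln(w, "Signed in successfully, return to cli app")
		select {
		case code <- c: // deliver the first code; ignore replays
		default:
		}
	})
	cs := &callbackServer{srv: &http.Server{Addr: ln.Addr().String(), Handler: mux}, code: code}
	go cs.srv.Serve(ln)
	return cs, nil
}

// waitForCode blocks for the callback, then shuts the listener down gracefully.
func (cs *callbackServer) waitForCode(ctx context.Context) (string, error) {
	defer cs.srv.Shutdown(context.Background())
	select {
	case c := <-cs.code:
		return c, nil
	case <-ctx.Done():
		return "", fmt.Errorf("waiting for OIDC callback: %w", ctx.Err())
	}
}
```

The browser is sent to http://<cs.srv.Addr>/auth/callback; because the mux is per flow, calling startCallbackServer again after the first flow finishes is safe.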

mage error: AWS Region: "Sorry, your reply was invalid: Value is required"

Defect Description
When building sshrimp with mage, the user is first prompted to provide an AWS Account ID (12-digit number), and then to select an AWS Region from a list, using the arrow keys and the Enter key.
During this second step, after moving the 'caret' cursor to an AWS Region in the list and pressing the Enter key, the following message is returned (in red text), and the user is unable to proceed.

X Sorry, your reply was invalid: Value is required

Repro steps

  1. Follow instructions under Quickstart
    • Installed mage
▶ mage --version
Mage Build Tool v1.10.0-2-g50f568e
Build Date: 2020-11-04T16:16:07-07:00
Commit: 50f568e
built with: go1.15.3
    • run mage
▶ mage
? AWS Account ID: 000000000000
X Sorry, your reply was invalid: Value is required
? AWS Region:  [Use arrows to move, enter to select, type to filter, ? for more help]
> [ ]  ap-east-1
  [ ]  ap-northeast-1
  [ ]  ap-northeast-2
  [ ]  ap-south-1
  [ ]  ap-southeast-1
  [ ]  ap-southeast-2
  [ ]  ca-central-1
  [ ]  eu-central-1
  [ ]  eu-north-1
  [ ]  eu-west-1
