globocom / gsh

GSH is an OpenID Connect-compatible authentication system for systems using OpenSSH servers

License: BSD 3-Clause "New" or "Revised" License

Go 92.53% HTML 2.10% Dockerfile 0.33% Makefile 1.70% Shell 3.35%
openid-connect openssh certificate

gsh's Introduction

gsh


GSH is an OpenID Connect-compatible authentication system for systems using OpenSSH servers consisting of an out-of-box binary set. Its use requires only a few configurations in the sshd_config file, allowing for a staged migration of an infrastructure based on PAM authentication (LDAP/AD/Kerberos/etc) to an authentication structure with OpenID Connect and SSH certificates.

Want to know more?

Take a look at our excellent documentation!

References

This project is based on a number of other similar projects.

gsh's People

Contributors

fbomlisboa, henriquebonadio-zz, joserenatosilva, krlier, marcelomagina, mdjunior, rafaveira3, rodrigo-brito


gsh's Issues

New registered user can not use service

Hi,
I did follow the guide but when trying to connect to the host, I got this message

{"details":"Your roles are: []","message":"You don't have permission to request this certificate","result":"fail"}

I think there is a missing step to grant/add roles for the new user.
Can you please tell me how to add a role to a new user?
Thanks!

GSH agent logs auth ok even if cert is expired

GSH agent is logging auth ok even if the certificate is expired. It was expected that if the certificate is expired, sshd would not call AuthorizedPrincipalsCommand and would fall back to another type of authentication.

GSH Api should look for certificate serial number, instead of keyid

If a user always asks for a certificate using the same public key, the keyid will always be the same, so when the agent asks the api for this certificate information it will give only the first record in the database.

If the user had asked for a certificate for ip 10.0.0.1 and then a second for 10.0.0.2, the api will only answer the agent with the first remote host, thus not authorizing the login in the second remote host.

Serial number should be unique among all certificates in a given certificate authority. GSH API should look for this instead of keyid.

GSH API exits if no config file is found

This issue is to address the fact that GSH API exits if it doesn't find a config file, even though the environment variables are set correctly through a .env file.

GSH does not check if target host IP is the same contained at API

GSH doesn't really check if the target host IP is the same as the one contained in the certificate (retrieved from gsh-api/certificates/[serial-number]).

Asking a certificate for accessing host 10.225.73.117 and using it to access 10.225.73.118 instead:


$ go run main.go check-permission --api https://gsh-api.example.com --serial-number 15299221765059483344 --username manoel.junior
INFO[0000] Failed to log to file, using default stdout  
INFO[0000] Failed to log to file, using default stdout  
IP FROM API: 10.142.64.4 -> SERVER IP: 127.0.0.0/8
IP FROM API: 10.142.64.4 -> SERVER IP: ::1/128
IP FROM API: 10.142.64.4 -> SERVER IP: fe80::/64
IP FROM API: 10.142.64.4 -> SERVER IP: fe80::/64
IP FROM API: 10.142.64.4 -> SERVER IP: 10.127.36.0/24
FATA[0000] Certificate not authorized for local host     certificate= certificate-type= event="remote host validation" key=remote-host key-fingerprint= key-id= remote_host=10.142.64.4 result=fail serial_number=15299221765059483344 topic="certificate not issued to any of local ips" username=manoel.junior
exit status 1
go run main.go check-permission --api https://gsh-api.example.com --serial-number 15299221765059483344 --username manoel.junior
INFO[0000] Failed to log to file, using default stdout  
IP FROM API: 10.142.64.4 -> SERVER IP: 127.0.0.0/8
IP FROM API: 10.142.64.4 -> SERVER IP: 10.142.64.0/28
INFO[0000] All checks passed, user authenticating...     certificate= certificate-type= event="auth ok" key=auth key-fingerprint= key-id= remote_user=manoel.junior result=success serial_number=15299221765059483344 topic="authentication succeded" username=manoel.junior
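A check-permission flow that applies the two points raised in these issues (look the certificate up by serial number rather than key ID, and require the certificate's host IP to equal one of the server's own addresses instead of merely falling inside a local subnet), as an added example in Go that is not the project's code; CertRecord, lookupBySerial and certIssuedForThisHost are names assumed here.

```go
package main

import (
	"errors"
	"fmt"
	"net"
)

// CertRecord is a constructed stand-in for the API record; field names are assumed.
type CertRecord struct {
	SerialNumber uint64
	RemoteHost   string // IP the certificate was issued for
}

var errNotFound = errors.New("certificate not found")

// lookupBySerial selects by serial number (unique per CA) rather than by
// key ID, which repeats whenever the same public key is reused.
func lookupBySerial(db []CertRecord, serial uint64) (CertRecord, error) {
	for _, r := range db {
		if r.SerialNumber == serial {
			return r, nil
		}
	}
	return CertRecord{}, errNotFound
}

// certIssuedForThisHost requires the certificate IP to equal one of the host's
// own addresses (given as "ip/prefix", the form net.InterfaceAddrs() returns);
// a CIDR-contains test would accept a certificate issued for any subnet neighbour.
func certIssuedForThisHost(certHost string, localAddrs []string) (bool, error) {
	certIP := net.ParseIP(certHost)
	if certIP == nil {
		return false, errors.New("invalid IP in certificate: " + certHost)
	}
	for _, a := range localAddrs {
		localIP, _, err := net.ParseCIDR(a) // localIP keeps the full host address
		if err != nil {
			return false, err
		}
		if localIP.Equal(certIP) {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	fmt.Println(certIssuedForThisHost("10.225.73.118", []string{"10.225.73.117/24"}))
}
```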

Too many certs in ssh-agent makes auth fail with 'too many authentication failures'

After generating several certificates and authenticating with gsh, the ssh-agent caches the certificates, and after a number of certificates new authentications fail when new certificates are issued.

I had a lot of certificates in the gsh folder (not all of them were cached):

MacBook-Pro-37:prod felipe$ ll
total 272
drwxr-x---  36 felipe  staff   1.1K Apr 17 09:51 .
drwxr-x---   3 felipe  staff    96B Jul 26  2019 ..
-rw-------   1 felipe  staff   3.2K Apr 17 09:47 1V8tM1JuJBFfVq1U6zBndpjW5KrURlbe
-rw-r--r--   1 felipe  staff   2.4K Apr 17 09:47 1V8tM1JuJBFfVq1U6zBndpjW5KrURlbe-cert.pub
-rw-------   1 felipe  staff   3.2K Jul 26  2019 3dNWW2IEnHCNRpW8y0TtO5WGUYFdxYnm
-rw-r--r--   1 felipe  staff   2.4K Jul 26  2019 3dNWW2IEnHCNRpW8y0TtO5WGUYFdxYnm-cert.pub
-rw-------   1 felipe  staff   3.2K Jul 26  2019 3uwVNF3Edb3CjLGishLyqfNPxEJ65fj0
-rw-r--r--   1 felipe  staff   2.4K Jul 26  2019 3uwVNF3Edb3CjLGishLyqfNPxEJ65fj0-cert.pub
-rw-------   1 felipe  staff   3.2K Apr 17 09:51 8kfKvAnDdRvcSXnYgpIypJsV4QOQrihB
-rw-r--r--   1 felipe  staff   2.4K Apr 17 09:51 8kfKvAnDdRvcSXnYgpIypJsV4QOQrihB-cert.pub
-rw-------   1 felipe  staff   3.2K Apr 16 17:35 AeaBwc7QjqAjCl1pGViEGt4HjdZ6cngI
-rw-r--r--   1 felipe  staff   2.4K Apr 16 17:35 AeaBwc7QjqAjCl1pGViEGt4HjdZ6cngI-cert.pub
-rw-------   1 felipe  staff   3.2K Apr 16 18:41 Jxvpytz6V3Hn9Hh4uawm7BoXh2FRxdP8
-rw-r--r--   1 felipe  staff   2.4K Apr 16 18:41 Jxvpytz6V3Hn9Hh4uawm7BoXh2FRxdP8-cert.pub
-rw-------   1 felipe  staff   3.2K Apr 16 18:41 Lboi113d2M1hWlZYgv5YV8C8PxOzUYFO
-rw-r--r--   1 felipe  staff   2.4K Apr 16 18:41 Lboi113d2M1hWlZYgv5YV8C8PxOzUYFO-cert.pub
-rw-------   1 felipe  staff   3.2K Apr 15 11:04 MwJ6HFB1BsVgQVuTC6pVh01CFlTe6ejh
-rw-r--r--   1 felipe  staff   2.4K Apr 15 11:04 MwJ6HFB1BsVgQVuTC6pVh01CFlTe6ejh-cert.pub
-rw-------   1 felipe  staff   3.2K Apr 16 19:22 ZJEiVajueQfsTVt6HB8IN4fFh5DPxYPG
-rw-r--r--   1 felipe  staff   2.4K Apr 16 19:22 ZJEiVajueQfsTVt6HB8IN4fFh5DPxYPG-cert.pub
-rw-------   1 felipe  staff   3.2K Jul 26  2019 aS9DVHtOsnzOCZ0YPyCpqw1MSOHhRQP1
-rw-r--r--   1 felipe  staff   2.4K Jul 26  2019 aS9DVHtOsnzOCZ0YPyCpqw1MSOHhRQP1-cert.pub
-rw-------   1 felipe  staff   3.2K Apr 15 11:37 eNyGTWf90Ilx9L4s97OrPpJlufGfHekk
-rw-r--r--   1 felipe  staff   2.4K Apr 15 11:37 eNyGTWf90Ilx9L4s97OrPpJlufGfHekk-cert.pub
-rw-------   1 felipe  staff   3.2K Apr 17 09:49 gE2ALbq0nUCw8NBdnoFoqLfxxvS1YIK8
-rw-r--r--   1 felipe  staff   2.4K Apr 17 09:49 gE2ALbq0nUCw8NBdnoFoqLfxxvS1YIK8-cert.pub
-rw-------   1 felipe  staff   3.2K Jul 26  2019 jthdwxmMw6ouPL2H982K1L1AqriVoTws
-rw-r--r--   1 felipe  staff   2.4K Jul 26  2019 jthdwxmMw6ouPL2H982K1L1AqriVoTws-cert.pub
-rw-------   1 felipe  staff   3.2K Apr 17 09:48 lOM5VORINe3sH0sb1PcMtTaJlLFLfkp7
-rw-r--r--   1 felipe  staff   2.4K Apr 17 09:48 lOM5VORINe3sH0sb1PcMtTaJlLFLfkp7-cert.pub
-rw-------   1 felipe  staff   3.2K Apr 17 09:47 rB7KB6J3Czp3ZmRSThMTvVL0FTbocFCk
-rw-r--r--   1 felipe  staff   2.4K Apr 17 09:47 rB7KB6J3Czp3ZmRSThMTvVL0FTbocFCk-cert.pub
-rw-------   1 felipe  staff   3.2K Apr 16 19:08 tgJHdKcEwXleE51ZG81q9CE0mRtFvFTr
-rw-r--r--   1 felipe  staff   2.4K Apr 16 19:08 tgJHdKcEwXleE51ZG81q9CE0mRtFvFTr-cert.pub
-rw-------   1 felipe  staff   3.2K Jul 26  2019 xk0n5naXONX4EltF1qDmYw7Z9GUJX930
-rw-r--r--   1 felipe  staff   2.4K Jul 26  2019 xk0n5naXONX4EltF1qDmYw7Z9GUJX930-cert.pub

When trying a new authentication it would fail. I used the option -d to see which certificate it was trying to use, and added -v to the ssh command:

OpenSSH_8.2p1, OpenSSL 1.1.1f  31 Mar 2020
debug1: Reading configuration data /Users/felipe/.ssh/config
debug1: /Users/felipe/.ssh/config line 1: Applying options for *
debug1: Reading configuration data /usr/local/etc/ssh/ssh_config
debug1: Connecting to HOST_IP [HOST_IP] port 22.
debug1: Connection established.
debug1: identity file /Users/felipe/.gsh/certs/prod/rNzw4nQoDirwKp8u7Bzxbta6lXsNgJUU type -1
debug1: identity file /Users/felipe/.gsh/certs/prod/rNzw4nQoDirwKp8u7Bzxbta6lXsNgJUU-cert type 4
debug1: identity file /Users/felipe/.gsh/certs/prod/rNzw4nQoDirwKp8u7Bzxbta6lXsNgJUU-cert.pub type 4
debug1: identity file /Users/felipe/.gsh/certs/prod/rNzw4nQoDirwKp8u7Bzxbta6lXsNgJUU-cert.pub-cert type -1
debug1: identity file /Users/felipe/.ssh/id_rsa type 0
debug1: identity file /Users/felipe/.ssh/id_rsa-cert type 4
debug1: Local version string SSH-2.0-OpenSSH_8.2
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4
debug1: match: OpenSSH_7.4 pat OpenSSH_7.0*,OpenSSH_7.1*,OpenSSH_7.2*,OpenSSH_7.3*,OpenSSH_7.4*,OpenSSH_7.5*,OpenSSH_7.6*,OpenSSH_7.7* compat 0x04000002
debug1: Authenticating to HOST_IP:22 as 'USER'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:uZqx1/SL3Y7Q2Zm/qVrcivUJcWFR5diMMBGt+eXh2JQ
debug1: Host 'HOST_IP' is known and matches the ECDSA host key.
debug1: Found key in /Users/felipe/.ssh/known_hosts:902
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: /Users/felipe/.ssh/id_rsa RSA SHA256:eMb0q08Jp36LQGHmy8aEMWG5KVVdHo4WyfcB31Pcwus explicit agent
debug1: Will attempt key: /Users/felipe/.gsh/certs/prod/Jxvpytz6V3Hn9Hh4uawm7BoXh2FRxdP8 RSA SHA256:pM4+t6WXSHsP/caXWM+S2kvi8ApUG1c2UvOeUiJo1hM agent
debug1: Will attempt key: /Users/felipe/.gsh/certs/prod/Lboi113d2M1hWlZYgv5YV8C8PxOzUYFO RSA SHA256:0f0Hs+pEPKwSeLtgNIEZqI9V4afpNDUOaGmGs710kys agent
debug1: Will attempt key: /Users/felipe/.gsh/certs/prod/tgJHdKcEwXleE51ZG81q9CE0mRtFvFTr RSA SHA256:tmPrt/XHj0pe76QB/s53PBBxqKhsx69DXzfXF7BrEps agent
debug1: Will attempt key: /Users/felipe/.gsh/certs/prod/ZJEiVajueQfsTVt6HB8IN4fFh5DPxYPG RSA SHA256:mg+rCTp+DrMfAGp/8Qg8aBUDDekTZrTgEgzpQpFY9D4 agent
debug1: Will attempt key: /Users/felipe/.gsh/certs/prod/1V8tM1JuJBFfVq1U6zBndpjW5KrURlbe RSA SHA256:sBVD8rTjS8/JTkIlIv9GiniGwmsJLrtLsrB+VhZjm18 agent
debug1: Will attempt key: /Users/felipe/.gsh/certs/prod/rNzw4nQoDirwKp8u7Bzxbta6lXsNgJUU  explicit
debug1: Will attempt key: /Users/felipe/.gsh/certs/prod/rNzw4nQoDirwKp8u7Bzxbta6lXsNgJUU RSA-CERT SHA256:J6YY9HztjAsNamxvhJ4YSlz7mNi4j77hsUZPRJnRni4 explicit
debug1: Will attempt key: /Users/felipe/.gsh/certs/prod/rNzw4nQoDirwKp8u7Bzxbta6lXsNgJUU-cert.pub RSA-CERT SHA256:J6YY9HztjAsNamxvhJ4YSlz7mNi4j77hsUZPRJnRni4 explicit
debug1: Will attempt key: /Users/felipe/.ssh/id_rsa RSA-CERT SHA256:eMb0q08Jp36LQGHmy8aEMWG5KVVdHo4WyfcB31Pcwus explicit
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: /Users/felipe/.ssh/id_rsa RSA SHA256:eMb0q08Jp36LQGHmy8aEMWG5KVVdHo4WyfcB31Pcwus explicit agent
debug1: Authentications that can continue: publickey,password
debug1: Offering public key: /Users/felipe/.gsh/certs/prod/Jxvpytz6V3Hn9Hh4uawm7BoXh2FRxdP8 RSA SHA256:pM4+t6WXSHsP/caXWM+S2kvi8ApUG1c2UvOeUiJo1hM agent
debug1: Authentications that can continue: publickey,password
debug1: Offering public key: /Users/felipe/.gsh/certs/prod/Lboi113d2M1hWlZYgv5YV8C8PxOzUYFO RSA SHA256:0f0Hs+pEPKwSeLtgNIEZqI9V4afpNDUOaGmGs710kys agent
debug1: Authentications that can continue: publickey,password
debug1: Offering public key: /Users/felipe/.gsh/certs/prod/tgJHdKcEwXleE51ZG81q9CE0mRtFvFTr RSA SHA256:tmPrt/XHj0pe76QB/s53PBBxqKhsx69DXzfXF7BrEps agent
debug1: Authentications that can continue: publickey,password
debug1: Offering public key: /Users/felipe/.gsh/certs/prod/ZJEiVajueQfsTVt6HB8IN4fFh5DPxYPG RSA SHA256:mg+rCTp+DrMfAGp/8Qg8aBUDDekTZrTgEgzpQpFY9D4 agent
debug1: Authentications that can continue: publickey,password
debug1: Offering public key: /Users/felipe/.gsh/certs/prod/1V8tM1JuJBFfVq1U6zBndpjW5KrURlbe RSA SHA256:sBVD8rTjS8/JTkIlIv9GiniGwmsJLrtLsrB+VhZjm18 agent
Received disconnect from HOST_IP port 22:2: **Too many authentication failures**

ssh-agent had some certificates:

MacBook-Pro-37:~ felipe$ ssh-add -l 
2048 SHA256:eMb0q08Jp36LQGHmy8aEMWG5KVVdHo4WyfcB31Pcwus /Users/felipe/.ssh/id_rsa (RSA)
4096 SHA256:pM4+t6WXSHsP/caXWM+S2kvi8ApUG1c2UvOeUiJo1hM /Users/felipe/.gsh/certs/prod/Jxvpytz6V3Hn9Hh4uawm7BoXh2FRxdP8 (RSA)
4096 SHA256:0f0Hs+pEPKwSeLtgNIEZqI9V4afpNDUOaGmGs710kys /Users/felipe/.gsh/certs/prod/Lboi113d2M1hWlZYgv5YV8C8PxOzUYFO (RSA)
4096 SHA256:tmPrt/XHj0pe76QB/s53PBBxqKhsx69DXzfXF7BrEps /Users/felipe/.gsh/certs/prod/tgJHdKcEwXleE51ZG81q9CE0mRtFvFTr (RSA)
4096 SHA256:mg+rCTp+DrMfAGp/8Qg8aBUDDekTZrTgEgzpQpFY9D4 /Users/felipe/.gsh/certs/prod/ZJEiVajueQfsTVt6HB8IN4fFh5DPxYPG (RSA)
4096 SHA256:sBVD8rTjS8/JTkIlIv9GiniGwmsJLrtLsrB+VhZjm18 /Users/felipe/.gsh/certs/prod/1V8tM1JuJBFfVq1U6zBndpjW5KrURlbe (RSA)

After deleting all of them with ssh-add -D I was able to authenticate again.
