keyman

command module

v0.0.0-...-3ed2260 Latest Latest Go to latest Published: Nov 30, 2017 License: MIT Imports: 1 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/skuid/keyman

Links

Open Source Insights

README ¶

keyman

An SSH key CA Server.

With keyman, users can SSH into servers as whichever user is specified in the principals.

Usage

keyman is a cli for requesting server-signed SSH certs

Usage:
  keyman [flags]
  keyman [command]

Available Commands:
  help        Help about any command
  server      Run a SSH key signing server

Flags:
      --client-id string         The client ID for the application
      --client-secret string     The client secret for the application
      --config string            config file (default is $HOME/.keyman.yaml)
  -h, --help                     help for keyman
      --open-browser             Open the oauth approval URL in the browser (default true)
      --principals stringSlice   The identities to request (default [core,openvpnas])
      --pubkey string            The key to sign. Defaults to ~/.ssh/id_rsa.pub
      --server string            The server to connect to (default "https://localhost:3000")
      --skip-verify              Skip server TLS verification
      --write                    Write the issued SSH cert to the ~/.ssh directory (default true)

Use "keyman [command] --help" for more information about a command.

Demo

Create a ClientID/Client Secret in Google, and set the environment variables KEYMAN_CLIENT_ID and KEYMAN_CLIENT_SECRET.

# Create a server key pair
cd demo
openssl req -x509 -nodes -newkey rsa:4096 -keyout server.key -out server.pem -subj "/C=US/ST=Tennessee/L=Chattanooga/O=Skuid/OU=/CN=localhost"
cd -

# Start the server and an SSH server after
# filling out the empty variables in docker-compose.yaml
docker-compose up -d

# Get your pubkey signed by the server
go build
KEYMAN_SERVER="http://localhost:3000"
MY_PUBKEY=$(ls ~/.ssh/id_rsa.pub)
./keyman --skip-verify  --pubkey $MY_PUBKEY > ~/.ssh/id_rsa-cert.pub
ssh-keygen -Lf ~/.ssh/id_rsa-cert.pub
ssh -p 2222 core@localhost

# When inside the container
cat /var/log/sshd.log

Production Setup

You'll need an SSH keypair that will function as your Certificate Authority. Create it and keep the private key secret.

# Create an SSH Certificate Authority
ssh-keygen -C CA -f ca

First, you'll need to create a project and OAuth 2.0 Credential in the Google Cloud Console. You can follow this guide on creating an application, but do NOT create a web application. You'll need to select "Other" as the Application Type. Once that is created, you can download the ClientID and ClientSecret as a JSON file for ease of use.

You'll need to provide the Keyman server the ClientID, and each user the ClientSecret and ClientID.

Second, you'll need to create a Google Service Account and download the credentials as JSON. This allows the Keyman server to only allow certain group members access.

This Service account requires the following scopes:

https://www.googleapis.com/auth/admin.directory.group.member.readonly
https://www.googleapis.com/auth/admin.directory.group.readonly

Reading

Facebook Blog post

TODO

Key Revocation

License

MIT. See LICENSE

Documentation ¶

There is no documentation for this package.

Source Files ¶

View all Source files

main.go

Directories ¶

Path	Synopsis
cmd
groupauth
oidcauth
server
shapes Package shapes is a generated protocol buffer package.	Package shapes is a generated protocol buffer package.
sign

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL