antoniomika / sish

HTTP(S)/WS(S)/TCP Tunnels to localhost using only SSH.
https://ssi.sh
MIT License

Add authentication-key-request-url option #247

Closed rjobanp closed 1 year ago

rjobanp commented 2 years ago

Allows validating ssh public keys via an HTTP request to a separate service (if a key in the auth keys directory didn't already succeed).

The authentication-key-request-url flag allows specifying a URL which will receive an HTTP POST request whose body contains an OpenSSH 'authorized key' formatted public-key for each client key presented. If the request responds with a 200 status-code the auth is validated.

This should enable my team to delegate auth controls to a separate service of ours, without having to manage a shared disk between sish and that service with the keys directory.

In the future I'd like to expand this to allow 'whitelisting subdomains' in the HTTP response which sish uses to allow only certain HTTP forwarding subdomains to be allocated to this connection.

Happy for any/all feedback!
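The contract described in the comment above, seen from the receiving service's side, as an added example that is not code from this pull request or from sish. It assumes the raw POST body is the authorized-key line exactly as the description states; the `/auth` path, the listen address, the SHA-256 allowlist, the 400/403 rejection codes and the sample key are all constructed for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"io"
	"net/http"
	"strings"
)

// Constructed sample: an ssh-ed25519 blob holding an all-zero key, not a real credential.
var sampleKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAAA" + strings.Repeat("A", 40) + " demo@example"

// keyBlob decodes "type base64 [comment]" and checks the algorithm name inside the blob equals the declared type.
func keyBlob(line string) ([]byte, bool) {
	f := strings.Fields(line)
	if len(f) < 2 {
		return nil, false
	}
	blob, err := base64.StdEncoding.DecodeString(f[1])
	if err != nil || len(blob) < 4 {
		return nil, false
	}
	n := binary.BigEndian.Uint32(blob) // length prefix of the embedded algorithm name
	return blob, uint64(n) <= uint64(len(blob)-4) && string(blob[4:4+n]) == f[0]
}

// authorize returns the HTTP status for one presented key; only 200 validates it.
func authorize(body string, allowed map[[32]byte]bool) int {
	blob, ok := keyBlob(body)
	if !ok {
		return http.StatusBadRequest
	}
	if allowed[sha256.Sum256(blob)] {
		return http.StatusOK
	}
	return http.StatusForbidden
}

// main serves the check on loopback; the body read is capped so a caller cannot exhaust memory.
func main() {
	blob, _ := keyBlob(sampleKey)
	allowed := map[[32]byte]bool{sha256.Sum256(blob): true}
	http.HandleFunc("/auth", func(w http.ResponseWriter, r *http.Request) {
		body, _ := io.ReadAll(io.LimitReader(r.Body, 16<<10))
		w.WriteHeader(authorize(string(body), allowed))
	})
	http.ListenAndServe("127.0.0.1:8080", nil)
}
```

Because a 200 is the whole authentication decision, the endpoint should be reachable only by the sish host and served over a channel sish can authenticate, since anything able to answer 200 in its place admits every key.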

rjobanp commented 1 year ago

Hey @antoniomika - curious if you have any feedback on this

rjobanp commented 1 year ago

Sorry for the delay - I've been on vacation but will address your feedback this week or next!