Closed gelim closed 3 years ago
This can already be done by this method of setting your ssh key. https://github.com/butlerx/wetty/blob/main/docs/atoz.md#generate-the-ssh-key-file
I do this with nginx reverse proxy + authentication with authelia
I had a look. SSO is working fine by propagating $remote-user to wetty and using pubkey auth, but anyone authenticated can still impersonate any valid user by hitting /wetty/ssh/$other_user.
It looks like enforcing $remote-user (and nothing else) is not handled in the code.
That's a good point. Moving the logic from server/login.ts to server/command/address.ts should solve that.
If you feel like documentation could be improved for setting up SSO please feel free to create a PR outlining how you set it up
The fix of enforcing $remote-user when accessing /wetty/ssh/$user only partially solves the user impersonation issue.
As soon as an authenticated user is logged in, they can query 127.0.0.1:3000 directly, bypassing anything set on the proxy side, or forge any headers at will.
I use iptables -A OUTPUT -o lo -p tcp --dport 3000 -m owner ! --uid-owner www-data -j DROP for mitigating this risk.
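As an added illustration of the check discussed in the two comments above (example code, not wetty's own): the proxy-supplied identity header must equal the user named in the /wetty/ssh/<user> path before a session is opened. The header name 'remote-user' and the username pattern are assumptions, and the check only means anything when wetty is reachable exclusively through the proxy, as the iptables rule above enforces.

```javascript
// Added example, not wetty's code: authorize /wetty/ssh/<user> against the
// SSO identity forwarded by the reverse proxy.
const SSH_PATH = /^\/wetty\/ssh\/([^/?#]+)/;
const IDENTITY_HEADER = 'remote-user';          // assumption: header set by the proxy
const SAFE_USER = /^[a-z_][a-z0-9_-]{0,31}$/;   // assumption: POSIX-style user names

// Returns { allow, status, reason, user } for one request (headers as Node
// exposes them: lower-cased keys, string values).
function authorizeSshUser(headers, url) {
  const match = SSH_PATH.exec(url);
  if (!match) return { allow: false, status: 404, reason: 'not an ssh path' };

  let requested;
  try { requested = decodeURIComponent(match[1]); }
  catch { return { allow: false, status: 400, reason: 'bad encoding' }; }

  const ssoUser = headers[IDENTITY_HEADER];
  // No identity header: the proxy did not authenticate this request.
  if (typeof ssoUser !== 'string' || ssoUser === '')
    return { allow: false, status: 401, reason: 'no SSO identity' };

  // Reject odd names before either is ever handed to an ssh command line.
  if (!SAFE_USER.test(ssoUser) || !SAFE_USER.test(requested))
    return { allow: false, status: 400, reason: 'invalid user name' };

  // The impersonation case from the thread: authenticated as one user,
  // asking for a shell as another.
  if (requested !== ssoUser)
    return { allow: false, status: 403, reason: 'user mismatch' };

  return { allow: true, status: 200, reason: 'ok', user: ssoUser };
}

// Constructed sample requests: a legitimate one, the impersonation attempt,
// and a request that never passed through the proxy.
function demo() {
  return {
    good: authorizeSshUser({ 'remote-user': 'alice' }, '/wetty/ssh/alice'),
    bad:  authorizeSshUser({ 'remote-user': 'alice' }, '/wetty/ssh/bob?x=1'),
    anon: authorizeSshUser({}, '/wetty/ssh/alice'),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, r] of Object.entries(demo()))
    console.log(name, r.status, r.reason);
}
```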
If you feel like documentation could be improved for setting up SSO please feel free to create a PR outlining how you set it up
@gelim
I too would be interested in seeing that.
We use authelia and are looking to incorporate it into our ssh web client.
@davama @butlerx see PR #312
Cheers
thanks @gelim
Hi,
I'm starting to look at wetty with the idea to have it available password-less for users that are already authenticated via SSO by the reverse-proxy. Is that something you would be interested in? Having your thoughts about going into implementing that would be great.
Cheers, -- Mathieu