cogolabs / beyond

BeyondCorp-inspired HTTPS/SSO Access Proxy. Secure internal services outside your VPN/perimeter network during a zero-trust transition.
https://research.google.com/pubs/pub45728.html

beyond vs huproxy #3

Open vzuevsky opened 2 years ago

vzuevsky commented 2 years ago

Hi guys, I can see there was huproxy to be an ssh plugin to access beyond. Do you have anything to replace huproxy as part of this active project - or am I shaking the wrong tree? Cheers

presbrey commented 2 years ago

Hi @vzuevsky, thanks for writing. SSH is always a good tree 😎 I'm assuming you refer to https://github.com/google/huproxy. This project does not answer cloud scale authentication nor authorization like beyond with oidc/saml/oauth2 and backend entities though it could be easily extended. Also, does huproxy need a special client software? One beyond goal is to maximize interoperability. We have an SSH project to release soon. It builds on this project: http://github.com/gliderlabs/ssh and adds GitHub and DUO integrations.

What federation integrations do you need for SSH keys, multi factor, backend ACL, etc.? Cheers, -Joe

vzuevsky commented 2 years ago

I think I am just trying to understand big picture around beyondcorp. Is https://www.beyondcorp.com/ backed by this repo, or is this repo something else? I indeed considered huproxy you mentioned in conjunction with https://github.com/Cloud-Foundations/keymaster/ (which works in PoC). So they are potentially three different solutions saying they are "beyondcorp" :-) You also mentioned https://github.com/gliderlabs/ssh (which you will rely on). I understand that's an ssh server replacing sshd in effect?

presbrey commented 2 years ago

Keymaster is new to me and looks interesting, thanks for the introduction! Great question on the big picture -

  1. this HTTPS OIDC/SAML(SSO) project we call "beyond"
  2. SSH project we call "superproxy" (also inspired by Google)

These projects make some choices on access control so all together we propose they implement the 3 components encircled in green below here from beyondcorp.com:

[image: beyondcorp.com component diagram, three components encircled in green]

Correct on the sshd question. Our Beyond SSHd project doesn't accept passwords or spawn shells like a bastion host but rather enforces MFA and only supports forwarding and proxy flags such as: -L -R -D -J (LocalForward, RemoteForward, SOCKS, ProxyJump). We use these together to enable and control private network access at scale without VPN.
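As an added illustration, not code from the beyond or superproxy projects: an OpenSSH `sshd_config` fragment that approximates the forward-only, MFA-enforced SSH gateway described above. It assumes a PAM keyboard-interactive second factor is already configured (for example a Duo PAM module) and a Unix group named `proxy-users` for gateway accounts.

```conf
# Assumed: PAM keyboard-interactive second factor (e.g. a Duo PAM module)
# is configured; "proxy-users" is a hypothetical group for gateway accounts.

# No password authentication anywhere on this host.
PasswordAuthentication no
PermitEmptyPasswords no
UsePAM yes
KbdInteractiveAuthentication yes

# Require both a key and the PAM second factor (MFA), in that order.
AuthenticationMethods publickey,keyboard-interactive

Match Group proxy-users
    # No shells, no TTYs, no commands: every session request is refused.
    ForceCommand /bin/false
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
    PermitTunnel no

    # Only -L / -R / -D / -J style port forwarding is allowed.
    AllowTcpForwarding yes
    GatewayPorts no
    # Constrain which internal targets can be reached (hypothetical ranges).
    PermitOpen 10.10.0.0/16:443 10.10.0.0/16:22
```

Clients connect with `ssh -N` (or via `ProxyJump`) to open forwards; a plain `ssh gateway` login returns immediately because `/bin/false` is forced and no PTY is granted. Validate with `sshd -t -f <file>` before deploying.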