Ever wanted to play around with SSH Principals and see how they work? This little package I put together creates a series of Docker containers which make use of Principals in SSH.
Clone the repository with git clone, then run ./test.sh, which will do the following:

- Bring up three containers: client, server, and ca.
- Use the client container to verify that it can/cannot SSH into certain accounts on the server and ca hosts.

A successful run will end in something like this:
I said this project was a playground, and I meant it! If you'd like to play around yourself, here's how to get started:
First, attach to the client container with docker-compose exec client bash.
From there, you can try SSHing into the server or the ca containers. The server container has the users root, user1, user2, and user3, and you can SSH into any of those user accounts.
The ca container trusts the CA key that we created, and has principals set up. As such, you can only SSH to the root, user1, and user2 users. user3 will not work.
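To make the "principals set up" part concrete, here is an added example (my own code, not part of the playground project). It decodes the OpenSSH certificate format, which is the data that ssh-keygen -L prints, and then models the decision sshd makes on the ca container: with an AuthorizedPrincipalsFile, an account accepts a certificate if any of the certificate's principals appears in that account's file, and the certificate must be inside its validity window. The certificate blob is constructed with placeholder key material so the script runs offline (it is not signed and sshd would reject it), and the per-account principals files are an assumption about how ca is configured. The same model explains the three exercises that follow.

```python
import base64
import struct

# Added example (not the playground's code): decode an OpenSSH certificate and
# model sshd's "which accounts may this certificate log in to?" decision.

FOREVER = 0xFFFFFFFFFFFFFFFF  # ssh-keygen's valid_before value for "forever"


def _ssh_string(data: bytes) -> bytes:
    """Encode an SSH 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _read_string(buf: bytes, off: int):
    """Decode one SSH 'string' at offset off; return (bytes, new_offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated certificate blob")
    return buf[off:off + n], off + n


def build_dummy_cert(key_id, principals, serial, valid_after, valid_before):
    """CONSTRUCTED input: an ssh-ed25519 certificate blob with placeholder
    nonce, key and signature, laid out exactly as OpenSSH does it."""
    ctype = b"ssh-ed25519-cert-v01@openssh.com"
    body = (
        _ssh_string(ctype)
        + _ssh_string(b"\x00" * 32)  # nonce (placeholder)
        + _ssh_string(b"\x11" * 32)  # ed25519 public key (placeholder)
        + struct.pack(">Q", serial)
        + struct.pack(">I", 1)  # certificate type: 1 = user, 2 = host
        + _ssh_string(key_id.encode())
        + _ssh_string(b"".join(_ssh_string(p.encode()) for p in principals))
        + struct.pack(">Q", valid_after)
        + struct.pack(">Q", valid_before)
        + _ssh_string(b"")  # critical options (none)
        + _ssh_string(b"")  # extensions (none)
        + _ssh_string(b"")  # reserved
        + _ssh_string(b"")  # CA public key (placeholder)
        + _ssh_string(b"")  # CA signature (placeholder)
    )
    return "%s %s %s" % (ctype.decode(), base64.b64encode(body).decode(), key_id)


def parse_cert(line):
    """Return the fields ssh-keygen -L shows for a *-cert.pub line.
    Handles ed25519, RSA and ECDSA certificates (the key encoding differs)."""
    ctype, b64 = line.split()[:2]
    buf = base64.b64decode(b64)
    t, off = _read_string(buf, 0)
    if t.decode() != ctype:
        raise ValueError("blob type does not match line type")
    _, off = _read_string(buf, off)  # nonce
    if ctype.startswith("ssh-rsa"):
        _, off = _read_string(buf, off)  # e
        _, off = _read_string(buf, off)  # n
    elif ctype.startswith("ecdsa-sha2"):
        _, off = _read_string(buf, off)  # curve name
        _, off = _read_string(buf, off)  # public point
    else:  # ssh-ed25519
        _, off = _read_string(buf, off)  # public key
    (serial,) = struct.unpack_from(">Q", buf, off); off += 8
    (kind,) = struct.unpack_from(">I", buf, off); off += 4
    key_id, off = _read_string(buf, off)
    pbuf, off = _read_string(buf, off)  # nested buffer of principal strings
    principals, p = [], 0
    while p < len(pbuf):
        name, p = _read_string(pbuf, p)
        principals.append(name.decode())
    valid_after, valid_before = struct.unpack_from(">QQ", buf, off)
    return {"type": ctype, "kind": "user" if kind == 1 else "host",
            "key_id": key_id.decode(), "serial": serial,
            "principals": principals,
            "valid_after": valid_after, "valid_before": valid_before}


def accounts_authorized(cert, principals_files, now):
    """Accounts this certificate may log in to, under AuthorizedPrincipalsFile
    semantics: the account's file lists at least one of the cert's principals
    and the cert is within its validity window. (Without such a file, sshd
    would instead require the account name itself to be a principal.)"""
    if not (cert["valid_after"] <= now < cert["valid_before"]):
        return set()
    wanted = set(cert["principals"])
    return {acct for acct, allowed in principals_files.items() if wanted & set(allowed)}


# Assumed layout of the ca container: each account's principals file lists
# only its own name, so the key below reaches root, user1 and user2 but not user3.
CA_PRINCIPALS_FILES = {"root": ["root"], "user1": ["user1"],
                       "user2": ["user2"], "user3": ["user3"]}
PLAYGROUND_CERT = build_dummy_cert("playground", ["root", "user1", "user2"], 1, 0, FOREVER)

if __name__ == "__main__":
    cert = parse_cert(PLAYGROUND_CERT)
    for k, v in cert.items():
        print("%-13s %s" % (k + ":", v))
    print("can log in as:", sorted(accounts_authorized(cert, CA_PRINCIPALS_FILES, now=1)))
```

Exercise 1 changes only the server side (user3's principals file gains root or user2), exercise 2 changes only the certificate (user3 is added to its principal list), and exercise 3 changes both (root is dropped from the certificate, sysadmin is added, and root's principals file on ca must then list sysadmin). Feeding those variations through accounts_authorized gives the same answers the containers will.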
If you want to prove to yourself that you fully understand Principals in SSH, try some of these exercises:

- Configure ca so you can log in as user3 on ca with the existing Principals of root and user2.
- Add user3 to the user key, and use it to log in as user3 on ca.
- Remove the root Principal from the user key and add sysadmin. Configure ca so that you can log in as the root user again.

These are some helper scripts I wrote to help streamline my development:
- ./bin/create-keys.sh - Create our SSH keys. Called by test.sh.
- ./bin/clean.sh - Kill all containers (or an existing container, if specified), remove them, (re)build them, and start them back up.
- ./bin/attach.sh - Attach to any running container.
- ./bin/clean-and-attach.sh - Nice wrapper script for the previous two commands. :-)
- ./bin/logs.sh - Display logs from all containers, or a single container if specified.
- ssh-keygen -L -f keys/my-key-cert.pub - View the signed key with its principals.

For troubleshooting, run docker-compose logs -f ca, as status messages from sshd will be sent there. On a successful login, a message like this will appear:
Accepted publickey for user1 from 172.21.0.3 port 34756 ssh2: ECDSA-CERT ID playground (serial 1) CA ECDSA SHA256:nR3ohRIBi2b29PgwLrqXvaO+qGlTdQBQyrI1KSHWG6k
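That log line carries everything a defender needs to audit certificate logins: the account, the source, the key id and serial of the certificate, and the fingerprint of the CA that signed it. As an added example (my own code, not part of the playground), here is a small parser for those lines and an audit pass that flags logins signed by a CA other than the one you expect, logins with a revoked serial, root logins (which the warning below says not to allow in production), and plain-key logins on a host you expect to be certificate-only. The first sample line is the one shown above; the other two, and the revoked serial, are constructed.

```python
import re

# Added example (not the project's code): parse sshd "Accepted publickey"
# lines for certificate logins and flag the ones worth a second look.

# First line is the README's sample output above; the other two are CONSTRUCTED.
SAMPLE_LOG = [
    "Accepted publickey for user1 from 172.21.0.3 port 34756 ssh2: ECDSA-CERT ID playground (serial 1) CA ECDSA SHA256:nR3ohRIBi2b29PgwLrqXvaO+qGlTdQBQyrI1KSHWG6k",
    "Accepted publickey for root from 10.0.0.9 port 50000 ssh2: ED25519-CERT ID laptop-bob (serial 42) CA ED25519 SHA256:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
    "Accepted publickey for user2 from 172.21.0.3 port 34800 ssh2: ECDSA SHA256:zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz",
]

# Fingerprint of the playground CA, taken from the sample line above.
PLAYGROUND_CA = "SHA256:nR3ohRIBi2b29PgwLrqXvaO+qGlTdQBQyrI1KSHWG6k"

# Certificate login: "<KEYTYPE>-CERT ID <key id> (serial N) CA <KEYTYPE> SHA256:..."
CERT_LOGIN = re.compile(
    r"Accepted publickey for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+) ssh2: "
    r"(?P<keytype>[A-Z0-9]+)-CERT ID (?P<key_id>.+?) \(serial (?P<serial>\d+)\) "
    r"CA (?P<catype>[A-Z0-9]+) (?P<ca_fp>SHA256:\S+)"
)
# Plain (non-certificate) public key login: "<KEYTYPE> SHA256:..."
PLAIN_LOGIN = re.compile(
    r"Accepted publickey for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+) ssh2: "
    r"(?P<keytype>\S+) (?P<fp>SHA256:\S+)"
)


def parse_login(line):
    """Return a dict for an accepted public-key login ('cert' tells the two
    forms apart), or None if the line is not an accepted public-key login.
    re.search is used so a syslog timestamp/hostname prefix is tolerated."""
    m = CERT_LOGIN.search(line)
    if m:
        ev = m.groupdict()
        ev["cert"] = True
        ev["serial"] = int(ev["serial"])
    else:
        m = PLAIN_LOGIN.search(line)
        if not m:
            return None
        ev = m.groupdict()
        ev["cert"] = False
    ev["port"] = int(ev["port"])
    return ev


def audit(lines, trusted_cas, revoked_serials=frozenset(), cert_only=True):
    """Return {line_index: sorted reasons} for accepted logins that deserve
    review. trusted_cas: set of CA fingerprints you issued. revoked_serials:
    serials you have revoked (assumed to be tracked elsewhere). cert_only:
    whether a plain-key login on this host is itself a finding."""
    findings = {}
    for i, line in enumerate(lines):
        ev = parse_login(line)
        if ev is None:
            continue
        reasons = []
        if ev["cert"]:
            if ev["ca_fp"] not in trusted_cas:
                reasons.append("untrusted CA")
            if ev["serial"] in revoked_serials:
                reasons.append("revoked serial")
        elif cert_only:
            reasons.append("plain key login")
        if ev["user"] == "root":
            reasons.append("root login")
        if reasons:
            findings[i] = sorted(reasons)
    return findings


if __name__ == "__main__":
    for idx, reasons in audit(SAMPLE_LOG, {PLAYGROUND_CA}, revoked_serials={42}).items():
        print("line %d: %s" % (idx, ", ".join(reasons)))
        print("   ", SAMPLE_LOG[idx])
```

sshd itself only logs "Accepted" for certificates it already trusts, so an "untrusted CA" hit means either a second CA was added to TrustedUserCAKeys without your knowledge or the host's configuration differs from what you believe; either way it is worth checking. The "revoked serial" check is a log-side backstop for sshd's RevokedKeys setting, not a replacement for it.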
The root user in this app is for demo purposes only. DO NOT allow root logins on a production system!

My email is doug.muth@gmail.com. I am also @dmuth on Twitter and Facebook!