SSHPortal V2 🥈

[moul]

👋 I plan to start the v2 of sshportal.

For now, I mostly have developer-oriented ideas of enhancement, that should allow making the project easier to work on.

About the usage, I will try to limit as much as possible the retro-compatibility breaking. I also plan to write the migration that will allow keeping the current database.

Please, do not hesitate to add your thoughts if you have ideas for improvements or specific wishes.

Thank you for your support, and take care of you.

---

Checklist (based on my ideas and the comments below)

• [ ] simplify codebase, less deps, less hacks, more tests
• [ ] clean up old branches and issues
• [ ] add integration test
• [ ] fix issues flagged with the v2 milestone
• [ ] bump deps to their latest stable versions
• [ ] switch to GitHub actions
• [ ] add a built-in bug-reporting tool that prefill an issue
• [ ] include a feature-flag system allowing to ship experimental features
• [ ] add more non-admin CLI features
• [ ] support having an external API that manages the logic (you can use your existing user authentication)
• [ ] split the main binary into various components that can be run alone or together in the same process (sshgateway, webapi, ...)
• [ ] web UI
  • [ ] graphs
  • [ ] replay sessions
• [ ] replay sessions from the CLI
• [ ] reuse HostOption in both Host and HostGroup in order to support configuring one host or a group or host in the same way
• [ ] webhooks support
• [ ] built-in system monitoring (disk space, memory), send warnings

Targets:

• [ ] make the foundations in order to support having more contributors/co-maintainers
• [ ] propose paid support for companies that require having some guarantees / custom features

[jle64]

Hey nice to see this features being worked on, in particular the api and web ui.

At $WORK we have a internal small python web ui / rest api over sshportal that we made for our internal needs, so I'm listing them in case that can inspire you (from our point of view it would be great if they were built-in so we could ditch our custom stuff):

• ldap authentication and attribution of user roles based on ldap groups,
• host management with limitation of which hosts a user can create/update based on user role and host key,
• revocable api tokens that users can create with privileges equal or less than those of the user role,
• limitation of sessions replay based on user role (for privacy reasons),
• easy access to hosts list in simple txt format and basic http auth for use in bash completion and other simple custom scripts where users don't want the complexity of the full api
• associated ssh wrapper that calls into the api to provide users with some comfort functions (like directly connecting to a host hop, seeing who is currently connected to a host, shell completion etc)

Also for session replay we have had good results using tty-player.js.

[bozzo]

built-in system monitoring (disk space, memory), send warnings

Did you also plan to add metrics to monitor the app behaviour and expose them outside SSH Portal? for example, SSH Portal could expose, in Prometheus format, the active connection count per host, the active connection count per user, errors count per host, access denied ... This can be useful to detect suspicious activity.

[jeanlouisferey]

Awsome, a lot of interesting propositions !

At $WORK we made an Ansible role to manage SSHPortal resources (user, host, hostgroup, ...) and of course, it could be very useful to have an API to interact with SSHPortal instead of ssh communication. We are thinking to open source this Ansible role.

This Ansible role send directly by email the "SSHPortal invite" to the newly created user.

Maybe it could be an new feature for SSHPortal V2:

• ability to send invite by email for a newly created user
• based on a new configuration parameter (smtp host, with authentication or not, ...)
• with a template of mail (with a Jinja2-like template maybe)

[jeanlouisferey]

It could be useful, through configuration parameters, to modify ssh crypto parameters ?

I tried to find myself the answer in https://pkg.go.dev/golang.org/x/crypto/ssh but as Go is not my mother tongue, I'm not sure. Maybe with https://godoc.org/golang.org/x/crypto/ssh#Config

For example, with Opensshd, we can modify some parameters :

• Ciphers, using the Ciphersoption
• Host key algorithms, using the HostKeyAlgorithms option
• Key exchange algorithms, using the KexAlgorithms option
• Message authentication code algorithms, using the MACs option

With these parameters, it is possible to enforce ssh server configuration to follow some common SSH secure use recommendations (like the ANSSI one)

For example, when I try to audit my SSHPortal instance with ssh-audit, ssh-audit notes some weaknesses in the different algorithms used

[Grounz]

It could be useful to have a REST/API for configure sshportal with ANSIBLE. Today we have a ansible rôle for that but it's so tricky, we use shell module and he is not idempotent. I can help you you code a rest/api.

[Grounz]

Hi,

for system monitoring metrics, it's possible to use prometheus exporter go library for expose a /metrics api ? And will be possible to scrape it with prometheus .

[NoxInmortus]

Hello @jeanlouisferey @Grounz

Is your ansible role public ? It would be immensely appreciated

[jeanlouisferey]

Hello @NoxInmortus, Today, our Ansible role is not public. I planed to open source it, but I didn't take time to do it. I need to clean some parts of code and make a real documentation before.

[FaraFara]

Hello @jeanlouisferey!

..... We are thinking to open source this Ansible role....

Can you show some things? One year is gone... :) Thanx!

[WladyX]

Is this project still alive? Just found it and looks really, really cool! Thank you for sharing it and hope there will be a V2 :)

[libvoid]

@WladyX

This project is no longer maintained. You may take a look at our fork which is up to date and includes multiple security improvements / fixes but keep in mind that our fork is on MAINTENANCE mode and only security issues and major bugs will be fixed. We don't plan to add and accept new features.

Honestly, you should consider choosing another SSH bastion :

• https://github.com/warp-tech/warpgate (seems promising but is maintained by only 1 person)
• https://github.com/gravitational/teleport (maintained by a company)

[WladyX]

Will take a look at the alternatives. Thank you @libvoid !