tg123 / sshpiper-gh

ssh with your github identity
https://sshpiper.com/
MIT License

Security Concerns #1

Open jim3692 opened 10 months ago

jim3692 commented 10 months ago

I checked the project trying to understand how it works and what the security risks of such an approach are.

  1. The idea of storing credentials of any kind in a repository, even a private one, is itself a very bad practice. Some users may have other apps activated across all repos. If any of those apps is vulnerable, the credentials are at risk.
  2. Based on my understanding, the idea is that traffic passes through sshpiper.com, as there are no instructions for self-hosting the app. If that is the case, then other credentials of upstream servers, e.g. sudo passwords, may be exposed to sshpiper, as they can easily be logged. Besides the logging issue, there would also be a performance impact on SCP.

tg123 commented 10 months ago

I am totally with your security concern.

sshpiper.com is hosted on fly.io. Everything is open in the repo, and you can definitely host it yourself with the following steps:

  1. docker build . --> your own sshpiper-gh
  2. start it with these env vars:
    • SSHPIPERD_GITHUBAPP_BASEURL: this is your domain name, eg sshpiper.com
    • SSHPIPERD_GITHUBAPP_CLIENTID: github client id
    • SSHPIPERD_GITHUBAPP_CLIENTSECRET: github client secret

The GitHub app ID can be generated here: https://github.com/settings/apps
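The two self-hosting steps above, written out as a script. This is an added example, not a script from the sshpiper-gh repo: the image tag `sshpiper-gh`, the host port 2222, the env-file name and the sample values in the test are assumptions, while the three `SSHPIPERD_GITHUBAPP_*` variables are the ones listed in the comment. It adds the checks a practitioner would want before exposing the service: refuse to start when any of the three settings is missing, and hand the client secret to the container through a mode-0600 `--env-file` rather than on the command line, where it would show up in `ps` output and shell history.

```shell
#!/bin/sh
# Self-host sshpiper-gh: build the image, then start it with the three
# SSHPIPERD_GITHUBAPP_* settings from the maintainer's comment.
# Added example, not project code. IMAGE, PORT and the env-file path are
# assumptions; adjust them to your deployment.

IMAGE="${IMAGE:-sshpiper-gh}"   # assumed local image tag for `docker build`
PORT="${PORT:-2222}"            # assumed listening port of the container
REQUIRED_VARS="SSHPIPERD_GITHUBAPP_BASEURL SSHPIPERD_GITHUBAPP_CLIENTID SSHPIPERD_GITHUBAPP_CLIENTSECRET"

# Return 1 (naming the offender on stderr) if any required setting is unset
# or empty, so the daemon never comes up half-configured.
check_env() {
    for v in $REQUIRED_VARS; do
        eval "val=\${$v:-}"
        if [ -z "$val" ]; then
            echo "missing $v" >&2
            return 1
        fi
    done
    return 0
}

# Write the settings to a file created under umask 077 (mode 0600) for
# `docker run --env-file`, keeping the client secret off the command line.
write_env_file() {
    f="$1"
    ( umask 077; : > "$f" )
    for v in $REQUIRED_VARS; do
        eval "val=\${$v:-}"
        printf '%s=%s\n' "$v" "$val" >> "$f"
    done
}

# Compose the `docker run` command line; echoed, so it can be reviewed
# (or executed by the caller, as main does below).
run_cmd() {
    printf 'docker run -d --name sshpiper-gh --env-file %s -p %s:%s %s\n' \
        "$1" "$PORT" "$PORT" "$IMAGE"
}

main() {
    check_env || exit 1
    docker build -t "$IMAGE" .          # step 1 from the comment
    write_env_file ./sshpiper.env       # step 2: settings for the container
    sh -c "$(run_cmd ./sshpiper.env)"
}

# Only build and start when explicitly asked, so the functions can also be
# sourced and reviewed without touching docker.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Usage: export the three variables (the client ID and secret come from the GitHub App you register at https://github.com/settings/apps) and run `sh self_host.sh --run` from the repo root. Because the secret reaches the container only through `sshpiper.env`, remember to keep that file out of the repository, which is the same concern the first comment raises about credentials in repos.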

tg123 commented 7 months ago

Check the new project https://github.com/tg123/sshpiper-openpubkey; now you can use a 3rd-party OIDC provider to auth.