tg123 / sshpiper

The missing reverse proxy for ssh scp
https://sshpiper.com/
MIT License

Support for certificate based authentication #452

Open carlo-quinonez opened 5 days ago

carlo-quinonez commented 5 days ago

I searched and saw some issues and even a PR that were relevant to certificate support, but it wasn't clear what plugin supports this or how to configure it.

Our company has set up Step CA to enable certificate-based SSH access for service persons supporting customers with the devices we sell.

Does ssh-piper support certificate-based SSH authentication?

tg123 commented 5 days ago

yes, both downstream and upstream

but you need a customized plugin to do the CA verification

auth downstream only in your case, right?

tg123 commented 4 days ago

to verify the downstream CA, you need a new custom plugin to send CA+cert to upstream; you can check the example here https://github.com/tg123/sshpiper/blob/master/plugin/testcaplugin/main.go
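The downstream CA check tg123 describes, as an added example that is not part of this issue, of sshpiper or of its testcaplugin: a stand-alone Go program using only the standard library (no sshpiper plugin API, no golang.org/x/crypto) that first plays the CA (the role Step CA has in this thread) by issuing an ssh-ed25519 user certificate, and then performs the verification a CA-aware downstream plugin has to do before trusting the connecting user. The function names (`signUserCert`, `verifyUserCert`, `put`, `reader`), the key ID `fse-alice` and the principal `support` are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)
const ( // wire constants from OpenSSH's PROTOCOL.certkeys for ed25519 certificates
	certAlgo     = "ssh-ed25519-cert-v01@openssh.com"
	keyAlgo      = "ssh-ed25519"
	certTypeUser = 1 // SSH_CERT_TYPE_USER (host certificates use 2)
)
// put appends SSH wire fields: string/[]byte length-prefixed, uint32/uint64 big-endian.
func put(buf *bytes.Buffer, fields ...interface{}) {
	for _, f := range fields {
		switch v := f.(type) {
		case string:
			put(buf, []byte(v))
		case []byte:
			binary.Write(buf, binary.BigEndian, uint32(len(v)))
			buf.Write(v)
		case uint32, uint64:
			binary.Write(buf, binary.BigEndian, v)
		}
	}
}
// reader walks SSH wire data; the first decode error sticks in err so a whole structure can be read, then checked once.
type reader struct{ b []byte; err error }
func (r *reader) take(n int) []byte {
	if r.err != nil || n < 0 || len(r.b) < n { r.err = errors.New("truncated"); return nil }
	out := r.b[:n]
	r.b = r.b[n:]
	return out
}
func (r *reader) uintN(n int) (v uint64) { // n-byte big-endian integer
	for _, c := range r.take(n) { v = v<<8 | uint64(c) }
	return v
}
func (r *reader) str() []byte { return r.take(int(r.uintN(4))) }
// signUserCert plays the CA (Step CA's role in the thread): it issues an ssh-ed25519 user certificate for userPub signed by caPriv.
func signUserCert(caPriv ed25519.PrivateKey, userPub ed25519.PublicKey, keyID string,
	principals []string, validAfter, validBefore time.Time) []byte {
	nonce := make([]byte, 32)
	rand.Read(nonce)
	var plist, caKey, tbs, sig bytes.Buffer
	for _, p := range principals { put(&plist, p) }
	put(&caKey, keyAlgo, []byte(caPriv.Public().(ed25519.PublicKey)))
	// The signature covers every field up to and including the CA key. Serial 1; no critical options, extensions or reserved data.
	put(&tbs, certAlgo, nonce, []byte(userPub), uint64(1), uint32(certTypeUser), keyID,
		plist.Bytes(), uint64(validAfter.Unix()), uint64(validBefore.Unix()), "", "", "", caKey.Bytes())
	put(&sig, keyAlgo, ed25519.Sign(caPriv, tbs.Bytes()))
	put(&tbs, sig.Bytes())
	return tbs.Bytes()
}

// verifyUserCert is the check a CA-aware downstream plugin must make before trusting the connecting user; it returns the key ID on success.
func verifyUserCert(cert []byte, trustedCA ed25519.PublicKey, principal string, now time.Time) (string, error) {
	r := &reader{b: cert}
	algo := string(r.str())
	r.str(); r.str(); r.uintN(8) // nonce, user public key, serial
	ctype := r.uintN(4)
	keyID := string(r.str())
	plist := &reader{b: r.str()}
	validAfter, validBefore := r.uintN(8), r.uintN(8)
	r.str(); r.str(); r.str() // critical options, extensions, reserved
	caKey := &reader{b: r.str()}
	tbs := cert[:len(cert)-len(r.b)] // exactly the bytes the CA signed
	sig := &reader{b: r.str()}
	switch {
	case r.err != nil || len(r.b) != 0:
		return "", errors.New("malformed certificate")
	case algo != certAlgo || ctype != certTypeUser:
		return "", errors.New("not an ssh-ed25519 user certificate")
	case string(caKey.str()) != keyAlgo || !bytes.Equal(caKey.str(), trustedCA):
		return "", errors.New("not signed by the trusted CA") // pin our CA, not just any valid signer
	case string(sig.str()) != keyAlgo || !ed25519.Verify(trustedCA, tbs, sig.str()):
		return "", errors.New("bad signature")
	case uint64(now.Unix()) < validAfter || uint64(now.Unix()) >= validBefore:
		return "", errors.New("expired or not yet valid")
	}
	for plist.err == nil && len(plist.b) > 0 { // an empty principal list authorizes nobody here
		if string(plist.str()) == principal {
			return keyID, nil
		}
	}
	return "", fmt.Errorf("does not authorize principal %q", principal)
}

func main() {
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader)
	userPub, _, _ := ed25519.GenerateKey(rand.Reader)
	cert := signUserCert(caPriv, userPub, "fse-alice", []string{"support"}, time.Now(), time.Now().Add(time.Hour))
	fmt.Println(verifyUserCert(cert, caPub, "support", time.Now()))
}
```

The order of the checks is the point: the plugin must pin the CA key embedded in the certificate to the one CA it trusts before it even looks at the signature, then enforce the validity window and the principal list itself, because none of that is checked by the upstream device once sshpiper has already decided to forward the session. The hand-rolled wire parsing is only there to keep the example dependency-free; a real plugin would hand the parsed certificate to `golang.org/x/crypto/ssh`'s `CertChecker` (with `IsUserAuthority` pinning the Step CA key) rather than re-implementing it, and an empty principal list, which OpenSSH treats as valid for any user, is deliberately rejected here.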

carlo-quinonez commented 4 days ago

Yes, we only need to use certificate authentication of the user that's initiating the ssh connection.

And just want to confirm my understanding...

Downstream means User -> ssh-piper
Upstream means ssh-piper -> device

tg123 commented 4 days ago

correct

may I know which plugin you're using? I can add CA check support

carlo-quinonez commented 3 days ago

At the moment, we're (re)planning out a solution.

full context

We designed, implemented and tested a solution based on ssh-piper V0, but the project lost momentum and we never deployed it to production. The entire solution consisted of ssh-piper and AWS Step Functions to orchestrate transient jump hosts. The lifecycle of the jump host was tied to the lifecycle of the support case.

The solution involved two instances of ssh-piper, one to handle routing connections from our field service engineers, and the second instance handled routing connections from the devices. We needed two instances of ssh-piper because people and machines needed to authenticate differently...

Now, we've been asked to resurrect the solution AND enhance it to support certificate-based authentication, and I'm trying to wrap my head around what, if any, changes we need to make to the prior solution.

carlo-quinonez commented 3 days ago

We were using the old database plugin

tg123 commented 1 day ago

I would suggest taking a look at https://github.com/tg123/sshpiper-openpubkey; it integrates with Google OAuth with magic from OpenPubkey

also, CA support will first be added to the yaml plugin soon