SSH Certificate Authority in a lambda, automated by an OpenID Connect enabled agent.
Why? Check out this presentation Zero Trust SSH - linux.conf.au 2020.
~~ Warning ~~
This is still in very early development. Only use for testing. Not suitable for use in production yet. PR's welcome ;)
This project uses mage as a build tool. Install it.
Build the agent, lambda, and generate terraform code ready for deployment:
Terraform files are defined in
/terraform and the generated
sshrimp-ca.tf.json file can be used to automatically deploy sshrimp into multiple AWS regions.
terraform init terraform apply
sshd_config (on your server)
Server configruation is minimal. Get the public keys from KMS (using AWS credentials):
Put these keys in a file on your server
/etc/ssh/trusted_user_ca_keys, owned by
/etc/ssh/sshd_config to add the line:
ssh_config (on your local computer)
Since OpenSSH (>= 7.3), you can use the IdentityAgent option in your ssh config file to set the socketname you configured:
Host *.sshrimp.io User jeremy IdentityAgent /tmp/sshrimp-agent.sock
This has the advantage of only using the agent for the group of hosts you need, and let other hosts use your regular agent (like github.com for cloning git repos). In fact, you can't add other identities to the sshrimp-agent. It's meant to be used for only the hosts you need it for.
For other SSH clients or older versions, set the
SSH_AUTH_SOCKenvironment variable when invoking ssh:
SSH_AUTH_SOCK=/tmp/sshrimp-agent.sock ssh user@host
Start the agent:
SSH to your host:
- Shrimp have shells.
- Shrimp are lightweight.
- Has a backronym: SSH. Really. Isn't. My. Problem.
- Shrimp on a barbie?