shortbread

Published: Dec 10, 2014 License: Apache-2.0

README

shortbread

OpenSSH CA signing and publishing Daemon.

Problem

Managing SSH keys has two problems:

  1. Onboarding a new user so they can log in to a box usually requires scp'ing their key to the target. Revoking access requires removing the key again (and remembering to do so).

  2. Users generally just blindly trust a host's key the first time they connect. This opens users up to MitM attacks.

To fix these two problems OpenSSH has implemented an SSH CA system. However, it is a command-line tool that is rather hard to use. See https://www.digitalocean.com/community/tutorials/how-to-create-an-ssh-ca-to-validate-hosts-and-clients-with-ubuntu

Solution

Put Go and HTTP on it! All of these features should be achievable with the Certificate type in the go.crypto/ssh library: https://godoc.org/code.google.com/p/go.crypto/ssh#Certificate

Onboarding New Users

User story: Alice the admin needs to give access to the prod cluster to Ian the intern.

Alice would POST to a URL to have a public key signed, with constraints such as a validity period or a forced command.

POST /v1/sign
{
	"certificate": "prod-servers",
	"username": "core",
	"validityInterval": "201506231248",
	"rsaPubkey": "ssh-rsa AAUw=="
}

Then a daemon living on the user's laptop would pull down their certificates from the signing machine.

GET /v1/certificates/fingerprint

$CERT_BODY

Unfortunately Ian's laptop was stolen and he didn't encrypt the disk! We had better revoke his keys:

POST /v1/revoke
{
	"rsaPubkey": "ssh-rsa AAUw=="
}

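As an added example (not code from the shortbread project), the Go program below models the server-side policy behind the /v1/sign, /v1/revoke and /v1/certificates/fingerprint endpoints above using only the standard library: it validates a sign request, derives the OpenSSH-style SHA256 fingerprint a key would be published and revoked under, and performs the check a host makes on a presented certificate. The SignRequest fields are the README's; the IssuedCert and CA types, reading validityInterval as YYYYMMDDHHMM in UTC, and refusing an empty principal are assumptions, and the actual signing with go.crypto/ssh's Certificate is left out.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
	"time"
)

// SignRequest mirrors the JSON body the README posts to /v1/sign.
type SignRequest struct {
	Certificate      string `json:"certificate"`
	Username         string `json:"username"`
	ValidityInterval string `json:"validityInterval"`
	RSAPubkey        string `json:"rsaPubkey"`
}

// IssuedCert holds the fields a CA would put in the OpenSSH user certificate (assumed struct).
type IssuedCert struct {
	Fingerprint  string
	Principals   []string
	ValidAfter   time.Time
	ValidBefore  time.Time
	ForceCommand string // "" means no force-command critical option
}

const validityLayout = "200601021504" // assumption: "201506231248" is YYYYMMDDHHMM, UTC

// Fingerprint returns the OpenSSH-style SHA256 fingerprint of an "ssh-rsa <base64>"
// line, the identifier /v1/certificates/<fingerprint> and /v1/revoke key on.
func Fingerprint(pubkey string) (string, error) {
	fields := strings.Fields(pubkey)
	if len(fields) < 2 || fields[0] != "ssh-rsa" {
		return "", errors.New(`expected an "ssh-rsa <base64>" public key line`)
	}
	blob, err := base64.StdEncoding.DecodeString(fields[1])
	if err != nil {
		return "", fmt.Errorf("bad key base64: %w", err)
	}
	sum := sha256.Sum256(blob)
	return "SHA256:" + base64.RawStdEncoding.EncodeToString(sum[:]), nil
}

// CA is a minimal in-memory authority: policy checks plus a revoked-key set.
type CA struct{ revoked map[string]bool }

func NewCA() *CA { return &CA{revoked: map[string]bool{}} }

// Sign validates the request and returns the certificate fields to be signed; now is injected.
func (ca *CA) Sign(req SignRequest, forceCommand string, now time.Time) (IssuedCert, error) {
	if req.Username == "" { // an empty principal list would make the cert valid for any user
		return IssuedCert{}, errors.New("username (the certificate principal) is required")
	}
	fp, err := Fingerprint(req.RSAPubkey)
	if err != nil {
		return IssuedCert{}, err
	}
	if ca.revoked[fp] {
		return IssuedCert{}, errors.New("key is revoked; a new keypair is required")
	}
	validBefore, err := time.ParseInLocation(validityLayout, req.ValidityInterval, time.UTC)
	if err != nil {
		return IssuedCert{}, fmt.Errorf("validityInterval must be YYYYMMDDHHMM: %w", err)
	}
	if !validBefore.After(now) {
		return IssuedCert{}, errors.New("validityInterval is already in the past")
	}
	return IssuedCert{Fingerprint: fp, Principals: []string{req.Username},
		ValidAfter: now, ValidBefore: validBefore, ForceCommand: forceCommand}, nil
}

// Revoke stops further issuance for a key. Certificates already handed out stay valid
// until ValidBefore unless servers also consume a revocation list, hence short lifetimes.
func (ca *CA) Revoke(pubkey string) error {
	fp, err := Fingerprint(pubkey)
	if err != nil {
		return err
	}
	ca.revoked[fp] = true
	return nil
}

// Authorize is the server-side check: not revoked, inside the window, principal matches.
func (ca *CA) Authorize(c IssuedCert, loginUser string, now time.Time) bool {
	if ca.revoked[c.Fingerprint] || now.Before(c.ValidAfter) || !now.Before(c.ValidBefore) {
		return false
	}
	for _, p := range c.Principals {
		if p == loginUser {
			return true
		}
	}
	return false
}
```

Note that the README's sample key "ssh-rsa AAUw==" is a placeholder rather than valid base64 (its length is not a multiple of four), so Fingerprint rejects it; feed it a real authorized_keys line. Revocation here only stops further issuance and fails Authorize; a certificate already on a laptop remains usable by any host that does not also consult the CA's revoked list, which is the case for keeping validityInterval short.
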
Onboarding New Hosts

Host verification would work very similarly. Let's get the user case down first.

Directories

Path, with its synopsis indented below:

Godeps
_workspace/src/code.google.com/p/gcfg
  Package gcfg reads "INI-style" text-based configuration files with "name=value" pairs grouped into sections (gcfg files).
_workspace/src/code.google.com/p/gcfg/scanner
  Package scanner implements a scanner for gcfg configuration text.
_workspace/src/code.google.com/p/gcfg/token
  Package token defines constants representing the lexical tokens of the gcfg configuration syntax and basic operations on tokens (printing, predicates).
_workspace/src/code.google.com/p/gcfg/types
  Package types defines helpers for type conversions.
_workspace/src/code.google.com/p/go.crypto/ssh
  Package ssh implements an SSH client and server.
_workspace/src/code.google.com/p/go.crypto/ssh/agent
  Package agent implements a client to an ssh-agent daemon.
_workspace/src/code.google.com/p/go.crypto/ssh/terminal
  Package terminal provides support functions for dealing with terminals, as commonly found on UNIX systems.
_workspace/src/code.google.com/p/go.crypto/ssh/test
  This package contains integration tests for the code.google.com/p/go.crypto/ssh package.
_workspace/src/code.google.com/p/google-api-go-client/googleapi
  Package googleapi contains the common code shared by all Google API libraries.
_workspace/src/code.google.com/p/google-api-go-client/googleapi/internal/uritemplates
  Package uritemplates is a level 4 implementation of RFC 6570 (URI Template, http://tools.ietf.org/html/rfc6570).
_workspace/src/code.google.com/p/google-api-go-client/googleapi/transport
  Package transport contains HTTP transports used to make authenticated API requests.
_workspace/src/github.com/spf13/pflag
  pflag is a drop-in replacement for Go's flag package, implementing POSIX/GNU-style --flags.
  Package api provides access to the API to communicate with a centralized CA.
  Sole purpose is to get google-api-go-generator into Godeps
cmd
  shortbreadctl command
