This is an SSH CA that lets you retrieve a signed SSH certificate by authenticating through Duo.

Overview

github-duo-ssh-ca

Authenticate to GitHub Enterprise securely by requiring users to complete a Duo flow before they receive a short-lived SSH certificate for the key held on their YubiKey. The client runs as an SSH agent: it talks to the YubiKey and authenticates to the API server component whenever necessary. It will pop up a browser window for the Duo flow and ask for your YubiKey PIN.

Usage

  1. Get Duo credentials ("protect web SDK").
  2. Create an RSA 4096-bit keypair (the CA key the signer uses) with ssh-keygen -t rsa -b 4096.
  3. Run the server component.
  4. Generate credentials with client new.
  5. Run it as an agent with client agent.

Server

duo:
  client_id: "xxx"
  client_secret: "xxx"
  api_host: "api-xxx.duosecurity.com"

github:
  token: "xxx"
  orgs: ["ironpeakservices"]

signer:
  private_key_path: "ca"
  expires_seconds: 36000

listener:
  address: "localhost:9999"
  token_secret_hex: "32byteshex"
  tls:
    certificate_path: ""
    key_path: ""

./server -log=debug -config=server.yml
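To see what the signer section above actually produces, here is an added shell example (not part of github-duo-ssh-ca) that reproduces the server's signing step by hand with ssh-keygen: a CA key as in step 2, a stand-in for the YubiKey-resident user key, a certificate limited to expires_seconds (36000 s), and checks you can run against any certificate the CA hands out to confirm its key ID, principal and bounded lifetime. The e-mail, principal and temporary paths are placeholders.

```shell
#!/bin/sh
# Added example, not the project's code: mimic the server's "signer" with
# ssh-keygen and inspect the resulting certificate.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# README step 2: the CA keypair (passphrase-less only for this demo).
make_ca() { [ -f "$WORK/ca" ] || ssh-keygen -q -t rsa -b 4096 -N '' -f "$WORK/ca"; }

# Stand-in for the key that normally stays on the YubiKey.
make_user_key() { [ -f "$WORK/user" ] || ssh-keygen -q -t ed25519 -N '' -f "$WORK/user"; }

# Sign user.pub the way the server does: key ID = e-mail (shows up in sshd
# auth logs), principal = login the cert is valid for, lifetime = expires_seconds.
sign_cert() { # $1 e-mail, $2 principal, $3 lifetime in seconds
  ssh-keygen -q -s "$WORK/ca" -I "$1" -n "$2" -V "+${3}s" "$WORK/user.pub"
  echo "$WORK/user-cert.pub"
}

# Key ID as recorded in the certificate.
cert_key_id() { ssh-keygen -L -f "$1" | sed -n 's/^[[:space:]]*Key ID: "\(.*\)"$/\1/p'; }

# Succeeds only if $2 is listed under "Principals:".
cert_has_principal() {
  ssh-keygen -L -f "$1" | sed -n '/Principals:/,/Critical Options:/p' \
    | grep -qx "[[:space:]]*$2"
}

# Fails on "Valid: forever", i.e. a certificate signed without -V,
# which would defeat the short-lived design.
cert_is_time_bounded() {
  ssh-keygen -L -f "$1" | grep -q '^[[:space:]]*Valid: from .* to '
}

if command -v ssh-keygen >/dev/null 2>&1; then
  make_ca
  make_user_key
  CERT=$(sign_cert "user@example.com" "octocat" 36000)   # placeholder values
  ssh-keygen -L -f "$CERT"
  if cert_is_time_bounded "$CERT"; then echo "lifetime is bounded"; fi
fi
```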

Client

api: "http://localhost:9999"
email: "[email protected]"
socket_path: "/tmp/.shh"

./client -log=debug -config=client.yml agent

Releases (v1.4.0)

  • v1.4.0 (Nov 22, 2021)

    1.4.0 (2021-11-22)

    Feature

    • play around with goreleaser (35c6e14d)
    • work (f72e92c8)

    Code Refactoring

    • rework signers (d9c57c05)
    • abstract away yubikey support (45aeef4c)
  • v1.3.1 (Oct 28, 2021)

  • v1.3.0 (Oct 13, 2021)

  • v1.2.0 (Sep 9, 2021)

  • v1.1.0 (Sep 9, 2021)

    1.1.0 (2021-09-09)

    Feature

    • agent windows with named pipes (67714af4)
    • agent windows with named pipes (669eabf2)
    • agent windows with named pipes (ee10dde9)
    • agent windows with named pipes (fadfe3f4)
    • agent windows with named pipes (a55b580a)
    • agent windows with named pipes (580a6199)
    • agent windows with named pipes (ac6017bb)
    • agent windows with named pipes (e40eb713)
    • agent windows with named pipes (9b050a97)
    • agent windows with named pipes (6bbdc16e)
    • agent windows with named pipes (af249ec4)
    • agent windows with named pipes (de536a86)
    • agent windows with named pipes (6918e203)
    • agent windows with named pipes (4b26bebe)

    Chores

    • add cleanup action (0ac703d4)
  • v1.0.1 (Aug 31, 2021)

    1.0.1 (2021-08-31)

    Bug Fixes

    • don't close yubi on open error (0e920188)
    • don't close yubi on open error (473a241e)

    Code Refactoring

    • only lock yubikey when necessary (077ad584)

    Chores

    • fix build (dc0f0ba1)
    • fix build (80f6fc9e)
    • fix build (6f19576a)
    • fix build (8f4c68ec)
    • fix build (420dc24c)
    • fix build (b0c8ce86)
    • fix build (c00a9577)
    • fix build (13c8c28e)
    • fix build (5e94d5fa)
    • fix build (2e345247)
    • fix build (dd408470)
    • fix build (b394044d)
    • fix build (942ad84d)
    • fix build (1dd224b0)
    • fix build (89e62045)
    • fix build (20388ccd)
    • fix build (480c9221)
    • fix build (19dec62b)
    • fix build (4ea87ff3)
    • fix build (255413a1)
    • fix build (e2cde455)
    • add arm64 gcc dep (79fdc885)
    • enable cgo (b76840d0)
    • add dev ref (817f38c1)
  • v1.0.0 (Aug 10, 2021)

    1.0.0 (2021-08-10)

    Feature

    • re-add pinentry (5f6abe03)

    Bug Fixes

    • works on macos with default pin (e38b63d1)
    • cache improvements and refactoring (7b372498)

    Code Refactoring

    • flow work (4a90455e)
    • refactor to flows (a528ede7)
    • improvements (04b821df)

    Chores

    • gitignore (e56a7894)
    • cleanup (9f6a6a5a)
    • gitignore (86ace2d4)
    • gitignore (5d05ff91)
    • gitignore (45a53eb3)

    clean

    • cleanup (494cc22d)
Owner
Niels Hofmans
Hello! I'm a cybersecurity freelancer and an open sourcerer from Belgium.