uber's ssh certificate pam module

Overview

Uber's SSH certificate pam module.

This is a pam module that authenticates a user based on the user having, in their ssh-agent, an ssh certificate signed by a specified ssh CA.

This is primarily intended as an authentication module for sudo. Using it for something else may be unsafe (we haven't tested it anyway). We'd be happy to learn of other potential uses though.

An example usage: you ssh to a remote machine and sshd authenticates you (probably using your ssh cert, because if you're using certificates for this you're probably using them for sshd as well). Later, when you want to run a command that requires authentication (eg. sudo), pam-ussh can authenticate you against the certificate in your forwarded ssh-agent instead of asking for a password.

Works on Linux and macOS. BSD doesn't work because Go doesn't (yet) support buildmode=c-shared on BSD.

Building:

  1. clone the repo and run 'make'
  $ git clone github.com/uber/pam-ussh

  ...

  $ make
  mkdir -p /home/pmoody/tmp/pam-ussh/.go/src
  GOPATH=/home/pmoody/tmp/pam-ussh/.go go get golang.org/x/crypto/ssh
  GOPATH=/home/pmoody/tmp/pam-ussh/.go go get golang.org/x/crypto/ssh/agent
  GOPATH=/home/pmoody/tmp/pam-ussh/.go go get github.com/stretchr/testify/require
  GOPATH=/home/pmoody/tmp/pam-ussh/.go go test -cover
  PASS
  coverage: 71.8% of statements
  ok  	_/home/pmoody/tmp/pam-ussh	0.205s
  GOPATH=/home/pmoody/tmp/pam-ussh/.go go build -buildmode=c-shared -o pam_ussh.so

  $

Usage:

  1. put this pam module wherever pam modules live on your system, eg. /lib/security

  2. add it as an authentication method, eg.

  $ grep auth /etc/pam.d/sudo
  auth [success=1 default=ignore] /lib/security/pam_ussh.so
  auth requisite                  pam_deny.so
  auth required                   pam_permit.so

  With this stack a pam_ussh success skips the next line (success=1) and lands on pam_permit, so authentication succeeds; any other result is ignored (default=ignore) and the stack falls through to pam_deny, which fails it. There is no password fallback here: if the agent holds no acceptable certificate, sudo is denied.

  3. make sure your SSH_AUTH_SOCK is available where you want to use this, ie. connect with agent forwarding enabled (ssh -A) from a client whose agent holds the certificate. Note that pam-ussh only authenticates; authorization is still decided by sudoers, which matches on the Unix user and group, not on certificate principals.

Runtime configuration options:

  • ca_file - string, the path to your TrustedUserCAKeys file, default /etc/ssh/trusted_user_ca. This is the public key of the CA that signs your user certificates.

  • authorized_principals - string, comma-separated list of authorized principals, default "". If set, the user needs to have a principal in this list in order to use this module. If this and authorized_principals_file are both set, only the last option listed is checked.

  • authorized_principals_file - string, path to an authorized_principals file, default "". If set, users need to have a principal listed in this file in order to use this module. If this and authorized_principals are both set, only the last option listed is checked.

  • group - string, default "". If set, the user needs to be a member of this group in order to use this module.

Example configuration:

the following looks for a certificate on $SSH_AUTH_SOCK that has been signed by /etc/ssh/user_ca. Additionally, the user needs to have a principal on the certificate that is listed in /etc/ssh/root_authorized_principals

auth [success=1 default=ignore] /lib/security/pam_ussh.so ca_file=/etc/ssh/user_ca authorized_principals_file=/etc/ssh/root_authorized_principals
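The checks that configuration asks the module to make (CA signature, validity window, principal membership) can be followed end to end in the stand-alone Go program below. It is an added example, not pam-ussh's own code: it builds and verifies an OpenSSH ed25519 user certificate with the standard library alone and leaves out the ssh-agent round trip. The function names, the key id "alice", the principals, and the `allowed` list standing in for root_authorized_principals are assumptions made for illustration.

```go
// Hypothetical stand-alone example, not pam-ussh code: sign and verify an OpenSSH
// ed25519 user certificate using only the Go standard library.
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

const certType = "ssh-ed25519-cert-v01@openssh.com"

// pack concatenates parts as RFC 4251 length-prefixed strings; be64 is a raw uint64.
func pack(parts ...[]byte) []byte {
	var b bytes.Buffer
	for _, p := range parts {
		binary.Write(&b, binary.BigEndian, uint32(len(p)))
		b.Write(p)
	}
	return b.Bytes()
}
func be64(v uint64) []byte { b := make([]byte, 8); binary.BigEndian.PutUint64(b, v); return b }

// rd is a bounds-checked wire reader: a bad length latches err and later reads return
// zeroed scratch, so the caller checks err once after parsing.
type rd struct{ buf []byte; err error }

func (r *rd) take(n int) (v []byte) {
	if r.err != nil || n < 0 || n > len(r.buf) {
		r.err = errors.New("malformed certificate")
		return make([]byte, 8)
	}
	v, r.buf = r.buf[:n], r.buf[n:]
	return v
}
func (r *rd) u32() uint32 { return binary.BigEndian.Uint32(r.take(4)) }
func (r *rd) u64() uint64 { return binary.BigEndian.Uint64(r.take(8)) }
func (r *rd) str() []byte { return r.take(int(r.u32())) }

// SignUserCert issues a user certificate for userPub signed by ca. As in OpenSSH the
// validity window is [after, before) in Unix seconds; critical options are left empty.
func SignUserCert(ca ed25519.PrivateKey, userPub ed25519.PublicKey, keyID string,
	principals []string, after, before uint64) []byte {
	nonce := make([]byte, 32)
	rand.Read(nonce)
	var ps bytes.Buffer // principals are packed as consecutive strings
	for _, p := range principals {
		ps.Write(pack([]byte(p)))
	}
	caBlob := pack([]byte("ssh-ed25519"), ca.Public().(ed25519.PublicKey))
	tbs := bytes.Join([][]byte{ // everything the CA signature covers
		pack([]byte(certType), nonce, userPub),
		be64(0), {0, 0, 0, 1}, // serial, uint32 SSH_CERT_TYPE_USER
		pack([]byte(keyID), ps.Bytes()),
		be64(after), be64(before),
		pack(nil, nil, nil, caBlob), // critical options, extensions, reserved, signing key
	}, nil)
	return append(tbs, pack(pack([]byte("ssh-ed25519"), ed25519.Sign(ca, tbs)))...)
}

// Verify is, in spirit, the check pam-ussh makes: blob must be a user certificate
// signed by trustedCA, valid at now, and carry a principal from allowed.
func Verify(blob []byte, trustedCA ed25519.PublicKey, now uint64, allowed []string) (string, error) {
	r := &rd{buf: blob}
	kind := string(r.str())
	r.str(); r.str(); r.u64() // nonce, user public key, serial
	ctype := r.u32(); r.str() // certificate type, key id
	principals := r.str()
	after, before := r.u64(), r.u64()
	r.str(); r.str(); r.str() // critical options, extensions, reserved
	sigKey := r.str()
	signedLen := len(blob) - len(r.buf) // the signature covers every field before it
	sig := &rd{buf: r.str()}; sig.str() // signature blob; skip its algorithm name
	sigBytes := sig.str()
	switch {
	case r.err != nil || sig.err != nil || len(r.buf) != 0:
		return "", errors.New("malformed certificate")
	case kind != certType || ctype != 1:
		return "", errors.New("not an ssh-ed25519 user certificate")
	// The CA key carried inside the cert is attacker-supplied: pin it to the configured CA
	// rather than verifying with whatever key the cert names, or any CA can forge for a user.
	case !bytes.Equal(sigKey, pack([]byte("ssh-ed25519"), trustedCA)):
		return "", errors.New("certificate not signed by the trusted CA")
	case !ed25519.Verify(trustedCA, blob[:signedLen], sigBytes):
		return "", errors.New("bad certificate signature")
	case now < after || now >= before:
		return "", errors.New("certificate expired or not yet valid")
	}
	for pr := (&rd{buf: principals}); len(pr.buf) > 0 && pr.err == nil; {
		p := string(pr.str())
		for _, a := range allowed {
			if p == a {
				return p, nil
			}
		}
	}
	return "", errors.New("no authorized principal in certificate")
}

func main() { // demo with a fresh CA and user key
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader)
	userPub, _, _ := ed25519.GenerateKey(rand.Reader)
	now := uint64(time.Now().Unix())
	cert := SignUserCert(caPriv, userPub, "alice", []string{"alice", "allowed_root"}, now-60, now+3600)
	fmt.Println(Verify(cert, caPub, now, []string{"allowed_root"}))
}
```

Run it with go run. Two details carry the security weight: the signing key embedded in the certificate is compared to the configured CA before the signature is checked (accepting whatever CA the certificate names is exactly the forgery reported in the "Verify the certificate is signed by the correct root CA" issue below), and valid_before is treated as exclusive, as OpenSSH does. A real PAM module must additionally have the agent sign a challenge with the certified key; merely listing a certificate proves nothing about possession of the private key.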

FAQ:

  • How do I report a security issue?

  • does this work with non-certificate ssh-keys?

    • No, not at the moment.
    • There's no reason it can't though; we just didn't need it to, so that functionality was never added.

  • why aren't you using $DEP_SYSTEM?

    • We didn't need to, so we didn't bother.

  • can you make it do $X?

    • Submit a feature request, or better yet a pull request.

Information on ssh certificates:

Issues
  • Add CI workflow

    Add a simple Github actions workflow to prove and demonstrate how to build this module. This could be the base for automated releases, for now it only runs the make command.

    Notable things for running with modern Go versions:

    GO111MODULE=auto is required (see: https://go.dev/blog/go116-module-changes)


    • Add CI workflow

    Add basic CI workflow to test and build

    • Add libpam0g-dev

    Add required package libpam0g-dev to CI

    opened by FlxPeters 4
  • Restrict sudo command for SSH Certificate ForcedCommand

    One of the options for an SSH certificate is force-command (https://man.openbsd.org/ssh-keygen.1#force-command).

    Would it be possible to limit the command that a user is able to execute with sudo if the force-command is set in the SSH certificate?

    This would be super useful to be able to issue a certificate for a user with sudo permissions for one particular command without knowing the command in advance (otherwise you could use the sudoers file).

    Is this possible in the PAM? Do you have access to the command that is to be run? I'm happy to contribute this feature with a little guidance in the right direction :)

    opened by stoggi 3
  • pam-ussh: Change IsAuthority -> IsUserAuthority

    In x/ssh/crypto a breaking change was introduced by pmoody in commit 527d12e53572562de9fd348d50e1ee4096803cec. This implements the needed fix within pam_ussh.go to support the upstream go change.

    This resolves #5.

    opened by brianredbeard 3
  • Make fails on centos 6

    Centos 6 using latest go in repository:

    # make test
    mkdir -p /lib/security/pam-ussh/.go/src
    GOPATH=/lib/security/pam-ussh/.go go get golang.org/x/crypto/ssh
    GOPATH=/lib/security/pam-ussh/.go go get golang.org/x/crypto/ssh/agent
    GOPATH=/lib/security/pam-ussh/.go go get github.com/stretchr/testify/require
    GOPATH=/lib/security/pam-ussh/.go go test -cover
    # _/lib/security/pam-ussh
    /tmp/go-build020625526/_/lib/security/pam-ussh/_test/_obj_test/pam_ussh.go:128: unknown ssh.CertChecker field 'IsAuthority' in struct literal
    FAIL	_/lib/security/pam-ussh [build failed]
    make: *** [test] Error 2
    
    opened by solomongifford 3
  • Project still alive?

    Hey there and first a big thanks for providing this project. We are trying out certificate based authentication at the moment and this seems to be the perfect fit to enable sudo via certs without having passwordless sudo. Before using it in production I have some concerns about the health of the project as there is no release and some open PRs.

    So just a simple question: Is this project still alive and maintained?

    Thanks :-)

    opened by FlxPeters 2
  • Log the username which was authenticated, not the principal

    In case of multiple principals in a certificate, cert.ValidPrincipals[0] will create a log entry with the first principal name, which has no relation to the authentication. It creates misleading logs. It assumes the first principal will always be the username, which might not be the case.

    Instead, the username should be logged explicitly that was authenticated.

    opened by shivamdixit 2
  • Verify the certificate is signed by the correct root CA.

    Fixes bug reported by penguinsaretasty.

    If pam-ussh is presented a certificate signed by another authority for the current user, pam-ussh will accept the forgery and return a successful authentication.

    opened by jessespears 1
  • Documentation should clearly state that the module is only meant for use with sudo, and any other use may be unsafe

    Apparently, pam-ussh itself and its recently added euid switching were designed with primarily, or even exclusively, sudo in mind. With sudo, the user controlling the SSH_AUTH_SOCK env var and the user being authenticated are the same, so it's reasonable to switch to that user's euid for accessing the socket (of the user's choice).

    Now imagine having the module stacked for su instead. The target user may be e.g. root (this is different from sudo's case), but the env var is under the invoking user's control (just like with sudo). Thus, the invoking user may make pam-ussh access a pathname that is not normally accessible by the user directly. The "pam-ussh: check cert against the pam username" commit hopefully defeats the obvious attack on authentication (although this depends on external/setup detail), but it doesn't deal with the issue of pathname probing (with pam-ussh becoming an oracle, potentially providing 1-bit responses via side-channels), nor with potential side-effects of being able to connect to (even though not talk over) arbitrary Unix domain sockets (not necessarily those of any ssh-agent, bypassing Unix permissions on parent directories and the sockets themselves).

    Maybe the README should be re-worded some further, stating that the module is only meant for use with sudo, and any other use may be unsafe? I don't find use e.g. along with su reasonable anyway.

    opened by solardiz 1
  • Please clarify that the client must use ssh-agent forwarding (ssh -A option).

    This might be obvious after one starts debugging... but pam-ussh only works if the client uses agent forwarding.

    Thanks for this PAM module! I'm trying to integrate it https://github.com/openstack/tatu (SSH as a Service for OpenStack).

    opened by pinodeca 0
  • How are security vulnerabilities for this package tracked in NIST/NVD?

    Hi,

    I was trying to find cpe_uri associated with this package in NIST/NVD so that COS (https://cloud.google.com/container-optimized-os/docs) can track security vulnerabilities associated with it. However, based on the search there was no cpe_uri associated. From the past security vulnerabilities, I could find https://hackerone.com/reports/204802 security vulnerability but there was no CVE Number assigned for that in that bug.

    Could you help in providing information as what cpe_uri can be used by downstream users to track security vulnerability in this package from NIST/NVD?

    opened by vaibhav-rustagi 2
  • AuthorizedPrincipalsCommand option

    This PR adds a configuration option to execute a separate command to get a list of authorized principals. It is similar to the AuthorizedPrincipalsCommand option for sshd.

    Some of the added tests rely on #21 which will need to be merged first or the tests may have to change depending on the result of that PR.

    opened by ArmaanT 0
  • Conditionally skip username check within certificate principals

    This PR removes the requirement that a username must appear within a certificate's list of principals so long as an explicit set of valid principals is defined. This change was made so that the call to c.CheckCert on line 166 will verify the certificate, but explicitly exclude checking principals because pam-ussh verifies principals later in the code.

    This change is related to #15.

    opened by ArmaanT 0
  • Clarify interaction with sudoers file

    This is a request to fill what seems to be a gap in the documentation around how pam-ussh hooks into the sudoers file (or its includes).

    I have just started investigating ssh certs and setup a simple test environment to learn how this works.

    I was pleased it only took a couple of hours to have my test server authenticating with certs working so known_hosts messages no longer appear and authorized_keys are not needed.

    The next step was to integrate pam-ussh into the solution but can't get it to work.

    It appears pam-ussh is accepting the certificate I'm presenting it with.

    My confusion is how this hooks into my sudo rules.

    I assume when the CA signs the public key, it gives the user key a number of principals: the user's name and the roles that user has, let's say one is "allowed_root". That "allowed_root" would be listed in /etc/ssh/root_authorized_principals. But what should the sudoers file contain? Something like: allowed_root ALL =(ALL) ALL I'm having trouble seeing how pam-ussh hooks into the sudoers rules. Could the documentation fill out this final missing piece of the puzzle?

    opened by asteele4 3
Owner
Uber Open Source