1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
|
package controllers
import (
"crypto/rand"
"fmt"
"io"
"net/http"
"strings"
"time"
"code.crute.us/mcrute/ssh-proxy/app/middleware"
"code.crute.us/mcrute/ssh-proxy/app/models"
"github.com/labstack/echo/v4"
"golang.org/x/crypto/ssh"
)
type CASecret struct {
Key string `mapstructure:"key"`
}
type CAHandlerConfig struct {
Logger echo.Logger
Users models.UserStore
Expiration time.Duration
Secret CASecret
}
type CAHandler struct {
Logger echo.Logger
Users models.UserStore
Expiration time.Duration
signer ssh.Signer
}
func NewCAHandler(cfg CAHandlerConfig) (*CAHandler, error) {
signer, err := ssh.ParsePrivateKey([]byte(cfg.Secret.Key))
if err != nil {
return nil, err
}
cfg.Logger.Infof("CA Authorized Key: %s", ssh.MarshalAuthorizedKey(signer.PublicKey()))
return &CAHandler{
Logger: cfg.Logger,
Users: cfg.Users,
Expiration: cfg.Expiration,
signer: signer,
}, nil
}
func (h *CAHandler) authorizeRequest(c echo.Context, certRequest *ssh.Certificate) error {
session := middleware.GetAuthorizedSession(c)
user, err := h.Users.Get(c.Request().Context(), session.UserId)
if err != nil {
return err
}
if user.Username != certRequest.ValidPrincipals[0] {
return fmt.Errorf("Authenticated username and cert username must match")
}
if !session.HasScope("ca:issue") {
return fmt.Errorf("Authorized session does not have scope ca:issue")
}
if certRequest.Extensions == nil {
return fmt.Errorf("Cert request extensions are empty")
}
hostLine, ok := certRequest.Extensions["allowed-hosts"]
if !ok {
return fmt.Errorf("Cert request allowed-hosts is blank")
}
for _, host := range strings.Split(hostLine, ",") {
if !user.AuthorizedForHost(host) {
return fmt.Errorf("User %s is not authorized for host %s", session.UserId, host)
}
}
h.Logger.Infof("Allowing user %s to obtain SSH certificate for hosts %s", user.Username, hostLine)
return nil
}
func (h *CAHandler) verifyRequestSignature(c *ssh.Certificate) error {
// Copied from ssh.Certificate#bytesForSigning
// https://cs.opensource.google/go/x/crypto/+/refs/tags/v0.11.0:ssh/certs.go;l=499-505
c2 := *c
c2.Signature = nil
out := c2.Marshal()
// Drop trailing signature length.
return c.Verify(out[:len(out)-4], c.Signature)
}
func (h *CAHandler) HandleIssue(c echo.Context) error {
req, err := io.ReadAll(c.Request().Body)
if err != nil {
return c.JSON(http.StatusBadRequest, map[string]string{
"error": "Unable to read request body",
})
}
pubkey, _, _, _, err := ssh.ParseAuthorizedKey(req)
if err != nil {
return c.JSON(http.StatusBadRequest, map[string]string{
"error": "Error parsing certificate request",
})
}
certRequest, ok := pubkey.(*ssh.Certificate)
if !ok {
return c.JSON(http.StatusBadRequest, map[string]string{
"error": "Invalid format for certificate request",
})
}
if certRequest.CertType != ssh.UserCert {
return c.JSON(http.StatusBadRequest, map[string]string{
"error": "This CA only issues user certificates",
})
}
if len(certRequest.ValidPrincipals) != 1 {
return c.JSON(http.StatusBadRequest, map[string]string{
"error": "Invalid number of principals specified",
})
}
// Kinda silly I guess but at least proves that the requestor
// is in posession of the private key that we're signing
if err := h.verifyRequestSignature(certRequest); err != nil {
h.Logger.Error(err)
return c.JSON(http.StatusUnauthorized, map[string]string{
"error": "Invalid signature",
})
}
if err := h.authorizeRequest(c, certRequest); err != nil {
h.Logger.Error(err)
return c.JSON(http.StatusUnauthorized, map[string]string{
"error": "Not authorized",
})
}
utcNow := time.Now().UTC()
// Serial doesn't really matter since these are so short lived and we
// won't be revoking them
certToIssue := &ssh.Certificate{
Key: certRequest.Key,
Serial: uint64(utcNow.Unix()),
CertType: ssh.UserCert,
KeyId: fmt.Sprintf("%s_%d", certRequest.ValidPrincipals[0], utcNow.Unix()),
ValidPrincipals: certRequest.ValidPrincipals,
ValidAfter: uint64(utcNow.Add(-5 * time.Minute).Unix()),
ValidBefore: uint64(utcNow.Add(h.Expiration).Unix()),
Permissions: ssh.Permissions{
Extensions: map[string]string{
"permit-pty": "",
},
},
}
if err := certToIssue.SignCert(rand.Reader, h.signer); err != nil {
return c.JSON(http.StatusBadRequest, map[string]string{
"error": "Error signing certificate",
})
}
return c.Blob(http.StatusOK, "application/x-ssh-certificate", ssh.MarshalAuthorizedKey(certToIssue))
}
|