
nbeguier / cassh
70.0 7.0 20.0 382 KB

SSH CA administration via CLI and GUI

Home Page: https://medium.com/leboncoin-engineering-blog/cassh-ssh-key-signing-tool-39fd3b8e4de7

License: Apache License 2.0

Languages: Python 54.57%, CSS 5.12%, HTML 2.68%, Shell 37.05%, Dockerfile 0.58%
Topics: ssh, sign, authority-control, krl, python, cli

cassh's People

Contributors: dependabot[bot], mattrose, nbeguier, ttinkr, xakraz

cassh's Issues

Add OAuth2/OpenID Connect authentication

This is a feature request.

In addition to LDAP authentication, it would be possible to authenticate users with OpenID Connect. This would make it possible to integrate cassh into environments where Google Accounts are used to authenticate users (and, of course, other environments that employ an identity provider which supports OpenID Connect).

Cassh Server - clean functions

A Server class that has the CASSH-specific methods:

  • list_keys
  • sign_keys

A ClusterController class with:

  • status (cluster_alived)
  • get_krl (cluster_last_krl)
  • update_krl (cluster_update_krl)

Maybe Server would merge into ClusterController at some point and just be renamed as Controller, with an option / param to support cluster mode.

And finally the Tools class could be removed and these methods would go back as functions:

  • pg_connection
  • get
  • post
  • sql_to_json

and tools might be renamed as cassh_utils.

Add a "signed" field to the "cassh status" command

Context

When you add a key, you can see explicitly that the status is Pending

$ cassh status
{
    "expiration": "1970-01-01 01:00:00 (UTC+0000)", 
    "realname": "Firstname Lastname", 
    "ssh_key_hash": "2048 e8:00:ed:f3:ae:8c:d1:65:e6:3b:48:8f:d5:84:fd:f5 ", 
    "status": "PENDING", 
    "username": "username"
}

After an admin activates a user, same result: we can clearly see the status:

$ cassh status
Please type your LDAP password (user=Xavier Krantz): 
{
    "expiration": "1970-01-01 01:00:00 (UTC+0000)", 
    "realname": "Xavier Krantz", 
    "ssh_key_hash": "2048 e8:00:ed:f3:ae:8c:d1:65:e6:3b:48:8f:d5:84:fd:f5 ", 
    "status": "ACTIVE", 
    "username": "username"
}

However, there is currently no way to know whether the key is signed,
even if we can guess it, since the expiration date is then set in the future:

$ cassh status
{
    "expiration": "2017-08-26 11:29:19 (UTC+0000)", 
    "realname": "Firstname Lastname", 
    "ssh_key_hash": "2048 e8:00:ed:f3:ae:8c:d1:65:e6:3b:48:8f:d5:84:fd:f5 ", 
    "status": "ACTIVE", 
    "username": "username"
}

Feature request:

It would be nice to have an explicit field for quick understanding, especially for users who are not very familiar with the CLI and SSH practices. Maybe a new field, or update the status field to SIGNED?

Display pubkey better hash and add rate

Keys are not displayed properly:

    "ssh_key_hash": "2048 e8:47:77:a6:ea:aa:7d:26:67:24:ba:3a:52:b6:3f:ce ", 

    "ssh_key_hash": "2048 SHA256:R8NwvNikoqVR9DMwvNikoqVR9DdOSwvNikoqVR9D roberto@roberto-ThinkPad-T470p (RSA)\n", 

    "ssh_key_hash": "256 SHA256:hf44FmQ8YdbeEdO+u7geOKv", 

It would be better to split this into categories:

  • DSA (weakest)
  • RSA (standard)
  • ECDSA (better)
  • Ed25519 (strongest, but not supported on old OS)

and show the length.

Why not add a rating to help the admin validate a key?
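The classification the issue asks for can be taken from the key blob itself rather than from the free-form comment that pollutes the third "ssh_key_hash" sample above. The following is an added example, not cassh project code: it parses the RFC 4253 wire format that follows the key type in an authorized_keys-style line, derives the family and bit length, computes both fingerprint styles shown in the issue (the colon-separated MD5 one and the SHA256: one), and applies an assumed rating policy. The sample keys are constructed in the block and are not real key material; the rating thresholds are an assumption, not cassh's policy.

```python
"""Classify an OpenSSH public key and compute its fingerprints (added example)."""
import base64
import hashlib
import struct


def _read_string(blob: bytes, offset: int):
    """Read one length-prefixed SSH wire 'string'; returns (bytes, new offset)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:end], end


def parse_pubkey(line: str) -> dict:
    """Return family, bit length and fingerprints for one public-key line."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    keytype, blob = fields[0], base64.b64decode(fields[1])
    wire_type, off = _read_string(blob, 0)
    if wire_type.decode("ascii", "replace") != keytype:
        raise ValueError("key type field does not match the blob")

    if keytype == "ssh-rsa":
        _e, off = _read_string(blob, off)        # public exponent (mpint)
        n, off = _read_string(blob, off)         # modulus (mpint); its size is the key size
        family, bits = "RSA", int.from_bytes(n, "big").bit_length()
    elif keytype == "ssh-dss":
        p, off = _read_string(blob, off)         # prime p (q, g, y follow)
        family, bits = "DSA", int.from_bytes(p, "big").bit_length()
    elif keytype.startswith("ecdsa-sha2-"):
        curve, off = _read_string(blob, off)     # e.g. b"nistp256"
        family, bits = "ECDSA", int(curve.decode()[len("nistp"):])
    elif keytype == "ssh-ed25519":
        pk, off = _read_string(blob, off)        # raw 32-byte public key
        family, bits = "Ed25519", len(pk) * 8
    else:
        raise ValueError(f"unsupported key type {keytype}")

    sha256 = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    md5 = hashlib.md5(blob).hexdigest()
    return {
        "family": family,
        "bits": bits,
        "sha256": "SHA256:" + sha256,                            # ssh-keygen -l -E sha256
        "md5": ":".join(md5[i:i + 2] for i in range(0, 32, 2)),  # ssh-keygen -l -E md5
        "comment": " ".join(fields[2:]),
    }


def rate_key(info: dict) -> str:
    """Assumed admin policy (not cassh's): reject DSA and RSA below 2048 bits."""
    family, bits = info["family"], info["bits"]
    if family == "DSA":
        return "reject"          # 1024-bit only; ssh-dss is disabled by default since OpenSSH 7.0
    if family == "RSA":
        if bits < 2048:
            return "reject"
        return "good" if bits >= 3072 else "acceptable"
    if family == "ECDSA":
        return "good"
    return "best"                # Ed25519


def build_pubkey_line(keytype: str, *fields: bytes, comment: str = "") -> str:
    """Build a key line from wire strings; only used to construct sample input."""
    blob = b"".join(struct.pack(">I", len(f)) + f for f in (keytype.encode(), *fields))
    return f"{keytype} {base64.b64encode(blob).decode()} {comment}".strip()


# Constructed samples (not real key material): an Ed25519 key with a dummy
# point, and a 2048-bit RSA key with e=65537 and an arbitrary modulus.
SAMPLE_ED25519 = build_pubkey_line("ssh-ed25519", bytes(range(32)), comment="alice@laptop")
SAMPLE_RSA2048 = build_pubkey_line(
    "ssh-rsa",
    b"\x01\x00\x01",
    b"\x00" + ((1 << 2047) | 12345).to_bytes(256, "big"),  # mpint: leading 0x00 keeps it positive
    comment="bob@desktop",
)

if __name__ == "__main__":
    for sample in (SAMPLE_ED25519, SAMPLE_RSA2048):
        info = parse_pubkey(sample)
        print(f"{info['family']:8} {info['bits']:5} {rate_key(info):10} {info['sha256']}")
```

The family and size come from the blob, so a client cannot influence them through the comment, and the type mismatch check rejects a line whose first field does not match what is actually encoded. The SHA256 fingerprint is printed the way ssh-keygen does, base64 without the trailing padding.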

How to deploy CA files to ssh servers.

So, I have set up the cassh server, and created a key, but I have no idea how to deploy the files necessary to be able to use my newly created and signed key on an SSH server.

Could somebody write up some quick instructions on the following:

  1. Which files need to be copied from either the CASSH server or the CASSH client to the remote SSH server?
  2. Which sshd_config options need to be set for the remote SSH server to be able to authenticate the CASSH-signed key?
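The sshd side of this is generic OpenSSH certificate trust and does not depend on cassh. As an added example (not from the cassh project or its documentation), the block below emits the two sshd_config directives involved and checks an existing sshd_config for them. The file paths are assumptions: the CA public key is the public half of the key cassh signs with, copied from the cassh server; the KRL is the revocation list cassh manages. The sample configs are constructed.

```python
"""sshd_config directives needed to accept CA-signed user certificates (added example)."""
import re

CA_PUB = "/etc/ssh/cassh_ca.pub"   # assumed path: CA *public* key copied from the cassh server
KRL = "/etc/ssh/cassh_krl"         # assumed path: KRL exported from cassh (optional, recommended)

REQUIRED = {"TrustedUserCAKeys": CA_PUB}   # the only directive a certificate login strictly needs
RECOMMENDED = {"RevokedKeys": KRL}         # makes sshd honour cassh's revocation list


def sshd_ca_fragment() -> str:
    """Lines to append to sshd_config; run `sshd -t` and reload afterwards."""
    return "".join(f"{k} {v}\n" for k, v in {**REQUIRED, **RECOMMENDED}.items())


def parse_sshd_config(text: str) -> dict:
    """Effective top-level directives, lower-cased keyword -> value.

    First occurrence wins, as in sshd; `Key value` and `Key=value` are both
    accepted; comments are stripped; Match blocks are ignored (simplification:
    this checker only looks at the global section).
    """
    effective = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1] if len(parts) > 1 else ""
        if key == "match":
            in_match = True       # everything after the first Match belongs to some Match block
            continue
        if in_match:
            continue
        effective.setdefault(key, value)
    return effective


def check_ca_trust(text: str) -> list:
    """Return a list of problems; an empty list means sshd will accept CA-signed certs."""
    cfg = parse_sshd_config(text)
    problems = []
    for key in REQUIRED:
        if key.lower() not in cfg:
            problems.append(f"missing {key}")
    for key in RECOMMENDED:
        if key.lower() not in cfg:
            problems.append(f"no {key}: revoked certificates stay valid until they expire")
    if cfg.get("pubkeyauthentication", "yes").lower() == "no":
        problems.append("PubkeyAuthentication no disables certificate logins too")
    return problems


# Constructed sshd_config samples, not copied from any host.
SAMPLE_GOOD = "# constructed sample\nPort 22\n" + sshd_ca_fragment() + "Match User git\n    PasswordAuthentication no\n"
SAMPLE_BAD = "PubkeyAuthentication no\n# TrustedUserCAKeys /etc/ssh/cassh_ca.pub   still commented out\n"

if __name__ == "__main__":
    print(sshd_ca_fragment())
    print("good:", check_ca_trust(SAMPLE_GOOD))
    print("bad: ", check_ca_trust(SAMPLE_BAD))
```

Only the CA public key (and the KRL, if used) goes to the SSH servers; the CA private key never leaves the signing host. Nothing from the client needs copying: ssh picks up the signed certificate automatically when it sits next to the private key as `<key>-cert.pub`, or via `CertificateFile` in ssh_config, and `ssh-keygen -L -f <key>-cert.pub` shows its principals and validity window. By default sshd accepts the certificate only if one of its principals equals the login user name; `AuthorizedPrincipalsFile` can be set to decouple the two. sshd also enforces the validity window against its own clock, so clock skew on the target host shows up as a rejected, "not yet valid" certificate.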

Getting all settings / configurations / paths through env variables and mounted secrets

It would be really great to be able to specify all configuration attributes via environment variables, for example the path to settings.txt for cassh-web.
Furthermore, it would also be super handy to be able to define keys as paths to files. This would allow keys to be mounted in Kubernetes as Secrets, and the rest of the configuration could reside in a ConfigMap.
Both changes would allow a fast and consistent configuration and deployment of all the components in a Kubernetes cluster.

Thanks,
Thomas
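One way to implement what this request describes, as an added example that is not cassh's configuration code: every setting is read from an environment variable, and each secret may instead be supplied as a file path through a companion `*_FILE` variable (the convention Docker and Kubernetes users expect for mounted Secrets). The variable names (`CASSH_*`) and the settings list are assumptions; the demo files are constructed in a temporary directory. The practitioner caveat is the permission check: a mounted secret that other users on the host can read is refused.

```python
"""Settings from env vars, with secrets optionally read from mounted files (added example)."""
import os
import stat
import tempfile

# setting name -> (env var, is_secret); assumed names, not cassh's real settings
SETTINGS = {
    "settings_path": ("CASSH_SETTINGS", False),
    "ldap_password": ("CASSH_LDAP_PASSWORD", True),
    "ca_key": ("CASSH_CA_KEY", True),
}


def _read_file(path: str, secret: bool) -> str:
    """Read a setting from a file; secrets must not be group/world accessible."""
    if secret:
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise PermissionError(f"{path} is group/world accessible (mode {mode:04o})")
    with open(path, encoding="utf-8") as fh:
        return fh.read().rstrip("\n")


def load_settings(env, spec=SETTINGS) -> dict:
    """Resolve every setting from VAR_FILE (a mounted file) or VAR (inline value)."""
    out = {}
    for key, (var, secret) in spec.items():
        file_var = var + "_FILE"
        if file_var in env and var in env:
            raise ValueError(f"set {var} or {file_var}, not both")   # ambiguous: refuse to guess
        if file_var in env:
            out[key] = _read_file(env[file_var], secret)
        elif var in env:
            out[key] = env[var]
        else:
            raise KeyError(f"missing {var} or {file_var}")
    return out


def demo() -> dict:
    """Constructed run: two 0600 'mounted' secret files plus one inline value."""
    with tempfile.TemporaryDirectory() as mount:
        paths = {}
        samples = (
            ("ldap_password", "constructed-ldap-secret"),
            ("ca_key", "-----BEGIN OPENSSH PRIVATE KEY-----\nnot-a-real-key\n-----END OPENSSH PRIVATE KEY-----"),
        )
        for name, content in samples:
            paths[name] = os.path.join(mount, name)
            with open(paths[name], "w", encoding="utf-8") as fh:
                fh.write(content + "\n")
            os.chmod(paths[name], 0o600)
        env = {
            "CASSH_SETTINGS": "/etc/cassh/settings.txt",   # assumed path, passed inline
            "CASSH_LDAP_PASSWORD_FILE": paths["ldap_password"],
            "CASSH_CA_KEY_FILE": paths["ca_key"],
        }
        return load_settings(env)


def demo_rejects_world_readable() -> bool:
    """A secret left at the Kubernetes Secret volume default mode (0644) is refused."""
    with tempfile.TemporaryDirectory() as mount:
        path = os.path.join(mount, "ca_key")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("not-a-real-key\n")
        os.chmod(path, 0o644)
        try:
            _read_file(path, secret=True)
        except PermissionError:
            return True
        return False


if __name__ == "__main__":
    settings = demo()
    print({k: ("<redacted>" if SETTINGS[k][1] else v) for k, v in settings.items()})
    print("world-readable secret rejected:", demo_rejects_world_readable())
```

Kubernetes mounts Secret volumes with `defaultMode` 0644 unless told otherwise, so a deployment using this loader needs `defaultMode: 0400` on the volume (together with `runAsUser`/`fsGroup` matching the container user) for the check to pass; that is the intended effect, since a CA private key readable by every process in the container is the failure the check exists to catch.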

tmp file not readable

127.0.0.1:41578 - - [09/Jul/2017 12:04:07] "HTTP/1.1 GET /admin/user" - 200 OK
do_ca_sign: unable to open "/tmp/tmpDAkVaX": No such file or directory

Increase log verbosity

Add IP, user agent, version, account and wrong inputs

Also, disable logs for /ping and /health
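The fields this issue lists are all client-controlled except the account, which is what makes "increase verbosity" a security decision as well as a debugging one. The block below is an added example, not cassh's logging code: it builds one structured access record per request with those fields, drops the /ping and /health probes, strips control characters so a crafted User-Agent or "wrong input" cannot forge extra log lines, caps field length, and trusts X-Forwarded-For only when the operator says a reverse proxy sets it. The WSGI-style environ is constructed, and the client version is assumed to be passed in by the caller.

```python
"""Access-log record for one HTTP request, with log-injection safeguards (added example)."""
import json
import re
import time

HEALTH_PATHS = {"/ping", "/health"}        # load-balancer probes: not worth a line each
_CTRL = re.compile(r"[\x00-\x1f\x7f]")      # CR/LF here would let a client forge extra log lines
MAX_FIELD = 200


def _clean(value, limit: int = MAX_FIELD) -> str:
    """Replace control characters and cap length so one request cannot flood the log."""
    text = _CTRL.sub("?", str(value))
    return text[:limit] + ("..." if len(text) > limit else "")


def client_ip(environ: dict, trusted_proxy: bool = False) -> str:
    """REMOTE_ADDR unless a trusted reverse proxy is known to set X-Forwarded-For."""
    if trusted_proxy and environ.get("HTTP_X_FORWARDED_FOR"):
        return environ["HTTP_X_FORWARDED_FOR"].split(",")[0].strip()  # left-most: original client
    return environ.get("REMOTE_ADDR", "-")


def access_record(environ, status, account=None, version=None, bad_input=None, trusted_proxy=False):
    """Fields for one request, or None when the path should not be logged at all."""
    path = environ.get("PATH_INFO", "")
    if path in HEALTH_PATHS:
        return None
    record = {
        "ts": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "ip": _clean(client_ip(environ, trusted_proxy)),
        "method": _clean(environ.get("REQUEST_METHOD", "-")),
        "path": _clean(path),
        "status": int(status),
        "ua": _clean(environ.get("HTTP_USER_AGENT", "-")),
        "version": _clean(version or "-"),   # client version, as reported by the caller
        "account": _clean(account or "-"),   # the authenticated user name; never the LDAP password
    }
    if bad_input is not None:
        record["bad_input"] = _clean(bad_input, limit=80)  # enough to debug, too short to be harmful
    return record


def access_log_line(environ, status, **kw):
    """One JSON object per line: greppable, and easy to ship to a SIEM."""
    record = access_record(environ, status, **kw)
    return None if record is None else json.dumps(record, separators=(",", ":"))


# Constructed request (not a real capture): a User-Agent smuggling a CRLF and
# a spoofed X-Forwarded-For header.
SAMPLE_ENVIRON = {
    "REMOTE_ADDR": "127.0.0.1",
    "REQUEST_METHOD": "GET",
    "PATH_INFO": "/admin/user",
    "HTTP_USER_AGENT": "curl/7.88\r\nfake: line",
    "HTTP_X_FORWARDED_FOR": "203.0.113.9, 10.0.0.2",
}

if __name__ == "__main__":
    print(access_log_line(SAMPLE_ENVIRON, 200, account="username", version="1.2.3"))
    print(access_log_line({"PATH_INFO": "/ping", "REMOTE_ADDR": "10.0.0.2"}, 200))
```

Logging "wrong inputs" is useful for spotting probing, but the raw input should never be echoed unbounded: the cap and the control-character substitution above keep a single request from writing a fake "admin activated user" line into the same file an incident responder will later read.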
