Most simples Secure Shell proxy to control access of your engineering/support team(s) to private servers.
This tool is for a company that provide support to clients, small engineering teams or start-ups. Anyone who needs centralized, secure and simples access governance to private server. It offers an alternative solution to authorized_keys.
Why not authorized_keys on server?
Imagine that you need to ask for root access on client's server. If you put public keys of all your engineers on client's server, then you need to maintain list of client's servers to delete these keys and you need to disclose list of your people.
All this is a bad idea, especially when you will corrupt authorized_keys on server by running your automation tool and client's simultaneously.
This tool will allow to put only one public key on server and maintain access through this key.
Secondly, it solves a problem of SSH access provision in the ad-hoc cloud environment, where new servers automatically comes and goes.
As benefits, you gets
- No LDAP, Kerberos or any other nightmare technologies
- No need to share private key with all your team including fired people
- All actions are logged so that you will be able to find, who have dropped production database
Please be aware that solution is still under development.
- Secure shell proxy.
- Secure port forwarding via stdio.
- Of-the-shelf deployment to docker-based environments.
SSH proxy is a daemon that helps you to control access of your support team to customers servers with following workflow:
- You create your team key pair
- Give public key to all customers
- Store private key on a private server that runs a proxy. The access to this server has to be limited to yourself
- Take public key from your support personnel
- Upload them on that proxy server
- Now your support stuff can login to customer server unless you revoke this access
Use the proxy to control access of your engineering team to cloud servers with similar workflow
- Use the console to generate key pair(s) for your environment.
- Upload the private key to a ssh-proxy server.
- Take public key from your engineers (e.g. github identity)
- Upload public keys on that proxy server.
- Now your support stuff can login to cloud servers unless you revoke this access
The easiest way to run Secure Shell proxy is Docker containers, there are available pre-build images at flussonic/ssh-proxy. Alternatively, you can use Erlang escript to spawn a daemon but it requires an installation of Erlang OTP/19 or later release.
docker run -it --rm --name ssh-proxy \
-p ${CONFIG_SSH_PORT}:2022 \
-v ${CONFIG_SSH_AUTH}:/opt/data/auth \
-v ${CONFIG_SSH_USERS}:/opt/data/users \
flussonic/ssh-proxyUse environment variables or other means to configure the proxy container
## defines a port used by proxy
export CONFIG_SSH_PORT=2022
## location of server's private key
export CONFIG_SSH_AUTH=/tmp/ssh/auth
## location of user's publick key. Only these user will be able to build a tunnel
export CONFIG_SSH_USERS=/tmp/ssh/usersUpload a team private key (the key that provisions access to all private servers) id_rsa to ${CONFIG_SSH_AUTH} folder on ssh-proxy server.
Upload users public key to ${CONFIG_SSH_USERS} folder on ssh-proxy server. Name the file after the users name. User's access is revoked if you delete this key from the proxy.
Your team needs to update ~/.ssh/config file with details of ssh proxy
Host ssh-proxy
HostName 127.0.0.1
Port 2022
User my-user-name
IdentityFile ~/.ssh/my-public-key
Please note that proxy has a special syntax to identify private servers. Username, host and ports have to be specified like user/host/port.
ssh user/private-host@ssh-proxyErlang SSH subsystem do not supports a standard ssh port forwarding. The proxy daemon implements a port forwarding using standard I/O. Using a special syntax:
ssh user/private-host~forward-host/port@ssh-proxyOnce SSH connection is established, any stdin is delivered to forward-host/port and its response available at stdout of your local ssh process. A following scripts helps you to attach ssh stdio to any local port.
mkfifo pipe
while [ 1 ]
do
nc -l 8080 < pipe | ssh -T user/private-host~forward-host/port@ssh-proxy | tee pipe > /dev/null
doneThe project accepts contributions via GitHub pull requests.
- Fork it
- Create your feature branch
git checkout -b my-new-feature - Commit your changes
git commit -am 'Added some feature' - Push to the branch
git push origin my-new-feature - Create new Pull Request
The proxy development requires Erlang OTP/19 or later release.
Use the following command to run the proxy locally for RnD purposes
escript ssh-proxy.erl \
-p 2022 \
-i /tmp/ssh/auth \
-u /tmp/ssh/users \
-t /tmp/ssh/server