If you squint, GitHub is basically a free, zero-ops IdP that provides SSH public keys. Let's use it to authenticate to OpenSSH!
There are two ways to use aeneid. You can configure both methods at once.
- You set a list of
{unix_username = "github_username"}pairs in theoverridessection of/etc/aeneid.toml. These users will be able to login with the SSH keys they have saved on their GitHub account. - You create a GitHub organization, with a team inside it that has some members. You configure
/etc/aeneid.tomlwith an API key. As long as these users remain in the organization and team, they'll be able to login to OpenSSH via public key.
Install aeneid with your usual package manager. If that's not possible, you can use cargo.
deb (Debian, Ubuntu, etc): download from GitHub releases then dpkg -i /path/to/aeneid.deb
rpm (Fedora, RHEL, etc): download from GitHub releases then rpm -i /path/to/aeneid.rpm
nix (NixOS, etc): coming soon (TM)...
cargo (not recommended, see FAQ): cargo install aeneid && cp $(whereis aeneid | cut -f 2 -d " ") /usr/local/bin && cargo uninstall aeneid && sudo /usr/local/bin/aeneid --init
Automatic Configuration
If you used a non-cargo package manager, everything should be automatically configured. Just add credentials (and/or overrides) to /etc/aeneid/config.toml, and then run sudo aeneid --init to automatically configure your sshd. If you'd rather manually configure your sshd, see the paragraph about sshd in the manual configuration section.
Manual Configuration
Create a new unix user called aeneid and place the binary somewhere that both the new user and the sshd user can read / execute. Make sure the aeneid user (and ONLY the aeneid user) can read / write / execute in /etc/aeneid.
The configuration lives in /etc/aeneid/config.toml. If it doesn't exist, create it based on the src/config.toml in this repository. All fields have comments explaining what they do.
You'll also need to set AuthorizedKeysCommand /path/to/bin/aeneid and AuthorizedKeysCommandRunAs aeneid in your sshd_config (typically /etc/ssh/sshd_config) so that OpenSSH knows where to get keys from.
If you specified a unix username in overrides, use that username. If you're using GitHub teams, and your username starts with a number, prefix your username with an _ to login. Otherwise, your username is your GitHub username. See the unix_to_github function in main.rs for more information.
Automatically creating users is currently unsupported, you'll need to create the corresponding user manually before first login (adduser username).
$ # make sure ssh is setup with your GitHub keys, then...
$ ssh username@example.com # that's itI've thought about security a little, but not nearly as much as I'd like. I don't recommend using this anywhere security is important. It's your responsibility to ensure that...
/etc/aeneidand all children are owned by a separate user (call itaeneid) and set with restrictive permissions (chmod 600)AuthorizedKeysCommandRunAsis set to the separate user that owns/etc/aeneid- all relevant GitHub accounts are kept secure (MFA, good passwords, etc.)
- other problematic SSH config options (e.x. password auth) are disabled
- your SSH keys are not compromised
- possibly other things I haven't thought of
Why did you make this?
- I really didn't want to set up LDAP. I really really didn't want to set up LDAP. I really really really really really really didn't want to set up LDAP. In the end I set up LDAP, so hopefully this is useful to someone else.
What's with the name?
- I thought it was silly. You're accepting a present (free, zero-ops IdP), but in the process, GitHub could silently swap out the public keys it returns and authenticate to your machines. So if you squint: trojan horse.
Why is cargo install not recommended?
-
Cargo is not recommended because 1) rustup users will have the binary installed in a place not accessible by the sshd 2) config files will be created by the
aeneid --initscript instead of your global package manager. -
The
--initscript is pretty smart (it's idempotent), but has only been tested on a handful of common linux distros. It's highly unlikely to work anywhere else.