Merge branch 'release/v2.0.0'
mettke committed Apr 19, 2019
2 parents fe2eeab + c14ce26 commit 38f1103
Showing 178 changed files with 37,909 additions and 2,153 deletions.
18 changes: 17 additions & 1 deletion NOTICE
@@ -1,6 +1,6 @@
NOTICE

Copyright 2013-2017 Opera Software AS
Copyright 2019 Marc Mettke

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
@@ -17,6 +17,22 @@ Copyright 2013-2017 Opera Software AS

THIRD PARTY ACKNOWLEDGEMENTS

Component: Original SSH Key Authority

Copyright 2013-2017 Opera Software AS

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

Component: Bootstrap Framework

The MIT License (MIT)
46 changes: 24 additions & 22 deletions README.md
@@ -1,8 +1,8 @@
> This is a maintained fork of [operasoftware/ssh-key-authority](https://github.com/operasoftware/ssh-key-authority). There should be no problem upgrading to this version, but it is not possible to migrate back to the old. Before migrating remember to make backups!
SKA - SSH Key Authority
=======================

*Please see the [Security Advisories](#security-advisories) section below for a recently addressed security issue*

A tool for managing user and server SSH access to any number of servers.

Features
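Review bot: the new `>` fork notice is followed directly by the `SKA - SSH Key Authority` title and its `=======` underline with no blank line in between; in CommonMark (and GitHub's renderer) those two lines become lazy continuation text of the blockquote, so the page loses its top-level heading. Insert a blank line after the quote. While here, the warning "remember to make backups!" should say what to back up, since the migration is stated to be one-way: the MySQL database plus `config/config.ini` and the `config/keys-sync` key pair.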
@@ -18,6 +18,7 @@ Features
* Specify SSH access options such as `command=`, `nopty` etc on your access rules.
* All access changes are logged to the database and to the system logs. Granting of access is also reported by email.
* Be notified when a server becomes orphaned (has no active administrators).
* Introduce key depreciation to encouraging users to replace their public keys

Demo
----
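Review bot: the added bullet `* Introduce key depreciation to encouraging users to replace their public keys` uses the wrong word and is ungrammatical; the config keys this describes are `key_expiration_enabled` / `key_expiration_days`, so say "key expiration" and phrase it like the other bullets, e.g. `* Optionally expire public keys after a configurable number of days to encourage users to rotate them`.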
@@ -34,14 +35,12 @@ All data on this demonstration server is reset nightly at 00:00 UTC.
Requirements
------------

* An LDAP directory service
* Apache 2.2 or higher
* PHP 5.6 or higher
* PHP JSON extension
* PHP LDAP extension
* PHP mbstring (Multibyte String) extension
* PHP MySQL extension
* PHP ssh2 extension
* MySQL (5.5+), Percona Server (5.5+) or MariaDB database

Installation
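Review bot: deleting `* An LDAP directory service` and `* PHP LDAP extension` from Requirements overstates the change. core.php in this same commit still constructs the `LDAP` object whenever `ldap.enabled = 1`, and the Dockerfile still installs `php7-ldap`, so both should be listed as "required if LDAP is enabled" rather than dropped. Conversely, the list keeps `* PHP ssh2 extension` while the Dockerfile installs `openssh` and no php7-ssh2 package at all; one of the two is out of date and the Requirements section is where that needs to be resolved.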
@@ -63,30 +62,37 @@ Installation

4. Copy the file `config/config-sample.ini` to `config/config.ini` and edit the settings as required.

5. Set up authnz_ldap for your virtual host (or any other authentication module that will pass on an Auth-user
variable to the application).
5. Set up authentication for your virtual host. The Auth-user variable must be passed to the application.

6. Set `scripts/ldap_update.php` to run on a regular cron job.
6. Set `scripts/cron.php` to run on a regular cron job.

7. Generate an SSH key pair to synchronize with. SSH Key Authority will expect to find the files as `config/keys-sync` and `config/keys-sync.pub` for the private and public keys respectively.

8. Install the SSH key synchronization daemon. For systemd:
8. Install the SSH key synchronization daemon.

* For systemd:

1. Copy `services/systemd/keys-sync.service` to `/etc/systemd/system/`
2. Modify `ExecStart` path and `User` as necessary. If SSH Key Authority is installed under `/home`, disable `ProtectHome`.
3. `systemctl daemon-reload`
4. `systemctl enable keys-sync.service`

1. Copy `services/systemd/keys-sync.service` to `/etc/systemd/system/`
2. Modify `ExecStart` path and `User` as necessary. If SSH Key Authority is installed under `/home`, disable `ProtectHome`.
3. `systemctl daemon-reload`
4. `systemctl enable keys-sync.service`
* For sysv-init:

for sysv-init:
1. Copy `services/init.d/keys-sync` to `/etc/init.d/`
2. Modify `SCRIPT` path and `USER` as necessary.
3. `update-rc.d keys-sync defaults`

1. Copy `services/init.d/keys-sync` to `/etc/init.d/`
2. Modify `SCRIPT` path and `USER` as necessary.
3. `update-rc.d keys-sync defaults`
* Manual:

1. Make sure that `scripts/syncd.php --user keys-sync` is executed whenever the system is restarted

Usage
-----

Anyone in the LDAP group defined under `admin_group_cn` in `config/config.ini` will be able to manage accounts and servers.
If LDAP is enabed anyone in the LDAP group defined under `admin_group_cn` in `config/config.ini` will be able to manage accounts and servers.

Without LDAP, only the `keys-sync` users will be available after installation. With that user, it is possible to add new administrators or normal users.

Key distribution
----------------
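Review bot: step 5 now reads `Set up authentication for your virtual host. The Auth-user variable must be passed to the application.` without saying that the application trusts that variable unconditionally. If the web server (or, in the Docker layout, the front end talking to php-fpm on port 9000) forwards a client-supplied `Auth-user` header instead of setting it from its own authentication module, any visitor can log in as any user, including the admin; the step should say the value must originate from the server's auth module and that client-supplied copies must be stripped. The Usage text below it says that without LDAP only the `keys-sync` user exists after installation but not how one authenticates as it; since that is also the sync daemon's identity, document how that first login is established.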
@@ -127,14 +133,10 @@ Screenshots
### Getting started guide for new users
![Getting started guide for new users](public_html/screenshot-getting-started.png)

Security advisories
-------------------
* [SKA security advisory: SSH port redirection attack](https://github.com/operasoftware/ssh-key-authority/wiki/SKA-security-advisory%3A-SSH-port-redirection-attack)

License
-------

Copyright 2013-2017 Opera Software
Copyright 2019 Marc Mettke

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
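Review bot: this hunk removes the whole `Security advisories` section (and the earlier hunk removed the pointer to it at the top of the file), so the fork no longer references the SSH port redirection advisory anywhere. Users upgrading from upstream still need that advisory; keep the section and link to the upstream wiki page or carry a copy in this repository. Minor: the license line reads `Copyright 2013-2017 Opera Software` while NOTICE says `Opera Software AS`; use one form.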
23 changes: 20 additions & 3 deletions config/config-sample.ini
@@ -2,10 +2,23 @@
[web]
enabled = 1
baseurl = https://ska.example.com
logo = /logo-header-opera.png
logo = /logo-header-itmettke.png
; footer may contain HTML. Literal & " < and > should be escaped as &amp;
; &quot; &lt; $gt;
footer = 'Developed by <a href="https://www.opera.com/">Opera Software</a>.'
footer = 'Developed by <a href="https://github.com/mettke/ssh-key-authority">Marc Mettke</a>'

[general]
; Use timeout --version to find out the current version
; used on e.g. debian
timeout_util = GNU coreutils
; used on e.g. alpine
; timeout_util = BusyBox

key_expiration_enabled = 0
key_expiration_days = 180

minimum_rsa_key_size = 4096
minimum_ecdsa_key_size = 384

[security]
; It is important that SKA is able to verify that it has connected to the
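Review bot: the new `[general]` keys arrive without the explanatory comments every other option in this file has. `minimum_rsa_key_size = 4096` and `minimum_ecdsa_key_size = 384` need to state whether they are enforced only when a key is added or also against keys already in the database, and what happens to key types without a size parameter such as Ed25519; `key_expiration_days = 180` should say what date it is counted from and which job enforces it. The `timeout_util` comment says `Use timeout --version to find out the current version`, but it is the vendor string (`GNU coreutils` vs `BusyBox`) that is wanted, not a version; say so. Unrelated context line, but `$gt;` in the footer comment is a typo for `&gt;`.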
@@ -50,7 +63,7 @@ hostname_verification = 0
; account_groups[root] = "root-accounts"
;
; Any number of these can be specified
account_groups[root] = "root-accounts"
account_groups[root] = "accounts-root"

[email]
enabled = 1
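Review bot: the sample value changes to `account_groups[root] = "accounts-root"` while the comment three lines above still shows `account_groups[root] = "root-accounts"`, so the example now contradicts its own documentation. Update the comment as well, or keep the old value; existing installs that created a `root-accounts` group in their directory should not be nudged into renaming it by a sample file.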
@@ -76,6 +89,7 @@ password = password
database = ska-db

[ldap]
enabled = 0
; Address to connect to LDAP server
host = ldaps://ldap.example.com:636
; Use StartTLS for connection security (recommended if using ldap:// instead
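Review bot: `enabled = 0` is the only key in `[ldap]` without a comment. Say what disabling LDAP means (users and groups are managed locally, only `keys-sync` exists after installation, the remaining `[ldap]` keys are ignored). Because upstream config files have no `enabled` key at all, the upgrade notes must tell existing users to add `enabled = 1`, otherwise the new check in core.php disables their directory login.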
@@ -130,6 +144,9 @@ group_member_value = uid
; Members of admin_group are given full admin access to SSH Key Authority web
; interface
admin_group_cn = ska-administrators
; By default only the admin_group_cn will be synced. This option enabled
; synchronisation of every group a user is in
full_group_sync = 0

[inventory]
; SSH Key Authority will read the contents of the file /etc/uuid (if it
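Review bot: `This option enabled synchronisation of every group a user is in` should read `enables`. Add a caveat that with `full_group_sync = 1` every group membership of every user is copied into SKA's database, including groups unrelated to SSH access, which is a cost on large directories and a reason 0 stays the default.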
26 changes: 6 additions & 20 deletions core.php
@@ -1,20 +1,4 @@
<?php
##
## Copyright 2013-2017 Opera Software AS
##
## Licensed under the Apache License, Version 2.0 (the "License");
## you may not use this file except in compliance with the License.
## You may obtain a copy of the License at
##
## http://www.apache.org/licenses/LICENSE-2.0
##
## Unless required by applicable law or agreed to in writing, software
## distributed under the License is distributed on an "AS IS" BASIS,
## WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
## See the License for the specific language governing permissions and
## limitations under the License.
##

chdir(dirname(__FILE__));
mb_internal_encoding('UTF-8');
date_default_timezone_set('UTC');
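Review bot: this strips the Apache 2.0 header, including `Copyright 2013-2017 Opera Software AS`, from a file that remains Opera's code (email.php gets the same treatment later in this commit). Apache-2.0 section 4 requires retaining attribution notices from the source being redistributed; the new NOTICE entry covers part of that, but removing per-file headers is a license decision that should be stated in the commit message, not slipped in with functional changes.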
@@ -35,10 +19,12 @@
require('ldap.php');
require('email.php');

$ldap_options = array();
$ldap_options[LDAP_OPT_PROTOCOL_VERSION] = 3;
$ldap_options[LDAP_OPT_REFERRALS] = !empty($config['ldap']['follow_referrals']);
$ldap = new LDAP($config['ldap']['host'], $config['ldap']['starttls'], $config['ldap']['bind_dn'], $config['ldap']['bind_password'], $ldap_options);
if ($config['ldap']['enabled'] == 1) {
$ldap_options = array();
$ldap_options[LDAP_OPT_PROTOCOL_VERSION] = 3;
$ldap_options[LDAP_OPT_REFERRALS] = !empty($config['ldap']['follow_referrals']);
$ldap = new LDAP($config['ldap']['host'], $config['ldap']['starttls'], $config['ldap']['bind_dn'], $config['ldap']['bind_password'], $ldap_options);
}
setup_database();

$relative_frontend_base_url = (string)parse_url($config['web']['baseurl'], PHP_URL_PATH);
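Review bot: `if ($config['ldap']['enabled'] == 1)` reads the key with no default. An upgraded install whose config.ini predates this release has no `enabled` key, so PHP emits an undefined-index notice and LDAP is silently disabled, which on a directory-backed system means nobody can log in after the upgrade. Use `!empty($config['ldap']['enabled'])` or set a default after parsing the ini, and since `$ldap` is now only assigned inside the `if`, audit every later use of `$ldap` (ldap_update paths, group sync) to make sure it is guarded by the same condition.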
38 changes: 38 additions & 0 deletions docker/Dockerfile
@@ -0,0 +1,38 @@
FROM alpine
LABEL maintainer="Marc Mettke <[email protected]>"

ENV SYSTEM https://github.com/mettke/ssh-key-authority.git
ADD entrypoint.sh /entrypoint.sh
ADD healthcheck.sh /healthcheck.sh
ADD cron /var/spool/cron/crontabs/root

RUN mkdir -p /var/log/keys/ /run/php/ /ska/ && \
adduser --system --disabled-password keys-sync && \
apk add openssh \
php7 \
php7-fpm \
php7-json \
php7-ldap \
php7-mbstring \
php7-mysqli \
php7-pcntl \
php7-posix \
rsync \
ssmtp \
sudo && \
sed -i -e '/listen =/ s/= .*/= 0.0.0.0:9000/' /etc/php7/php-fpm.d/www.conf && \
sed -i -e '/;pid =/ s/.*/pid = \/var\/run\/php-fpm.pid/' /etc/php7/php-fpm.conf && \
echo "" >> /etc/php7/php-fpm.conf && \
chmod +x /entrypoint.sh /healthcheck.sh && \
ln -sf /dev/stderr /var/log/php7/error.log
RUN apk add git && \
git clone ${SYSTEM} /ska && \
apk del git && \
chown -R keys-sync:nogroup /ska/config

EXPOSE 9000
VOLUME /ska/config
VOLUME /public_html

ENTRYPOINT "/entrypoint.sh"
HEALTHCHECK CMD /healcheck.sh
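Review bot: `HEALTHCHECK CMD /healcheck.sh` is a typo for `/healthcheck.sh`, so the check can never succeed and every container built from this file will be reported unhealthy. Supply-chain points in the same hunk: `FROM alpine` and `git clone ${SYSTEM} /ska` are both unpinned, so the image contains whatever the default branch and the current Alpine are on build day; pin a tag or commit (or COPY the checked-out tree) so the image is reproducible. `ENTRYPOINT "/entrypoint.sh"` is the shell form, which runs under `/bin/sh -c` and does not get SIGTERM delivered to the script; use `ENTRYPOINT ["/entrypoint.sh"]`. php-fpm is reconfigured to listen on `0.0.0.0:9000`, which is unauthenticated FastCGI and must only be reachable from the web server container.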
2 changes: 2 additions & 0 deletions docker/cron
@@ -0,0 +1,2 @@
0 1 * * * /ska/scripts/cron.php
*/1 * * * * /bin/ash -c "PID=$(cat /var/run/keys-sync.pid) && [ -n ${PID} -a -d /proc/${PID} ] || /ska/scripts/syncd.php --user keys-sync"
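Review bot: the liveness test `[ -n ${PID} -a -d /proc/${PID} ]` leaves `${PID}` unquoted; with an empty pid file it becomes `[ -n -a -d /proc/ ]`, whose evaluation is unspecified, and a recycled pid owned by some other process also counts as alive, so the daemon is never restarted. Quote the variable, split it into `[ -n "$PID" ] && [ -d "/proc/$PID" ]`, and consider checking `/proc/$PID/cmdline` for `syncd.php`. Both jobs run from root's crontab; `cron.php` therefore runs as root while entrypoint.sh forces everything else to `keys-sync`.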
43 changes: 43 additions & 0 deletions docker/entrypoint.sh
@@ -0,0 +1,43 @@
#!/usr/bin/env ash
if [ `whoami` == 'keys-sync' ]; then
if [ ! -r /ska/config/config.ini ]; then
echo "config.ini not found or incorrect permissions."
echo "Permissions must be $(id -u keys-sync):$(id -g keys-sync) with at least 400"
exit 1
fi
if [ ! -r /ska/config/keys-sync ]; then
echo "private key not found or incorrect permissions."
echo "Permissions must be $(id -u keys-sync):$(id -g keys-sync) with 400"
exit 1
fi
if [ ! -r /ska/config/keys-sync.pub ]; then
echo "public key not found or incorrect permissions."
echo "Permissions must be $(id -u keys-sync):$(id -g keys-sync) with at least 400"
exit 1
fi
if ! grep "^timeout_util = BusyBox$" /ska/config/config.ini > /dev/null; then
echo "timeout_util must be set to BusyBox."
echo "Change it to: timeout_util = BusyBox"
exit 1
fi
elif [ $(id -u) = 0 ]; then
if ! sudo -u keys-sync /entrypoint.sh; then
exit 1
fi
rsync -a --delete /ska/public_html/ /public_html/
echo "Waiting for database..."
for i in $(seq 1 10); do
if /ska/scripts/apply_migrations.php; then
echo "Success"
break
fi
echo "Trying again in 1 sec"
sleep 1
done

/usr/sbin/crond
/ska/scripts/syncd.php --user keys-sync
/usr/sbin/php-fpm7 -F
else
echo "Must be executed with root"
fi
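Review bot: the final `else` branch prints `Must be executed with root` and then exits 0, so a container started under the wrong user terminates "successfully"; add `exit 1`. The permission messages promise mode `400` for the private key, but each check is only `[ ! -r ... ]`, which passes for a world-readable `config/keys-sync`; if 400 is the requirement, test the mode and owner (e.g. with `stat -c '%u %a'`) instead of readability. The migration loop also swallows a permanent failure: after ten attempts it proceeds to start crond, syncd and php-fpm against an unmigrated schema rather than exiting. Minor: `==` inside `[ ]` is not POSIX; use `=`.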
7 changes: 7 additions & 0 deletions docker/healthcheck.sh
@@ -0,0 +1,7 @@
#!/usr/bin/env ash
for PID_FILE in /var/run/crond.pid /var/run/keys-sync.pid /var/run/php-fpm.pid; do
PID=$(cat ${PID_FILE})
if ! [ -n "${PID}" -a -d "/proc/${PID}" ]; then
exit 1
fi
done
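Review bot: a pid that is alive but belongs to a different process (pid reuse after a crash) passes this check, and a missing pid file prints a `cat` error before the `exit 1`; verify `/proc/$PID/cmdline` contains the expected binary, redirect `cat`'s stderr, and replace the obsolescent `-a` with two `[ ]` tests joined by `&&`. Note that the script is never invoked at all while the Dockerfile references `/healcheck.sh`.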
16 changes: 0 additions & 16 deletions email.php
@@ -1,20 +1,4 @@
<?php
##
## Copyright 2013-2017 Opera Software AS
##
## Licensed under the Apache License, Version 2.0 (the "License");
## you may not use this file except in compliance with the License.
## You may obtain a copy of the License at
##
## http://www.apache.org/licenses/LICENSE-2.0
##
## Unless required by applicable law or agreed to in writing, software
## distributed under the License is distributed on an "AS IS" BASIS,
## WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
## See the License for the specific language governing permissions and
## limitations under the License.
##

class Email {
public $from;
public $subject;
2 changes: 2 additions & 0 deletions examples/.gitignore
@@ -0,0 +1,2 @@
db/
public_html/
25 changes: 25 additions & 0 deletions examples/httpd-ldap/README.md
@@ -0,0 +1,25 @@
# Example: httpd + ldap

This Example shows how to use ska with httpd and ldap using docker.

## Prepare setup

1. Start system using `docker-compose up -d`
1. Visit http://localhost
1. Login using one of the following credentials:

|Username|Password|Type|
|---|---|---|
|rainbow|password|admin|
|proceme|password|user|

If something goes wrong, check the log using:
```
docker logs -f httpd-ldap_ska_1
```

## Using ska

1. Login using the admin account `rainbow`.
1. Add the server `test.example.com` at http://localhost/servers#add
1. Ska should be able to connet to the system and update its authorized_keys file. You can verify this by checking whether there is an `Synced successfully` next to the server.
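Review bot: the credentials table (`rainbow` / `password`, `proceme` / `password`) and the plain `http://localhost` URL should be labelled as demo-only and never to be used on a reachable host, since the example ships a working admin login. Typos: `connet` should be `connect`, `an Synced successfully` should be `a "Synced successfully" status`, and the project name is written `ska`, `Ska` and `SKA` in the space of a few lines; pick one.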