Add authentication-key-request-url option #247
…public key auth via an http POST request to a separate application
Hey @antoniomika - curious if you have any feedback on this |
Looks good!
Sorry for the delay - I've been on vacation but will address your feedback this week or next! |
Lgtm 👍
Commits on the compared branch (newest first):

f381389 | Antonio Mika <me@antoniomika.me> | Tue Apr 30 16:52:08 2024 -0400 | Update deps (antoniomika#302)
  * Update deps
  * Use bufio reader
  * Revert "Use bufio reader" (This reverts commit c8003d4.)
  * Print peeked info
  * Revert "Revert "Use bufio reader"" (This reverts commit ff656b0.)
  * Fixed sni reading
  * Handle sni based unix conn better

81e4350 | dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> | Fri Apr 19 09:36:38 2024 -0400 | Bump golang.org/x/net from 0.22.0 to 0.23.0 (antoniomika#301)
  Bumps [golang.org/x/net](https://github.com/golang/net) from 0.22.0 to 0.23.0.
  - [Commits](golang/net@v0.22.0...v0.23.0)
  updated-dependencies: dependency-name: golang.org/x/net, dependency-type: indirect
  Signed-off-by: dependabot[bot] <support@github.com>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

7ad6956 | Antonio Mika <me@antoniomika.me> | Fri Mar 8 08:56:04 2024 -0500 | Enable the use of environment vars (antoniomika#300)

9f3f566 | Antonio Mika <me@antoniomika.me> | Thu Mar 7 18:33:15 2024 -0500 | Update to go 1.22 and use multilistener (antoniomika#298)
  * Update to go 1.22 and use multilistener
  * Update
  * Updates
  * Set ports for tcp addresses properly
  * Fix address separator
  * Fixes
  * Update multilistener
  * Cleanup rogue log

d0511c4 | Eric Bower <me@erock.io> | Thu Mar 7 09:13:34 2024 -0500 | chore: update pdocs to latest (antoniomika#295)
  * chore: update pdocs to latest
  * design: sidebar

3ad5105 | Eric Bower <me@erock.io> | Tue Feb 13 10:24:03 2024 -0500 | feat(docs): sitemap with links for headers (antoniomika#292)

c64d009 | Dominik Konik <dkonik@dkonik.com> | Mon Feb 12 23:08:27 2024 -0500 | Fix typo in comment (antoniomika#294)

e8c56f6 | Antonio Mika <antoniomika@gmail.com> | Mon Jan 29 10:30:04 2024 -0500 | Fix docs build

97edc2e | Antonio Mika <antoniomika@gmail.com> | Mon Jan 29 10:26:41 2024 -0500 | Run go mod tidy

0c4f193 | Eric Bower <me@erock.io> | Mon Jan 29 10:17:13 2024 -0500 | feat: docs site (antoniomika#286)
  * feat: docs site
  * docs: copy
  * chore(docs): update cli post
  * revert
  * chore: go.mod

6892112 | Antonio Mika <me@antoniomika.me> | Tue Jan 23 11:32:29 2024 -0500 | Initial work on private aliases (antoniomika#291)
  * Initial work on private aliases
  * Ensure the current user is allowed to access the alias
  * Print the self ssh fingerprint
  * Add pubkeyfingerprint to alias log line
  * Start conn with self allowed for tcp aliases
  * Cleanup

4ed4208 | Antonio Mika <me@antoniomika.me> | Thu Oct 12 16:20:01 2023 -0400 | Pin golang to major.minor.patch (antoniomika#284)
  * Pin golang to major.minor.patch
  * Update package deps

7ca0808 | Antonio Mika <me@antoniomika.me> | Wed Oct 11 19:49:44 2023 -0400 | Update golang versions. Supersedes up antoniomika#282 (antoniomika#283)

b89a463 | Antonio Mika <me@antoniomika.me> | Mon Oct 9 14:48:00 2023 -0400 | Set conn deadline to both reads and writes (antoniomika#281)

56816e6 | Antonio Mika <me@antoniomika.me> | Sat Oct 7 20:14:32 2023 -0400 | Updated go deps and general package work (antoniomika#279)
  * Updated go deps and general package work
  * Update used go version to 1.21
  * feat: wildcard support
  * Fixed lint
  * feat: auto redirect to https
  * Use proper hostname in redirect
  * Add wildcards to sni proxy
  * Ensure wildcard isn't too greedy and fix sni on https port
  * Code cleanup
  Co-authored-by: Son Nguyen <sonntuet1997@gmail.com>

62dec83 | Antonio Mika <antoniomika@gmail.com> | Tue Dec 20 13:31:17 2022 -0500 | Use original address for forwarded channel. Fix antoniomika#237

c54d681 | Antonio Mika <antoniomika@gmail.com> | Mon Dec 12 12:04:17 2022 -0500 | Force lower case aliases and subdomains

4b5c2db | Antonio Mika <me@antoniomika.me> | Mon Dec 12 10:56:14 2022 -0500 | Update ci/cd and deps (antoniomika#262)
  * Update ci/cd and deps
  * Fix build args

a8236e5 | Antonio Mika <me@antoniomika.me> | Tue Oct 25 10:20:34 2022 -0400 | Fixed http override port (antoniomika#256)
  * Fixed http override port
  * Cleanup references used for establishing tunnels
  * Removed short flag from authentication-key-request-url

fe2b1c2 | Roshan Jobanputra <3818834+rjobanp@users.noreply.github.com> | Fri Oct 21 12:04:10 2022 -0400 | Add authentication-key-request-url option (antoniomika#247)
  * Add authentication-key-request-url option to allow validation of ssh public key auth via an http POST request to a separate application
  * Switch to using JSON body in request and include username & remote address of client.

bcd6911 | Sabri Eyuboglu <32822771+seyuboglu@users.noreply.github.com> | Fri Oct 21 09:02:58 2022 -0700 | Add a check to the gcloud DNS record instructions (antoniomika#251)
  Add commands for checking that the DNS records were set up correctly. Inspired by the issue antoniomika#250

9696686 | Antonio Mika <me@antoniomika.me> | Fri Oct 21 11:44:48 2022 -0400 | Added streaming for httpmuxer (antoniomika#255)
  * Added streaming for httpmuxer
  * Fix gzip response checking

890c931 | Antonio Mika <antoniomika@gmail.com> | Mon Oct 17 12:17:52 2022 -0400 | Added full route identifiers

7aecd2d | Artem Ivanov <ivanovart@users.noreply.github.com> | Sun Sep 11 18:56:59 2022 +0200 | fix ondemand cert issuing (antoniomika#243)

c49a1ca | Antonio Mika <me@antoniomika.me> | Sun Sep 11 12:55:54 2022 -0400 | Fixed acme tls-alpn challenges (antoniomika#244)
  * Fixed acme tls-alpn challenges
  * Return connection to default handler if unable to read hello
  * Fix peek check
  * Simplify dockerfile and update dependencies
  * Cleanup build cache requirements

b8ab4cf (Merge: 8f44621 3768d42) | Antonio Mika <me@antoniomika.me> | Wed Aug 24 11:41:25 2022 -0400 | Merge pull request antoniomika#241 from antoniomika/am/upgrade-go-1-19: Updated sish to go 1.19

3768d42 | Antonio Mika <antoniomika@gmail.com> | Wed Aug 24 11:26:25 2022 -0400 | Update dependencies

58df1cd | Antonio Mika <antoniomika@gmail.com> | Wed Aug 24 11:13:16 2022 -0400 | Updated sish to go 1.19

8f44621 | Tim Krins <timkrins@gmail.com> | Wed Aug 24 16:10:36 2022 +0100 | Expanded debug logging, fix deprecations (antoniomika#240)
  * Add debug messages for aborted requests
  * Don't use %s for Println
  * Fix deprecated ioutil calls
  * Fix incorrect leading spaces for comment
  * Add debug-interval option
  * Align debug logging syntax with existing error logging
  * Fix linting errors, fix status logging
  * Ensure debug-interval is not zero

4a28b9e | Antonio Mika <me@antoniomika.me> | Fri Aug 5 22:22:38 2022 -0400 | Update gcloud.md. Closes antoniomika#238
Allows validating ssh public keys via an HTTP request to a separate service (if a key in the auth keys directory didn't already succeed).
The authentication-key-request-url flag allows specifying a URL which will receive an HTTP POST request whose body contains an OpenSSH 'authorized key' formatted public key for each client key presented. If the request responds with a 200 status code, the auth is validated. This should enable my team to delegate auth controls to a separate service of ours, without having to manage a shared disk between sish and that service with the keys directory.
In the future I'd like to expand this to allow 'whitelisting subdomains' in the HTTP response which sish uses to allow only certain HTTP forwarding subdomains to be allocated to this connection.
Happy for any/all feedback!
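As an added example (not code from this PR or from sish itself), a minimal Go service that the authentication-key-request-url could point at. It reads the JSON body the PR describes (the JSON field names here are an assumption, since the PR does not list them), fingerprints the authorized-key line the way ssh-keygen -l does, answers 200 only for an allow-listed fingerprint and any other status otherwise, and logs each decision so key-auth attempts are auditable on the validating side.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"log"
	"net/http"
	"strings"
)

// KeyRequest is the JSON body this PR says sish POSTs; the field names are assumptions.
type KeyRequest struct {
	AuthKey       string `json:"auth_key"`    // OpenSSH authorized_keys line
	User          string `json:"user"`        // SSH username the client presented
	RemoteAddress string `json:"remote_addr"` // client's remote address
}

// Fingerprint returns the OpenSSH SHA256 fingerprint of an authorized_keys line, or "" if malformed.
func Fingerprint(line string) string {
	f := append(strings.Fields(line), "", "") // pad so f[1] exists even for empty or one-field lines
	blob, err := base64.StdEncoding.DecodeString(f[1])
	if err != nil || len(blob) == 0 {
		return ""
	}
	sum := sha256.Sum256(blob) // ssh-keygen -l style: unpadded base64 of sha256 over the key blob
	return "SHA256:" + base64.RawStdEncoding.EncodeToString(sum[:])
}

// Authorizer returns 200 only for allow-listed fingerprints and logs every decision for audit.
type Authorizer struct{ Allowed map[string]bool } // fingerprint -> permitted (constructed list)

func (a Authorizer) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	var req KeyRequest
	if r.Method != http.MethodPost || json.NewDecoder(http.MaxBytesReader(w, r.Body, 8<<10)).Decode(&req) != nil {
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	fp := Fingerprint(req.AuthKey)
	log.Printf("key auth user=%q remote=%q fp=%q allowed=%v", req.User, req.RemoteAddress, fp, a.Allowed[fp])
	if !a.Allowed[fp] { // "" (malformed key) is never allow-listed; sish treats non-200 as failure
		http.Error(w, "forbidden", http.StatusForbidden)
		return
	}
	w.WriteHeader(http.StatusOK)
}

func main() { // placeholder fingerprint; point authentication-key-request-url at this listener
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", Authorizer{Allowed: map[string]bool{"SHA256:REPLACE_ME": true}}))
}
```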