Pass public key when mapping to localhost ? #48
Comments
Thus, I started a YAML upstream to replace it last week. My YAML upstream does support it; you can have an early preview if you want, and I will update you on how to do so with YAML. Otherwise, the only way to do it is by building a customized sshpiper.
Yeah, sure, I will test it. But I'm not sure that still assigning to a private key will work (or I have to modify their own authorized_keys on the go to allow the internal private key, but that can be considered as MITM? And I use the oddjob_mkhomedir module too, so their home doesn't exist beforehand, which can be a problem too).
You can build and test the yaml branch now. Here is how to use it:
Here is the example config, explained:
How this will be a solution to your case. Note: the difference from
Hello, I'm testing it, but I don't see how these use cases can solve my problem, since the upstream auth still uses an internal private key, so git can't use it to retrieve the right repository, and with fallbackuser (so returning to the localhost sshd), the private key still can't be validated for all users.
Is this your case?
For git, it will not work since it uses the passkey to authenticate you and allows you to clone the project (it will just ask for the git password, which is generated by Gitlab, so no access is possible).
I am a bit confused. For the 2nd case, how can you identify that a user is a GOOD one now?
Yep, it was all right with workingdir and git; the problem is the same: git (the upstream server) needs the public key from the user to authenticate him and give him access to the right repository, so any transformation of the original public key will always fail to log in on the upstream.
Can you elaborate on
a little bit? Do you mean that the fallback user uses a SHARED authorized_keys? That is not true: in the new yaml config a fallback user can have multiple authorized_keys, and each of them can map to a private_key, something like below:
Sure, but this means I still have to modify their own .ssh/authorized_keys with mapped_private_key, so it can be considered as a MITM.
Do you mean so for localhost
right? Here to support dynamic placeholder
The idea seems the right one, but I'm still blocked by the fact that this requires creating, for each user, a public/private key pair in their home, and adding the public key to their own authorized_keys.
sshpiper is a MITM no matter whether you use public key or not. sshpiper works in the steps below:
This happens no matter password/public key auth or even none auth. The reason the public key cannot be sent to upstream is that
The reason why password works is that asymmetric keys are designed to prevent someone stealing your password in the middle. Back to your case: you have to be a man in the middle to do piper things.
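An added illustration (not sshpiper's code and not the maintainer's) of why a piper cannot simply relay the client's public key authentication upstream: in SSH publickey auth (RFC 4252) the client signs the session identifier of its own connection together with the userauth request fields, and the piper's connection to the upstream has a different session identifier, so the relayed signature fails verification there. The session identifiers and user name below are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
)

// authBlob builds the data an SSH client signs for publickey auth (RFC 4252 section 7):
// string session_id, byte SSH_MSG_USERAUTH_REQUEST (50), string user, string service,
// string "publickey", boolean TRUE, string algorithm name, string public key blob.
func authBlob(sessionID []byte, user, algo string, pub []byte) []byte {
	var b bytes.Buffer
	putString := func(s []byte) {
		binary.Write(&b, binary.BigEndian, uint32(len(s)))
		b.Write(s)
	}
	putString(sessionID)
	b.WriteByte(50)
	putString([]byte(user))
	putString([]byte("ssh-connection"))
	putString([]byte("publickey"))
	b.WriteByte(1)
	putString([]byte(algo))
	putString(pub)
	return b.Bytes()
}

// ClientSign: the client signs once, bound to the session it actually negotiated.
func ClientSign(priv ed25519.PrivateKey, sessionID []byte, user string) []byte {
	pub := priv.Public().(ed25519.PublicKey)
	return ed25519.Sign(priv, authBlob(sessionID, user, "ssh-ed25519", pub))
}

// ServerVerify: every server checks the signature against ITS OWN session identifier.
func ServerVerify(pub ed25519.PublicKey, sessionID []byte, user string, sig []byte) bool {
	return ed25519.Verify(pub, authBlob(sessionID, user, "ssh-ed25519", pub), sig)
}

// RelayDemo relays the client's signature unchanged to an upstream whose session
// identifier differs (constructed values) and returns (verifiedByPiper, verifiedUpstream).
func RelayDemo() (bool, bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	clientToPiper := []byte("constructed-session-id-client-to-piper")
	piperToUpstream := []byte("constructed-session-id-piper-to-upstream")
	sig := ClientSign(priv, clientToPiper, "git")
	return ServerVerify(pub, clientToPiper, "git", sig), ServerVerify(pub, piperToUpstream, "git", sig)
}
```

RelayDemo returns (true, false): the piper itself can verify the client, but the upstream rejects the relayed signature, which is why the piper must authenticate upstream with a key it holds.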
Hi, thank you for this explanation! I tested, and it can be used to do what I want, using several private keys. It's a less invasive solution, so it's OK for me :) Thanks a lot!
Hi, I'm running into the same use case (git). Do I understand it correctly that, to work with SSH_KEYS (authorized keys)
So, if I want to use that scenario, the keys must also be available on the sshpiperd server? Just to make it clear:
On the CLIENT PC there is an id (ssh-keygen) like me@gitea / [email protected]. The content of .pub is installed as an SSH Key on a gitea User Profile (like Github). To allow:
normally the local private key is used. Is this possible to config via sshpiper?
Hello,
I try to map a user (git) to another server (which is Gitlab), in order to allow git ssh clone, but I have the same issue as issue 30. I understand that, in order to avoid MITM, the public key can't be passed directly to the upstream.
But there's a side effect I did not see at first: I created an "other" upstream user, which is the fallback user when it's not git. The mapping is very easy: it only remaps to localhost, on port 23 for example, where I mapped the original sshd process. It allows ssh using the current configuration of the server when it's not the git user, so it's a quite simple process.
It works perfectly using passwords, but not with ssh keys: as the "other" users do not have a private key, I get the error `mapping private key error : no key found`. I don't think that creating a private/public key pair will work, as "other" users can be everyone else than "git". Something that can be considered is to pass the public key when it's on localhost? If you have any other ideas, I'm in :) When this is solved, I will still have the same issue as issue 30, and I don't know how to bypass it... If you have ideas on this too, it will be awesome.
Thanks,