spiffe-step-ssh server #198

Status: Open. Wants to merge 90 commits into base branch main.
Conversation

kfox1111 (Collaborator) commented Jan 22, 2024

Add a feature to enable trading a SPIRE-based cert for a signed SSH host cert automatically.

This enables hosts to start from scratch at bringup, attest with SPIRE, and then get a signed SSH certificate that users can trust came from the SSH CA.

Server components involved:

  • spire-server (deployed with spire chart)
  • step-ca server (deployed with spiffe-step-ssh)
    • step - step certificate authority instance
    • spiffe-step-ssh-fetchca - lets you fetch the ca.pem for step using SPIFFE's certs for trust.
    • spiffe-step-ssh-config - generates and maintains the config file for step. Injects the SPIFFE CA into the config.

Host components involved:

  • spire-agent
  • spiffe-helper
  • step (step ca client)
  • sshd

User components:

  • ssh (client)
  • configure known_hosts with step-ca ssh signature.
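
The last user step above (trusting the step-ca SSH host CA in known_hosts) is where the whole chain pays off, so here is an added example of that client-side trust boundary. This is example code written for this page, not code from the spiffe-step-ssh PR, the SPIRE charts, or step-ca. It builds the `@cert-authority` known_hosts entry a user adds for the CA key, constructs a sample OpenSSH host certificate in the real certificate wire format (PROTOCOL.certkeys), and applies the policy checks an ssh client makes before trusting a host: the certificate is a host certificate, the connected hostname is a listed principal, the current time is inside the validity window, and the key that signed the certificate is a CA trusted for that host pattern. Assumptions: the CA is ssh-ed25519 (the page does not say which key type step-ca uses), the hostnames, key bytes, times and the "step-ca ssh host CA" comment are constructed sample values, and the ed25519 signature itself is not verified (the stdlib has no ed25519), so these are the checks surrounding the signature check, not a substitute for it.

```python
# Added example, not part of spiffe-step-ssh or step-ca. Client-side trust of a
# step-ca issued SSH host certificate via a known_hosts @cert-authority entry.
# The signature is NOT verified here (no ed25519 in the stdlib); ssh does that.
import base64
import fnmatch
import struct

CERT_TYPE_USER, CERT_TYPE_HOST = 1, 2           # SSH certificate "type" field values
ED25519_CERT = b"ssh-ed25519-cert-v01@openssh.com"


def _s(b: bytes) -> bytes:                       # SSH wire "string": uint32 length + bytes
    return struct.pack(">I", len(b)) + b


class _Reader:
    """Sequential reader for SSH wire data; raises on truncation."""
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def uint32(self) -> int:
        (v,) = struct.unpack_from(">I", self.data, self.pos); self.pos += 4; return v

    def uint64(self) -> int:
        (v,) = struct.unpack_from(">Q", self.data, self.pos); self.pos += 8; return v

    def string(self) -> bytes:
        n = self.uint32()
        s = self.data[self.pos:self.pos + n]
        if len(s) != n:
            raise ValueError("truncated SSH string")
        self.pos += n
        return s

    def at_end(self) -> bool:
        return self.pos >= len(self.data)


def ed25519_pubkey_blob(raw32: bytes) -> bytes:
    """Wire encoding of an ssh-ed25519 public key (the part known_hosts base64-encodes)."""
    return _s(b"ssh-ed25519") + _s(raw32)


def cert_authority_line(host_patterns: str, ca_blob: bytes, comment: str = "step-ca ssh host CA") -> str:
    """known_hosts line trusting host certs signed by ca_blob for the given host pattern(s)."""
    return f"@cert-authority {host_patterns} ssh-ed25519 {base64.b64encode(ca_blob).decode()} {comment}"


def build_ed25519_host_cert(host_pub32, ca_blob, principals, valid_after, valid_before,
                            serial=1, key_id="", nonce=b"\x00" * 32, signature=b"\x00" * 64):
    """Constructed sample host certificate (OpenSSH format); signature is a placeholder."""
    body = (_s(ED25519_CERT) + _s(nonce) + _s(host_pub32) + struct.pack(">Q", serial)
            + struct.pack(">I", CERT_TYPE_HOST) + _s(key_id.encode())
            + _s(b"".join(_s(p.encode()) for p in principals))
            + struct.pack(">Q", valid_after) + struct.pack(">Q", valid_before)
            + _s(b"") + _s(b"") + _s(b"")        # critical options, extensions, reserved
            + _s(ca_blob))                        # signature key: the CA public key
    return body + _s(_s(b"ssh-ed25519") + _s(signature))


def parse_ed25519_host_cert(blob: bytes) -> dict:
    """Decode the fields a client inspects from an ssh-ed25519 certificate blob."""
    r = _Reader(blob)
    if r.string() != ED25519_CERT:
        raise ValueError("not an ssh-ed25519 certificate")
    r.string()                                    # nonce
    info = {"pubkey": r.string(), "serial": r.uint64(), "cert_type": r.uint32(),
            "key_id": r.string().decode()}
    pr, info["principals"] = _Reader(r.string()), []
    while not pr.at_end():
        info["principals"].append(pr.string().decode())
    info["valid_after"], info["valid_before"] = r.uint64(), r.uint64()
    r.string(); r.string(); r.string()            # critical options, extensions, reserved
    info["signature_key"], info["signature"] = r.string(), r.string()
    return info


def trusted_cas_for(hostname: str, known_hosts: list) -> list:
    """CA key blobs from @cert-authority lines whose comma-separated glob patterns match.
    Hashed (|1|...) and negated (!) known_hosts entries are not modelled."""
    cas = []
    for line in known_hosts:
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "@cert-authority" and \
                any(fnmatch.fnmatchcase(hostname, p) for p in parts[1].split(",")):
            cas.append(base64.b64decode(parts[3]))
    return cas


def host_cert_policy_checks(cert_blob: bytes, hostname: str, known_hosts: list, now: int) -> list:
    """Policy failures for presenting cert_blob as hostname's host key at time `now`.
    Empty list means it passes everything except the signature verification ssh performs."""
    c, failures = parse_ed25519_host_cert(cert_blob), []
    if c["cert_type"] != CERT_TYPE_HOST:
        failures.append("certificate is not a host certificate")
    if hostname not in c["principals"]:
        failures.append(f"{hostname} is not a principal of the certificate")
    if not (c["valid_after"] <= now < c["valid_before"]):
        failures.append("certificate is outside its validity window")
    if c["signature_key"] not in trusted_cas_for(hostname, known_hosts):
        failures.append("signing CA is not a @cert-authority for this host")
    return failures
```

The principal check is the one that matters most in the SPIRE flow: the step-ca SSH CA will sign whatever principals its provisioner policy permits for an attested workload, and the client only trusts the certificate for hostnames that appear in that list, so the mapping from SPIFFE ID to allowed SSH principals on the CA side is what prevents one attested host from presenting a certificate for another.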

kfox1111 added the label "review ready" (Ready for review but not merge) on Jan 23, 2024

edwbuck (Collaborator) commented May 22, 2024

Please update this commit to the baseline, so we can better determine if it is nearly ready for 0.22.0.

edwbuck (Collaborator) commented Jun 18, 2024

A small description of the architectural elements that are going to be impacted is needed. This request comes from having some SSH clients that are not managed within the HELM items being supported, which impacts the overall security of the solution. I think the feature could be very beneficial, but the original problem being solved (other than containerized process access) needs a description, as well as all the impacted components (within HELM and outside of HELM).

kfox1111 changed the title from "Initial prototype of spire-step-ssh integration" to "Initial prototype of spiffe-step-ssh integration" on Sep 20, 2024
Signed-off-by: Kevin Fox <[email protected]>
kfox1111 changed the title from "Initial prototype of spiffe-step-ssh integration" to "spiffe-step-ssh server" on Sep 24, 2024
kfox1111 marked this pull request as ready for review on September 24, 2024 at 00:16
kfox1111 removed the label "review ready" (Ready for review but not merge) on Sep 24, 2024
faisal-memon added this to the 0.25.0 milestone on Sep 26, 2024
Labels: None yet
Projects: None yet
3 participants