
Restrict usage to authorized keys

Open Oaz opened this issue 3 years ago • 3 comments

Hello,

I wanted to restrict the use of the service so that any random public key cannot be used. I was not able to find any way of doing this so I implemented an "authorized keys" check in the pubkey callback.

  • Is there a way of doing something equivalent that I might have missed?
  • If not, would you be interested in a PR of this commit?

Oaz avatar Jun 21 '22 09:06 Oaz

I eventually also added support for OpenSSH certificates. This allows me to manage authentications in an easier way.

Extensions can be added in the certificate so the default route can be managed from here. Typically, with "-O extension:pubkey-ish=foobar" when generating the certificate.

Oaz avatar Jun 21 '22 20:06 Oaz

Hi @Oaz

Very nice - these seem like some handy additions - have you thought about how such authentication should be configured?

At the moment, remotemoe goes clear of any configuration other than runtime state - For example, if you added a custom hostname using key X, then other keys cannot take it over, and so on.

I would prefer not to introduce a configuration file. As such, the default behavior must be predictable for the administrators, especially considering this could have an unexpected security impact.

fasmide avatar Jul 12 '22 09:07 fasmide

Hi @fasmide Thanks for the feedback.

I'm not sure I get the "no config file" rationale. I understand that there's no equivalent to "sshd_config" in remotemoe (if I compare to an OpenSSH server).

The proposed features are equivalent to the AuthorizedKeysFile and TrustedUserCAKeys entries in sshd_config. My current implementation uses an "AUTHORIZED_KEYS_FILE" environment variable which is used as both entries in sshd_config. (I just took the simplest path but it could be 2 separate environment variables.) If the environment variable is not defined, then it behaves as in your current implementation: no check on the submitted public key.

So, strictly speaking, there is no configuration file but only a keys file referenced through an environment variable. When you say "not to introduce a configuration file", do you also mean "not to introduce a keys file"? If so, then I have no solution to propose at the moment because I cannot think of any other mechanism to store the authorized public keys or CA.

Note: on my own remotemoe server, I just added an "EnvironmentFile" entry in the remotemoe.service to define the AUTHORIZED_KEYS_FILE environment variable.

Oaz avatar Jul 13 '22 20:07 Oaz
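The single-file policy discussed in this thread, sketched as an added example (not code from remotemoe or from the commit mentioned above). It shows how one keys file can serve both roles without a CA key doubling as a login key. `KeySet`, `ParseKeys`, `Allow` and `header` are hypothetical names, separating the roles with the authorized_keys `cert-authority` marker is an assumption, and verifying a certificate's signature, validity and principals is left to the SSH library.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"fmt"
	"strings"
)

// KeySet: Keys are accepted directly; CAs ("cert-authority" lines) may only sign certificates.
type KeySet struct{ Keys, CAs map[string]bool }

// header is how an SSH wire-format key blob starts: 4-byte length, then the key type.
func header(t string) []byte { return append([]byte{0, 0, 0, byte(len(t))}, t...) }

// ParseKeys fails closed: a line it cannot validate is an error, never a silent skip.
func ParseKeys(data string) (*KeySet, error) {
	ks := &KeySet{map[string]bool{}, map[string]bool{}}
	for n, line := range strings.Split(data, "\n") {
		f := strings.Fields(line)
		if len(f) == 0 || strings.HasPrefix(f[0], "#") {
			continue
		}
		dst := ks.Keys
		if f[0] == "cert-authority" { // the only option this sketch accepts
			dst, f = ks.CAs, f[1:]
		}
		if len(f) < 2 {
			return nil, fmt.Errorf("line %d: want [cert-authority] type base64", n+1)
		}
		blob, err := base64.StdEncoding.DecodeString(f[1])
		if err != nil || !bytes.HasPrefix(blob, header(f[0])) {
			return nil, fmt.Errorf("line %d: blob is not a %s key", n+1, f[0])
		}
		dst[string(blob)] = true
	}
	return ks, nil
}

// Allow takes the presented key or, for a certificate, its signing CA key; nil KeySet = variable unset, no check.
func (ks *KeySet) Allow(blob []byte, isCert bool) bool {
	return ks == nil || (isCert && ks.CAs[string(blob)]) || (!isCert && ks.Keys[string(blob)])
}

func main() { // constructed sample: fake blobs, not real keys
	user, ca := append(header("ssh-ed25519"), 1), append(header("ssh-ed25519"), 2)
	enc := base64.StdEncoding.EncodeToString
	ks, err := ParseKeys("ssh-ed25519 " + enc(user) + "\ncert-authority ssh-ed25519 " + enc(ca))
	fmt.Println(err, ks.Allow(user, false), ks.Allow(ca, false), ks.Allow(ca, true))
}
```

Because any unparsable line is an error, a server using this would refuse to start on a damaged keys file rather than fall back to accepting every key.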