
Support for certificate based authentication

Open carlo-quinonez opened this issue 1 year ago • 6 comments

I searched and saw some issues and even a PR that were relevant to certificate support, but it wasn't clear what plugin supports this nor how to configure it.

Our company has setup Step CA to enable certificate-based SSH access for service persons supporting customers with the devices we sell.

Does ssh-piper support certificate-based SSH authentication?

carlo-quinonez, Oct 17 '24 22:10

Yes, both downstream and upstream.

But you need a customized plugin to do the CA verification.

Auth downstream only in your case, right?

tg123, Oct 17 '24 22:10

To verify the downstream CA, you need a new custom plugin to send CA+cert to upstream. You can check the example here: https://github.com/tg123/sshpiper/blob/master/plugin/testcaplugin/main.go

tg123, Oct 18 '24 08:10

Yes, we only need to use certificate authentication of the user that's initiating the ssh connection.

And just want to confirm my understanding...

Downstream means User -> ssh-piper. Upstream means ssh-piper -> device.

carlo-quinonez, Oct 18 '24 21:10

Correct.

May I know which plugin you're using? I can add CA check support.

tg123, Oct 18 '24 22:10

At the moment, we're (re)planning out a solution.

full context

We designed, implemented and tested a solution based on ssh-piper V0, but the project lost momentum and we never deployed it to production. The entire solution consisted of ssh-piper and AWS Step Functions to orchestrate transient jump hosts. The lifecycle of the jump host was tied to the lifecycle of the support case.

The solution involved two instances of ssh-piper: one to handle routing connections from our field service engineers, and a second instance that handled routing connections from the devices. We needed two instances of ssh-piper because people and machines needed to authenticate differently...

Now, we've been asked to resurrect the solution AND enhance it to support certificate based authentication and I'm trying to wrap my head around what, if any, changes we need to make to the prior solution.

carlo-quinonez, Oct 18 '24 23:10

We were using the old database plugin

carlo-quinonez, Oct 18 '24 23:10

I would suggest taking a look at https://github.com/tg123/sshpiper-openpubkey; it integrates with Google OAuth with magic from open public key.

Also, CA support will be added to the yaml plugin first, soon.

tg123, Oct 21 '24 09:10

k8s and yaml now support CA.

tg123, Nov 10 '24 11:11