How to use the SSH protocol with Go – part 1/2 (opens in new tab)

(blog.appsdeck.eu)

35 points_Soulou11y ago12 comments

12 comments

10 comments · 4 top-level

fvt11y ago· 3 in thread

Very interesting read.

GitHub explained in "How We Made GitHub Fast"(2009) [1] they patched their ssh daemon, so that it would do some lookups in a MySQL DB.

I wonder if daemons like OpenSSH now have some kind of plugin mechanism that lets one use their own lookup strategy.

[1]: https://github.com/blog/530-how-we-made-github-fast

1_player11y ago

Not yet.. I've set up a GitHub clone and had to patch OpenSSH: the authorisation process can execute an external command (AuthorizedKeysCommand option IIRC) but doesn't provide enough information to do a DB lookup à-la-GitHub.

josegonzalez11y ago

Is there a reason AuthorizedKeysCommand can't suffice in this case?

2 more replies

_SoulouOP11y ago

Post author here, unfortunately no, after some time, we realized it was quicker to develop a complete SSH server than patching some legacy C code. It was really confortable to work with go to do that.

josegonzalez11y ago· 2 in thread

Question by someone who has no real knowledge about the ssh protocol - is using something like this secure? And if not, what can be done to make their implementation secure?

Separately, I don't know what other - if any - features a db-backed ssh server needs to provide. Is this all that is necessary?

_SoulouOP11y ago

As jerf said, it's always difficult to see if an implementation of a protocol respects it completely. Most of us trust OpenSSH because of its background. It's old enough, the codebase is mature enough and maintained by the OpenBSD team. However it's quite a massive project, I don't know how they would be able that their implementation fits completely the 6 RFCs, I mean, more than the go implementation.

In our case, the SSH server is not for general purpose, but for something really specific, so it's really easier to test. What other feature? As I will explain next week, our SSH server is actually an authentication/autorization proxy which forwards connections to another server. By building our solution, it is now easier to control the logics for the load balancing etc.

jerf11y ago

That's really hard to answer.

On the other hand, OpenSSH's server has become so big that even when it is perfectly implementing the security contract its authors intend it can still allow users to do things that may surprise the heck out of you. Given what I've seen of trying to secure things that use SSH and really shouldn't, I would believe it might be easier to audit your own server rather than a deployment of opensshd.

j_s11y ago· 1 in thread

Nice!

That’s two problems in one : we had to find a synchronization mechanism, and, sensitive data are spread out on several machines

I was confused by the implication that public keys are sensitive data. I guess the list of usernames and commands could be?

_SoulouOP11y ago

Hi j_s,

By sensitive data, we meant part of the identity of all our users (there is quite often user@host at the end of the public keys sent by our users), and the second point is linked to the internal commands.

In the `command="ssh-handler" ssh-rsa....` the command doesn't receive the SSH public key as argument, so we would have to provide additional information like: `command="ssh-handler <user_id|username|key_id>" ssh-rsa....` So yes, if we have a way to avoid having a copy of that on all our servers able to authenticate users, we take it!

akerl_11y ago

Worth noting that newer OpenSSH supports AuthorizedKeysCommand, which will call out to an external tool for key data.

Obviously this doesn't solve all problems, but it does provide a middle ground between flat keyfiles and rolling your own daemon.

j / k navigate · click thread line to collapse

12 comments

10 comments · 4 top-level

fvt11y ago· 3 in thread

Very interesting read.

GitHub explained in "How We Made GitHub Fast"(2009) [1] they patched their ssh daemon, so that it would do some lookups in a MySQL DB.

I wonder if daemons like OpenSSH now have some kind of plugin mechanism that lets one use their own lookup strategy.

[1]: https://github.com/blog/530-how-we-made-github-fast

1_player11y ago

josegonzalez11y ago

Is there a reason AuthorizedKeysCommand can't suffice in this case?

2 more replies

_SoulouOP11y ago

josegonzalez11y ago· 2 in thread

Question by someone who has no real knowledge about the ssh protocol - is using something like this secure? And if not, what can be done to make their implementation secure?

Separately, I don't know what other - if any - features a db-backed ssh server needs to provide. Is this all that is necessary?

_SoulouOP11y ago

jerf11y ago

That's really hard to answer.

j_s11y ago· 1 in thread

Nice!

That’s two problems in one : we had to find a synchronization mechanism, and, sensitive data are spread out on several machines

I was confused by the implication that public keys are sensitive data. I guess the list of usernames and commands could be?

_SoulouOP11y ago

Hi j_s,

akerl_11y ago

Worth noting that newer OpenSSH supports AuthorizedKeysCommand, which will call out to an external tool for key data.

Obviously this doesn't solve all problems, but it does provide a middle ground between flat keyfiles and rolling your own daemon.

j / k navigate · click thread line to collapse