A tool for managing SSH key access to any number of servers.

SKA - SSH Key Authority

Please see the Security Advisories section below for a recently addressed security issue

A tool for managing user and server SSH access to any number of servers.

Features

  • Easily manage SSH key access for all accounts on your servers.
  • Manage user access and server-to-server access rules.
  • Integrate with your LDAP directory service for user authorization.
  • Automatically remove server access from people when they leave your team.
  • Provides an easy interface for your users to upload their public keys.
  • Designate server administrators and let them manage access to their own server.
  • Create group-based access rules for easier management.
  • Specify SSH access options such as command=, no-pty etc. on your access rules.
  • All access changes are logged to the database and to the system logs. Granting of access is also reported by email.
  • Be notified when a server becomes orphaned (has no active administrators).

Demo

You can view the SSH Key Authority in action on the demonstration server.

Use one of the following sets of username / password credentials to log in:

  • testuser / testuser - normal user with admin access granted to a few servers
  • testadmin / testadmin - admin user

All data on this demonstration server is reset nightly at 00:00 UTC.

Requirements

  • An LDAP directory service
  • Apache 2.2 or higher
  • PHP 5.6 or higher
  • PHP JSON extension
  • PHP LDAP extension
  • PHP mbstring (Multibyte String) extension
  • PHP MySQL extension
  • PHP ssh2 extension
  • MySQL (5.5+), Percona Server (5.5+) or MariaDB database

Installation

  1. Clone the repo somewhere outside of your default Apache document root.

  2. Add the following directives to your Apache configuration (e.g. virtual host config):

    DocumentRoot /path/to/ska/public_html
    DirectoryIndex init.php
    FallbackResource /init.php
    
  3. Create a MySQL user and database (run in MySQL shell):

    CREATE USER 'ska-user'@'localhost' IDENTIFIED BY 'password';
    CREATE DATABASE `ska-db` DEFAULT CHARACTER SET utf8mb4;
    GRANT ALL ON `ska-db`.* to 'ska-user'@'localhost';
    
  4. Copy the file config/config-sample.ini to config/config.ini and edit the settings as required.

  5. Set up authnz_ldap for your virtual host (or any other authentication module that will pass on an Auth-user variable to the application).

  6. Set scripts/ldap_update.php to run on a regular cron job.

  7. Generate an SSH key pair to synchronize with. SSH Key Authority will expect to find the files as config/keys-sync and config/keys-sync.pub for the private and public keys respectively. The key must be in PEM format. The following command will generate the key in the required format:

    ssh-keygen -t rsa -b 4096 -m PEM -C 'comment' -f config/keys-sync
    
  8. Install the SSH key synchronization daemon. For systemd:

    1. Copy services/systemd/keys-sync.service to /etc/systemd/system/
    2. Modify ExecStart path and User as necessary. If SSH Key Authority is installed under /home, disable ProtectHome.
    3. systemctl daemon-reload
    4. systemctl enable keys-sync.service

    For sysv-init:

    1. Copy services/init.d/keys-sync to /etc/init.d/
    2. Modify SCRIPT path and USER as necessary.
    3. update-rc.d keys-sync defaults

Usage

Anyone in the LDAP group defined under admin_group_cn in config/config.ini will be able to manage accounts and servers.

Key distribution

SSH Key Authority distributes authorized keys to your servers via SSH. It does this by:

  1. Connecting to the server with SSH, authenticating as the keys-sync user.
  2. Writing the appropriate authorized keys to named user files in /var/local/keys-sync/ (e.g. all authorized keys for the root user will be written to /var/local/keys-sync/root).

This means that your SSH installation will need to be reconfigured to read authorized keys from /var/local/keys-sync/.

Please note that doing so will deny access to any existing SSH public key authorized in the default ~/.ssh directories.

Under OpenSSH, the configuration changes needed are:

    AuthorizedKeysFile /var/local/keys-sync/%u
    StrictModes no

StrictModes must be disabled because the files will all be owned by the keys-sync user.

The file /var/local/keys-sync/keys-sync must exist, with the same contents as the config/keys-sync.pub file in order for the synchronization daemon to authenticate.
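
With StrictModes disabled, sshd no longer checks the ownership or permissions of the key files itself, so those properties need to be checked separately on each managed server. The following is an added example, not part of SSH Key Authority: the function name audit_keys_sync and its three arguments are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of SSH Key Authority. audit_keys_sync is a
# hypothetical helper name.
# usage: audit_keys_sync DIR OWNER PUBKEY
#   DIR     directory sshd reads keys from (/var/local/keys-sync on this page)
#   OWNER   account expected to own everything in DIR (keys-sync)
#   PUBKEY  local copy of SKA's config/keys-sync.pub to compare against
# Prints one block per finding; returns 0 when clean, 1 otherwise.
audit_keys_sync() {
    ks_dir=$1 ks_owner=$2 ks_pub=$3 ks_rc=0

    if [ ! -d "$ks_dir" ]; then
        echo "FINDING: $ks_dir is not a directory"
        return 1
    fi

    # "StrictModes no" means sshd will not reject badly owned or writable
    # key files, so check both here. The directory itself is included.
    ks_hits=$(find "$ks_dir" ! -user "$ks_owner")
    if [ -n "$ks_hits" ]; then
        printf 'FINDING: not owned by %s:\n%s\n' "$ks_owner" "$ks_hits"
        ks_rc=1
    fi

    ks_hits=$(find "$ks_dir" ! -type l \( -perm -020 -o -perm -002 \))
    if [ -n "$ks_hits" ]; then
        printf 'FINDING: group- or world-writable:\n%s\n' "$ks_hits"
        ks_rc=1
    fi

    # Symlinks, FIFOs and other special files are unexpected here.
    ks_hits=$(find "$ks_dir" ! -type f ! -type d)
    if [ -n "$ks_hits" ]; then
        printf 'FINDING: not a regular file:\n%s\n' "$ks_hits"
        ks_rc=1
    fi

    # The sync daemon authenticates with this key; it must match keys-sync.pub.
    if ! cmp -s "$ks_dir/keys-sync" "$ks_pub"; then
        printf 'FINDING: %s/keys-sync missing or differs from %s\n' "$ks_dir" "$ks_pub"
        ks_rc=1
    fi
    return "$ks_rc"
}

# Run the audit when called with the three arguments described above.
if [ $# -eq 3 ]; then audit_keys_sync "$@"; fi
```

Run it as root on the managed server, for example with the arguments /var/local/keys-sync, keys-sync and a copy of config/keys-sync.pub; a non-zero exit status means at least one finding was printed.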

Screenshots

  • Homepage overview
  • Server listing
  • Server account access management
  • Activity log
  • Getting started guide for new users

Security advisories

License

Copyright 2013-2017 Opera Software

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
