• Stars
    star
    361
  • Rank 117,939 (Top 3 %)
  • Language
    Go
  • Created over 9 years ago
  • Updated over 6 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Secure login distribution service

shadowd

shadow horse

shadowd is the secure login distribution service, which consists of two parts: server and client.

In a typical server configuration case you should manually update the /etc/shadow and copy it on all servers (or via automatic configuration system); afterwards each server will have same hash in the /etc/shadow. Supposed that attacker successfully gained access to one of your servers and found collision to that single hash attacker actually got access to all servers with that hash.

shadowd is summoned to solve that obscure problem.

shadowd solution is to generate hash tables for specified passwords mixed with random salt for specified users and guarantee that a client receive unique hash.

One shadowd instance can be used for securely instanciate thousands of servers with same root password for each one. Without any doubts about possible break-in.

If attacker has user (non-root) access to the one server and try to repeat request to shadowd server and get actual hash during the hash TTL period (one day by default), then shadowd will give him another unique hash entry. Actually, shadowd can give only two unique hash entries for hash TTL period for one client, first hash entry may be received only for first request per hash TTL period, all other requests will be served by another hash.

If attacker has root access to the one server and will try to brute-force hash entry for root from /etc/shadow, it will not give him any access for other servers with same password, because shadowd will give different hashes for each server.

If attacker will gain root access to the shadowd server (worst-case scenario), it's will be very time-consuming to brute-force thousands of hashes without any knowledge about which server is using specific hash entry.

shadowd can act as SSH keys publisher too.

shadowd can also configure with passwords containers or any other type of nodes in your infrastructure.

REST API is used for communication between server and client.

Plan

FAQ

Why not LDAP/AD/SSSD/Whatever?

LDAP/AD/SSSD is monstrous software which requires massive configuration. It's far from just installing package to make it work. LDAP by itself just ugly, it's not so "lightweight" as it supposed to be from it's name.

shadowd is very easy to install and do not even have configuration file.

In comparison to LDAP, shadowd is not a remote authorisation provider, so when network or shadowd host will go down, you still will be able to login on concrete hosts configured with shadowc, because all shadow hashes stored locally on concrete host.

Isn't attacker will brute-force actual password faster instead of finding a collision in SHA?

It is possible indeed, but having sufficiently long password like thecorrecthorsebatterystapleinspace (https://xkcd.com/936/) will neglect this probability.

What is actual use case for this?

Local authentication as well as password authentication should be always possible for ops engineers. If something wrong goes with LDAP or any other remote authentication agent, you will blame that day you integrated it into your environment.

There is no way of configuring local root (like, available only through IPMI) on the frontend load-balancing servers through remote authorisation agent.

shadowd can be safely used for setting root password even on load-balancing servers.

shadowd configuration

  1. Generate hash tables
  2. Generate SSL certificates
  3. Start shadowd
  4. Adding SSH keys
  5. REST API

Hash Tables

For generating hash table you should run:

shadowd [options] -G <token> [-n <size>] [-a <algo>]

shadowd will prompt for a password for specified user token, and after that will generate hash table with 2048 hashed entries of specified password, hash table size can be specified via flag -n <size> sha256 will be used as default hashing algorithm, but sha512 can be used via -a sha512 flag.

Actually, user token can be same as login, but if you want to use several passwords for same username on different servers, you should specify <token> as <pool>/<login> where <pool> it is name of role (production or testing for example).

Already running instance of shadowd do not require reload to serve newly generated hash-tables.

loading message

SSL certificates

Assume that attacker gained access to your servers, then he can wait for next password update and do man-in-the-middle attack, afterwards passwords on servers will be changed on his password and he will get more access to the servers.

For solving that problem one should use SSL certificates, which confirms authority of the login distribution server.

For generating SSL certificates you should have trusted host (shadowd server DNS name) or trusted ip address, if you will use localhost for shadowd server, you can skip this step and shadowd will automatically specify current hostname and ip address as trusted, in other cases you should pass options for setting trusted hosts/addresses of shadowd.

Possible Options:

  • -h --host <host> - set specified host as trusted. (default: current hostname)
  • -i --address <ip> - set specified ip address as trusted. (default: current ip address)
  • -d --till <date> - set time certicicate valid till (default: current date plus one year).
  • -b --bytes <length> - set specified length of RSA key. (default: 2048)

And for all of this you should run one command:

shadowd [options] -C [-h <host>...] [-i <ip>...] [-d <date>] [-b <length>]

Afterwards, cert.pem and key.pem will be stored in /var/shadowd/cert/ directory, which location can be changed through flag -c <cert_dir>.

Since client needs certificate, you should copy cert.pem on server with client to /etc/shadowc/cert.pem.

shadowd will generate certificate with default parameters (can be seen in program usage) on it's first run.

Start shadowd

As mentioned earlier, shadowd uses REST API, by default listening on :443, but you can set specified address and port through passing argument -L <listen>:

shadowd [options] -L <listen> [-s <time>]

For setting hash TTL duration you should pass -s <time> argument, by default hash TTL is 24h.

TTL is amount of time after which shadowd will serve different unique pair of hash entries to the same requesting client.

General options:

  • -c -certs <dir> - use specified directory for storing and reading certificates.
  • -t --tables <dir> - use specified directory for storing and reading hash tables. (default: /var/shadowd/ht/)
  • -k --keys <dir> - use specified dir for reading ssh-keys. (default: /var/shadowd/ssh/).

Success, you have configured server, but you need to configure client, for this you should see documentation here.

Adding SSH keys

shadowd can act as public ssh keys distribution service. Keys can be added per token by using command:

shadowd -K <token>

After that command shadowd will wait for public SSH key to be entered on stdin. Then, specified key will be added to keys list, which is stored under the directory, set by -k flag (/var/shadowd/ssh/ by default).

Optionally, key file can be truncated by using flag -r --truncate to the standard -K invocation.

shadowd will serve that keys by HTTP, as mentioned in following section.

Scalability

shadowd can work in multiple instance mode, but it requires to use external storage – MongoDB.

shadowd will store/read shadow entries and public ssh key from mongodb, so all of your need is configure mongodb cluster, setup replication and place shadowd configuration file using following syntax:

[backend]
use = "mongodb"
dsn = "mongodb://[user[:password]@]host[,[user2[:password2]@]host2]/dbname"

shadowd's' configuration file can be specified using -f --config <path> flag.

REST API

shadowd offers following REST API:

  • /t/<token>, where token can be any string, possibly containing slashes. Most common interpretation for <token> is <pool>/<username>, e.g. dev/v.pupkin.

    GET on this URL will return unique hash for specified <token> from pre-generated via shadowd -G hash-table. The first requested hash guaranteed to be unique among different hosts, The second and later GET requests will return same hash again and again until <hash_ttl> expires. <hash_ttl> is configured on server by -a flag. Working in that way shadowd offers secure way of transmitting one hash only once, and legitimate client (e.g. shadowc) can always be sure that hash, obtained from shadowd, has not been transferred to someone else on that host.

  • /ssh/<token>, where <token> is same as above.

    GET on this URL will return SSH keys, that has been added by shadowd -K command in authorized_keys format (e.g. key per line).

    No special security restrictions apply on that requests.

  • /v/<token>/<hash>, where <token> is same as above, <hash> is hash of a password, if <token> contains / (<pool>/<username>) then the last part of URI will be used as <hash>. i.e. dev/v.pupkin/$5$NqjWijImgEOapAJw$NL5K7g8SwMferONwiskz6bcluwlO7zbu3V/ZyLzavZD

    GET on this URL will return HTTP status 200 OK if specified hash exists in hash table for specified token, in other case, 404 Not Found will be returned.

    No special security restrictions apply on that requests.

More Repositories

1

orgalorg

Parallel SSH commands runner and file synchronization tool
Go
888
star
2

shdoc

Documentation generator for shell scripts (bash, sh, zsh). Javadoc for shell scripts.
Awk
263
star
3

barely

Simple and extensible status bar to pretty display of Golang program's progress
Go
257
star
4

tubekit

πŸ§ͺ kubectl alternative with quick context switching, kubectl on steroids
Go
203
star
5

hierr-go

Hierarchical errors reporting done right in Golang
Go
73
star
6

vim-autosurround

Automatically insert pairs (brackets, quotes) where they are supposed to be
Python
54
star
7

atlassian-external-hooks

External Hooks plugin for Atlassian Bitbucket
Go
45
star
8

loreley

Simple and extensible colorizer for programs' output
Go
39
star
9

goava

The research project based on the draft design of Go Generics
33
star
10

gunter

Simple configuration system
Go
27
star
11

vim-pythonx

Python libraries for making coding in vim easier
Python
26
star
12

import.bash

Golang-like import statement in bash
Shell
25
star
13

tests.sh

Simple test library for integration and functional testing of daemons, services and command line tools
Shell
21
star
14

coproc.bash

Missing parallel routines (coprocesses) in bash
Shell
16
star
15

karma-go

Everything has a reason.
Go
15
star
16

archiso-zfs

archlinux iso with zfs (archzfs archiso)
Shell
14
star
17

shadowc

Client for the secure login distribution service.
Go
13
star
18

resources-go

Cache that always has a value. Cache that automatically loads values. Refresh caches automatically in background.
Go
11
star
19

rex

Ultimate XKB bindings for insane typing productivity
8
star
20

zeus

zfs backup tool
Go
7
star
21

guntalina

Create and execute command list basing on list of modified/created files and list of rules
Go
7
star
22

opts.bash

Missing very simple option parser for bash
Shell
6
star
23

marvex

Tiling terminal multiplexor
Go
6
star
24

args

Simple CLI parser for bash
Shell
6
star
25

atlassian-pull-request-labels

Pull Request Labels Bitbucket Add-On
Java
5
star
26

taild

Go
5
star
27

executil-go

just do what golang authors can't
Go
5
star
28

bitbucket-external-hook

A cli for enabling/configuring hooks in Atlassian Bitbucket
Go
5
star
29

colorgful

Simple and extensible colorizer for lorg, Go-lang logger
Go
5
star
30

treetrunks

Go
3
star
31

sould

Service for mirroring git repositories
Go
3
star
32

go-test.bash

Collect code coverage while running Go-lang binary
Shell
3
star
33

bmo

The missing tool for parsing structured text, like logs
Go
3
star
34

snippets

marvelous snippets which will change your life
Vim Snippet
3
star
35

health-go

Go
2
star
36

fresh

2
star
37

classes.bash

Classes. In bash.
Shell
2
star
38

ser-go

Go
2
star
39

test-runner.bash

Integrations Test Runner for tests.sh
Shell
2
star
40

snobs

Go
2
star
41

sign-go

Simplest Go signals-per-callback handler.
Go
2
star
42

progress.bash

Shell
2
star
43

cog

Structured key-value logger without breaking order of fields. πŸ”§
Go
2
star
44

monk

Based on philosophical papers
Go
2
star
45

workers-go

Go
2
star
46

snake-runner

Snake Runner β€” The Job Runner for Snake CI
Go
2
star
47

threadpool-go

Go
1
star
48

regexputil-go

Extract subexp names in golang regexp
Go
1
star
49

types.bash

Type checking functions for bash scripts
Shell
1
star
50

charts

Smarty
1
star
51

mrdig

Makefile
1
star
52

when

Go
1
star
53

highlight

easy interface to bash (terminal) escape codes highlighting
Shell
1
star
54

ssh-test.bash

Library for accessing remote nodes by ssh, commonly used in tests
Shell
1
star
55

tmux.bash

Shell
1
star
56

cli

Go
1
star
57

stats-go

Go
1
star
58

vim-colorscheme

Vim Script
1
star
59

xcsyncd

C
1
star
60

pipe

Go
1
star
61

uuid-go

Go
1
star
62

orgalorg-bottlebreaker

Sync tool for orgalorg
Go
1
star
63

bash-get

go get inspired bash get
Shell
1
star
64

zen-go

Go
1
star
65

lexec-go

exec.Command, but with logging
Go
1
star
66

pom

Maven POM parser in Go
Go
1
star