SSH Principal and CA Playground
Ever wanted to play around with SSH Principals and see how they work? This little package I put together creates a series of Docker containers which make use of Principals in SSH.
- Clone this repo with …
- Run `./test.sh`, which will do the following:
  - Create a key, a CA, and a certificate of that key signed by the CA
  - (Re)build three Docker containers: `client`, `server`, and `ca`
  - Run tests on the `client` container to verify that it can and cannot SSH into certain accounts on the `server` and `ca` containers
A successful run will end in something like this:
I said this project was a playground, and I meant it! If you'd like to play around yourself, here's how to get started:
First, attach to the `client` container with `docker-compose exec client bash`.

From there, you can try SSHing into the `server` or the `ca` containers. The `server` container has the users … `user3`, and you can SSH into any of those user accounts.

The `ca` container trusts the public key of the CA that we created (a CA in SSH is just a key pair; the server only ever sees its public half) and has principals set up. As such, you can only SSH to the accounts for which the certificate carries a matching principal; logging in as `user3` will not work.
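The steps `test.sh` performs (key, CA, certificate) and the principal check the `ca` container applies can be reproduced by hand. The script below is an added example, not the playground's own `test.sh` or container configuration: the scratch directory, the `ed25519` key type, the key ID `playground`, the principal list `user1,root`, the `/etc/ssh/ca.pub` path and the `sshd_config` directives are assumptions chosen to mirror what this page describes.

```shell
#!/bin/sh
# Added example (not the playground's test.sh): build a user CA, a user key and a
# certificate carrying SSH principals, then inspect it the way sshd will.
# Assumptions: a scratch directory, ed25519 keys, key ID "playground",
# principals "user1,root", and the /etc/ssh paths used in the sshd fragment.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# 1. The CA key pair. Only ca.pub is ever copied to a server; the private half
#    stays on the signing host.
make_ca() {
    ssh-keygen -q -t ed25519 -N '' -C playground-ca -f "$WORK/ca"
}

# 2. An ordinary user key pair; this is what the client authenticates with.
make_user_key() {
    ssh-keygen -q -t ed25519 -N '' -C playground-user -f "$WORK/user_key"
}

# 3. Sign the user's public key with the CA. -n is the comma-separated principal
#    list, -I the key ID that appears in sshd's "Accepted publickey" line, -z the
#    serial, -V the validity window. Output lands in user_key-cert.pub.
sign_user_key() {
    principals="$1"
    ssh-keygen -q -s "$WORK/ca" -I playground -n "$principals" -z 1 \
        -V -5m:+1h "$WORK/user_key.pub"
}

# Human-readable dump of the certificate: principals, serial, validity, signing CA.
show_cert() {
    ssh-keygen -L -f "$WORK/user_key-cert.pub"
}

# Return 0 if the certificate lists the given principal, 1 otherwise. With the
# default sshd settings this is the whole access decision: the login name must
# appear verbatim in the Principals list.
cert_has_principal() {
    ssh-keygen -L -f "$WORK/user_key-cert.pub" \
        | awk '/Principals:/ { inlist = 1; next }
               /Critical Options:/ { inlist = 0 }
               inlist { print $1 }' \
        | grep -qxF -- "$1"
}

# 4. What the trusting sshd needs. The CA public key is copied to ca.pub; no
#    per-user authorized_keys entries are required any more.
sshd_fragment() {
    cat <<'EOF'
TrustedUserCAKeys /etc/ssh/ca.pub
# Optional: accept principals per account from a file instead of requiring the
# login name itself to be a principal. One principal per line in
# /etc/ssh/principals/<account>.
#AuthorizedPrincipalsFile /etc/ssh/principals/%u
EOF
}

main() {
    if ! command -v ssh-keygen >/dev/null 2>&1; then
        echo "ssh-keygen (OpenSSH) not found; nothing to demonstrate" >&2
        exit 0
    fi
    make_ca
    make_user_key
    sign_user_key user1,root
    show_cert
    echo
    for name in user1 root user3; do
        if cert_has_principal "$name"; then
            echo "$name: principal present, ssh $name@ca would be accepted"
        else
            echo "$name: no matching principal, sshd would refuse the certificate"
        fi
    done
    echo
    echo "sshd_config fragment for the trusting host:"
    sshd_fragment
}

main "$@"
```

Running it prints the `ssh-keygen -L` dump, and that Principals list is the one thing to compare against the login name you are about to try: `user1` and `root` are present, `user3` is not, which is exactly why `user3` fails against the `ca` container. Re-signing with `-n user1,root,user3` (and redistributing only the new `user_key-cert.pub`, never the CA key) is all it takes to change that decision.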
If you want to prove to yourself that you fully understand Principals in SSH, try some of these exercises:
- … `ca` so you can log in as …
- … `ca` with the existing Principals of …
- Add the Principal `user3` to the user key, and use it to log in as …
- Replace the `root` Principal from the user key and add … `ca` so that you can log in as the …
These are some helper scripts I wrote to help streamline my development:
- `./bin/clean.sh` - Kill all containers (or a single container, if specified), remove them, (re)build them, and start them back up.
- `./bin/attach.sh` - Attach to any running container.
- `./bin/clean-and-attach.sh` - A wrapper around the previous two commands. :-)
- `./bin/logs.sh` - Display logs from all containers, or from a single container if specified.
- I recommend making heavy use of `docker-compose logs -f ca`, as status messages from `sshd` are sent there. On a successful login, a message like this will appear:

  ```
  Accepted publickey for user1 from 172.21.0.3 port 34756 ssh2: ECDSA-CERT ID playground (serial 1) CA ECDSA SHA256:nR3ohRIBi2b29PgwLrqXvaO+qGlTdQBQyrI1KSHWG6k
  ```

  The `-CERT` suffix on the key type, the key ID (`playground`), the serial and the CA fingerprint are what tell a certificate login apart from a plain public-key login, which logs only the key type and the key's own fingerprint.
- Logging in as the `root` user in this app is for demo purposes only. DO NOT allow root logins on a production system!
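To get more out of those `sshd` messages than a glance, here is an added example (not part of the playground) that parses `Accepted publickey` lines and separates certificate logins signed by the expected CA from plain-key logins and from certificates issued by some other CA. The first sample line is the genuine one shown above; the other two lines, the foreign CA, the `rogue` key ID and the placeholder fingerprints are constructed for this example, and `EXPECTED_CA` is assumed to be the fingerprint of the playground's CA.

```shell
#!/bin/sh
# Added example (not part of the playground): classify sshd "Accepted publickey"
# lines so certificate logins from the expected CA stand out from plain-key
# logins and from certificates issued by some other CA.
set -eu

# Fingerprint of the CA whose certificates we expect to see. Here it is copied
# from the login line shown on the page; in a real deployment it would be read
# from the CA public key with: ssh-keygen -lf /etc/ssh/ca.pub
EXPECTED_CA='SHA256:nR3ohRIBi2b29PgwLrqXvaO+qGlTdQBQyrI1KSHWG6k'

# Sample input. The first line is the genuine one from the ca container's log;
# the other two are constructed for this example and their fingerprints are
# placeholders, not real keys.
LOG_CERT_OK='Accepted publickey for user1 from 172.21.0.3 port 34756 ssh2: ECDSA-CERT ID playground (serial 1) CA ECDSA SHA256:nR3ohRIBi2b29PgwLrqXvaO+qGlTdQBQyrI1KSHWG6k'
LOG_PLAIN='Accepted publickey for user3 from 172.21.0.3 port 34760 ssh2: ED25519 SHA256:ConstructedPlainKeyFingerprint00000000000000'
LOG_FOREIGN_CA='Accepted publickey for root from 172.21.0.9 port 41000 ssh2: ED25519-CERT ID rogue (serial 7) CA ED25519 SHA256:ConstructedForeignCaFingerprint0000000000000'

# Extract user|src_ip|key_id|serial|ca_fingerprint from a certificate login.
# Prints nothing and returns 1 if the line is not a certificate login (a plain
# key shows up as "ssh2: ED25519 SHA256:..." with no -CERT, ID, serial or CA).
# A syslog prefix such as "sshd[42]: " in front of the message is tolerated.
parse_cert_login() {
    fields=$(printf '%s\n' "$1" | sed -n \
        's/^.*Accepted publickey for \([^ ]*\) from \([^ ]*\) port [0-9]* ssh2: [^ ]*-CERT ID \(.*\) (serial \([0-9]*\)) CA [^ ]* \(SHA256:[^ ]*\)$/\1|\2|\3|\4|\5/p')
    [ -n "$fields" ] || return 1
    printf '%s\n' "$fields"
}

# Print one of: cert-ok, cert-unknown-ca, plain-key, other.
classify_login() {
    line="$1"
    expected_ca="$2"
    case "$line" in
        *'Accepted publickey for '*) ;;
        *) echo other; return 0 ;;
    esac
    fields=$(parse_cert_login "$line") || { echo plain-key; return 0; }
    ca="${fields##*|}"
    if [ "$ca" = "$expected_ca" ]; then
        echo cert-ok
    else
        echo cert-unknown-ca
    fi
}

# Read a log on stdin (for instance docker-compose logs ca) and prefix each line
# with its classification, so plain-key logins and foreign CAs can be grepped out.
scan_log() {
    expected_ca="$1"
    while IFS= read -r line; do
        printf '%s\t%s\n' "$(classify_login "$line" "$expected_ca")" "$line"
    done
}

main() {
    printf '%s\n%s\n%s\n' "$LOG_CERT_OK" "$LOG_PLAIN" "$LOG_FOREIGN_CA" \
        | scan_log "$EXPECTED_CA"
}

main "$@"
```

On a host that is supposed to accept only certificates from your CA, every line that comes out tagged `plain-key` or `cert-unknown-ca` is worth an alert: the first means an `authorized_keys` entry still exists somewhere, the second that sshd trusts a CA you did not expect.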
- My blog post that covers SSH CAs and Principals
- Scalable and secure access with SSH - The original article from Facebook's engineering blog which got me started down this path.
- If you’re not using SSH certificates you’re doing SSH wrong
- OpenSSH Principals
- SSHD Container for Docker - It's used in this package, and I've found it to be quite handy!
- The logo was made over at https://www.freelogodesign.org/