Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Authentication #41

Open
imjasonh opened this issue Aug 6, 2021 · 1 comment
Open

Authentication #41

imjasonh opened this issue Aug 6, 2021 · 1 comment

Comments

@imjasonh
Copy link
Owner

imjasonh commented Aug 6, 2021

In order to accept pushes (#38) and enforce policy (#40), we'll need to bite the bullet and implement auth. I don't mind tying kontain.me's auth to GitHub for now, so that pushing to foo.kontain.me/user just has to check that you're user on GitHub.

On the client side, we'll need a credential helper, which would get installed on $PATH as docker-credential-kontaindotme and added to ~/.docker/config.json like:

{
  "credHelpers": {
    ...
    "foo.kontain.me": "kontaindotme"
  }
}

When pushing to foo.kontain.me (I'll need to set it up for each kontain.me subdomain 😭), the command gets passed the server URL (https://foo.kontain.me) on stdin, and needs to emit auth info on stdout, like:

{
  "Username": "david",
  "Secret": "passw0rd1"
}

That username+password is passed to the server, who verifies it before accepting the push.

Assuming GitHub's gh CLI is installed, the helper can look at ~/.config/gh/hosts.yml, which helpfully contains my configured GitHub username (and auth token 😢). I can do a client-side check that that config is sane by hitting https://api.github.com/user with the auth token and checking that the response says that's imjasonh. But that's not really a big deal, because it's kontain.me I'm trying to convince I'm me.

To assert that I'm imjasonh to kontain.me (without trusting kontain.me with that powerful GH auth token), I can use my locally configured SSH private keys, that I use to push commits to github.com, to sign some data, pass that signed blob to kontain.me as my password, and kontain.me can verify that against my GitHub account's public keys, available at https://github.com/imjasonh.keys.
@imjasonh
Copy link
Owner Author

imjasonh commented Aug 6, 2021

From https://superuser.com/a/1616656/21888:

$ echo "Hello, World" | ssh-keygen -Y sign -n file -f id_rsa > content.txt.sig
Signing data on standard input
$ echo "Hello, World" | ssh-keygen -Y check-novalidate -n file -f id_rsa.pub -s content.txt.sig
Good "file" signature with ED25519 key SHA256:4lXHbbWqyp6gNFYboqmdDlQhJE+rAl493tZbNaa5xoo
$ echo "Hello,rld" | ssh-keygen -Y check-novalidate -n file -f id_rsa.pub -s content.txt.sig
Signature verification failed: incorrect signature
Could not verify signature.

The cred helper would sign some const string "hello" with the private key (mine is ~/.ssh/id_ed25519), pass the signed blob as the password to kontain.me, who can verify it against the user's public keys -- if any matches the signature for "hello", they're the user.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@imjasonh