In order to accept pushes (#38) and enforce policy (#40), we'll need to bite the bullet and implement auth. I don't mind tying kontain.me's auth to GitHub for now, so that pushing to foo.kontain.me/user just has to check that you're user on GitHub.
On the client side, we'll need a credential helper, which would get installed on $PATH as docker-credential-kontaindotme and added to ~/.docker/config.json like:
When pushing to foo.kontain.me (I'll need to set it up for each kontain.me subdomain 😭), the command gets passed the server URL (https://foo.kontain.me) on stdin, and needs to emit auth info on stdout, like:
{
  "Username": "david",
  "Secret": "passw0rd1"
}
That username+password is passed to the server, who verifies it before accepting the push.
Assuming GitHub's gh CLI is installed, the helper can look at ~/.config/gh/hosts.yml, which helpfully contains my configured GitHub username (and auth token 😢). I can do a client-side check that that config is sane by hitting https://api.github.com/user with the auth token and checking that the response says that's imjasonh. But that's not really a big deal, because it's kontain.me I'm trying to convince I'm me.
To assert that I'm imjasonh to kontain.me (without trusting kontain.me with that powerful GH auth token), I can use my locally configured SSH private keys, that I use to push commits to github.com, to sign some data, pass that signed blob to kontain.me as my password, and kontain.me can verify that against my GitHub account's public keys, available at https://github.com/imjasonh.keys.
$ echo "Hello, World" | ssh-keygen -Y sign -n file -f id_rsa > content.txt.sig
Signing data on standard input
$ echo "Hello, World" | ssh-keygen -Y check-novalidate -n file -f id_rsa.pub -s content.txt.sig
Good "file" signature with ED25519 key SHA256:4lXHbbWqyp6gNFYboqmdDlQhJE+rAl493tZbNaa5xoo
$ echo "Hello,rld" | ssh-keygen -Y check-novalidate -n file -f id_rsa.pub -s content.txt.sig
Signature verification failed: incorrect signature
Could not verify signature.
The cred helper would sign some const string "hello" with the private key (mine is ~/.ssh/id_ed25519), pass the signed blob as the password to kontain.me, who can verify it against the user's public keys -- if any matches the signature for "hello", they're the user.
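What the server side of that check looks like, as an added example that is not kontain.me's code: `Verify` takes the base64 body of an `ssh-keygen -Y sign` signature (the armor lines stripped, which is what a credential helper could send as the Secret), the text of the user's `https://github.com/<user>.keys` page, the expected namespace (`file` in the session above) and the constant message. It handles only ssh-ed25519 keys, assumes ssh-keygen's default sha512 hash, and uses only the Go standard library; the function name and signature are assumptions.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha512"
	"encoding/base64"
	"encoding/binary"
	"strings"
)

// Verify checks the base64 body of an `ssh-keygen -Y sign` signature (armor lines removed) over msg.
// It returns true only if the ssh-ed25519 key inside the signature is listed in keysList (the body
// of https://github.com/<user>.keys), the namespace matches, and the signature itself verifies.
func Verify(keysList, namespace string, msg []byte, sigB64 string) bool {
	blob, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil || len(blob) < 10 || string(blob[:6]) != "SSHSIG" || binary.BigEndian.Uint32(blob[6:]) != 1 {
		return false
	}
	blob, bad := blob[10:], false
	next := func() []byte { // pops one SSH wire-format string (uint32 length + bytes) off blob
		if len(blob) < 4 || uint64(len(blob)-4) < uint64(binary.BigEndian.Uint32(blob)) {
			bad = true // truncated or malformed input; the final check rejects it
			return nil
		}
		s, n := blob[4:], binary.BigEndian.Uint32(blob)
		blob = s[n:]
		return s[:n]
	}
	// PROTOCOL.sshsig envelope: publickey, namespace, reserved, hash_algorithm, signature (key and sig are type name + raw bytes).
	pubBlob, ns, _, hashAlg, sigBlob := next(), next(), next(), next(), next()
	blob = pubBlob
	pkType, pkBytes := next(), next()
	blob = sigBlob
	sigType, sigBytes := next(), next()
	// Never trust the key carried in the blob on its own: it must be one the user published on GitHub.
	allowed := false
	for _, line := range strings.Split(keysList, "\n") {
		if w := strings.Fields(line); len(w) >= 2 && w[0] == "ssh-ed25519" {
			k, err := base64.StdEncoding.DecodeString(w[1])
			allowed = allowed || (err == nil && bytes.Equal(k, pubBlob))
		}
	}
	// Signed bytes per PROTOCOL.sshsig: "SSHSIG" || str(namespace) || str(reserved) || str("sha512") || str(SHA512(msg)).
	str := func(b []byte) []byte { return append(binary.BigEndian.AppendUint32(nil, uint32(len(b))), b...) }
	h := sha512.Sum512(msg)
	signed := bytes.Join([][]byte{[]byte("SSHSIG"), str([]byte(namespace)), str(nil), str([]byte("sha512")), str(h[:])}, nil)
	return !bad && allowed && string(ns) == namespace && string(hashAlg) == "sha512" && string(pkType) == "ssh-ed25519" &&
		string(sigType) == "ssh-ed25519" && len(pkBytes) == ed25519.PublicKeySize && ed25519.Verify(ed25519.PublicKey(pkBytes), signed, sigBytes)
}
```

A blob produced with `ssh-keygen -Y sign -n file -f ~/.ssh/id_ed25519` can be fed in directly after dropping the BEGIN/END lines; a signature made in another namespace, over a different message, or with a key not on the user's keys page is rejected.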