Skip to content
A tool for managing SSH key access to any number of servers.
PHP JavaScript Other
Branch: master
Clone or download
mettke and thomas-pike Improved Synchronisation
* Added configuration option to switch between timeout utils
* Modified user option to require value
Latest commit 8b67238 Apr 6, 2019
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
config Improved Synchronisation May 4, 2019
extensions Initial public commit Jun 6, 2017
migrations Add ability to specify SSH port number Apr 17, 2018
model Add ability to specify SSH port number Apr 17, 2018
public_html Use strict mode javascript May 8, 2018
scripts Improved Synchronisation May 4, 2019
services keys-sync service installation fixes Aug 30, 2017
templates Fix some misplaced parentheses Jan 20, 2019
views
.gitignore Initial public commit Jun 6, 2017
LICENSE Initial public commit Jun 6, 2017
NOTICE Initial public commit Jun 6, 2017
README.md Added LDAP directory service in requirements Oct 18, 2018
core.php Add setting to enable LDAP_OPT_REFERRALS, default off Jul 21, 2018
email.php Remove hardcoded gpg signing key ID Aug 22, 2017
ldap.php Add setting to enable LDAP_OPT_REFERRALS, default off Jul 21, 2018
pagesection.php Fix problems displaying error page if no valid $active_user Apr 17, 2018
requesthandler.php Fix access of $config variable in error 500 page Apr 4, 2018
router.php Initial public commit Jun 6, 2017
routes.php Add /pubkeys.json to URLs accessible by local accounts Mar 27, 2018

README.md

SKA - SSH Key Authority

Please see the Security Advisories section below for a recently addressed security issue

A tool for managing user and server SSH access to any number of servers.

Features

  • Easily manage SSH key access for all accounts on your servers.
  • Manage user access and server-to-server access rules.
  • Integrate with your LDAP directory service for user authorization.
  • Automatically remove server access from people when they leave your team.
  • Provides an easy interface for your users to upload their public keys.
  • Designate server administrators and let them manage access to their own server.
  • Create group-based access rules for easier management.
  • Specify SSH access options such as command=, nopty etc on your access rules.
  • All access changes are logged to the database and to the system logs. Granting of access is also reported by email.
  • Be notified when a server becomes orphaned (has no active administrators).

Demo

You can view the SSH Key Authority in action on the demonstration server.

Use one of the following sets of username / password credentials to log in:

  • testuser / testuser - normal user with admin access granted to a few servers
  • testadmin / testadmin - admin user

All data on this demonstration server is reset nightly at 00:00 UTC.

Requirements

  • An LDAP directory service
  • Apache 2.2 or higher
  • PHP 5.6 or higher
  • PHP JSON extension
  • PHP LDAP extension
  • PHP mbstring (Multibyte String) extension
  • PHP MySQL extension
  • PHP ssh2 extension
  • MySQL (5.5+), Percona Server (5.5+) or MariaDB database

Installation

  1. Clone the repo somewhere outside of your default Apache document root.

  2. Add the following directives to your Apache configuration (eg. virtual host config):

    DocumentRoot /path/to/ska/public_html
    DirectoryIndex init.php
    FallbackResource /init.php
    
  3. Create a MySQL user and database (run in MySQL shell):

    CREATE USER 'ska-user'@'localhost' IDENTIFIED BY 'password';
    CREATE DATABASE `ska-db` DEFAULT CHARACTER SET utf8mb4;
    GRANT ALL ON `ska-db`.* to 'ska-user'@'localhost';
    
  4. Copy the file config/config-sample.ini to config/config.ini and edit the settings as required.

  5. Set up authnz_ldap for your virtual host (or any other authentication module that will pass on an Auth-user variable to the application).

  6. Set scripts/ldap_update.php to run on a regular cron job.

  7. Generate an SSH key pair to synchronize with. SSH Key Authority will expect to find the files as config/keys-sync and config/keys-sync.pub for the private and public keys respectively.

  8. Install the SSH key synchronization daemon. For systemd:

    1. Copy services/systemd/keys-sync.service to /etc/systemd/system/
    2. Modify ExecStart path and User as necessary. If SSH Key Authority is installed under /home, disable ProtectHome.
    3. systemctl daemon-reload
    4. systemctl enable keys-sync.service

    for sysv-init:

    1. Copy services/init.d/keys-sync to /etc/init.d/
    2. Modify SCRIPT path and USER as necessary.
    3. update-rc.d keys-sync defaults

Usage

Anyone in the LDAP group defined under admin_group_cn in config/config.ini will be able to manage accounts and servers.

Key distribution

SSH Key Authority distributes authorized keys to your servers via SSH. It does this by:

  1. Connecting to the server with SSH, authorizing as the keys-sync user.
  2. Writing the appropriate authorized keys to named user files in /var/local/keys-sync/ (eg. all authorized keys for the root user will be written to /var/local/keys-sync/root).

This means that your SSH installation will need to be reconfigured to read authorized keys from /var/local/keys-sync/.

Please note that doing so will deny access to any existing SSH public key authorized in the default ~/.ssh directories.

Under OpenSSH, the configuration changes needed are:

AuthorizedKeysFile /var/local/keys-sync/%u
StrictModes no

StrictModes must be disabled because the files will all be owned by the keys-sync user.

The file /var/local/keys-sync/keys-sync must exist, with the same contents as the config/keys-sync.pub file in order for the synchronization daemon to authenticate.

Screenshots

Homepage overview

Homepage overview

Server listing

Server listing

Server account access management

Server account access management

Activity log

Activity log

Getting started guide for new users

Getting started guide for new users

Security advisories

License

Copyright 2013-2017 Opera Software

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

You can’t perform that action at this time.