ssssh.py is a simple script to login to a remote server using SSHv2 after obtaining the required credentials (password) from StoredSafe.
- User do not have to copy and paste password from StoredSafe
- Every retrieval of logon credentials will be recorded in the StoredSafe audit log
The script is written in Python v3 and has been tested on macOS Catalina (10.15.5) and on Linux (any fairly recent version of Ubuntu or Red Hat should work fine).
Support for previous versions of StoredSafe (pre v2.1.0) can be found in the legacy branch.
ssssh.py uses Paramiko (A Python implementation of SSHv2) for all of it's SSH needs. Mad shouts to the Paramiko team for their excellent code.
This script requires Python v3 and some libraries.
It has been developed and tested using Python v3.7.7, on macOS Catalina 10.15.5.
Most of the required libraries are installed by default, but requests and paramiko might require manual installation.
sudo pip install -r requirements.txtor
requests:
sudo -H pip install requestsparamiko:
sudo -H pip install paramiko# ssssh.py --help
Usage: ssssh.py [-vdsuat] user@host.domain.cc[:port]
--verbose (or -v) (Boolean) Enable verbose output.
--debug (or -d) (Boolean) Enable debug output.
--rc <rc file> Use this file to obtain a valid token and a server address.
--storedsafe (or -s) <Server> Use this StoredSafe server.
--user (or -u) <user> Authenticate as this user to the StoredSafe server.
--apikey (or -a) <API Key> Use this unique API key when communicating with the StoredSafe server.
--token (or -t) <Auth Token> Use pre-authenticated token instead of --user and --apikey.
Obtain password for the user from StoredSafe and connect on port 1234:
$ ssssh.py user@server.domain.cc:1234--verboseAdd verbose output.
--debugAdd debug output.
--rc <RC file>Obtain credentials (token) and server information from this file. (Enabled by default to
~/.storedsafe-client.rc)
--storedsafe|-s <server>Upload certificates to this StoredSafe server.
--user|-u <user>Authenticate as this StoredSafe user.
--apikey|-a <apikey>Use this unique API key when communicating with StoredSafe. (Unique per application and installation)
--token <token>Use pre-authenticated token instead of
--userand--apikey, also removes requirement to login with passphrase and OTP.
user@host.domain.cc[:port]Login as user on host.domain.cc. Specify port number for SSH, unless it's 22.
ssssh.py utilizes StoredSafe's REST API to lookup credentials and will require either that pre-authentication has been performed by the StoredSafe token handler CLI module (storedsafe-tokenhandler.py) and stored in an init file which location can be specified with the --rc option. (By default ~/.storedsafe-client.rc)
Other authentication options includes specifying a valid token (--token) or perform an on-line, one-shot authentication (--user, --storedsafe and --apikey)
Using pre-authenticated REST API to the StoredSafe appliance, the user sven obtains the password for the user andreas (credentials which sven has been granted access to by an appropriate information owner in StoredSafe) and sven can silently use these credentials to login via SSHv2 to the host domain.cc.
[sven@client ~]$ ssssh.py --verbose andreas@domain.cc
Found credentials for "andreas@domain.cc" (Object-ID 744 in Vault-ID 182)
Connecting to "domain.cc" on port 22
Last login: Sun Oct 15 19:55:20 2017 from clients.domain.cc
[andreas@domain.cc ~]$It's also possible to authenticate in one-shot mode to StoredSafe to obtain the required credentials to log on to the remote server. Below, the StoredSafe user sven will use his StoredSafe account to obtain the password for the user andreas@domain.cc which will be used to open up an SSH connection to domain.cc and logon as the user andreas using the password obtained from StoredSafe.
[sven@client ~]$ ssssh.py -v --storedsafe safe.stored.safe --user sven --apikey myAPIKey andreas@10.44.44.203
Enter sven's passphrase:
Press sven's Yubikey:
Found credentials for "andreas@domain.cc" (Object-ID 744 in Vault-ID 182)
Connecting to "domain.cc" on port 22
Last login: Sun Oct 15 20:18:19 2017 from clients.domain.cc
[andreas@domain.cc ~]$- ssssh.py can only handle tunneled passwords.
- If multiple identical credentials are available in StoredSafe, ssssh.py will use the last one found.
GPL