Start yubikey certificates and subkeys example

08_ssh/SSH_CERTIFICATES.md

@@ -0,0 +1,103 @@
+# SSH CERTIFICATES
+
+Demonstrate how to use a SSH certificates rather than keys.  
+
+## Reason
+
+Keys never expire. Neither users nor hosts are forced to refresh their keys.
+
+### Run example
+
+The `nginx` container is not available on the network. We use the `ssh` server to allow access.  
+
+```sh
+# create keys
+mkdir -p ./ssh_server/keys
+ssh-keygen -o -a 100 -t ed25519 -f ./ssh_server/keys/id_ed25519 
+ssh-keygen -o -a 100 -t rsa -f ./ssh_server/keys/id_rsa 
+```
+
+Start the containers.
+
+```sh
+# start server
+docker compose up -d --build --force-recreate
+
+# quick test
+docker compose logs internalnginx  
+docker compose logs sshserver        
+docker compose logs caserver        
+```
+
+### Configure Certificate Authority
+
+```sh
+docker compose exec -it caserver /bin/bash
+
+
+
+
+```
+
+
+SSH to get access to `nginx`.  
+
+```sh
+# ssh onto server 
+ssh -vvvv -o StrictHostKeyChecking=no -i ./ssh_server/keys/id_rsa -p 2822 root@0.0.0.0
+# curl against the nginx container
+curl 172.16.238.64:80
+```
+
+### 🧼 Cleanup
+
+```sh
+# bring it down and delete the volume
+docker compose down 
+```
+
+### Debugging and troubleshooting
+
+```sh
+docker compose exec -it sshserver /bin/bash
+
+# start ssh
+rsyslogd
+service ssh start
+nano /etc/ssh/sshd_config  
+service ssh restart
+
+passwd
+cat /root/.ssh/authorized_keys
+cat /var/log/auth.log
+
+#PasswordAuthentication yes
+#PermitEmptyPasswords yes
+#PermitRootLogin without-password
+
+# open connections (only rsa seems to work)
+ssh -vvvv -o StrictHostKeyChecking=no -i ./ssh_server/keys/id_ed25519 -p 2822 root@0.0.0.0
+ssh -vvvv -o StrictHostKeyChecking=no -i ./ssh_server/keys/id_rsa -p 2822 root@0.0.0.0
+```
+
+
+## Resources
+
+https://www.devseccon.com/blog/3-reasons-to-use-ssh-certificates-instead-of-ssh-keys-secadvent-day-22
+
+
+https://berndbausch.medium.com/ssh-certificates-a45bdcdfac39
+
+- If you’re not using SSH certificates you’re doing SSH wrong [here](https://smallstep.com/blog/use-ssh-certificates/)
+
+
+https://www.reddit.com/r/devops/comments/s1zzz1/what_is_the_best_way_to_manage_ssh_identities_and/
+
+
+- Facebook: Scalable and secure access with SSH [here](https://engineering.fb.com/2016/09/12/security/scalable-and-secure-access-with-ssh/)
+
+
+
+
+/Users/chris.guest/Code/scratch/docker_build_examples/40_ssl_nginx
+

08_ssh/docker-compose.yaml

@@ -0,0 +1,30 @@
+services:
+    internalnginx:
+        image: nginx:1.21.1      
+        networks:
+            app_private_network:
+                ipv4_address: 172.16.238.64
+
+    sshserver:
+        build: 
+            context: ./ssh_server
+            dockerfile: ./Dockerfile.server
+        ports:
+            - 2822:22
+        networks:
+            app_private_network:
+                ipv4_address: 172.16.238.3
+
+    caserver:
+        build: 
+            context: ./ssh_server
+            dockerfile: ./Dockerfile.ca
+
+networks:
+    app_private_network:
+        ipam:
+            driver: default
+            config:
+                - subnet: "172.16.238.0/24"
+
+

08_ssh/ssh_server/.gitignore

@@ -0,0 +1 @@
+keys

08_ssh/ssh_server/Dockerfile.ca

@@ -0,0 +1,52 @@
+# syntax=docker/dockerfile:1.4
+FROM ubuntu:20.04
+
+RUN apt-get update && apt-get install --no-install-recommends \
+        rsyslog \
+        openssh-server \
+        nano \
+        curl \
+        lsof \
+        iproute2 nmap \
+        iputils-ping -y \ 
+        && apt-get clean \
+        && rm -rf /var/lib/apt/lists/*
+
+WORKDIR /scratch
+
+# NOTE: Escape the \$ otherwise they are rendered at buildtime
+COPY --chmod=755 <<EOF /bin/hold.sh
+#!/usr/bin/env bash
+
+echo "Holding..."
+
+function trap_hup_handler() {
+    echo "SIGHUP handler exiting"
+    exit $(( 128 + 1 ))
+}
+function trap_int_handler() {
+    echo "SIGINT handler exiting"
+    exit $(( 128 + 2 ))
+}
+function trap_quit_handler() {
+    echo "SIGQUIT handler exiting"
+    exit $(( 128 + 3 ))
+}
+function trap_term_handler() {
+    echo "SIGTERM handler exiting"
+    exit $(( 128 + 15 ))
+}
+
+trap trap_hup_handler SIGHUP
+trap trap_int_handler SIGINT
+trap trap_quit_handler SIGQUIT
+trap trap_term_handler SIGTERM
+
+rsyslogd
+service ssh start
+echo "Start sleep infinity"
+sleep infinity
+EOF
+
+
+CMD [ "/bin/bash", "-c", "/bin/hold.sh" ]

08_ssh/ssh_server/Dockerfile.server

@@ -0,0 +1,65 @@
+# syntax=docker/dockerfile:1.4
+FROM ubuntu:20.04
+
+RUN apt-get update && apt-get install --no-install-recommends \
+        rsyslog \
+        openssh-server \
+        nano \
+        curl \
+        lsof \
+        iproute2 nmap \
+        iputils-ping -y \ 
+        && apt-get clean \
+        && rm -rf /var/lib/apt/lists/*
+
+WORKDIR /scratch
+
+# NOTE: Escape the \$ otherwise they are rendered at buildtime
+COPY --chmod=755 <<EOF /bin/hold.sh
+#!/usr/bin/env bash
+
+echo "Holding..."
+
+function trap_hup_handler() {
+    echo "SIGHUP handler exiting"
+    exit $(( 128 + 1 ))
+}
+function trap_int_handler() {
+    echo "SIGINT handler exiting"
+    exit $(( 128 + 2 ))
+}
+function trap_quit_handler() {
+    echo "SIGQUIT handler exiting"
+    exit $(( 128 + 3 ))
+}
+function trap_term_handler() {
+    echo "SIGTERM handler exiting"
+    exit $(( 128 + 15 ))
+}
+
+trap trap_hup_handler SIGHUP
+trap trap_int_handler SIGINT
+trap trap_quit_handler SIGQUIT
+trap trap_term_handler SIGTERM
+
+rsyslogd
+service ssh start
+echo "Start sleep infinity"
+sleep infinity
+EOF
+
+COPY keys/id_ed25519.pub /scratch/id_ed25519.pub 
+COPY keys/id_rsa.pub /scratch/id_rsa.pub 
+
+COPY --chmod=755 <<EOF /bin/preparekeys.sh
+mkdir -p /root/.ssh
+cat /scratch/id_ed25519.pub > /root/.ssh/authorized_keys
+cat /scratch/id_rsa.pub >> /root/.ssh/authorized_keys
+EOF
+
+RUN /bin/preparekeys.sh
+
+RUN chown -R root /root/.ssh/authorized_keys
+RUN chmod 644  /root/.ssh/authorized_keys
+
+CMD [ "/bin/bash", "-c", "/bin/hold.sh" ]

19_yubi/GIT_SSH.md

@@ -0,0 +1,23 @@
+# GIT SSH
+
+Goto [git-server/README.md](./git-server/README.md) and install a local server.  
+
+TODO:
+
+* gitea rsa key has to be 3072 key length
+
+## User SSH key
+
+```sh
+# copy thumbprint
+LIBYKCS11_PATH=$(realpath /usr/local/lib/libykcs11.dylib)
+LIBYKCS11_PATH=/home/linuxbrew/.linuxbrew/lib/libykcs11.so
+
+# copy the key to gitea
+ssh-keygen -D ${LIBYKCS11_PATH} -e | grep Signature 
+```
+
+
+## Resources
+
+* SSH key cannot be verified due to 2047 lengt [here](https://github.com/go-gitea/gitea/issues/20249)