A Discord Bot that handles SSH Certificate Authorization
- OpenSSH Version >= 5.4
- SSH Server with SSH Certificate Support (Check for
TrustedUserCAKeys
) - Docker
-
Create a Discord account
-
Add New Application from Discord Development Portal
-
Name the Application as you want
-
Go to
Bot
menu and add a Bot -
Go to
OAtuh2
,enu and select these scopesbot
-
Select those Bot Permissions
Text Permissions
Send Messages
Needed for Sending MessagesManage Messages
Needed for Message DeletionAdd Reactions
Needed for/clean
Result
-
Invite Bot to your Discord server by allowing it
Note : You can just Copy This Link and ChangeCLIENT_ID
Part
https://discord.com/api/oauth2/authorize?client_id=(CLIENT_ID)&permissions=10304&scope=bot -
Set adequate roles for Bot if you restricted users from reading message from some of your Channels
- Run
ssh-keygen -f (SSH_CONFIG_LOCATION)/ca_user_key
to generate SSH User CA Key
- For Debian and Ubuntu,
SSH_CONFIG_LOCATION
is/etc/ssh
- You may need root access to generate CA there
- You can select other key types, such as
ecdsa
ored25519
, but we recommended25519
andrsa
over 2048 bits.
(IMO, I prefered25519
overrsa
) - You Must Set Passpharase to the CA Key
-
Run
touch (SSH_CONFIG_LOCATION)/ssh_revoked_keys
to make Key Revoke List file -
Edit
(SSH_CONFIG_LOCATION)/sshd_config
and add these Lines
TrustedUserCAKeys /etc/ssh/ca_user_key.pub
RevokedKeys /etc/ssh/ssh_revoked_keys
- Restart OpenSSH
-
Clone this project to your Server that you want to give SSH Access
-
Copy
.env.template
to.env
and setBOT_TOKEN
andDATABASE_PATH
-
Set
CA_PASS
to CA Key passpharse -
Set
ENFORCE_STRONG_KEYS
toTrue
if you want to enforce client keys to bersa
over 2048 bits ored25519
key -
Set
CERTIFICATE_VALID_DAYS
to adequate days to duration of validity of certificate after certificate creation -
Run
check_channel_id.py
and setDISCORD_CHANNELS
that you want Bot to listen on
Note : It supports multiple channels. Please give channel id as CSV(Comma Seperated List) to Listen on Multiple Channels
-
Check
hostname
andcontainer_name
values and change as you want -
Check
ca_user_key
andssh_revoked_keys
are set well to the SSH config location
Do Not Change Path After the Colon(:
) such as/root/ca_user_key
and/root/ssh_revoked_keys
-
Run
docker-compose up -d
to start the container
-
/authorize [public_key]
public_key: OpenSSH Format Public Key
Authorize Key and Create Key Certificate (starts withsha-rsa
orsha-ed25519
) -
/revoke [key_index]
key_index: run /manage to find key index
Revoke key when key is exposed, leaked, or lost -
/manage
Manage keys authorized before -
/clear
Remove all bot-generated messages -
/help
Show help message
- Use branch server for deployment.
git clone -b server --single-branch https://github.com/maxswjeon/authentication-bot
/revoke
does not revoke Certificates that are generated, they revoke Keys. Use with caution.- All environment variables in
.env
are Required or it will cause error.