
SSH CA Key / Certificate Issue Bot with Discord Integration


maxswjeon/authentication-bot


Authentication Bot

A Discord Bot that handles SSH Certificate Authorization

Requirements

  • OpenSSH Version >= 5.4
  • SSH Server with SSH Certificate Support (Check for TrustedUserCAKeys)
  • Docker

Installation

1. Discord Setup

  1. Create a Discord account

  2. Add New Application from Discord Development Portal

  3. Name the Application as you want

  4. Go to Bot menu and add a Bot

  5. Go to the OAuth2 menu and select these scopes

    • bot
  6. Select these Bot Permissions

    • Text Permissions
      • Send Messages
        Needed for Sending Messages
      • Manage Messages
        Needed for Message Deletion
      • Add Reactions
        Needed for /clean Result
  7. Invite the Bot to your Discord server by authorizing it
    Note: You can copy this link and replace the (CLIENT_ID) part
    https://discord.com/api/oauth2/authorize?client_id=(CLIENT_ID)&permissions=10304&scope=bot

  8. Assign adequate roles to the Bot if you have restricted users from reading messages in some of your channels

2. SSH Setup

  1. Run ssh-keygen -f (SSH_CONFIG_LOCATION)/ca_user_key to generate the SSH User CA Key
    • For Debian and Ubuntu, SSH_CONFIG_LOCATION is /etc/ssh
    • You may need root access to generate the CA key there
    • You can select other key types, such as ecdsa or ed25519, but we recommend ed25519 and rsa over 2048 bits.
      (IMO, I prefer ed25519 over rsa)
    • You must set a passphrase on the CA Key
  2. Run touch (SSH_CONFIG_LOCATION)/ssh_revoked_keys to create the Key Revoke List file

  3. Edit (SSH_CONFIG_LOCATION)/sshd_config and add these lines

    TrustedUserCAKeys /etc/ssh/ca_user_key.pub
    RevokedKeys /etc/ssh/ssh_revoked_keys
  4. Restart OpenSSH

3. Bot Setup

  1. Clone this project to your Server that you want to give SSH Access

  2. Copy .env.template to .env and set BOT_TOKEN and DATABASE_PATH

  3. Set CA_PASS to the CA Key passphrase

  4. Set ENFORCE_STRONG_KEYS to True if you want to require client keys to be rsa over 2048 bits or ed25519

  5. Set CERTIFICATE_VALID_DAYS to the number of days a certificate stays valid after it is created

  6. Run check_channel_id.py and set DISCORD_CHANNELS to the channels that you want the Bot to listen on
    Note: It supports multiple channels. Give the channel IDs as a comma-separated list (CSV) to listen on multiple channels
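
The kind of check the ENFORCE_STRONG_KEYS step describes, as an added example (not this project's code): it parses the OpenSSH public key blob and measures the RSA modulus instead of trusting the text prefix. The names check_public_key, make_sample and MIN_RSA_BITS are hypothetical, and "rsa over 2048 bits" is assumed to mean a modulus of at least 2048 bits.

```python
import base64

MIN_RSA_BITS = 2048  # assumption: "rsa over 2048 bits" read as >= 2048

def _field(data):
    return len(data).to_bytes(4, "big") + data

def make_sample(key_type, *fields):
    """Build a constructed, non-functional public key line for testing."""
    blob = b"".join(_field(f) for f in (key_type.encode(), *fields))
    return f"{key_type} {base64.b64encode(blob).decode()} constructed@example"

def _read_field(blob, offset):
    """Read one length-prefixed field (RFC 4251 string or mpint)."""
    length = int.from_bytes(blob[offset:offset + 4], "big")
    end = offset + 4 + length
    if len(blob) < offset + 4 or end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end

def check_public_key(line):
    """Return (accepted, reason) for one OpenSSH-format public key line."""
    parts = line.split()
    if len(parts) < 2:
        return False, "not an OpenSSH public key line"
    declared = parts[0]
    try:
        blob = base64.b64decode(parts[1], validate=True)
        inner, pos = _read_field(blob, 0)
        if inner != declared.encode():
            return False, "key type prefix does not match key blob"
        if declared == "ssh-ed25519":
            key, pos = _read_field(blob, pos)
            ok = len(key) == 32 and pos == len(blob)
            return ok, "ed25519" if ok else "malformed ed25519 key"
        if declared == "ssh-rsa":
            _e, pos = _read_field(blob, pos)  # public exponent, not checked
            n, pos = _read_field(blob, pos)   # modulus, mpint encoded
            if pos != len(blob):
                return False, "trailing data after RSA modulus"
            bits = int.from_bytes(n, "big").bit_length()
            if bits < MIN_RSA_BITS:
                return False, f"rsa {bits} bits is below {MIN_RSA_BITS}"
            return True, f"rsa {bits} bits"
    except ValueError as exc:  # includes binascii.Error from bad base64
        return False, f"malformed key: {exc}"
    return False, f"key type {declared} not allowed"

if __name__ == "__main__":
    print(check_public_key(make_sample("ssh-ed25519", bytes(32))))
```
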

4. Docker Setup

  1. Check hostname and container_name values and change as you want

  2. Check that ca_user_key and ssh_revoked_keys point to the SSH config location
    Do not change the path after the colon (:), such as /root/ca_user_key and /root/ssh_revoked_keys

  3. Run docker-compose up -d to start the container

Usage

  • /authorize [public_key]
    public_key: OpenSSH Format Public Key
    Authorize Key and Create Key Certificate (starts with ssh-rsa or ssh-ed25519)

  • /revoke [key_index]
    key_index: run /manage to find key index
    Revoke key when key is exposed, leaked, or lost

  • /manage
    Manage keys authorized before

  • /clear
    Remove all bot-generated messages

  • /help
    Show help message

Notes

  • Use branch server for deployment.
    git clone -b server --single-branch https://github.com/maxswjeon/authentication-bot
  • /revoke does not revoke the Certificates that were generated; it revokes Keys. Use with caution.
  • All environment variables in .env are required; a missing one will cause an error.
