Expose local age identities to remote machines via SSH

Overview

age-plugin-remote

TBD

Design Notes

Proxy identities act as bearer tokens. A proxy identity is only "active" if the authority provides it when starting the agent. The proxy identity may access all real identities that the authority provides when starting the agent.

A 32-bit TAG can be persisted in the proxy identity file, and then reused with a small-enough chance of collision (since we only care about collisions on a per-user level, and similar age tags in other identities are also 32 bits).

To reuse proxy identities, you might need a one-time remote server setup:

sudo sh -c 'echo "StreamLocalBindUnlink yes" >> /etc/ssh/sshd_config'

Or, if we end up querying the environment before we start, we could also use that step to clear out the old socket file, provided we can verify that it isn't actually in use.
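One way to answer the stale-socket question above, as an added Python example that is not part of age-plugin-remote: treat the remote `TAG.sock` as reusable only after a connect probe shows nobody is listening, and never unlink a path that is not a socket. The TAG helpers and all function names are assumptions for this illustration.

```python
import os
import secrets
import socket
import stat
import tempfile

def new_tag() -> str:
    """Fresh 32-bit TAG as 8 hex digits, as persisted in a proxy identity."""
    return secrets.token_hex(4)

def socket_name(tag: str) -> str:
    """Remote socket name requested with `ssh -R <TAG>.sock:...`."""
    if len(tag) != 8 or set(tag) - set("0123456789abcdef"):
        raise ValueError("TAG must be 32 bits as 8 lowercase hex digits")
    return f"{tag}.sock"

def socket_is_live(path: str) -> bool:
    """Probe: a successful connect means a listener still holds the socket."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(1.0)
        try:
            s.connect(path)
            return True
        except (ConnectionRefusedError, FileNotFoundError):
            return False  # nobody is listening (or it vanished): stale
        except OSError:
            return True  # unknown state: err on the side of not deleting

def clear_stale_socket(path: str) -> bool:
    """Unlink TAG.sock only if it is a socket with no listener; True if path is free."""
    if not os.path.lexists(path):
        return True
    if not stat.S_ISSOCK(os.lstat(path).st_mode):
        return False  # never delete a non-socket that shares the name
    if socket_is_live(path):
        return False
    os.unlink(path)
    return True

def run_demo() -> tuple:
    """Constructed scenario: a live listener is kept, a stale socket cleared."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, socket_name(new_tag()))
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        srv.bind(path)
        srv.listen(1)
        kept = not clear_stale_socket(path)  # listener alive: refuse to unlink
        srv.close()  # the socket file stays behind, now stale
        cleared = clear_stale_socket(path) and not os.path.exists(path)
    return kept, cleared
```

With `StreamLocalBindUnlink yes` on the server this cleanup is redundant, but the probe still tells the proxy whether an earlier agent for the same TAG is still running rather than silently replacing it.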

sequenceDiagram
    actor Authority
    participant Proxy
    participant RSock as Remote Machine
    participant Plugin
    participant Client
    actor User
    Note over RSock,User: Remote Machine
    Note over Authority,Proxy: Local Machine

    %% Opening delegation proxy
    Authority->>Proxy: -i real.identity
    activate Proxy
    Authority->>Proxy: -s [email protected]
    Note over Proxy,RSock: SSH connection
    Proxy->>RSock: Query environment
    activate RSock
    RSock-->>Proxy: valid TAG
    deactivate RSock
    Proxy->>RSock: -R TAG.sock:local
    activate RSock
    Note over RSock: Unix socket TAG.sock
    Note over Proxy: Prepares identity containing PAKE passphrase and TAG
    Proxy-->>Authority: proxy.identity

    %% User wants to decrypt a file
    User->>Client: -i proxy.identity
    activate Client
    User->>Client: encrypted file
    Note over Client,Plugin: plugin protocol
    Client->>Plugin: proxy.identity
    activate Plugin
    Client->>Plugin: file header
    Plugin->>RSock: TAG.sock
    Note over Proxy,Plugin: Encrypted session using PAKE
    Plugin->>Proxy: proxy.identity, file header
    Note over Proxy: Queries identities, local plugins
    Proxy-->>Plugin: file key
    Plugin-->>Client: file key
    deactivate Plugin
    Client-->>User: decrypted file
    deactivate Client

    %% Closing delegation proxy
    Authority->>Proxy: Ctrl+C
    Proxy-->RSock: Connection closed
    deactivate Proxy
    deactivate RSock

    %% When the proxy is off, the client gets an error
    User->>Client: -i proxy.identity
    activate Client
    User->>Client: encrypted file
    Client->>Plugin: proxy.identity
    activate Plugin
    Client->>Plugin: file header
    Plugin-XRSock: TAG.sock
    Plugin-->>Client: error
    deactivate Plugin
    Client-->>User: error
    deactivate Client

License

Licensed under either of

at your option.

Contribution

Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.
