CASSH

OpenSSH features reach their limit when it comes to industrialization. We don’t want an administrator to sign every user’s public key by hand every day, so we need a service for that. That is exactly the purpose of CASSH: signing keys! Developped for @leboncoin

https://medium.com/leboncoin-engineering-blog/cassh-ssh-key-signing-tool-39fd3b8e4de7

• CLI version : 1.8.1 (02/06/2022) +
• WebUI version : 1.3.1 (02/06/2022)
• Server version : 2.3.1 (06/03/2022) +

Usage

Client CLI

Add new key to cassh-server :

cassh add

Sign pub key :

cassh sign [--display-only] [--force]

Get public key status :

cassh status

Get ca public key :

cassh ca

Get ca krl :

cassh krl

Admin CLI

usage: cassh admin [-h] [-s SET] [--add-principals ADD_PRINCIPALS]
                   [--remove-principals REMOVE_PRINCIPALS]
                   [--purge-principals]
                   [--update-principals UPDATE_PRINCIPALS]
                   [--principals-filter PRINCIPALS_FILTER]
                   username action

positional arguments:
  username              Username of client's key, if username is 'all' status
                        return all users
  action                Choice between : active, delete, revoke, set, search,
                        status keys

optional arguments:
  -h, --help            show this help message and exit
  -s SET, --set SET     CAUTION: Set value of a user.
  --add-principals ADD_PRINCIPALS
                        Add a list of principals to a user, should be
                        separated by comma without spaces.
  --remove-principals REMOVE_PRINCIPALS
                        Remove a list of principals to a user, should be
                        separated by comma without spaces.
  --purge-principals    Purge all principals to a user.
  --update-principals UPDATE_PRINCIPALS
                        Update all principals to a user by the given
                        principals, should be separated by comma without
                        spaces.
  --principals-filter PRINCIPALS_FILTER
                        Look for users by the given principals filter, should
                        be separated by comma without spaces.

Active Client username key :

cassh admin <username> active

Revoke Client username key :

cassh admin <username> revoke

Delete Client username key :

cassh admin <username> delete

Status Client username key :

cassh admin <username> status

Set Client username key :

# Set expiry to 7 days
cassh admin <username> set --set='expiry=7d'

# Add principals to existing ones
cassh admin <username> set --add-principals foo,bar

# Remove principals from existing ones
cassh admin <username> set --remove-principals foo,bar

# Update principals and erease existsing ones
cassh admin <username> set --update-principals foo,bar

# Purge principals
cassh admin <username> set --purge-principals

Search Principals among clients :

cassh admin all search --principals-filter foo,bar

Install

Server

INSTALL.md

Client

INSTALL.md

Cassh WebUI

INSTALL.md

Quick test

Server side

Install docker : https://docs.docker.com/engine/installation/

Prerequisites

# install utilities needed by tests/test.sh
sudo apt install pwgen jq

# Make a 'sudo' only if your user doesn't have docker rights, add your user into docker group
pip install -r tests/requirements.txt

cp tests/cassh/cassh.conf.sample tests/cassh/cassh.conf
cp tests/cassh/ldap_mapping.json.sample tests/cassh/ldap_mapping.json

# Edit cassh.conf file to configure the hosts

# Generate temporary certificates
mkdir test-keys
ssh-keygen -C CA -t rsa -b 4096 -o -a 100 -N "" -f test-keys/id_rsa_ca # without passphrase
ssh-keygen -k -f test-keys/revoked-keys

############################################
# BEGIN THE ONE OR MULTIPLE INSTANCES STEP #
############################################

# Duplicate the cassh.conf
cp tests/cassh/cassh.conf tests/cassh/cassh_2.conf
# Generate another krl
ssh-keygen -k -f test-keys/revoked-keys-2
sed -i "s/revoked-keys/revoked-keys-2/g" tests/cassh/cassh_2.conf

One instance

# Launch this on another terminal
bash tests/launch_demo_server.sh --server_code_path ${PWD} --debug
$ /opt/cassh/src/server/server.py --config /opt/cassh/tests/cassh/cassh.conf

# When 'http://0.0.0.0:8080/' appears, start this script
bash tests/test.sh

Multiple instances

The same as previsouly, but launch this to specify a second cassh-server instance

# Launch this on another terminal
bash tests/launch_demo_server.sh --server_code_path ${PWD} --debug --port 8081
$ /opt/cassh/src/server/server.py --config /opt/cassh/tests/cassh/cassh_2.conf

Client side

Generate key pair then sign it !

git clone https://github.com/nbeguier/cassh.git /opt/cassh
cd /opt/cassh

# Generate key pair
mkdir test-keys
ssh-keygen -t rsa -b 4096 -o -a 100 -f test-keys/id_rsa

rm -f ~/.cassh
cat << EOF > ~/.cassh
[user]
name = user
key_path = ${PWD}/test-keys/id_rsa
key_signed_path = ${PWD}/test-keys/id_rsa-cert
url = http://localhost:8080

[ldap]
realname = [email protected]
EOF

# List keys
python cassh status

# Add it into server
python cassh add

# ADMIN: Active key
python cassh admin user active

# Sign it !
python cassh sign [--display-only]

License

Licensed under the Apache License, Version 2.0 (the "License").

Copyright

Copyright 2017-2025 Nicolas BEGUIER; (nbeguier - nicolas_beguier[at]hotmail[dot]com)