Adds OpenPubkey Support to SSH3

auth/plugins/openpubkey/client/opk_auth.go

@@ -0,0 +1,150 @@
+package openpubkey_authentication
+
+import (
+	"context"
+	"encoding/base64"
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"time"
+
+	"github.com/francoismichel/ssh3"
+	"github.com/francoismichel/ssh3/auth"
+	"github.com/francoismichel/ssh3/auth/plugins"
+	"github.com/francoismichel/ssh3/client/config"
+	"github.com/golang-jwt/jwt/v5"
+	"github.com/openpubkey/openpubkey/client"
+	"github.com/openpubkey/openpubkey/providers"
+	"github.com/quic-go/quic-go/http3"
+	"github.com/rs/zerolog/log"
+	"golang.org/x/crypto/ssh/agent"
+)
+
+func init() {
+	plugin := auth.ClientAuthPlugin{
+		PluginOptions: map[config.OptionName]config.OptionParser{OPENPUBKEY_OPTION_NAME: &OpenPubkeyOptionParser{}},
+		PluginFunc:    openpubkeyPluginFunc,
+	}
+	plugins.RegisterClientAuthPlugin("openpubkey_auth", plugin)
+}
+
+const OPENPUBKEY_OPTION_NAME = "github.com/openpubkey/ssh3-openpubkey_auth"
+
+// Implements client-side OpenPubkey authentication
+type OpenPubkeyAuthOption struct {
+	issuer string
+}
+
+// Issuer returns the OpenID Provider issuer URI specified by the user
+func (o *OpenPubkeyAuthOption) Issuer() string {
+	return o.issuer
+}
+
+// OpenPubkeyOptionParser handles SSH3 command line arguments relevant to OpenPubkey.
+// An example command: `./ssh3 -openpubkey https://accounts.google.com [email protected]:443/ssh3-term`
+type OpenPubkeyOptionParser struct{}
+
+// FlagName implements config.CLIOptionParser.
+func (*OpenPubkeyOptionParser) FlagName() string {
+	return "openpubkey"
+}
+
+// IsBoolFlag implements config.CLIOptionParser.
+func (*OpenPubkeyOptionParser) IsBoolFlag() bool {
+	return false
+}
+
+// OptionConfigName implements config.OptionParser.
+func (*OpenPubkeyOptionParser) OptionConfigName() string {
+	return "OpenPubkey"
+}
+
+// Parse implements config.OptionParser.
+func (*OpenPubkeyOptionParser) Parse(values []string) (config.Option, error) {
+	return &OpenPubkeyAuthOption{
+		issuer: values[0],
+	}, nil
+}
+
+// Usage implements config.CLIOptionParser.
+func (*OpenPubkeyOptionParser) Usage() string {
+	return "OpenID Provider to use"
+}
+
+var _ config.CLIOptionParser = &OpenPubkeyOptionParser{}
+
+// openpubkeyPluginFunc is set as the PluginFunc for the plugin in init(). Its purpose
+// is to:
+// 1. read the config/options set by the SSH3 client,
+// 2. determine if OpenPubkey auth would be appropriate given the config/options specified,
+// 3. and if so, return the OpenPubkeyAuthMethod for the specified options/config.
+var openpubkeyPluginFunc auth.GetClientAuthMethodsFunc = func(request *http.Request,
+	sshAgent agent.ExtendedAgent, clientConfig *config.Config,
+	roundTripper *http3.RoundTripper) ([]auth.ClientAuthMethod, error) {
+	for _, opt := range clientConfig.Options() {
+		if o, ok := opt.(*OpenPubkeyAuthOption); ok {
+			switch o.Issuer() {
+			// We only support Google
+			case "https://accounts.google.com":
+				providerOpts := providers.GetDefaultGoogleOpOptions()
+				providerOpts.GQSign = false
+				provider := providers.NewGoogleOpWithOptions(providerOpts)
+				methods := []auth.ClientAuthMethod{
+					&OpenPubkeyAuthMethod{
+						provider: provider,
+					}}
+				return methods, nil
+			// Add new OpenID Provider support here
+			default:
+				log.Error().Msgf("openID Provider is not supported by OpenPubkey: issuer=%s", o.Issuer())
+				return nil, nil
+			}
+		}
+	}
+	return nil, nil
+}
+
+// OpenPubkeyAuthMethod implements auth.ClientAuthMethod.
+type OpenPubkeyAuthMethod struct {
+	provider providers.OpenIdProvider
+}
+
+// PrepareRequestForAuth implements auth.ClientAuthMethod.
+// This function performs the client side of the OpenPubkey authentication.
+func (o *OpenPubkeyAuthMethod) PrepareRequestForAuth(request *http.Request,
+	sshAgent agent.ExtendedAgent, roundTripper *http3.RoundTripper,
+	username string, conversation *ssh3.Conversation) error {
+	opkClient, err := client.New(o.provider)
+	if err != nil {
+		return err
+	}
+	pkt, err := opkClient.Auth(context.Background())
+	if err != nil {
+		return err
+	}
+	pktCom, err := pkt.Compact()
+	if err != nil {
+		return err
+	}
+	convID := conversation.ConversationID()
+	b64ConvID := base64.StdEncoding.EncodeToString(convID[:])
+	claims := jwt.MapClaims{
+		"iss":       username,
+		"iat":       jwt.NewNumericDate(time.Now()),
+		"exp":       jwt.NewNumericDate(time.Now().Add(10 * time.Second)),
+		"sub":       "ssh3",
+		"aud":       "unused",
+		"client_id": fmt.Sprintf("ssh3-%s", username),
+		"jti":       b64ConvID,
+	}
+	msg, err := json.Marshal(claims)
+	if err != nil {
+		return err
+	}
+	osm, err := pkt.NewSignedMessage(msg, opkClient.GetSigner())
+	if err != nil {
+		return err
+	}
+	request.Header.Set("Authorization", fmt.Sprintf("Bearer %s#%s", osm, pktCom))
+	return nil
+}

auth/plugins/openpubkey/server/server_plugin.go

@@ -0,0 +1,167 @@
+package server_openpubkey_authentication
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+	"strings"
+	"time"
+
+	"github.com/golang-jwt/jwt/v5"
+	"github.com/openpubkey/openpubkey/pktoken"
+	"github.com/openpubkey/openpubkey/providers"
+	"github.com/openpubkey/openpubkey/verifier"
+
+	"github.com/francoismichel/ssh3/auth"
+	"github.com/francoismichel/ssh3/auth/plugins"
+	"github.com/francoismichel/ssh3/server_auth"
+	"github.com/rs/zerolog/log"
+)
+
+const PLUGIN_NAME = "github.com/openpubkey/ssh3-server_openpubkey_auth"
+
+// OPENPUBKEY_TAG specifies an identity string as an OpenPubkey identity string in the authorized_identities file.
+const OPENPUBKEY_TAG = "openpubkey"
+
+func init() {
+	if err := plugins.RegisterServerAuthPlugin(PLUGIN_NAME, OpenPubkeyAuthPlugin); err != nil {
+		log.Error().Msgf("could not register plugin %s: %s", PLUGIN_NAME, err)
+	}
+}
+
+// OpenPubkeyIdentityVerifier implements server-side OpenPubkey authentication.
+type OpenPubkeyIdentityVerifier struct {
+	username     string
+	clientIdOidc string
+	issuerOidc   string
+	email        string
+}
+
+// Verify authenticates a new SSH3 TLS connection using OpenPubkey.
+// It does this by checking that:
+// 1. a PK Token has been provided,
+// 2. the identity in the PK Token matches an OpenPubkey identity in the authorized identities file,
+// 3. the conversationID of the TLS connection has been signed by PK Token.
+// If all these checks pass it accepts the SSH3 connection as the identity specified.
+func (v *OpenPubkeyIdentityVerifier) Verify(request *http.Request, base64ConversationID string) bool {
+	authStr, wellFormattedB64Token := server_auth.ParseBearerAuth(request.Header.Get("Authorization"))
+	if !wellFormattedB64Token {
+		log.Error().Msgf("!wellFormattedB64Token %s ", request.Header.Get("Authorization"))
+		return false
+	}
+
+	authStrArr := strings.Split(authStr, "#")
+	if len(authStrArr) != 2 {
+		log.Error().Msgf("authStr not properly formed")
+		return false
+	}
+	jwtToken := authStrArr[0]
+	pktCom := authStrArr[1]
+
+	var provider providers.OpenIdProvider
+	// Add new OpenID Provider support here
+	switch v.issuerOidc {
+	case "https://accounts.google.com":
+		providerOpts := providers.GetDefaultGoogleOpOptions()
+		providerOpts.ClientID = v.clientIdOidc
+		providerOpts.GQSign = false
+		provider = providers.NewGoogleOpWithOptions(providerOpts)
+	default:
+		log.Error().Msgf("openID Provider is not supported by OpenPubkey: issuer=%s", v.issuerOidc)
+		return false
+	}
+	opkVerifier, err := verifier.New(provider)
+	if err != nil {
+		log.Error().Msgf("failed to configure openpubkey verifier: %s", err)
+		return false
+	}
+	pkt, err := pktoken.NewFromCompact([]byte(pktCom))
+	if err != nil {
+		log.Error().Msgf("failed to deserialize compact PK Token: %s", err)
+		return false
+	}
+	err = opkVerifier.VerifyPKToken(context.Background(), pkt)
+	if err != nil {
+		log.Error().Msgf("failed to verify PK Token: %s", err)
+		return false
+	}
+
+	if _, err := pkt.VerifySignedMessage([]byte(jwtToken)); err != nil {
+		log.Error().Msgf("openPubkey JWT signature verification failed: %s", err)
+		return false
+	}
+
+	cic, err := pkt.GetCicValues()
+	if err != nil {
+		log.Error().Msgf("openPubkey CIC is wrong: %s", err)
+		return false
+	}
+
+	upk := cic.PublicKey()
+	var rawkey interface{} // This is the raw key, such as *rsa.PrivateKey or *ecdsa.PrivateKey
+	if err := upk.Raw(&rawkey); err != nil {
+		log.Error().Msgf("openPubkey CIC is wrong: %s", err)
+		return false
+	}
+
+	token, err := jwt.Parse(jwtToken,
+		func(unvalidatedToken *jwt.Token) (interface{}, error) {
+			switch unvalidatedToken.Method.Alg() {
+			case "RS256", "EdDSA", "ES256":
+				return rawkey, nil
+			}
+			return nil, fmt.Errorf("unsupported signature algorithm '%s' for %T", unvalidatedToken.Method.Alg(), v)
+		},
+		jwt.WithIssuer(v.username),
+		jwt.WithSubject("ssh3"),
+		jwt.WithIssuedAt(),
+		jwt.WithLeeway(120*time.Second), // Be forgiving of small clock differences
+		jwt.WithAudience("unused"),
+		jwt.WithValidMethods([]string{"RS256", "EdDSA", "ES256"}))
+	if err != nil || !token.Valid {
+		log.Error().Msgf("invalid OpenPubkey signed JWT: %s", err)
+		return false
+	}
+	if claims, ok := token.Claims.(jwt.MapClaims); ok {
+		if _, ok = claims["exp"]; !ok {
+			log.Error().Msgf("missing exp")
+			return false
+		}
+		if clientId, ok := claims["client_id"]; !ok || clientId != fmt.Sprintf("ssh3-%s", v.username) {
+			log.Error().Msgf("invalid client_id %s", clientId)
+			return false
+		}
+		if jti, ok := claims["jti"]; !ok || jti != base64ConversationID {
+			log.Error().Msgf("rsa verification failed: the jti claim does not contain the base64-encoded conversation ID")
+			return false
+		}
+	} else {
+		log.Error().Msgf("bad JWT claims type: %T", token.Claims)
+		return false
+	}
+	return true
+}
+
+// OpenPubkeyAuthPlugin takes a username and identityStr from the authorized_identities file
+// and either rejects the identity string or returns a verifier. This function is used to
+// search through the authorized_identities file to find a matching authorized identities.
+// An identity string matches if matches on the username and it is tagged as openpubkey.
+func OpenPubkeyAuthPlugin(username string, identityStr string) (auth.RequestIdentityVerifier, error) {
+	log.Debug().Msgf("OpenPubkey auth plugin: parse identity string %s", identityStr)
+
+	identityStrArr := strings.Split(identityStr, " ")
+	if len(identityStrArr) != 4 || identityStrArr[0] != OPENPUBKEY_TAG {
+		log.Debug().Msgf("the identity string is not a compatible openpubkey string, %s", identityStr)
+		return nil, nil
+	}
+	clientId := identityStrArr[1]
+	issuer := identityStrArr[2]
+	email := identityStrArr[3]
+
+	return &OpenPubkeyIdentityVerifier{
+		username:     username,
+		clientIdOidc: clientId,
+		issuerOidc:   issuer,
+		email:        email,
+	}, nil
+}

cmd/plugin_endpoint/main.go

@@ -1,6 +1,7 @@
 package main
 
 import (
+	_ "github.com/francoismichel/ssh3/auth/plugins/openpubkey/client"
 	_ "github.com/francoismichel/ssh3/auth/plugins/pubkey_authentication/client"
 	cmd "github.com/francoismichel/ssh3/cmd"
 )

cmd/ssh3-server/main.go

@@ -5,6 +5,7 @@ import (
 	"os"
 
 	// authentication plugins
+	_ "github.com/francoismichel/ssh3/auth/plugins/openpubkey/server"
 	_ "github.com/francoismichel/ssh3/auth/plugins/pubkey_authentication/server"
 )
 

cmd/ssh3/main.go

@@ -5,6 +5,7 @@ import (
 	"os"
 
 	// authentication plugins
+	_ "github.com/francoismichel/ssh3/auth/plugins/openpubkey/client"
 	_ "github.com/francoismichel/ssh3/auth/plugins/pubkey_authentication/client"
 )