github.com/yaegashi/msgraph.go@v0.1.4/cmd/msgraph-sshpubkey/README.md

# msgraph-sshpubkey

## Introduction

msgraph-sshpubkey is a CLI utility to manage OpenSSH public keys
in the custom property ([open extensions]) of user resources in Azure Active Directory.

On SSH server hosts, it acquires SSH public keys via `AuthorizedKeysCommand`
in /etc/ssh/sshd_config when users want to log in.

It's still a PoC implementation, never use it in production.
There are many security considerations to address, as well as feature and improvement ideas (see the todos below).

## Manage your keys in the directory

By default msgraph-sshpubkey authenticates users using [Azure AD v2 device code flow].
It will always ask you to open https://microsoft.com/devicelogin to enter the code, then sign in with your Azure AD account.
You can bypass sign-ins by specifying `-token-store /path/to/token.json`.

Set SSH public keys with a file:

```console
$ msgraph-sshpubkey -op set -in ~/.ssh/id_rsa.pub
```

Set SSH public keys with keys kept in the SSH agent:

```console
$ ssh-add -L | msgraph-sshpubkey -op set -in -
```

Get SSH public keys (you can omit `-op get`):

```console
$ msgraph-sshpubkey
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDTv2zRefcFMXafSRneDlULwCPh0v7SM9rJPIlySgd8WEJwk3/bY4B6j6hMPk3xS/JAqvQG0hc5cRSSmo4tG9H7TDjmGKBptIsGr5skTx181nbv/qRLYrej80KFrKyt2yHxg7BFOMGDSG1RnRVDUQJxlYxluavky0dv3KGRt6TtDuzuLGi6flHcqJymlZleqprEEwZwc0ju/ZNBfpEW2A+e69nJkudgT8jsO3a61iQ9myf7Jdk/0dxHPoHhu2VWEv/YcFPr0OX5fp7OHVL56vYb6yQVSVp1MtqjqSLpSK+O1eEGnwLsI9/93DXUj3gFncqjddgD75SQ1N9e1DPYK9sz /Users/yaegashi/.ssh/id_rsa
```

Delete SSH public keys:

```console
$ msgraph-sshpubkey -op delete
```

## Authenticate users on SSH server hosts

First, you have to register an application on the Azure Portal that will use the client credentials grant.
It will need the `User.Read.All` permission to access the extension properties of users in the directory.

On SSH server hosts, prepare /etc/msgraph-sshpubkey.json with something like the following in it:

```json
{
  "tenant_id": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
  "client_id": "YYYYYYYY-YYYY-YYYY-YYYY-YYYYYYYYYYYY",
  "client_secret": "ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ",
  "login_map": {
    "admin": "admin@l0wdev.onmicrosoft.com",
    "yaegashi": "yaegashi@l0wdev.onmicrosoft.com",
    "takeshi": "takeshi@l0wdev.onmicrosoft.com"
  }
}
```

Run msgraph-sshpubkey from a shell to confirm that it can retrieve the SSH public keys the user has registered:

```console
$ msgraph-sshpubkey -config /etc/msgraph-sshpubkey.json -login yaegashi
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDTv2zRefcFMXafSRneDlULwCPh0v7SM9rJPIlySgd8WEJwk3/bY4B6j6hMPk3xS/JAqvQG0hc5cRSSmo4tG9H7TDjmGKBptIsGr5skTx181nbv/qRLYrej80KFrKyt2yHxg7BFOMGDSG1RnRVDUQJxlYxluavky0dv3KGRt6TtDuzuLGi6flHcqJymlZleqprEEwZwc0ju/ZNBfpEW2A+e69nJkudgT8jsO3a61iQ9myf7Jdk/0dxHPoHhu2VWEv/YcFPr0OX5fp7OHVL56vYb6yQVSVp1MtqjqSLpSK+O1eEGnwLsI9/93DXUj3gFncqjddgD75SQ1N9e1DPYK9sz /Users/yaegashi/.ssh/id_rsa
```

Put the following lines in /etc/ssh/sshd_config, then reload sshd:

```
AuthorizedKeysCommand /usr/bin/msgraph-sshpubkey -config /etc/msgraph-sshpubkey.json -login %u
AuthorizedKeysCommandUser root
```

## Todo

- [ ] Provide a reasonable way to translate from SSH login names to Azure AD user principal names (`login_map` is cumbersome)
- [ ] Azure AD group authorization
- [ ] SSH public key validation
- [ ] File permission sanity check (config, token store)
- [ ] Web app to manage keys
- [ ] Caching to improve performance
- [ ] Logging
- [ ] [Managed identity][Managed identities] integration on Azure VMs

## References

- [Open extensions]
- [Managed identities]
- [Azure Active Directory authentication for Linux]

[Open extensions]: https://docs.microsoft.com/en-us/graph/extensibility-open-users
[Managed identities]: https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview
[Azure AD v2 device code flow]: https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-device-code
[Azure Active Directory authentication for Linux]: https://docs.microsoft.com/en-us/azure/virtual-machines/linux/login-using-aad