github.com/yaegashi/msgraph.go@v0.1.4/cmd/msgraph-sshpubkey/README.md

# msgraph-sshpubkey

## Introduction

msgraph-sshpubkey is a CLI utility to manage OpenSSH public keys
in the custom property ([open extensions]) of user resources in Azure Active Directory.

On SSH server hosts, it acquires SSH public keys via `AuthorizedKeysCommand`
in /etc/ssh/sshd_config when users want to log in.

It's still a PoC implementation, never use it in production.
There are many security considerations to solve, as well as feature and improvement ideas (see the todo list below).

## Manage your keys in the directory

By default msgraph-sshpubkey authenticates users using the [Azure AD v2 device code flow].
It will always ask you to open https://microsoft.com/devicelogin to enter the code, then sign in with your Azure AD account.
You can bypass sign-ins by specifying `-token-store /path/to/token.json`.

Set SSH public keys with a file:

```console
$ msgraph-sshpubkey -op set -in ~/.ssh/id_rsa.pub
```

Set SSH public keys with keys kept in the SSH agent:

```console
$ ssh-add -L | msgraph-sshpubkey -op set -in -
```

Get SSH public keys (you can omit `-op get`):

```console
$ msgraph-sshpubkey
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDTv2zRefcFMXafSRneDlULwCPh0v7SM9rJPIlySgd8WEJwk3/bY4B6j6hMPk3xS/JAqvQG0hc5cRSSmo4tG9H7TDjmGKBptIsGr5skTx181nbv/qRLYrej80KFrKyt2yHxg7BFOMGDSG1RnRVDUQJxlYxluavky0dv3KGRt6TtDuzuLGi6flHcqJymlZleqprEEwZwc0ju/ZNBfpEW2A+e69nJkudgT8jsO3a61iQ9myf7Jdk/0dxHPoHhu2VWEv/YcFPr0OX5fp7OHVL56vYb6yQVSVp1MtqjqSLpSK+O1eEGnwLsI9/93DXUj3gFncqjddgD75SQ1N9e1DPYK9sz /Users/yaegashi/.ssh/id_rsa
```

Delete SSH public keys:

```console
$ msgraph-sshpubkey -op delete
```

## Authenticate users on SSH server hosts

First, register an application that uses the client credentials grant in the Azure Portal.
It will need the `User.Read.All` permission to access extension properties of users in the directory.

On SSH server hosts, prepare /etc/msgraph-sshpubkey.json with something like the following in it:

```json
{
  "tenant_id": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
  "client_id": "YYYYYYYY-YYYY-YYYY-YYYY-YYYYYYYYYYYY",
  "client_secret": "ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ",
  "login_map": {
    "admin": "admin@l0wdev.onmicrosoft.com",
    "yaegashi": "yaegashi@l0wdev.onmicrosoft.com",
    "takeshi": "takeshi@l0wdev.onmicrosoft.com"
  }
}
```

Run msgraph-sshpubkey from a shell to confirm that it retrieves the SSH public keys the user has registered:

```console
$ msgraph-sshpubkey -config /etc/msgraph-sshpubkey.json -login yaegashi
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDTv2zRefcFMXafSRneDlULwCPh0v7SM9rJPIlySgd8WEJwk3/bY4B6j6hMPk3xS/JAqvQG0hc5cRSSmo4tG9H7TDjmGKBptIsGr5skTx181nbv/qRLYrej80KFrKyt2yHxg7BFOMGDSG1RnRVDUQJxlYxluavky0dv3KGRt6TtDuzuLGi6flHcqJymlZleqprEEwZwc0ju/ZNBfpEW2A+e69nJkudgT8jsO3a61iQ9myf7Jdk/0dxHPoHhu2VWEv/YcFPr0OX5fp7OHVL56vYb6yQVSVp1MtqjqSLpSK+O1eEGnwLsI9/93DXUj3gFncqjddgD75SQ1N9e1DPYK9sz /Users/yaegashi/.ssh/id_rsa
```

Put the following lines in /etc/ssh/sshd_config, then reload sshd:

```
AuthorizedKeysCommand /usr/bin/msgraph-sshpubkey -config /etc/msgraph-sshpubkey.json -login %u
AuthorizedKeysCommandUser root
```

## Todo

- [ ] Provide a reasonable way to translate from SSH login names to Azure AD user principal names (`login_map` is cumbersome)
- [ ] Azure AD group authorization
- [ ] SSH public key validation
- [ ] File permission sanity check (config, token store)
- [ ] Web app to manage keys
- [ ] Caching to improve performance
- [ ] Logging
- [ ] [Managed identity][Managed identities] integration on Azure VMs

## References

- [Open extensions]
- [Managed identities]
- [Azure Active Directory authentication for Linux]

[Open extensions]: https://docs.microsoft.com/en-us/graph/extensibility-open-users
[Managed identities]: https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview
[Azure AD v2 device code flow]: https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-device-code
[Azure Active Directory authentication for Linux]: https://docs.microsoft.com/en-us/azure/virtual-machines/linux/login-using-aad
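The "Authenticate users on SSH server hosts" section above wires directory output straight into sshd via `AuthorizedKeysCommand`, and the todo list names two of the gaps that leaves: strict `login_map` translation and SSH public key validation. The following Go program is an added example, not code from the msgraph.go project, showing how an `AuthorizedKeysCommand` wrapper could close both: it parses a config in the same JSON layout as /etc/msgraph-sshpubkey.json, refuses any login name that is not explicitly mapped, and only passes through key lines whose base64 blob is well-formed and whose embedded key type matches the declared one. The config values, the `EncodeKeyBlob` helper and the sample keys are constructed for the example; only the standard library is used, so no Microsoft Graph call is made here.

```go
package main

import (
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Config mirrors the layout of /etc/msgraph-sshpubkey.json shown in the README.
type Config struct {
	TenantID     string            `json:"tenant_id"`
	ClientID     string            `json:"client_id"`
	ClientSecret string            `json:"client_secret"`
	LoginMap     map[string]string `json:"login_map"`
}

// LoadConfig parses the JSON config and rejects a file missing the credentials.
func LoadConfig(data []byte) (*Config, error) {
	var cfg Config
	if err := json.Unmarshal(data, &cfg); err != nil {
		return nil, err
	}
	if cfg.TenantID == "" || cfg.ClientID == "" || cfg.ClientSecret == "" {
		return nil, errors.New("tenant_id, client_id and client_secret are required")
	}
	return &cfg, nil
}

// ResolveUPN maps sshd's %u login name to an Azure AD user principal name.
// Logins absent from login_map are rejected rather than guessed, so no
// directory lookup happens for accounts the operator did not list.
func ResolveUPN(cfg *Config, login string) (string, error) {
	upn, ok := cfg.LoginMap[login]
	if !ok || upn == "" {
		return "", fmt.Errorf("login %q is not mapped to a directory user", login)
	}
	return upn, nil
}

// ValidateAuthorizedKeyLine checks one line of AuthorizedKeysCommand output.
// It must look like "<type> <base64 blob> [comment]", the blob must decode, and
// the first length-prefixed string inside the blob (the wire-format key type)
// must equal the declared <type>.
func ValidateAuthorizedKeyLine(line string) error {
	fields := strings.Fields(line)
	if len(fields) < 2 {
		return errors.New("expected at least a key type and a base64 blob")
	}
	keyType, encoded := fields[0], fields[1]
	blob, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return fmt.Errorf("key blob is not valid base64: %w", err)
	}
	if len(blob) < 4 {
		return errors.New("key blob too short")
	}
	n := binary.BigEndian.Uint32(blob[:4])
	if uint64(n) > uint64(len(blob)-4) {
		return errors.New("key blob length prefix exceeds blob size")
	}
	if embedded := string(blob[4 : 4+n]); embedded != keyType {
		return fmt.Errorf("declared type %q does not match embedded type %q", keyType, embedded)
	}
	return nil
}

// FilterAuthorizedKeys keeps only lines that pass validation, so a malformed or
// unexpected value stored in the directory never reaches sshd.
func FilterAuthorizedKeys(output string) (kept, rejected []string) {
	for _, line := range strings.Split(output, "\n") {
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		if err := ValidateAuthorizedKeyLine(line); err != nil {
			rejected = append(rejected, line)
			continue
		}
		kept = append(kept, line)
	}
	return kept, rejected
}

// EncodeKeyBlob builds a wire-format blob of length-prefixed strings and
// base64-encodes it. It exists only to construct sample keys for this example.
func EncodeKeyBlob(keyType string, parts ...[]byte) string {
	var blob []byte
	for _, p := range append([][]byte{[]byte(keyType)}, parts...) {
		var l [4]byte
		binary.BigEndian.PutUint32(l[:], uint32(len(p)))
		blob = append(blob, l[:]...)
		blob = append(blob, p...)
	}
	return base64.StdEncoding.EncodeToString(blob)
}

// Constructed sample config; the ids, secret and UPN are placeholders.
const sampleConfig = `{
  "tenant_id": "00000000-0000-0000-0000-000000000000",
  "client_id": "11111111-1111-1111-1111-111111111111",
  "client_secret": "placeholder-secret",
  "login_map": {"yaegashi": "yaegashi@example.onmicrosoft.com"}
}`

func main() {
	cfg, err := LoadConfig([]byte(sampleConfig))
	if err != nil {
		panic(err)
	}
	fmt.Println(ResolveUPN(cfg, "yaegashi")) // mapped login resolves
	fmt.Println(ResolveUPN(cfg, "root"))     // unmapped login is refused

	// Constructed sample keys: a well-formed ed25519 line, a mislabelled blob,
	// and a line that is not a key at all.
	good := "ssh-ed25519 " + EncodeKeyBlob("ssh-ed25519", make([]byte, 32)) + " user@host"
	bad := "ssh-rsa " + EncodeKeyBlob("ssh-ed25519", make([]byte, 32))
	kept, rejected := FilterAuthorizedKeys(good + "\n" + bad + "\nnot a key\n")
	fmt.Printf("kept %d line(s), rejected %d line(s)\n", len(kept), len(rejected))
}
```

In a real wrapper, `kept` is what gets printed to stdout for sshd and `rejected` is what gets logged; the type-consistency check is deliberately structural so it works for any key type without a cryptographic library, and it is a minimum rather than a substitute for full key parsing.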