Gitlab CE commit 02709334d40 seems to break Gitlab OAuth integration.

gorilla/mux#659

Maybe replace Gorilla with something else

Cashier uses Gorilla for

• csrf
• mux
• sessions
• some middleware handlers (http compression, logging)

Changing the database schema is fraught with peril. An ORM isn't necessarily warranted here, but being able to incrementally define and execute schema changes would be extremely useful.

Right now trying to use a private key with a passphrase will produce errors like:

ecdsa key:

2016/05/29 18:22:53 unable to parse CA key: asn1: structure error: tags don't match (16 vs {class:3 tag:2629 length:91 isCompound:false}) {optional:false explicit:false application:false defaultValue:<nil> tag:<nil> stringType:0 timeType:0 set:false omitEmpty:false} pkcs1PrivateKey @4
exit status 1

rsa or ed25519 key:

2016/05/29 18:23:47 unable to parse CA key: asn1: structure error: length too large

Just stick with SQL (mysql, sqlite, maybe pg?) and use something to manage the schema

Hello,

is this project still under development? Is there any timeline when you think there will be the possibility to use host certs?

Thanks,
Thomas

Currently when deployed behind any sort of load balancing apparatus the logs will display the remote IP of the load balancer in the request logs. Most of these set an extra X-Forwarded-For header which we should log instead as the source of the request.

cashierd currently binds on 0.0.0.0 only, allow the user to choose which IP the daemon should bind to with a config entry

Hard fail on open defaults in both the Github and Google oauth providers instead of just documented foot-shotgun.

says @nsheridan "pull requests are accepted too" yep hopefully soon.

The config file is currently mandatory. Some parts of cashierd can be configured via environment variables (I'm really not sure why I did this) but ideally the config should be entirely settable using cmdline flags and the config file should be optional.

Right now the only way to bind to privileged ports is to start the program as root. Ideally we should:

1. start as root
2. read TLS certificate & key, if needed
3. bind to privileged port
4. drop privileges to some other user (www or www-data or whatever)
5. ...
6. profit!

After the google auth I am getting the following error

Error on /auth/callback: Post https://accounts.google.com/o/oauth2/token: x509: certificate signed by unknown authority

I have generated signing_key using ssh-keygen -f ssh_ca.
Am I missing any step?
Thank You.

On Ubuntu 16.04, the gnome-keyring-daemon gives this reply when I run cashier:

Your browser has been opened to visit https://sshca
Generating new key pair
Enter token: Created new window in existing browser session.
xxxxxxxxxxxxx
2017/01/10 12:37:38 error importing certificate: agent: client error: EOF

If I switch to ssh-agent it works fine. Trying to figure out where gnome-keyring-daemon logs things to...

Hi,

Maybe this was already considered and determined not to be an issue, but I am worried by the use of drop.DropPrivileges in the code, as this might result in some threads retaining their privileges due to the limitations of the golang runtime.

There is a discussion about this in the go issue tracker: golang/go#1435

By default, cashier allows setting the same expiration time for every certificate. Shouldn't it have option to have separate expiration time for each of the certificate? It has several use-cases.

Unsure what might have caused this. I got a 500 attempting to revoke a cert that definitely existed. A subsequent retry successfully revoked it.

Using a colon-delimited string for datastore configuration is complicated and annoying.
It should be converted to a key-value series. Examples:

server {
  datastore {
    type = "mysql"
    username = "user"
    password = "passwd"
    address = "my-db-host.corp:3306"
  }
}

server {
  datastore {
    type = "mongo"
    username = "user"
    password = "passwd"
    address = "my-mongo-host1.corp,my-mongo-host2.corp"
  }
}

server {
  datastore {
    type = "sqlite"
    filename = "/data/cashier.db"
  }
}

This has the benefit of making it easier to use vault for datastore passwords.
This will break existing configs so some form of detection and warning or compatibility should be employed.

https://github.com/hashicorp/hcl is much easier to read/write than json and also supports comments
Viper conveniently already supports parsing hcl config.

Such as hashicorp's vault

In the following set of steps:

1. navigate to root URL over plaintext HTTP
2. complete oauth flow
3. are redirected back to https:// callback URL

you'll be greeted with a 404 as the request handler is unable to read the auth_url out of the session cookie since in step 1 it was set on a cookie with the secure parameter meaning that it's dropped by the browser.

We should pre-empt this and redirect all http requests to https first, and also set HSTS headers to prevent subsequent visits from hitting this redirect.

having a default value doesn't make sense for other users, also passing it all the time is a PITA. let's have a really simple dotfile for storing these defaults. also makes provisioning in orgs much easier.

Similar to #30 it would be nice to specify passwords as vault locations and have cashier do the right thing.

Hi,

I run the docker-image as follows:

docker run -it --rm --net host --name cashier -v volumes/cashier:/cashier -v /etc/passwd:/etc/passwd:ro nsheridan/cashier

The cashierd.conf contains

  database {
    type = "sqlite"
    filename = "/cashier/cashier.db"
  }

I created the database file with sqlite3 cashier.db before running the container.

Stefan

Config files aren't always desirable. At a minimum the following should be configurable as from env vars:

server:
- port
- datastore

auth:
- oauth_client_id
- oauth_client_secret

When running the client UI which is supposed to show the token it won't open anything & server with google Oauth constantly gives Unauthorized even though It has the correct authorization credentials.

I have added sample commands and configs used to run it.
Need help running this is there any simple manual I can refer to.
To open/view the token on UI I'm using this.

./cashier --ca "http://sshca.example.com:11000"

cashierd in docker is compiled with CGO to support sqlite

I think this should be 2 images:

1. A 'cashierd' image, statically linked, CGO_ENABLED=0
2. A 'cashierd-sqlite' image, built for sqlite usage

Alternatively maybe replace C sqlite bindings with https://modernc.org/sqlite

Certs expire, there's no point keeping them in the agent after they're dead.

Right now we need to pass the bit length parameter which isn't going to be used.

Am I missing something, or isn't Go required on the Client machine as well, so that it can run the CLI interface?

It'd be very nice to be able to install the client and server separately via Debian packages for automated provisioning of new cashier instances.

Potentially 2 logs - a debug/info logging actions, and a weblog logging http interactions.

It probably makes sense to bake in support for things like AWS S3 and KMS to simplify setup of Cashier in this environment.

SSH certificates support both extensions and critical options. The former holds options such as permit-pty, permit-agent-forwarding, permit-X11-forwarding while critical options allows for options like source-address and force-command.
Cashier supports extensions via the permissions option. It should also support critical options.

I cloned the cashier repo on an RHEL 7.6 EC2 Instance. I filled out the server.conf with all the necessary information. I will create a systemd script to start the cashier service automatically and upon boot. I need to know how to run the server. I run the main.go under /cashier/cmd/cashier/main.go but it tries to launch a browser for me to get a token. I believe I need to put behind a web server (NGINX, APACHE) for it to work. Any info to get the server up and running is appreciated

The README is starting to look a little long

As it stands anyone can revoke certificates. We should potentially limit the revocation behavior to a list of whitelisted users.

OK, this was a longer post, but with some testing discovered there's a resolution that won't require cashier to write the private key/cert. It only needs to write the public key and the public certificate to files.

So the problem:

Say you have two ssh CAs. One signs keys for *.prod.acme-corp.com and the other signs them for *.test.acme-corp.com. With the traditional world of unsigned keys, you'd do something like this in your .ssh/config:

Host *.prod.acme-corp.com
  IdentityFile ~/.ssh/id_rsa_prod

Host *.test.acme-corp.com
  IdentityFile ~/.ssh/id_rsa_test

Normally it's a single key per device. But with signed keys, each set of servers covered by an ssh CA gets a key/cert. If we get to a world where services like Gitlab and Github are supporting signed keys the multiple key thing becomes an issue.

With the IdentitiesOnly ssh option, you can force ssh to pick a specific key with IdentityFile (and CertificateFile which we'd need for signed keys). And these options can use the public key.

The ssh-add -d command has the same issue - it also wants a filename and it too can take a public key (or public cert).

A cashier option to save the public part of the signed key/cert files allows IdentitiesOnly to work.

Currently you can specify everything about the connection except the actual MySQL database instance to use once you've connected. It'd be nice to be able to specify this alongside other parameters.

Hi,

I'm using AzureAD for login with the current docker-image. The log indicates a successful login:

Token found on /auth/callback, redirecting to /

but that just redirects me back to the sign-in page.

Stefan

While looking at Microsoft's OAuth for Azure AD I found that the token is too long to be pasted into a terminal - TTYs typically cap out at 1024 chars while the token can be much bigger than this.

Ideally any solution here should not break existing setups.

Potential workaround: compress the access token before displaying it. Something simple like gzip + base64 encoding should work here. When the client sends a token the server should be able to accept either compressed or uncompressed tokens, to avoid version mismatch problems.

There's a few steps needed here:

• Record issued certs somewhere (i.e. a database)
• A useful interface to mark keys as revoked
• An API endpoint which returns a revocation list which machines can pull from

I need to support Office365 as an Oauth provider. In case anyone else is working on this, I'm just putting this issue here.

In the case where one wants to use either the github or google authentication providers without an organisation of individuals it'd be nice to have a whitelist of either @gmail.com usernames or github usernames to which one could extend access via cashier.

Thinking it'd look like

  "provider_opts": {
    "usernames": ["patrickod", "nsheridan"]
  } 

for both, as usernames work for both @gmail.com or github. Not-so-minor edge-case for GApps folks who don't have @gmail.com addresses but to whom you'd like to extend access. Maybe for google it's an emails field instead?

I was thinking a PAM-based auth source and possibly some sort of machine-based auth would be nice.

There are certain situations where I'm in an interactive session and I'd like to get an ssh cert but lack a browser. There's obviously this way but I'm wondering if a cashierd that supports PAM auth would be an option?

It would also be nice to have a way for things like periodic jobs to be able to request an ssh key. But not really clear on how that would exactly work that would be much better than just putting ssh keys there to begin with.

OK, I have a version that works. So now I have some questions.

First, I have an addition to the vendor branch. Would it make things easier to review if I start with a single PR to add the gitlab api to it?

Next, design! For gitlab these are the provider options I've made:

So one thing I could do is condense the *url options into a single one (baseurl) onto which api/v3/, oauth/authorize and oauth/token are appended. You can deploy it such that the url is like https://some.host/some/prefix/ but other than changing from the root to a sub dir I don't think we need to be able to split it up that much.

It won't match the gitlab api's definition of baseurl though in case that might confuse people. Maybe siteurl? It would default to https://gitlab.com/.

Next design issue is group. It might be nice if that was groups. So instead of allowing users in the "wheel" group I could allow users from the [ "wheel", "wing" ] groups. However Config.Auth.ProviderOpts is a map[string]string. Maybe we could have a ProviderLists as map[string][]string (assuming I have that definition right)? BTW the group has to be looked up on the path name of the group - anyone can use "wheel" as a name, but only one group can use "wheel" as their path.

Lastly how much foot-protection should we offer? Having gitlab.com as the auth provider should exclude allusers. If you set allusers and then set group(s) or users_whitelist you're confused, so cashierd should refuse to start till you're not confused. Or no?

The sshd option TrustedUserCAKeys allows the specified CA file to contain multiple keys which makes rotating signing keys pretty easy. But if the signing key is compromised we should be able to revoke all certs by revoking the signing key - the sshd will automatically deny any cert signed with the revoked signing key.
This sounds easy enough to implement, but we don't currently record any data about the signing key and we probably should.

@patrickod I'm interested in your thoughts on this

• Revoking of Certificates doesnt work with anything but mysql.

• When using the binary executable it cant read out the username (it still succesfully generates a key)

Full report: https://codecov.io/gh/nsheridan/cashier/branch/master

TLS everywhere