Overview

HIBA: Host Identity Based Authorization

Pronounce: /hiːba/

What is HIBA

HIBA is a system built on top of regular OpenSSH certificate-based authentication that allows flexible authorization of principals on pools of target hosts to be managed without periodically pushing customized authorized_users files.

The authorization decision is made directly on the target host, based only on the content of the user certificate and the local host identity. Because no external service is consulted, HIBA is suitable for low-dependency, last-resort SSH access.

For more details on how authorizations are computed, see PROTOCOL.authorizations.

Concepts

HIBA defines two concepts: host identity and grants. See PROTOCOL.extensions for the exact specifications.

Host identity

This is a custom extension attached to host certificates that describes the main properties of a target host. The format is flexible and only mandates one field, domain, to help isolate different pools of hosts managed using the same CA keys.

An example of a host identity could be:

  • domain: dmz.example.com
  • owner: frontend-team
  • location: US

Grants

This is also a custom extension, attached to user certificates, that describes which hosts this certificate should be accepted on. The grant contains a set of constraints that a host must match for access to be authorized. These constraints are compared to the host identity at connection time by the hiba-chk helper. Because the host identity format is flexible, the following semantics apply:

  • Any field present in the grant but missing from the host identity is considered invalid and will prevent access.
  • Any field missing from the grant and present in the host identity is ignored for authorization purposes (equivalent to a wildcard).
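The two matching rules above, worked through in code. This is an added illustration, not code from the HIBA project: the "key: value" text form of identities and grants, and the rule that a certificate carrying several grants is authorized when any one grant matches, are assumptions made for this example; the sample host identity is the one from the README.

```python
"""Grant-vs-host-identity matching with the semantics described above.

Added illustration, not code from the HIBA project. The 'key: value' text
format and the any-grant-matches rule for multi-grant certificates are
assumptions for this example; real HIBA extensions are binary sshbuf data.
"""
from typing import Dict, List, Tuple


def parse_fields(text: str) -> Dict[str, str]:
    """Parse constructed 'key: value' lines into a field dictionary."""
    fields = {}
    for line in text.strip().splitlines():
        key, sep, value = line.partition(":")
        if not sep or not key.strip():
            raise ValueError(f"malformed field line: {line!r}")
        fields[key.strip()] = value.strip()
    return fields


def grant_matches(grant: Dict[str, str], identity: Dict[str, str]) -> Tuple[bool, str]:
    """Rule 1: every field in the grant must exist in the identity with an equal
    value. Rule 2: identity fields absent from the grant act as wildcards."""
    if "domain" not in identity:  # the only field a host identity must carry
        return False, "host identity lacks mandatory 'domain' field"
    for key, wanted in grant.items():
        if key not in identity:
            return False, f"grant constrains '{key}' but host identity has no such field"
        if identity[key] != wanted:
            return False, f"'{key}' mismatch: grant wants {wanted!r}, host has {identity[key]!r}"
    return True, "all grant constraints satisfied"


def authorize(grants: List[Dict[str, str]], identity: Dict[str, str]) -> Tuple[bool, str]:
    """Assumption: a certificate with several grants is accepted if any grant matches."""
    reasons = []
    for i, grant in enumerate(grants):
        ok, why = grant_matches(grant, identity)
        if ok:
            return True, f"grant #{i}: {why}"
        reasons.append(f"grant #{i}: {why}")
    return False, "; ".join(reasons) or "certificate carries no grant"


# Constructed sample data: the host identity example from the README.
HOST_IDENTITY = parse_fields("domain: dmz.example.com\nowner: frontend-team\nlocation: US")

if __name__ == "__main__":
    print(authorize([parse_fields("domain: dmz.example.com\nowner: frontend-team")], HOST_IDENTITY))
    print(authorize([parse_fields("domain: dmz.example.com\nrack: r12")], HOST_IDENTITY))
```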

Mechanism

HIBA relies on a few properties provided by OpenSSH:

  • Certificate-based authentication: a HIBA grant is a custom extension attached to the certificate. This means the CA is responsible for verifying the scope of the grant before attaching it. Similarly, the host identity is attached to the host certificate by the CA and must represent the target host.
  • AuthorizedPrincipalsCommand: this sshd_config option allows invoking an external tool to dynamically generate the content of authorized_users. It is used to invoke hiba-chk, which knows how to extract the HIBA extensions from the user and host certificates and grants or denies access based on the comparison.

GRL (Grant Revocation List)

HIBA allows revoking individual grants rather than the whole certificate. See PROTOCOL.grl for more information.

Note: revocations at the grant granularity are not yet supported. The rationale for not prioritizing them: full SSH certificate revocation is already supported by OpenSSH; only the finer granularity is lacking. Also, it is good practice to rely on short-lived certificates, which often expire before the revocation list makes it to the target host.

Prerequisites

HIBA works on top of OpenSSH certificates. It relies on:

  • The AuthorizedPrincipalsCommand option, added in OpenSSH 6.9
  • The %u and %k tokens, added in OpenSSH 7.4

For compilation, configuration and installation instructions, see INSTALL.md.

Developers

The HIBA library can be used to add support for HIBA to a certificate authority.

Note: none of this code is thread-safe; it is the responsibility of the caller to ensure proper locking when accessing individual HIBA structures.

Generating HIBA enabled certificates

HIBA enabled certificates are generated using the HIBA API defined in extensions.h and the OpenSSH API defined in sshkey.h.

  • Using libhiba:
    • Import or generate the required HIBA extensions (identity or grant)
    • Serialize them into an sshbuf
  • Using libssh:
    • Import or generate the SSH public key
    • Attach generated extensions
    • Sign the certificate with the CA private key
    • Serialize it

Reading HIBA enabled certificates

HIBA extensions can be extracted from existing certificates by relying on OpenSSH to decode and verify the certificate, then extracting the HIBA extensions and interpreting them with HIBA.

  • Using libssh:
    • Import certificate
    • Verify certificate signature
    • List and extract relevant extensions
  • Using libhiba:
    • Parse extensions
    • Extract extensions' content

libhiba provides convenience functions to parse and extract HIBA extensions directly from a certificate, but it does not verify the certificate: it assumes the certificate was validated by a prior stage.

Comments
  • build: Add bootstrap.sh for hiba

    build: Add bootstrap.sh for hiba

    This script is needed for bitbake to build it properly in https://gbmc-review.googlesource.com/c/meta-gbmc-staging/+/2001

    Tested: Able to build hiba after running bootstrap.sh

    ./bootstrap.sh
    autoreconf: export WARNINGS=
    autoreconf: Entering directory '.'
    autoreconf: configure.ac: not using Gettext
    autoreconf: running: aclocal --force -I m4
    autoreconf: configure.ac: tracing
    autoreconf: running: libtoolize --copy --force
    libtoolize: putting auxiliary files in '.'.
    libtoolize: copying file './ltmain.sh'
    libtoolize: putting macros in AC_CONFIG_MACRO_DIRS, 'm4'.
    libtoolize: copying file 'm4/libtool.m4'
    libtoolize: copying file 'm4/ltoptions.m4'
    libtoolize: copying file 'm4/ltsugar.m4'
    libtoolize: copying file 'm4/ltversion.m4'
    libtoolize: copying file 'm4/lt~obsolete.m4'
    autoreconf: configure.ac: not using Intltool
    autoreconf: configure.ac: not using Gtkdoc
    autoreconf: running: aclocal --force -I m4
    autoreconf: running: /usr/bin/autoconf --force
    autoreconf: running: /usr/bin/autoheader --force
    autoreconf: running: automake --add-missing --copy --force-missing
    configure.ac:13: installing './compile'
    configure.ac:17: installing './missing'
    autoreconf: Leaving directory '.'
    Run "./configure ${CONFIGURE_FLAGS} && make"
    

    Signed-off-by: Willy Tu [email protected]

    opened by wltu 1
  • Fix unexpected behavior when using a long certificate in command line.

    Fix unexpected behavior when using a long certificate in command line.

    A certificate passed via the command line with a size larger than the expected maximum filename size fails the stat syscall with ENAMETOOLONG rather than ENOENT, which causes decode_file() to consider it a filename rather than an inline certificate.

    opened by blunderer 1
  • Hiba multiple grants

    Hiba multiple grants

    Support for multiple HIBA grants attached to one certificate.

    This pull request also includes:

    • testing for multiple identities (this must result in access denied)
    • debug log rewording
    opened by blunderer 0