keymaster
https://github.com/Cloud-Foundations/keymaster
5.0K
Keymaster is usable short-term certificate based identity system. With a primary goal to be a single-sign-on (with optional second factor with Symantec VIP or U2F tokens) for CLI operations (both SSHD and TLS).
Now that you have the local container built, you will need to create keys and a default config for bootstrapping the server.
Create a directory and place your .env and docker-compose.yml files.
.env
TIMEZONE=America/Los_Angeles
KEYMASTER_DATA=/srv/docker/keymaster
docker-compose.yml
version: "2"
services:
keymaster:
image: "erikespinoza/keymaster"
container_name: "keymaster"
environment:
- "TZ=${TIMEZONE}"
ports:
- "80:80"
- "443:443"
- "6920:6920"
volumes:
- "${KEYMASTER_DATA}/conf/:/etc/keymaster/"
- "${KEYMASTER_DATA}/db/:/var/lib/keymaster/"
restart: "unless-stopped"
Perform bootstrap
$ . .env
$ docker run --rm -it -v "${KEYMASTER_DATA}/conf/:/etc/keymaster/" -v \
"${KEYMASTER_DATA}/db/:/var/lib/keymaster/" -e "TZ=${TIMEZONE}" \
erikespinoza/keymaster /app/keymasterd -generateConfig
This will generate a series of prompts. Here's how to answer them.
Enter and re-enter your passphrase
Please enter your passphrase:
Please re-enter your passphrase:
Due to a bug in config, enter / for Base dir
Default base Dir[/tmp]:/
Leave blank and hit enter for data directory
Data Directory[//var/lib/keymaster]:
Enter your public hostname
HostIdentity[keymaster.DOMAIN]:keymaster.example.com
Hit enter for the ports and accept the default.
HttpAddress[:443]:
AdminAddress[:6920]:
Fix the config issues mentioned in the main README.md
$ sudo sed -i 's% data_directory:.*% data_directory: "/var/lib/keymaster"%g' \
${KEYMASTER_DATA}/conf/config.yml
$ sudo sed -i 's% shared_data_directory:.*% shared_data_directory: "/usr/share/keymasterd/"%g' \
${KEYMASTER_DATA}/conf/config.yml
Edit ${KEYMASTER_DATA}/conf/config.yml and set up your Auth Backend. Visit here for more info.
NOTE: "U2F", "TOTP" and "SymantecVIP" still need passwords in either LDAP or the passfile. For the webui you can also add "federated" and configure oauth2 against another provider. Be sure to use an internal oauth token if using a big provider like Google for Auth.
After bootstrapping configs and keys you just start the container. This will start it sealed.
$ docker-compose up -d
By default the CA will start in a sealed state. To unseal it you will need to enter your passphrase.
$ docker exec -e SSL_CERT_FILE=/etc/keymaster/server.pem -it keymaster \
/app/keymaster-unlocker -cert /etc/keymaster/adminClient.pem \
-key /etc/keymaster/adminClient.key -keymasterHostname localhost
Password for unlocking localhost:
OK
By default a user is created. Let's start by deleting this and creating our own user.
$ rm -f ${KEYMASTER_DATA}/conf/passfile.htpass
$ docker exec -it keymaster /usr/bin/htpasswd -B -c \
/etc/keymaster/passfile.htpass $USERNAME
Distribute the SSH CA to hosts
${KEYMASTER_DATA}/conf/masterKey.asc.pub -> destination:/etc/ssh/masterKey.asc.pub
Configure sshd to trust the CA by adding this line to /etc/ssh/sshd_config
TrustedUserCAKeys /etc/ssh/masterKey.asc.pub
SSH will allow clients who have run the keymaster client to login.
NOTE Username must match principal on all hosts or you will need to configure AuthorizedPrincipalsFile.
The CA for X509 certificates is available via https://keymaster.example.com/public/x509ca for download
Content type
Image
Digest
sha256:6529cd091…
Size
83 MB
Last updated
4 days ago
docker pull erikespinoza/keymaster:1.17.1