erikespinoza/keymaster

By erikespinoza

Updated 4 days ago

https://github.com/Cloud-Foundations/keymaster

Image
Security
0

5.0K

erikespinoza/keymaster repository overview

Keymaster in Docker

Keymaster is usable short-term certificate based identity system. With a primary goal to be a single-sign-on (with optional second factor with Symantec VIP or U2F tokens) for CLI operations (both SSHD and TLS).

Bootstrap

Now that you have the local container built, you will need to create keys and a default config for bootstrapping the server.

Create a directory and place your .env and docker-compose.yml files.

.env

TIMEZONE=America/Los_Angeles
KEYMASTER_DATA=/srv/docker/keymaster

docker-compose.yml

version: "2"

services:
  keymaster:
    image: "erikespinoza/keymaster"
    container_name: "keymaster"
    environment:
      - "TZ=${TIMEZONE}"
    ports:
      - "80:80"
      - "443:443"
      - "6920:6920"
    volumes:
      - "${KEYMASTER_DATA}/conf/:/etc/keymaster/"
      - "${KEYMASTER_DATA}/db/:/var/lib/keymaster/"
    restart: "unless-stopped"

Perform bootstrap

$ . .env
$ docker run --rm -it -v "${KEYMASTER_DATA}/conf/:/etc/keymaster/" -v \
 "${KEYMASTER_DATA}/db/:/var/lib/keymaster/" -e  "TZ=${TIMEZONE}" \
 erikespinoza/keymaster /app/keymasterd -generateConfig

This will generate a series of prompts. Here's how to answer them.

Enter and re-enter your passphrase

Please enter your passphrase:

Please re-enter your passphrase:

Due to a bug in config, enter / for Base dir

Default base Dir[/tmp]:/

Leave blank and hit enter for data directory

Data Directory[//var/lib/keymaster]:

Enter your public hostname

HostIdentity[keymaster.DOMAIN]:keymaster.example.com

Hit enter for the ports and accept the default.

HttpAddress[:443]:
AdminAddress[:6920]:

Fix the config issues mentioned in the main README.md

$ sudo sed -i 's% data_directory:.*% data_directory: "/var/lib/keymaster"%g' \
 ${KEYMASTER_DATA}/conf/config.yml
$ sudo sed -i 's% shared_data_directory:.*% shared_data_directory: "/usr/share/keymasterd/"%g' \
 ${KEYMASTER_DATA}/conf/config.yml

Configure Auth backend

Edit ${KEYMASTER_DATA}/conf/config.yml and set up your Auth Backend. Visit here for more info.

NOTE: "U2F", "TOTP" and "SymantecVIP" still need passwords in either LDAP or the passfile. For the webui you can also add "federated" and configure oauth2 against another provider. Be sure to use an internal oauth token if using a big provider like Google for Auth.

Start

After bootstrapping configs and keys you just start the container. This will start it sealed.

$ docker-compose up -d

Unseal

By default the CA will start in a sealed state. To unseal it you will need to enter your passphrase.

$ docker exec -e SSL_CERT_FILE=/etc/keymaster/server.pem -it keymaster \
 /app/keymaster-unlocker -cert /etc/keymaster/adminClient.pem \
  -key /etc/keymaster/adminClient.key -keymasterHostname localhost
Password for unlocking localhost: 
OK

Add users

By default a user is created. Let's start by deleting this and creating our own user.

$ rm -f ${KEYMASTER_DATA}/conf/passfile.htpass
$ docker exec -it keymaster /usr/bin/htpasswd -B -c \
 /etc/keymaster/passfile.htpass $USERNAME

SSH

Distribute the SSH CA to hosts

${KEYMASTER_DATA}/conf/masterKey.asc.pub -> destination:/etc/ssh/masterKey.asc.pub

Configure sshd to trust the CA by adding this line to /etc/ssh/sshd_config

TrustedUserCAKeys /etc/ssh/masterKey.asc.pub

SSH will allow clients who have run the keymaster client to login.

NOTE Username must match principal on all hosts or you will need to configure AuthorizedPrincipalsFile.

X509 Certs

The CA for X509 certificates is available via https://keymaster.example.com/public/x509ca for download

Tag summary

Content type

Image

Digest

sha256:6529cd091

Size

83 MB

Last updated

4 days ago

docker pull erikespinoza/keymaster:1.17.1