Metadata-Version: 2.0
Name: ca-client
Version: 0.1.0
Summary: SSH CA Client
Home-page: https://github.com/commercehub-oss/ssh-ca-client
Author: CommerceHub
Author-email: UNKNOWN
License: UNKNOWN
Platform: UNKNOWN
Classifier: Programming Language :: Python :: 2.7
Classifier: Programming Language :: Python :: 3.2
Classifier: Programming Language :: Python :: 3.3
Classifier: Programming Language :: Python :: 3.4
Classifier: Programming Language :: Python :: 3.5
Classifier: Programming Language :: Python :: 3.4
Classifier: Programming Language :: Python :: 3.5
Requires-Dist: argparse (>=1.1)
Requires-Dist: requests (>=2.13.0)

# SSH CA Client

Client for interacting with [SSH CA Server](https://github.com/commercehub-oss/ssh-ca-server).


## Installation instructions

1. Install ca-client
    ```
    pip install ca-client
    ```

## Client Usage

ca-client is used to interact with the [SSH CA server]((https://github.com/commercehub-oss/ssh-ca-server)).  The client uses HTTP auth to verify identity and provides facilities for listing roles, signing public keys and getting CA certificates.

After completing a signing request ca-client will load the signed certificate and private key into memory with ssh-agent.  ssh-agent will sling certs at a remote host until a successful challenge response occurs granting access to the remote host.  By default sshd will reject the client after 5 failed attempts.  ca-client will not load a certificate with ssh-agent if it will exceed 5 active certificates.  The private key and signed certificate must be loaded with ssh-agent and both count towards the limit of 5.

Certificates loaded with ssh-agent do not persist a reboot.  Following a reboot you can reload using ssh-add or initiate a new signing request with ca-client.


The first time ca-client is executed you must provide the FQDN of the CA server and the default certificate authority to use when issueing a signing request.

```
$ ca-client

Failed to load configuration from /Users/username/.ca-client/config.json
Enter FQDN of CA Server: ca-server.mydomain.com
Enter name of default CA: nonproduction
Loading configuration from /Users/username/.ca-client/config.json
```

Client configuration example:
```
$ cat ~/.ca-client/config.json

{
  "DEFAULT_CA": "nonproduction",
  "BASE_URL": "https://ca-server.mydomain.com"
}
```

ca-client command line usage:
```
usage: ca-client [-h] [-s CA | -r | -c | -k CA]

Tool to sign your public SSH key

optional arguments:
	-h, --help           show this help message and exit
	-s CA, --sign CA     certificate signing request
	-u USER, --user USER  optional username for signing request
	-r, --list-roles     list my authorized roles
	-c, --list-cas       list available CAs
	-k CA, --get-key CA  list public key for CA
```

List your authorized roles:
```
$ ca-client -r

Role:                ssh-admin-group
Description:         Super Admin Role
Allowed Principals:  admin
Allowed CAs:         production,nonproduction
```

List available certificate authorities:
```
$ ca-client -c

CA name:         nonproduction
Max duration:    30d

CA name:         production
Max duration:    24h
```

Initiate signing request for the nonproduction certificate authority:
```
$ ca-client -s nonproduction
Please enter password for username:

/Users/username/.ssh/nonproduction_rsa-cert.pub updated

Identity added: /Users/username/.ssh/nonproduction_rsa (/Users/username/.ssh/nonproduction_rsa)
Certificate added: /Users/username/.ssh/nonproduction_rsa-cert.pub (username)
Identity loaded for current session but ssh-agent will not persist identities on reboot

If using bash you can add the following command to your .bash_profile
ssh-add /Users/username/.ssh/nonproduction_rsa
```

The ca-client will create a unique keypair for each of the requested certificate authorities within the users .ssh folder.

Example users .ssh folder after requesting certs from production and nonproduction certificate authority.
```
$ ls ~/.ssh

nonproduction_rsa          nonproduction_rsa-cert.pub nonproduction_rsa.pub
production_rsa             production_rsa-cert.pub    production_rsa.pub
```

The below examples shows the result of a successfully signed SSH certificate:

```
$ ssh-keygen -L -f ~/.ssh/nonproduction_rsa-cert.pub 

~/.ssh/nonproduction_rsa-cert.pub:
        Type: ssh-rsa-cert-v01@openssh.com user certificate
        Public key: RSA-CERT 3c:3d:47:...
        Signing CA: RSA 2b:2a:23:...
        Key ID: "username"
        Serial: 12515602213705584981
        Valid: from 2017-02-06T17:03:00 to 2017-03-08T17:04:44
        Principals: 
                username
                admin
        Critical Options: (none)
        Extensions: 
                permit-X11-forwarding
                permit-agent-forwarding
                permit-port-forwarding
                permit-pty
                permit-user-rc
```


