sshpiper + openpubkey

March 3, 2024

This is an sshpiper plugin that authenticates to the upstream server using OpenPubkey. The plugin neither stores nor requires a private key for the upstream server: it generates a key pair on the fly with OpenPubkey and uses that key to authenticate to the upstream.

The upstream sshd must accept openpubkey

See example/sshd for how to build an sshd that accepts openpubkey with the Google OIDC public key.

Run with docker compose

Get your Google OIDC client ID and client secret from the Google Cloud Console:

  • SSHPIPERD_OPENPUBKEY_CLIENTID is the client ID of your OIDC client
  • SSHPIPERD_OPENPUBKEY_CLIENTSECRET is the client secret of your OIDC client

Then start the stack:

docker compose up -d

docker-compose.yml

version: '2'
services:
  nginx-proxy:
    image: jwilder/nginx-proxy
    restart: always
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /etc/nginx/vhost.d
      - /usr/share/nginx/html
      - /var/run/docker.sock:/tmp/docker.sock:ro
      - certs:/etc/nginx/certs:ro
    environment:
      DEFAULT_HOST: opk.sshpiper.com
  letsencrypt:
    image: jrcs/letsencrypt-nginx-proxy-companion
    restart: always
    volumes_from:
      - nginx-proxy
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - certs:/etc/nginx/certs:rw
  opk:
    image: farmer1992/sshpiper-openpubkey
    restart: always
    ports:
      - "22:2222"
    expose:
      - "3000"
    environment:
      - GIN_MODE=release
      - SSHPIPERD_LOGIN_GRACE_TIME=1m
      - VIRTUAL_HOST=opk.sshpiper.com
      - VIRTUAL_PORT=3000
      - LETSENCRYPT_HOST=opk.sshpiper.com
      - LETSENCRYPT_EMAIL=farmer1992@gmail.com
      - SSHPIPERD_OPENPUBKEY_BASEURL=https://opk.sshpiper.com
      - SSHPIPERD_OPENPUBKEY_CLIENTID=xxxxxxxxxxxxxxxxxx.apps.googleusercontent.com
      - SSHPIPERD_OPENPUBKEY_CLIENTSECRET=xxxxxxxxxxxxxxx
      - SSHPIPERD_OPENPUBKEY_ISSUERURL=https://accounts.google.com
      - SSHPIPERD_SERVER_KEY_DATA=<base64 of server key>

volumes:
  certs:
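As an added example (not code from the plugin or this page), a small Python check of the values that the compose file above hands to the opk service. The sample environment is constructed from that file with its placeholders left in; the expectation that SSHPIPERD_SERVER_KEY_DATA is base64 of a PEM/OpenSSH key file, and the hostname cross-check against the nginx-proxy and letsencrypt variables, are assumptions about how the stack is wired.

```python
import base64
import re
from urllib.parse import urlparse

OPK = "SSHPIPERD_OPENPUBKEY_"

# Constructed sample: the "opk" service environment from the docker-compose.yml
# above, with its placeholder values left exactly as the file shows them.
SAMPLE_ENV = {
    "VIRTUAL_HOST": "opk.sshpiper.com",
    "LETSENCRYPT_HOST": "opk.sshpiper.com",
    OPK + "BASEURL": "https://opk.sshpiper.com",
    OPK + "CLIENTID": "xxxxxxxxxxxxxxxxxx.apps.googleusercontent.com",
    OPK + "CLIENTSECRET": "xxxxxxxxxxxxxxx",
    OPK + "ISSUERURL": "https://accounts.google.com",
    "SSHPIPERD_SERVER_KEY_DATA": "<base64 of server key>",
}

def encode_server_key(key_file_bytes):
    """Value for SSHPIPERD_SERVER_KEY_DATA (assumed: base64 of the key file)."""
    return base64.b64encode(key_file_bytes).decode()

def check_opk_env(env):
    """Return a list of findings for the openpubkey settings; empty means none."""
    findings = []
    for name in ("BASEURL", "CLIENTID", "CLIENTSECRET", "ISSUERURL"):
        if not env.get(OPK + name):
            findings.append(f"missing {OPK}{name}")
    # The browser redirect and the token exchange both travel over these URLs.
    for name in ("BASEURL", "ISSUERURL"):
        url = env.get(OPK + name, "")
        if url and urlparse(url).scheme != "https":
            findings.append(f"{OPK}{name} must be https")
    # nginx-proxy routes and letsencrypt issues the cert by these hostnames,
    # so they must equal the host that BASEURL sends the browser back to.
    host = urlparse(env.get(OPK + "BASEURL", "")).hostname
    for var in ("VIRTUAL_HOST", "LETSENCRYPT_HOST"):
        if env.get(var) and env[var] != host:
            findings.append(f"{var} differs from BASEURL host {host}")
    for var in (OPK + "CLIENTID", OPK + "CLIENTSECRET"):
        if re.search(r"x{8,}", env.get(var, "")):
            findings.append(f"{var} still holds a placeholder")
    try:  # the value must be strict base64 of a PEM-style key file
        key = base64.b64decode(env.get("SSHPIPERD_SERVER_KEY_DATA", ""), validate=True)
        if not key.startswith(b"-----BEGIN"):
            findings.append("SSHPIPERD_SERVER_KEY_DATA does not decode to a key file")
    except ValueError:  # binascii.Error is a ValueError
        findings.append("SSHPIPERD_SERVER_KEY_DATA is not valid base64")
    return findings
```

Run against the file as published it reports the two placeholder credentials and the unfilled server key; once those are replaced with real values it returns an empty list.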