github-duo-ssh-ca
Authenticate to GitHub Enterprise securely by requiring users to complete a Duo flow to obtain a short-lived SSH certificate that works with their YubiKey. The client functions as an SSH agent that communicates with the YubiKey and authenticates to the API server component whenever necessary. It pops up a browser window for the Duo flow and requests your YubiKey PIN.
Usage
- Get Duo credentials ("protect web SDK").
- Create an RSA 4K keypair with `ssh-keygen -t rsa -b 4096`.
- Run the server component.
- Generate credentials with `client new`.
- Run it as an agent with `client agent`.
Overview
Server
duo:
  client_id: "xxx"
  client_secret: "xxx"
  api_host: "api-xxx.duosecurity.com"
github:
  token: "xxx"
  orgs: ["ironpeakservices"]
signer:
  private_key_path: "ca"
  expires_seconds: 36000
listener:
  address: "localhost:9999"
  token_secret_hex: "32byteshex"
tls:
  certificate_path: ""
  key_path: ""
./server -log=debug -config=server.yml
Client
api: "http://localhost:9999"
email: "[email protected]"
socket_path: "/tmp/.shh"
./client -log=debug -config=client.yml agent
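
To audit that issued certificates really are short-lived, the validity window can be read straight out of the OpenSSH certificate and compared with `signer.expires_seconds` from the server config. The following is an added example, not code from this project; the function names and the sample certificate are constructed for illustration, the sample is unsigned, and the check does not verify the CA signature.

```python
import base64, struct

MAX_LIFETIME = 36000  # signer.expires_seconds from the server config above
# Public-key fields that follow the nonce, per certificate type (PROTOCOL.certkeys).
KEY_FIELDS = {b"ssh-rsa-cert-v01@openssh.com": 2,
              b"ecdsa-sha2-nistp256-cert-v01@openssh.com": 2,
              b"ssh-ed25519-cert-v01@openssh.com": 1}
FOREVER = 0xFFFFFFFFFFFFFFFF  # valid_before value meaning "never expires"

def read_string(buf, off):
    """Read one SSH 'string': uint32 length, then that many bytes."""
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated certificate")
    return buf[off + 4:off + 4 + n], off + 4 + n

def parse_cert(line):
    """Parse a '<type> <base64>' certificate line into its policy-relevant fields."""
    blob = base64.b64decode(line.split()[1])
    ktype, off = read_string(blob, 0)
    if ktype not in KEY_FIELDS:
        raise ValueError("unsupported certificate type")
    for _ in range(1 + KEY_FIELDS[ktype]):  # skip nonce and public-key fields
        _, off = read_string(blob, off)
    serial, ctype = struct.unpack_from(">QI", blob, off)
    key_id, off = read_string(blob, off + 12)
    plist, off = read_string(blob, off)
    principals, p = [], 0
    while p < len(plist):
        name, p = read_string(plist, p)
        principals.append(name.decode())
    after, before = struct.unpack_from(">QQ", blob, off)
    return {"serial": serial, "type": ctype, "key_id": key_id.decode(),
            "principals": principals, "valid_after": after, "valid_before": before}

def lifetime_ok(cert, max_seconds=MAX_LIFETIME):
    """True only for a user cert (type 1) whose bounded lifetime is within policy."""
    if cert["type"] != 1 or cert["valid_before"] == FOREVER:
        return False
    return 0 < cert["valid_before"] - cert["valid_after"] <= max_seconds

def sample_cert(after, before):
    """Constructed, unsigned RSA user certificate body; not a real credential."""
    s = lambda b: struct.pack(">I", len(b)) + b
    body = (s(b"ssh-rsa-cert-v01@openssh.com") + s(b"\x00" * 16) + s(b"\x01\x00\x01")
            + s(b"\x00\xc1" + b"\x11" * 31) + struct.pack(">QI", 1, 1)
            + s(b"alice@example.com") + s(s(b"alice")) + struct.pack(">QQ", after, before)
            + s(b"") * 5)  # critical options, extensions, reserved, CA key, signature
    return "ssh-rsa-cert-v01@openssh.com " + base64.b64encode(body).decode()

if __name__ == "__main__":
    print(lifetime_ok(parse_cert(sample_cert(1700000000, 1700036000))))
```

Run it against the `-cert.pub` line the client obtains; a certificate with an unbounded or over-long validity window means the signer is not enforcing the configured expiry.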