hiba-chk.1
.\" Copyright 2021 The HIBA Authors
.\"
.\" Use of this source code is governed by a BSD-style
.\" license that can be found in the LICENSE file or at
.\" https://developers.google.com/open-source/licenses/bsd
.TH HIBA-CHK 1 "Dec, 1 2020"
.SH NAME
hiba-chk - OpenSSH helper for host identity based authorizations.
.SH SYNOPSIS
.B hiba-chk
.RI "[-v] [-y] [-l " "facility" "] [-g " "grl_file" "] -i " "identity_file" " -r " "role" " -p " "principal" " " "grant_file"
.br
.B hiba-chk
.RI "[-v] [-y] [-l " "facility" "] [-g " "grl_file" "] -i " "host_certificate" " -r " "role" " " "user_certificate"
.SH DESCRIPTION
.B hiba-chk
performs checks between a
.I host_identity
and a
.IR user_grant .
.PP
Both can be provided as OpenSSH host and user certificates containing HIBA extensions generated by
.B hiba-gen
and attached to the certificate using
.B hiba-ca.sh
(or any other certificate authority that supports HIBA extensions).
.PP
Alternatively,
.B hiba-chk
accepts direct HIBA extensions, mostly for testing or debugging authorizations. In this case, the
.I -p principal
option must be provided, as the principal cannot be extracted from the
.IR user_certificate .
The certificate serial and issue time will be hardcoded, causing revocations to be all or nothing and the validity check to always pass.
.PP
.B hiba-chk
also requires the
.I role
to grant access to and optionally a
.I grl_file
that contains the list of revoked grants inside certificates.
.SH OPTIONS
This program only accepts short options (single dash).
.TP
.B \-v
Turn on verbose mode. This flag can be repeated up to 3 times for increased verbosity.
.TP
.B \-y
.RI "Turn on syslog mode. Log to syslog (" "auth" " facility by default) instead of stderr."
.TP
.B \-l
.RI "Facility to use for logging when -y is specified. Defaults to " "auth" "."
.TP
.B \-g
The path to a grl_file.
.TP
.B \-i
The host identity, either as an OpenSSH host certificate with a HIBA identity extension, or a direct HIBA identity extension.
.TP
.B \-r
The role to grant access to.
.TP
.B \-p
The principal to allow. This option is only necessary when not using certificates.
.SH EXIT STATUS
.B hiba-chk
displays the dynamically generated
.I authorized_users
file on stdout, as expected by
.B sshd
(nothing is printed if access is denied). It terminates with an exit code of zero if access is granted. If access is denied, it sets the exit code to a non-zero value representing the authorization error:
.TP 24
.B HIBA_CHECK_NOKEY
(40) One of the keys from the HIBA grant cannot be found in the host identity.
.TP
.B HIBA_CHECK_BADVERSION
(41) The HIBA grant and HIBA identity versions are incompatible.
.TP
.B HIBA_CHECK_EXPIRED
(42) The HIBA grant is expired.
.TP
.B HIBA_CHECK_REVOKED
(43) The HIBA grant was revoked.
.TP
.B HIBA_CHECK_NOGRL
(44) The
.I grl_file
is specified but cannot be found.
.TP
.B HIBA_CHECK_BADHOSTNAME
(45) The HIBA grant references another hostname.
.TP
.B HIBA_CHECK_BADROLE
(46) The HIBA grant doesn't allow access as the currently requested role.
.TP
.B HIBA_CHECK_NOGRANTS
(47) The user certificate doesn't contain any HIBA grants.
.TP
.B HIBA_CHECK_DENIED
(48) The HIBA grant contains a key/value pair not matching the host identity.
.SH EXAMPLE
.RS 4
.nf
$ hiba-gen -d -f host.hiba
identity@hibassh.dev (v1):
[0] domain = 'google.com'
[1] owner = 'hiba'
$ hiba-gen -d -f user.hiba
grant@hibassh.dev (v1):
[0] domain = 'google.com'
[1] role = 'user'
# Test access denied
$ hiba-chk -i host.hiba -r root -p principal user.hiba
$ echo $?
46
# Test access granted
$ hiba-chk -i host.hiba -r user -p principal user.hiba
principal
$ echo $?
0
.fi
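.PP
As an added example, not part of HIBA's own code: a POSIX shell wrapper that consumes the exit codes listed under EXIT STATUS and only emits the principals list when access is granted, so that a missing binary, an unknown status or empty output all deny (fail closed), which is the behaviour wanted when the wrapper is wired in via the sshd AuthorizedPrincipalsCommand directive. The binary path variable HIBA_CHK_BIN and the function names hiba_check_reason and hiba_principals are assumptions, as are the constructed file names in the comments.

```shell
#!/bin/sh
# Added example (not part of HIBA). Assumptions: hiba-chk is found via
# HIBA_CHK_BIN (default: "hiba-chk" on PATH); the caller passes the host
# certificate path, the requested role, the user certificate path and an
# optional grl_file, e.g. hiba_principals host.hiba user user.hiba.

# Map a hiba-chk exit status to the HIBA_CHECK_* name from EXIT STATUS.
# Anything outside the documented range (e.g. 127 for a missing binary)
# is reported as UNKNOWN so the caller still treats it as a denial.
hiba_check_reason() {
    case "$1" in
        0)  echo "GRANTED" ;;
        40) echo "HIBA_CHECK_NOKEY" ;;
        41) echo "HIBA_CHECK_BADVERSION" ;;
        42) echo "HIBA_CHECK_EXPIRED" ;;
        43) echo "HIBA_CHECK_REVOKED" ;;
        44) echo "HIBA_CHECK_NOGRL" ;;
        45) echo "HIBA_CHECK_BADHOSTNAME" ;;
        46) echo "HIBA_CHECK_BADROLE" ;;
        47) echo "HIBA_CHECK_NOGRANTS" ;;
        48) echo "HIBA_CHECK_DENIED" ;;
        *)  echo "UNKNOWN($1)" ;;
    esac
}

# hiba_principals HOST_CERT ROLE USER_CERT [GRL_FILE]
# Prints hiba-chk's principals output only when it exits 0 and printed
# something; every other outcome logs the reason to stderr and returns 1.
hiba_principals() {
    host_cert=$1; role=$2; user_cert=$3; grl=${4:-}
    set -- -i "$host_cert" -r "$role"
    [ -n "$grl" ] && set -- "$@" -g "$grl"
    # Capture status explicitly so the wrapper is safe under set -e.
    if out=$("${HIBA_CHK_BIN:-hiba-chk}" "$@" "$user_cert" 2>/dev/null); then
        status=0
    else
        status=$?
    fi
    if [ "$status" -ne 0 ] || [ -z "$out" ]; then
        echo "hiba-chk denied role=$role: $(hiba_check_reason "$status")" >&2
        return 1
    fi
    printf '%s\n' "$out"
    return 0
}
```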
.SH SEE ALSO
.BR hiba-ca.sh (1),
.BR hiba-gen (1),
.BR hiba-grl (1),
.BR sshd_config (1),
.BR ssh-keygen (1)