Google has published the source code of HIBA (Host Identity Based Authorization), a project that proposes an additional authorization mechanism for controlling user access to hosts over SSH (checking whether access to a particular resource is permitted when authenticating with public keys). Integration with OpenSSH is done by specifying the HIBA handler in the AuthorizedPrincipalsCommand directive in /etc/ssh/sshd_config. The project is written in C and distributed under the BSD license.
HIBA uses the standard OpenSSH certificate-based authentication mechanisms for flexible, centralized management of user authorization to hosts, but does not require periodically updating the authorized_keys and authorized_users files on the hosts being connected to. Instead of storing a list of valid public keys and access conditions in authorized_keys or authorized_users files, HIBA embeds the host-binding information directly in the certificates themselves. Specifically, it proposes extensions for host certificates and user certificates that store host parameters and the conditions under which a user is granted access.
Host-side verification is triggered by invoking the hiba-chk handler specified in the AuthorizedPrincipalsCommand directive. The handler decodes the extensions embedded in the certificates and decides on their basis whether to grant or deny access. Access rules are defined centrally at the certificate authority (CA) level and embedded in certificates when they are generated.
On the CA side there is a master list of available permissions (hosts that may be connected to) and a list of users allowed to use those permissions. The hiba-gen utility is provided to generate signed certificates with embedded permission information, and the functionality needed to run a certificate authority is placed in the hiba-ca.sh script.
When a user connects, the credentials carried in the certificate are verified against the CA's digital signature, which allows all checks to be performed entirely on the target host being connected to, without contacting external services. The list of public keys of the CAs that sign SSH certificates is specified via the TrustedUserCAKeys directive.
In addition to binding users directly to hosts, HIBA allows more flexible access rules. For example, hosts can be tagged with attributes such as location and type of service, and a user's access rule can then permit connections to all hosts with a given service type or to all hosts at a specified location.
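To make the host-side decision described above concrete, here is an added example (not HIBA's own code, and not its certificate extension encoding) that models what a hiba-chk style check does once the CA signature has been verified: a host identity is a set of attribute=value pairs, a user certificate carries one or more grants that constrain those attributes plus the login roles they cover, and access is allowed only if some grant matches every attribute it constrains. The attribute names (domain, hostname, location, service, role) and the "k=v,k=v" text form are assumptions for illustration.

```python
# Added example: a simplified model of the host-side authorization check.
# Not HIBA's code or wire format; attribute names and the "k=v,k=v" form
# are assumed for illustration.

def parse_pairs(text: str) -> dict:
    """Parse 'k=v,k=v' into a dict; malformed items raise instead of being ignored."""
    pairs = {}
    for item in text.split(","):
        key, sep, value = item.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"malformed attribute: {item!r}")
        pairs[key.strip()] = value.strip()
    return pairs

def grant_matches(grant: dict, host: dict, role: str) -> bool:
    """True if every constraint in the grant holds on this host for this login role."""
    wanted_role = grant.get("role", "*")
    if wanted_role != "*" and wanted_role != role:
        return False
    for key, wanted in grant.items():
        if key == "role":
            continue
        # An attribute the host does not claim cannot satisfy a constraint:
        # fail closed rather than assume a match.
        if key not in host:
            return False
        if wanted != "*" and host[key] != wanted:
            return False
    return True

def authorize(grant_texts: list, host: dict, role: str) -> list:
    """Return the grants that authorize `role` on `host` (empty list means deny)."""
    return [g for g in grant_texts if grant_matches(parse_pairs(g), host, role)]

# Constructed sample data: one host identity and the grants from a user certificate.
SAMPLE_HOST = parse_pairs("domain=example.com,hostname=web1,location=fra,service=web")
SAMPLE_GRANTS = [
    "domain=example.com,service=web,role=deploy",   # every web host in the domain
    "domain=example.com,location=ams,role=*",       # any role, but only hosts in ams
    "domain=example.com,hostname=web1,role=root",   # one specific host
    "service=db,role=*",                            # database hosts only
]

if __name__ == "__main__":
    for role in ("deploy", "root", "guest"):
        print(role, "->", authorize(SAMPLE_GRANTS, SAMPLE_HOST, role) or "deny")
```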