Portcullis

n. a strong, heavy grating that can be lowered down grooves on each side of a gateway to block it.



About

Designed after an IRC Bouncer, this project exists to be an intermediate between an SSH client and multiple SSH Servers.

Features:

  • IRC Bouncer style SSH session persistence via GNU Screen.
  • Simple, text-based, keyboard driven interface.
  • Configuration uses a basic text file.
  • Simplifies access control and identity management with a single entry point for clients;
    • All connections to upstream SSH servers are made through the Portcullis host.
    • Users/clients only need network access to and maintain identity with the Portcullis host, which itself may have more privileged access.
Note: No security is infallible; a single point of entry is also a single point of failure, so follow best security practices for your environment.

Planned:

  • In-program configuration editing. (Adding and removing connection options, etc)
  • Additional menus for killing or force detaching screen session.

Usage

On start the following menu is displayed:
Portcullis  ============================================================================================================================================================
1. Connect
2. List sessions
| b = Back | e = Exit |
======================================================================================================================================================================
Select menu option:
Navigation is done by entering the desired letter or number option and pressing Enter.
Otherwise, GNU Screen bindings apply while connected to a session; for example, to detach from a session without disconnecting, use Ctrl+a+d.

Installation

(Optional) Creating a user

Even when running on an existing multi-user host, a separate user is recommended, since, when configured as intended, the configured user loses SSH shell access.
The app also has no user management and will share sessions and connections within the same user, which may be undesired.
Additional notes for creating the account:
  • A shell is REQUIRED, or the script won't be able to run on login; avoid options like --system or --shell /sbin/nologin.
  • Although a home directory isn't technically needed, if you don't have anywhere for OpenSSH to read/store configuration, you'll have to accept fingerprints every time, and have no way to specify configurations for individual SSH hosts.

Installing Portcullis


# Create a user
~ # {useradd||adduser} portcullis

# Clone the repo
~ $ git clone https://github.com/raku-cat/portcullis.git /opt/portcullis
~ $ chown -R portcullis:portcullis /opt/portcullis

# Create the python environment
# If `make` is available on your system, a Makefile is included which
# should create the virtualenv and install the pip requirements.
~ $ cd /opt/portcullis
~ $ make all
# Otherwise, if `make` is unavailable
~ $ python3 -m venv python_modules
~ $ python_modules/bin/pip install -r requirements.txt

# Create the config (one user@host per line)
# Note: An example config is included `servers.list.example`.
~ $ printf "user1@server1.tld\nuser2@server2.tld\nuser3@server3.tld\n" > servers.list

# Configure OpenSSH
# The Match block is two lines; the leading \n keeps it separate from
# whatever currently ends sshd_config.
~ # printf "\nMatch User portcullis\n    ForceCommand /opt/portcullis/python_modules/bin/python /opt/portcullis/app.py\n" >> /etc/ssh/sshd_config

# Restart sshd
~ # systemctl restart sshd
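As an added example (not the project's app.py), the following Python sketch models the two menu actions, Connect and List sessions, on top of the servers.list format shown above. It assumes one user@host per line with blank lines and `#` comments ignored, maps each target to one named, detached GNU Screen session running ssh, and parses `screen -ls` output; the session naming scheme, the exact screen flags and the sample inputs are this example's own choices. The point a practitioner would want to see is that every config line ends up as an ssh argument, so the parser accepts only a strict user@host grammar and the argv is passed to screen without a shell.

```python
"""Model of a Portcullis-style SSH bouncer's two menu actions.

Added example, not the project's app.py. Assumptions: servers.list holds
one user@host per line (as in the README's printf), blank lines and '#'
comments are ignored, and each target maps to one named, detached GNU
Screen session running ssh. The session naming scheme and the exact
screen flags are this example's choices.
"""
import re
import subprocess
from typing import List, Tuple

# Constructed servers.list: three valid targets plus two lines the parser
# must reject, because each accepted line becomes an argument handed to ssh.
SAMPLE_SERVERS_LIST = """\
user1@server1.tld
user2@server2.tld

# retired host, kept for reference
user3@server3.tld
-oBatchMode=yes
user4@server4.tld;id
"""

# Constructed `screen -ls` output in the shape screen prints it.
SAMPLE_SCREEN_LS = """\
There are screens on:
\t12345.portcullis-user1-server1_tld\t(Detached)
\t12346.portcullis-user2-server2_tld\t(Attached)
2 Sockets in /run/screen/S-portcullis.
"""

# Strict user@host grammar: neither part may start with '-', so no entry can
# be read as an ssh option, and shell metacharacters are not allowed at all.
ENTRY_RE = re.compile(
    r"^(?P<user>[A-Za-z0-9_][A-Za-z0-9_.-]*)@(?P<host>[A-Za-z0-9][A-Za-z0-9.-]*)$"
)
# pid.name ... (state); newer screen versions print a timestamp between the
# name and the state, which the `.*` skips.
SCREEN_LS_RE = re.compile(r"^\s*(\d+)\.(\S+).*\((Attached|Detached)\)")


def parse_servers_list(text: str) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Split servers.list into accepted (user, host) pairs and rejected lines."""
    accepted: List[Tuple[str, str]] = []
    rejected: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = ENTRY_RE.match(line)
        if match is None:
            rejected.append(line)
        else:
            accepted.append((match.group("user"), match.group("host")))
    return accepted, rejected


def session_name(user: str, host: str) -> str:
    """Derive a screen session name from the target (assumed scheme).

    Anything outside [A-Za-z0-9_-] is replaced so the name stays one plain
    token in `screen -ls` output.
    """
    return re.sub(r"[^A-Za-z0-9_-]", "_", f"portcullis-{user}-{host}")


def screen_command(user: str, host: str, ssh_path: str = "ssh") -> List[str]:
    """argv that reattaches the target's session, or creates it running ssh.

    `screen -D -R -S name cmd` reattaches an existing session of that name
    (detaching it elsewhere first) and only runs cmd when it has to create a
    new one; that is the bouncer-style persistence. `--` ends ssh's option
    parsing as a second line of defence behind ENTRY_RE.
    """
    return ["screen", "-D", "-R", "-S", session_name(user, host),
            ssh_path, "--", f"{user}@{host}"]


def connect(user: str, host: str) -> int:
    """Menu item 1: hand the terminal to screen. The argv list goes straight
    to execve, so config text is never interpolated into a shell string."""
    return subprocess.run(screen_command(user, host), check=False).returncode


def list_sessions(screen_ls_output: str) -> List[Tuple[str, str, str]]:
    """Menu item 2: parse `screen -ls` into (pid, name, state) tuples."""
    sessions: List[Tuple[str, str, str]] = []
    for line in screen_ls_output.splitlines():
        match = SCREEN_LS_RE.match(line)
        if match:
            sessions.append((match.group(1), match.group(2), match.group(3)))
    return sessions


if __name__ == "__main__":
    targets, bad = parse_servers_list(SAMPLE_SERVERS_LIST)
    for user, host in targets:
        print(" ".join(screen_command(user, host)))
    for line in bad:
        print(f"rejected config line: {line!r}")
    for pid, name, state in list_sessions(SAMPLE_SCREEN_LS):
        print(f"{pid} {name} {state}")
```

Run stand-alone it prints the screen argv for the three valid targets, names the two rejected lines, and lists the two constructed sessions; `connect()` is the only function that actually executes screen, and it is not called by the demo.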

Post installation

Now that the app is set up, manually run it on the Portcullis host to verify functionality:
~ $ /opt/portcullis/python_modules/bin/python /opt/portcullis/app.py