blob: 1a4744c31f99ab8e12c191ce8e993acc4ae8fb78 [file] [log] [blame] [view]
Sean McCullough7013e9e2025-05-14 02:03:58 +00001# Sketch SSH Mutual Authentication System
2
3This document describes how the Sketch SSH system implements mutual authentication between the host machine and containers using certificate-based authentication.
4
5## Architecture Overview
6
7The Sketch SSH system uses a certificate-based approach to establish mutual trust between the host machine and containers. This ensures that:
8
91. Host verifies container identity: The user can trust that they're connecting to the intended container
102. Container verifies host identity: The container can trust that connections are coming from authorized host machines
11
12## Component Interaction Diagram
13
14```mermaid
15sequenceDiagram
16 participant User
17 participant Host as Host Machine (SSHTheater)
18 participant Container as Container (SSH Server)
19 participant Client as SSH Client (ssh/VSCode)
20
21 %% Setup phase
22 Note over Host,Container: Initialization Phase
23 Host->>Host: Generate Container CA keys
24 Host->>Host: Generate host certificate signed by Container CA
25 Host->>Host: Generate user identity keys
26 Host->>Host: Generate server identity keys
27 Host->>Container: Init Container with:<br/>- Server identity<br/>- User public key<br/>- Container CA public key<br/>- Host certificate
28 Container->>Container: Start SSH server with certificate verification
29
30 %% Connection phase
31 Note over Host,Container: Connection Phase
32 User->>Client: Request SSH connection to container
33
34 Client->>Host: Get SSH config from ~/.ssh/config
35 Host->>Client: Config with:<br/>- Host identity path<br/>- Host certificate path
36
37 Client->>Container: Connect with host certificate
38
39 Container->>Container: Verify client certificate<br/>is signed by Container CA
40
41 opt Mutual Authentication
42 Container->>Client: Challenge for host certificate
43 Client->>Container: Present host certificate
44 Container->>Container: Verify host certificate<br/>is for 'root' user<br/>from localhost only
45 end
46
47 alt Valid Certificate
48 Container->>Client: Accept connection
49 Client->>User: Establish shell session
50 else Invalid Certificate
51 Container->>Client: Reject connection
52 Client->>User: Authentication failed
53 end
54```
55
56## Security Features
57
58### Certificate-Based Authentication
59
60- **Container CA**: A dedicated Certificate Authority for Sketch containers
61- **Host Certificates**: Signed by the Container CA, authorizing specific hosts to connect
62- **CA-Based Known Hosts**: Uses `@cert-authority localhost,127.0.0.1,[::1]` directive to trust only localhost certificates
63- **Certificate Constraints**:
64 - Valid only for 'root' user (the container user)
65 - Source address restricted to localhost (127.0.0.1, ::1)
66 - Limited validity period (30 days by default)
67
68### Security Benefits
69
701. **Defense in Depth Security**:
71 - Multiple layers of protection:
72 - Certificates require CA signature
73 - CA authority is restricted to localhost addresses only
74 - Certificate constraints limit to localhost source addresses
75 - Even if the CA key is compromised, it can only be used for localhost connections
76 - Even if SSH ports are exposed, unauthorized connections are rejected
77
782. **Localhost Restriction**:
79 - Host certificates only work from the local machine, preventing remote exploitation
80
813. **Seamless User Experience**:
82 - Certificate management happens automatically, requiring no user intervention
83
84## Implementation Components
85
86- **SSHTheater**: Manages certificate generation and SSH configuration on the host
87- **Custom SSH Server**: Enforces certificate validation in the container
88- **SSH Client Configuration**: Automatically configured to use the right certificates
89
90## Key Files
91
92- `~/.config/sketch/container_ca`: Container CA private key
93- `~/.config/sketch/container_ca.pub`: Container CA public key
94- `~/.config/sketch/host_cert`: Host certificate signed by Container CA
95- `~/.config/sketch/container_user_identity`: User identity for SSH connections
96- `~/.config/sketch/container_server_identity`: Server identity for container SSH server
97
98## SSH Configuration Approach
99
100### Hybrid Configuration Model
101
102SSHTheater uses a hybrid approach to balance security and practicality:
103
1041. **Localhost-Restricted CA Trust** for host verification:
105 - A single `@cert-authority localhost,127.0.0.1,[::1]` entry in known_hosts
106 - Only trusts certificates for localhost addresses
107 - Prevents CA misuse even if keys are compromised
108 - Simplifies management of multiple containers
109 - Provides strong cryptographic verification
110
1112. **Individual Host Entries** in SSH config:
112 - Each container still needs a dedicated entry for port configuration
113 - This is necessary because SSH doesn't support wildcards for ports
114 - Container-specific entries use shared identity files and certificates
115
116This approach maintains the convenience of "ssh container-name" commands while leveraging the security benefits of certificate-based authentication.
117
118## Cleanup Behavior
119
120The system is designed to support multiple concurrent Sketch instances:
121
122- **Container-Specific Cleanup**: When a Sketch instance exits, it only removes its own container's entries from the SSH configuration
123- **Preserved CA Authority**: Certificate authority entries are preserved during cleanup since they may be used by other running containers
124- **Independent Host Certificates**: Each Sketch instance maintains its own host certificate
125
126This approach allows multiple Sketch instances to run concurrently while preserving the security benefits of certificate-based authentication.