blob: 78f1a202c2bbedd73c620c55346bdfc374c1da1d [file] [log] [blame] [view]
# Sketch SSH Mutual Authentication System
This document describes how the Sketch SSH system implements mutual authentication between the host machine and containers using certificate-based authentication.
## Architecture Overview
The Sketch SSH system uses a certificate-based approach to establish mutual trust between the host machine and containers. This ensures that:
1. Host verifies container identity: The user can trust that they're connecting to the intended container
2. Container verifies host identity: The container can trust that connections are coming from authorized host machines
## Component Interaction Diagram
```mermaid
sequenceDiagram
participant User
participant Host as Host Machine (LocalSSHimmer)
participant Container as Container (SSH Server)
participant Client as SSH Client (ssh/VSCode)
%% Setup phase
Note over Host,Container: Initialization Phase
Host->>Host: Generate Container CA keys
Host->>Host: Generate host certificate signed by Container CA
Host->>Host: Generate user identity keys
Host->>Host: Generate server identity keys
Host->>Container: Init Container with:<br/>- Server identity<br/>- User public key<br/>- Container CA public key<br/>- Host certificate
Container->>Container: Start SSH server with certificate verification
%% Connection phase
Note over Host,Container: Connection Phase
User->>Client: Request SSH connection to container
Client->>Host: Get SSH config from ~/.ssh/config
Host->>Client: Config with:<br/>- Host identity path<br/>- Host certificate path
Client->>Container: Connect with host certificate
Container->>Container: Verify client certificate<br/>is signed by Container CA
opt Mutual Authentication
Container->>Client: Challenge for host certificate
Client->>Container: Present host certificate
Container->>Container: Verify host certificate<br/>is for 'root' user<br/>from localhost only
end
alt Valid Certificate
Container->>Client: Accept connection
Client->>User: Establish shell session
else Invalid Certificate
Container->>Client: Reject connection
Client->>User: Authentication failed
end
```
## Security Features
### Certificate-Based Authentication
- **Container CA**: A dedicated Certificate Authority for Sketch containers
- **Host Certificates**: Signed by the Container CA, authorizing specific hosts to connect
- **CA-Based Known Hosts**: Uses `@cert-authority localhost,127.0.0.1,[::1]` directive to trust only localhost certificates
- **Certificate Constraints**:
- Valid only for 'root' user (the container user)
- Source address restricted to localhost (127.0.0.1, ::1)
- Limited validity period (30 days by default)
### Security Benefits
1. **Defense in Depth Security**:
- Multiple layers of protection:
- Certificates require CA signature
- CA authority is restricted to localhost addresses only
- Certificate constraints limit to localhost source addresses
- Even if the CA key is compromised, it can only be used for localhost connections
- Even if SSH ports are exposed, unauthorized connections are rejected
2. **Localhost Restriction**:
- Host certificates only work from the local machine, preventing remote exploitation
3. **Seamless User Experience**:
- Certificate management happens automatically, requiring no user intervention
## Implementation Components
- **LocalSSHimmer**: Manages certificate generation and SSH configuration on the host
- **Custom SSH Server**: Enforces certificate validation in the container
- **SSH Client Configuration**: Automatically configured to use the right certificates
## Key Files
- `~/.config/sketch/container_ca`: Container CA private key
- `~/.config/sketch/container_ca.pub`: Container CA public key
- `~/.config/sketch/host_cert`: Host certificate signed by Container CA
- `~/.config/sketch/container_user_identity`: User identity for SSH connections
- `~/.config/sketch/container_server_identity`: Server identity for container SSH server
## SSH Configuration Approach
### Hybrid Configuration Model
LocalSSHimmer uses a hybrid approach to balance security and practicality:
1. **Localhost-Restricted CA Trust** for host verification:
- A single `@cert-authority localhost,127.0.0.1,[::1]` entry in known_hosts
- Only trusts certificates for localhost addresses
- Prevents CA misuse even if keys are compromised
- Simplifies management of multiple containers
- Provides strong cryptographic verification
2. **Individual Host Entries** in SSH config:
- Each container still needs a dedicated entry for port configuration
- This is necessary because SSH doesn't support wildcards for ports
- Container-specific entries use shared identity files and certificates
This approach maintains the convenience of "ssh container-name" commands while leveraging the security benefits of certificate-based authentication.
## Cleanup Behavior
The system is designed to support multiple concurrent Sketch instances:
- **Container-Specific Cleanup**: When a Sketch instance exits, it only removes its own container's entries from the SSH configuration
- **Preserved CA Authority**: Certificate authority entries are preserved during cleanup since they may be used by other running containers
- **Independent Host Certificates**: Each Sketch instance maintains its own host certificate
This approach allows multiple Sketch instances to run concurrently while preserving the security benefits of certificate-based authentication.