Google publishes HIBA, an OpenSSH add-on for certificate-based authorization

Google has published the source code of HIBA (Host Identity Based Authorization), a project that implements an additional authorization mechanism for controlling user access to hosts over SSH: during public-key authentication it checks whether access to the specific resource is allowed. Integration with OpenSSH is achieved by specifying the HIBA handler in the AuthorizedPrincipalsCommand directive in /etc/ssh/sshd_config. The project is written in C and distributed under the BSD license.

HIBA relies on the standard OpenSSH certificate authentication mechanisms to manage user authorization for hosts flexibly and centrally, but does not require periodic changes to the authorized_keys and authorized_users files on the hosts being connected to. Instead of storing a list of valid public keys and access conditions in authorized_(keys|users) files, HIBA embeds the user-to-host binding information directly in the certificates themselves. Specifically, it proposes extensions for host certificates and user certificates that store host parameters and the conditions under which a user is granted access.

Host-side verification is performed by calling the hiba-chk handler specified in the AuthorizedPrincipalsCommand directive. The handler decodes the extensions embedded in the certificates and, based on them, decides whether to grant or deny access. Access rules are defined centrally at the certification authority (CA) level and embedded in certificates when they are generated.

On the CA side, a master list of available grants (hosts to which connection is allowed) and a list of users permitted to use those grants are maintained. The hiba-gen utility generates signed certificates with the grant information embedded, and the functionality needed to set up a certification authority is provided by the hiba-ca.sh script.

When a user connects, the grants specified in the certificate are verified against the CA's digital signature, which allows all checks to be performed entirely on the target host without resorting to external services. The CA public keys trusted to sign SSH certificates are specified using the TrustedUserCAKeys directive.

In addition to binding users directly to hosts, HIBA allows more flexible access rules to be defined. For example, hosts can be tagged with attributes such as location and type of service, and user access rules can then permit connections to all hosts with a given service type or to hosts in a specified location.
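To illustrate the two pieces described above (a handler decoding extensions embedded in a certificate, and attribute-based grants matched against a host's identity), here is an added example that is not HIBA's own code: it encodes and parses the name/data pairs of an OpenSSH certificate "extensions" field as laid out in PROTOCOL.certkeys, then applies a simplified matching policy. The extension name `grant@example.com`, the `key=value` grant syntax and the sample host identity are constructed for this example and are not HIBA's actual schema.

```python
import struct

def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH 'string': uint32 big-endian length + payload."""
    return struct.pack(">I", len(data)) + data

def read_ssh_string(buf: bytes, off: int):
    """Decode one SSH 'string' at offset; return (payload, next_offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string payload")
    return buf[off:off + n], off + n

def encode_extensions(exts: dict) -> bytes:
    """Build an 'extensions' field: string name, then string data (data wraps the value)."""
    out = b""
    for name, value in exts.items():
        data = b"" if value == "" else ssh_string(value.encode())  # flag-style ext has empty data
        out += ssh_string(name.encode()) + ssh_string(data)
    return out

def decode_extensions(blob: bytes) -> dict:
    """Walk the name/data pairs; unwrap the inner string where data is present."""
    out, off = {}, 0
    while off < len(blob):
        name, off = read_ssh_string(blob, off)
        data, off = read_ssh_string(blob, off)
        out[name.decode()] = read_ssh_string(data, 0)[0].decode() if data else ""
    return out

def parse_grant(text: str) -> dict:
    """'domain=example.com location=europe' -> {'domain': ..., 'location': ...}"""
    return dict(kv.split("=", 1) for kv in text.split())

def access_allowed(host_identity: dict, user_ext_blob: bytes, ext_name: str) -> bool:
    """Allow only if the grant exists, is non-empty, and every constraint matches the host."""
    exts = decode_extensions(user_ext_blob)
    if ext_name not in exts:
        return False  # no grant extension at all: deny by default
    grant = parse_grant(exts[ext_name])
    return bool(grant) and all(host_identity.get(k) == v for k, v in grant.items())

# Constructed sample data (hypothetical host identity and user-certificate extensions)
HOST = {"domain": "example.com", "location": "europe", "service": "web"}
USER_EXTS = encode_extensions({
    "permit-pty": "",
    "grant@example.com": "domain=example.com location=europe",
})
```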

Source: opennet.ru
