Google has published the source code of HIBA (Host Identity Based Authorization), a project that implements an additional authorization mechanism for tying users' SSH access to specific hosts: when a user authenticates with a public key, it checks whether access to that particular resource is allowed or not. Integration with OpenSSH is done through the HIBA handler configured in the AuthorizedPrincipalsCommand directive of /etc/ssh/sshd_config. The code is written in C and distributed under the BSD license.
HIBA builds on OpenSSH's standard certificate-based authentication to provide flexible, centralized management of which users may log in to which hosts, without requiring periodic updates of the authorized_keys or authorized_principals files on the hosts being connected to. Instead of keeping the list of acceptable public keys and access conditions in those files, HIBA embeds the user-to-host binding directly in the certificates: it defines extensions for host certificates and for user certificates that carry, respectively, the host's parameters and the conditions under which the user is allowed access.
The check on the host side is performed by the hiba-chk handler, specified in the AuthorizedPrincipalsCommand directive. The handler decodes the extensions embedded in the certificates and, based on them, decides whether to grant or deny access. Access rules are defined centrally at the certificate authority (CA) and are embedded in certificates at the time they are generated.
On the CA side, a global list of available grants is maintained (the hosts to which connections are permitted), along with a list of users allowed to use those grants.
Certificates with embedded grant information are produced with the hiba-gen utility, and the functionality needed to set up a CA is packaged in the hiba-ca.sh script.
When a user connects, the grants in the certificate are vouched for by the CA's digital signature, which lets all checks run entirely on the target host without contacting any external service. The CA public keys trusted to sign SSH user certificates are listed through the TrustedUserCAKeys directive; sshd verifies the certificate's signature against them before the AuthorizedPrincipalsCommand handler is invoked, so the handler only has to interpret authorization data that is already known to be authentic.
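As an added illustration (not code from HIBA or Google), the following Python models the flow described above: how extension data rides inside an OpenSSH certificate, and how a hiba-chk-style AuthorizedPrincipalsCommand can decide from the host's and the user's certificates alone, with no external lookup. The extension names identity@hibassh.dev and grant@hibassh.dev, the key=value text encoding of identities and grants, the hiba_check function and the sample host web01 and user alice are all assumptions made for this example; HIBA's real extension payload is a binary format. The certificates are built unsigned with zeroed key material because sshd verifies the CA signature before the command runs, so that step is out of scope here.

```python
import struct
import time

USER_CERT, HOST_CERT = 1, 2              # OpenSSH certificate types
IDENTITY_EXT = "identity@hibassh.dev"    # assumed name of the host identity extension
GRANT_EXT = "grant@hibassh.dev"          # assumed name of the user grant extension

def ssh_string(b):
    # SSH wire string: uint32 big-endian length followed by the bytes
    return struct.pack(">I", len(b)) + b

def pack_extensions(exts):
    """OpenSSH extension encoding: string name, string data; data is empty or
    wraps the contents in one more string. Names sorted, as ssh-keygen does."""
    out = b""
    for name, contents in sorted(exts):
        data = ssh_string(contents.encode()) if contents else b""
        out += ssh_string(name.encode()) + ssh_string(data)
    return out

def build_cert(cert_type, key_id, principals, exts):
    """Constructed ssh-ed25519-cert-v01@openssh.com blob: zeroed key material,
    no signature (sshd checks the CA signature before any principals command)."""
    now = int(time.time())
    return b"".join([
        ssh_string(b"ssh-ed25519-cert-v01@openssh.com"),
        ssh_string(b"\x00" * 32), ssh_string(b"\x00" * 32),   # nonce, public key
        struct.pack(">QI", 1, cert_type),                      # serial, type
        ssh_string(key_id.encode()),
        ssh_string(b"".join(ssh_string(p.encode()) for p in principals)),
        struct.pack(">QQ", now - 60, now + 3600),              # valid after / before
        ssh_string(b""),                                       # critical options
        ssh_string(pack_extensions(exts)),
        ssh_string(b""), ssh_string(b""), ssh_string(b""),     # reserved, sig key, sig
    ])

class Reader:
    # cursor over an SSH wire-format blob
    def __init__(self, buf):
        self.buf, self.pos = buf, 0

    def unpack(self, fmt):
        vals = struct.unpack_from(fmt, self.buf, self.pos)
        self.pos += struct.calcsize(fmt)
        return vals

    def string(self):
        (n,) = self.unpack(">I")
        s, self.pos = self.buf[self.pos:self.pos + n], self.pos + n
        return s

def parse_cert(blob):
    """Decode the certificate fields a hiba-chk-style check needs."""
    r = Reader(blob)
    r.string(); r.string(); r.string()                         # type name, nonce, key
    _serial, cert_type = r.unpack(">QI")
    key_id = r.string().decode()
    r.string()                                                 # principals: sshd matches these itself
    valid_after, valid_before = r.unpack(">QQ")
    r.string()                                                 # critical options
    er, exts = Reader(r.string()), {}
    while er.pos < len(er.buf):
        name, data = er.string().decode(), er.string()
        exts[name] = Reader(data).string().decode() if data else ""
    return {"type": cert_type, "key_id": key_id, "valid_after": valid_after,
            "valid_before": valid_before, "extensions": exts}

def parse_kv(block):
    return dict(line.split("=", 1) for line in block.splitlines() if "=" in line)

def grants_from(text):
    # assumed simplified grant encoding: blank-line separated blocks of key=value lines
    return [parse_kv(b) for b in text.split("\n\n") if b.strip()]

def grant_allows(grant, identity, login):
    """Every grant key must match the host identity, except 'role', which must
    equal the requested login name. An empty grant matches nothing."""
    return bool(grant) and all(
        (login if k == "role" else identity.get(k)) == v for k, v in grant.items())

def hiba_check(host_blob, user_blob, login, now=None):
    """Return the principals sshd may accept for this login, or [] to deny."""
    host, user = parse_cert(host_blob), parse_cert(user_blob)
    now = int(time.time()) if now is None else now
    identity = parse_kv(host["extensions"].get(IDENTITY_EXT, ""))
    if (host["type"] != HOST_CERT or user["type"] != USER_CERT or not identity
            or not user["valid_after"] <= now < user["valid_before"]):
        return []                                              # wrong cert kinds, no identity, or expired
    for grant in grants_from(user["extensions"].get(GRANT_EXT, "")):
        if grant_allows(grant, identity, login):
            return [login]
    return []

# Constructed sample certificates: host web01 and user alice.
HOST_BLOB = build_cert(HOST_CERT, "web01", ["web01.example.com"], [
    (IDENTITY_EXT, "domain=example.com\nhostname=web01\nowner=web-team")])
USER_BLOB = build_cert(USER_CERT, "alice", ["alice"], [
    (GRANT_EXT, "domain=example.com\nowner=web-team\nrole=alice\n\n"
                "domain=example.com\nhostname=bastion\nrole=root"),
    ("permit-pty", "")])
```

With the sample data, hiba_check(HOST_BLOB, USER_BLOB, "alice") returns ["alice"] because the first grant matches web01's domain and owner, while hiba_check(HOST_BLOB, USER_BLOB, "root") returns [] since the root grant is restricted to the host named bastion. Nothing beyond the two certificates is consulted, which is the property the article describes; a real deployment would pass the host certificate and the requested user to hiba-chk through the AuthorizedPrincipalsCommand line, using the arguments documented by the project.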