Authentication Bot

A Discord Bot that handles SSH Certificate Authorization

Requirements

• OpenSSH Version >= 5.4
• SSH Server with SSH Certificate Support (Check for TrustedUserCAKeys)
• Docker

Installation

1. Discord Setup

1. Create a Discord account

2. Add New Application from Discord Development Portal

3. Name the Application as you want

4. Go to Bot menu and add a Bot

5. Go to OAtuh2 ,enu and select these scopes

   • bot

6. Select those Bot Permissions

   • Text Permissions
     • Send Messages
       Needed for Sending Messages
     • Manage Messages
       Needed for Message Deletion
     • Add Reactions
       Needed for /clean Result

7. Invite Bot to your Discord server by allowing it
   Note : You can just Copy This Link and Change CLIENT_ID Part
   https://discord.com/api/oauth2/authorize?client_id=(CLIENT_ID)&permissions=10304&scope=bot

8. Set adequate roles for Bot if you restricted users from reading message from some of your Channels

2. SSH Setup

1. Run ssh-keygen -f (SSH_CONFIG_LOCATION)/ca_user_key to generate SSH User CA Key

• For Debian and Ubuntu, SSH_CONFIG_LOCATION is /etc/ssh
• You may need root access to generate CA there
• You can select other key types, such as ecdsa or ed25519, but we recommend ed25519 and rsa over 2048 bits.
  (IMO, I prefer ed25519 over rsa)
• You Must Set Passpharase to the CA Key

2. Run touch (SSH_CONFIG_LOCATION)/ssh_revoked_keys to make Key Revoke List file

3. Edit (SSH_CONFIG_LOCATION)/sshd_config and add these Lines

TrustedUserCAKeys /etc/ssh/ca_user_key.pub
RevokedKeys /etc/ssh/ssh_revoked_keys

4. Restart OpenSSH

3. Bot Setup

1. Clone this project to your Server that you want to give SSH Access

2. Copy .env.template to .env and set BOT_TOKEN and DATABASE_PATH

3. Set CA_PASS to CA Key passpharse

4. Set ENFORCE_STRONG_KEYS to True if you want to enforce client keys to be rsa over 2048 bits or ed25519 key

5. Set CERTIFICATE_VALID_DAYS to adequate days to duration of validity of certificate after certificate creation

6. Run check_channel_id.py and set DISCORD_CHANNELS that you want Bot to listen on
   Note : It supports multiple channels. Please give channel id as CSV(Comma Seperated List) to Listen on Multiple Channels

4. Docker Setup

1. Check hostname and container_name values and change as you want

2. Check ca_user_key and ssh_revoked_keys are set well to the SSH config location
   Do Not Change Path After the Colon(:) such as /root/ca_user_key and /root/ssh_revoked_keys

3. Run docker-compose up -d to start the container

Usage

• /authorize [public_key]
  public_key: OpenSSH Format Public Key
  Authorize Key and Create Key Certificate (starts with sha-rsa or sha-ed25519)

• /revoke [key_index]
  key_index: run /manage to find key index
  Revoke key when key is exposed, leaked, or lost

• /manage
  Manage keys authorized before

• /clear
  Remove all bot-generated messages

• /help
  Show help message

Notes

• Use branch server for deployment.
  git clone -b server --single-branch https://github.com/maxswjeon/authentication-bot
• /revoke does not revoke Certificates that are generated, they revoke Keys. Use with caution.
• All environment variables in .env are Required or it will cause error.