sshifu 0.4.0 → 0.5.0

package/package.json

@@ -1,12 +1,10 @@
 {
   "name": "sshifu",
-  "version": "0.4.0",
+  "version": "0.5.0",
   "description": "SSH authentication system with short-lived certificates and OAuth authentication (GitHub organizations)",
   "main": "bin/sshifu.js",
   "bin": {
-    "sshifu": "bin/sshifu.js",
-    "sshifu-server": "bin/sshifu-server.js",
-    "sshifu-trust": "bin/sshifu-trust.js"
+    "sshifu": "bin/sshifu.js"
   },
   "scripts": {
     "postinstall": "node scripts/install.js"

package/README.md

@@ -1,254 +0,0 @@
-# Sshifu
-
-<div align="center">
-  <img src="logo.png" alt="Sshifu Logo" width="250px">
-</div>
-
-**Sshifu** (SSH + Fu / 師傅 "master") is a lightweight SSH authentication system that uses short-lived OpenSSH certificates with OAuth authentication (GitHub organizations).
-
-A minimal alternative to complex SSH access platforms like Teleport, while remaining fully compatible with existing OpenSSH tooling.
-
-## Features
-
-- 🔐 **Short-lived SSH certificates** - Automatic certificate issuance with configurable TTL (default 8 hours)
-- 🌐 **GitHub OAuth authentication** - Authenticate users via GitHub organization membership
-- 🛠️ **Standard OpenSSH compatibility** - Works with existing `ssh` command without workflow changes
-- 📦 **Minimal infrastructure** - Single server component, no database required
-- 👥 **Designed for small teams** - Optimized for teams with <50 users
-
-## Quick Start
-
-```bash
-# Expose your server publicly (here we're using localhost.run for testing)
-ssh -R 80:localhost:8080 nokey@localhost.run
-
-# Prepare GitHub OAuth credentials & note the localhost.run URL from above.
-# In another terminal, start the sshifu server and follow the wizard.
-npx sshifu-server
-
-# On the SSH server machine, configure trust (requires sudo)
-sudo npx sshifu-trust <localhost.run address>
-
-# From another machine, connect to the SSH server
-npx sshifu <localhost.run address> <ssh server address>
-```
-
-## Architecture
-
-```
-┌─────────────┐
-│ User CLI    │  sshifu
-│ (sshifu)    │
-└──────┬──────┘
-       │
-       │ 1. Start login session
-       │ 2. Poll for approval
-       │ 3. Request certificate
-       ▼
-┌─────────────────────────┐
-│ sshifu-server           │
-│ - OAuth gateway         │
-│ - SSH Certificate Auth  │
-└─────────────────────────┘
-       │
-       │ Configure trust
-       ▼
-┌─────────────────────────┐
-│ Target SSH Server       │
-│ (configured via         │
-│  sshifu-trust)          │
-└─────────────────────────┘
-```
-
-## Components
-
-| Tool | Purpose |
-|------|---------|
-| `sshifu` | CLI used by users to authenticate and connect to SSH servers |
-| `sshifu-server` | Web server acting as OAuth gateway and SSH Certificate Authority |
-| `sshifu-trust` | Server-side CLI to configure SSH servers to trust the Sshifu CA |
-
-## Installation Options
-
-#### Option 1: Install Globally via npm
-
-For frequent use, install globally:
-
-```bash
-npm install -g sshifu
-```
-
-Then use commands directly:
-
-```bash
-sshifu auth.example.com user@target-server.com
-sshifu-server
-sshifu-trust auth.example.com
-```
-
-#### Option 2: Pre-built Binary
-
-Download the latest release for your platform from the [releases page](https://github.com/azophy/sshifu/releases):
-
-```bash
-# Linux (amd64)
-curl -L https://github.com/azophy/sshifu/releases/latest/download/sshifu-linux-amd64.tar.gz | tar xz
-sudo mv sshifu* /usr/local/bin/
-
-# macOS (Intel)
-curl -L https://github.com/azophy/sshifu/releases/latest/download/sshifu-darwin-amd64.tar.gz | tar xz
-sudo mv sshifu* /usr/local/bin/
-
-# macOS (Apple Silicon)
-curl -L https://github.com/azophy/sshifu/releases/latest/download/sshifu-darwin-arm64.tar.gz | tar xz
-sudo mv sshifu* /usr/local/bin/
-
-# Windows (amd64)
-curl -L https://github.com/azophy/sshifu/releases/latest/download/sshifu-windows-amd64.zip -o sshifu.zip
-unzip sshifu.zip
-# Move sshifu.exe to a directory in your PATH
-```
-
-#### Option 3: Build from Source
-
-Requires Go 1.25+:
-
-```bash
-go build ./cmd/sshifu
-go build ./cmd/sshifu-server
-go build ./cmd/sshifu-trust
-```
-
-## Getting GitHub OAuth Client ID & Secret
-
-To configure OAuth authentication with GitHub, you need to create a GitHub OAuth App:
-
-1. Go to your GitHub organization's settings: `https://github.com/organizations/<your-org>/settings`
-2. Navigate to **Developer settings** (left sidebar)
-3. Click **OAuth Apps** → **New OAuth App**
-4. Fill in the application details:
-   - **Application name**: `sshifu` (or any descriptive name)
-   - **Homepage URL**: Your sshifu-server public URL (e.g., `https://auth.example.com`)
-   - **Authorization callback URL**: Same as your sshifu-server public URL (e.g., `https://auth.example.com`)
-5. Click **Register application**
-6. After registration, you'll see your **Client ID** - copy it
-7. Click **Generate a new client secret** and copy the secret
-
-> ⚠️ **Important**: The client secret is only shown once. Store it securely and never commit it to version control.
-
-## Authentication Flow
-
-```
-┌──────────┐                    ┌───────────────┐                    ┌──────────┐
-│  sshifu  │                    │ sshifu-server │                    │  GitHub  │
-└────┬─────┘                    └───────┬───────┘                    └────┬─────┘
-     │                                  │                                  │
-     │  POST /api/v1/login/start        │                                  │
-     │─────────────────────────────────>│                                  │
-     │                                  │                                  │
-     │  session_id, login_url           │                                  │
-     │<─────────────────────────────────│                                  │
-     │                                  │                                  │
-     │  [Display login URL to user]     │                                  │
-     │                                  │                                  │
-     │                                  │  [User opens URL in browser]     │
-     │                                  │                                  │
-     │                                  │  Redirect to GitHub OAuth        │
-     │                                  │─────────────────────────────────>│
-     │                                  │                                  │
-     │                                  │  User authenticates              │
-     │                                  │<─────────────────────────────────│
-     │                                  │                                  │
-     │                                  │  Verify org membership           │
-     │                                  │─────────────────────────────────>│
-     │                                  │                                  │
-     │  GET /api/v1/login/status        │  Session approved                │
-     │─────────────────────────────────>│                                  │
-     │                                  │                                  │
-     │  status: approved, access_token  │                                  │
-     │<─────────────────────────────────│                                  │
-     │                                  │                                  │
-     │  POST /api/v1/sign/user          │                                  │
-     │─────────────────────────────────>│                                  │
-     │                                  │                                  │
-     │  SSH certificate                 │                                  │
-     │<─────────────────────────────────│                                  │
-     │                                  │                                  │
-     │  ssh -o CertificateFile=<cert>   │                                  │
-     │─────────────────────────────────>│                                  │
-     │         [SSH connection established]                                  │
-```
-
-## Configuration
-
-### Server Configuration
-
-| Field | Description | Default |
-|-------|-------------|---------|
-| `server.listen` | Address to listen on | `:8080` |
-| `server.public_url` | Public URL of the server | Required |
-| `ca.private_key` | Path to CA private key | `./ca` |
-| `ca.public_key` | Path to CA public key | `./ca.pub` |
-| `cert.ttl` | Certificate time-to-live | `8h` |
-| `auth.providers` | OAuth provider configurations | Required |
-
-### Certificate Extensions
-
-By default, issued certificates include:
-- `permit-pty` - Allow pseudo-terminal allocation
-- `permit-port-forwarding` - Allow TCP port forwarding
-- `permit-agent-forwarding` - Allow SSH agent forwarding
-- `permit-x11-forwarding` - Allow X11 forwarding
-
-## Project Structure
-
-```
-sshifu/
-├── cmd/
-│   ├── sshifu/          # User CLI
-│   ├── sshifu-server/   # Server component
-│   └── sshifu-trust/    # Server setup tool
-├── internal/
-│   ├── api/             # HTTP API handlers
-│   ├── cert/            # SSH certificate operations
-│   ├── config/          # Configuration loading
-│   ├── oauth/           # OAuth provider implementations
-│   ├── session/         # Login session management
-│   └── ssh/             # SSH utilities
-├── web/                 # Web frontend (login pages)
-├── config.example.yml   # Example configuration
-└── go.mod
-```
-
-## Security Considerations
-
-- **Short-lived certificates** reduce the impact of compromised keys
-- **CA private key** should be stored securely on the server
-- **GitHub organization membership** is verified on each login
-- **No long-term secrets** stored on client machines
-- **Transparent authorization** - the target server's OS determines final access permissions
-
-## Limitations (v1)
-
-The following features are intentionally out of scope for the initial release:
-
-- Role-based access control (RBAC)
-- Server access policies
-- Automatic account provisioning on SSH servers
-- Session recording or audit logging
-- Admin dashboard
-- Certificate revocation
-
-## Requirements
-
-- OpenSSH 6.7+ (for certificate support)
-- Linux/Unix-like operating system (server components)
-- Windows, macOS, or Linux (client CLI)
-
-## License
-
-[MIT License](LICENSE)
-
-## Contributing
-
-Contributions are welcome! Please read the contributing guidelines before submitting pull requests.

package/bin/sshifu-server.js

@@ -1,33 +0,0 @@
-#!/usr/bin/env node
-
-/**
- * sshifu-server CLI wrapper
- * Executes the sshifu-server binary from the bin directory
- */
-
-const { spawn } = require('child_process');
-const path = require('path');
-const fs = require('fs');
-
-const binName = process.platform === 'win32' ? 'sshifu-server.exe' : 'sshifu-server';
-const binPath = path.join(__dirname, binName);
-
-if (!fs.existsSync(binPath)) {
-  console.error(`Error: sshifu-server binary not found at ${binPath}`);
-  console.error('The postinstall script may have failed. Try running:');
-  console.error('  npm rebuild sshifu');
-  process.exit(1);
-}
-
-const child = spawn(binPath, process.argv.slice(2), {
-  stdio: 'inherit',
-});
-
-child.on('error', (err) => {
-  console.error(`Failed to start sshifu-server: ${err.message}`);
-  process.exit(1);
-});
-
-child.on('close', (code) => {
-  process.exit(code);
-});

package/bin/sshifu-trust.js

@@ -1,33 +0,0 @@
-#!/usr/bin/env node
-
-/**
- * sshifu-trust CLI wrapper
- * Executes the sshifu-trust binary from the bin directory
- */
-
-const { spawn } = require('child_process');
-const path = require('path');
-const fs = require('fs');
-
-const binName = process.platform === 'win32' ? 'sshifu-trust.exe' : 'sshifu-trust';
-const binPath = path.join(__dirname, binName);
-
-if (!fs.existsSync(binPath)) {
-  console.error(`Error: sshifu-trust binary not found at ${binPath}`);
-  console.error('The postinstall script may have failed. Try running:');
-  console.error('  npm rebuild sshifu');
-  process.exit(1);
-}
-
-const child = spawn(binPath, process.argv.slice(2), {
-  stdio: 'inherit',
-});
-
-child.on('error', (err) => {
-  console.error(`Failed to start sshifu-trust: ${err.message}`);
-  process.exit(1);
-});
-
-child.on('close', (code) => {
-  process.exit(code);
-});

package/scripts/install.js

@@ -1,272 +0,0 @@
-#!/usr/bin/env node
-
-/**
- * Postinstall script for sshifu
- * Downloads the appropriate binary for the current platform from GitHub Releases
- */
-
-const https = require('https');
-const fs = require('fs');
-const path = require('path');
-const os = require('os');
-const zlib = require('zlib');
-const { execSync } = require('child_process');
-
-const PACKAGE_NAME = 'sshifu';
-const BINARIES = ['sshifu', 'sshifu-server', 'sshifu-trust'];
-const DOWNLOAD_TIMEOUT = 60000; // 60 seconds
-
-// Map npm platform/arch to Go GOOS/GOARCH
-const PLATFORM_MAP = {
-  'linux-x64': { os: 'linux', arch: 'amd64' },
-  'linux-arm64': { os: 'linux', arch: 'arm64' },
-  'linux-arm': { os: 'linux', arch: 'arm' },
-  'darwin-x64': { os: 'darwin', arch: 'amd64' },
-  'darwin-arm64': { os: 'darwin', arch: 'arm64' },
-  'win32-x64': { os: 'windows', arch: 'amd64' },
-};
-
-function getPlatformInfo() {
-  const npmPlatform = `${process.platform}-${process.arch}`;
-  const mapped = PLATFORM_MAP[npmPlatform];
-
-  if (!mapped) {
-    throw new Error(
-      `Unsupported platform: ${npmPlatform}\n` +
-      `Supported platforms: ${Object.keys(PLATFORM_MAP).join(', ')}`
-    );
-  }
-
-  return mapped;
-}
-
-function getBinaryExtension() {
-  return process.platform === 'win32' ? '.exe' : '';
-}
-
-function getArchiveExtension() {
-  return process.platform === 'win32' ? '.zip' : '.tar.gz';
-}
-
-function getDownloadUrl(version, platformInfo) {
-  const ext = getArchiveExtension();
-  const archiveName = `${PACKAGE_NAME}-${platformInfo.os}-${platformInfo.arch}${ext}`;
-  return `https://github.com/azophy/sshifu/releases/download/${version}/${archiveName}`;
-}
-
-function getLatestVersion() {
-  return new Promise((resolve, reject) => {
-    const options = {
-      hostname: 'api.github.com',
-      path: '/repos/azophy/sshifu/releases/latest',
-      method: 'GET',
-      headers: {
-        'User-Agent': 'sshifu-npm-installer',
-        'Accept': 'application/vnd.github.v3+json',
-      },
-    };
-
-    const req = https.get(options, (res) => {
-      let data = '';
-
-      res.on('data', (chunk) => {
-        data += chunk;
-      });
-
-      res.on('end', () => {
-        if (res.statusCode === 200) {
-          try {
-            const parsed = JSON.parse(data);
-            resolve(parsed.tag_name || parsed.name);
-          } catch (e) {
-            reject(new Error('Failed to parse GitHub API response'));
-          }
-        } else {
-          reject(new Error(`GitHub API returned status ${res.statusCode}`));
-        }
-      });
-    });
-
-    req.on('error', reject);
-    req.on('timeout', () => {
-      req.destroy();
-      reject(new Error('Request timed out'));
-    });
-  });
-}
-
-function downloadFile(url, totalBytes = 0) {
-  return new Promise((resolve, reject) => {
-    const options = {
-      headers: {
-        'User-Agent': 'sshifu-npm-installer',
-      },
-      timeout: DOWNLOAD_TIMEOUT,
-    };
-
-    https.get(url, options, (res) => {
-      if (res.statusCode === 301 || res.statusCode === 302) {
-        // Follow redirect
-        downloadFile(res.headers.location, totalBytes).then(resolve).catch(reject);
-        return;
-      }
-
-      if (res.statusCode !== 200) {
-        reject(new Error(`Download failed with status ${res.statusCode}`));
-        return;
-      }
-
-      const chunks = [];
-      let downloaded = 0;
-
-      res.on('data', (chunk) => {
-        downloaded += chunk.length;
-        chunks.push(chunk);
-      });
-
-      res.on('end', () => {
-        resolve(Buffer.concat(chunks));
-      });
-    }).on('error', reject)
-      .on('timeout', () => {
-        reject(new Error('Download timed out'));
-      });
-  });
-}
-
-function extractArchive(archiveData, destDir) {
-  const ext = getArchiveExtension();
-  
-  if (ext === '.tar.gz') {
-    return new Promise((resolve, reject) => {
-      const tar = require('child_process').spawn('tar', ['xzf', '-', '-C', destDir], {
-        stdio: ['pipe', 'inherit', 'inherit'],
-      });
-      
-      tar.on('close', (code) => {
-        if (code === 0) resolve();
-        else reject(new Error(`tar exited with code ${code}`));
-      });
-      
-      tar.stdin.write(archiveData);
-      tar.stdin.end();
-    });
-  } else if (ext === '.zip') {
-    // For Windows, write to temp file and extract
-    const tempFile = path.join(destDir, 'temp.zip');
-    fs.writeFileSync(tempFile, archiveData);
-    
-    try {
-      // Try PowerShell first
-      execSync(`powershell -command "Expand-Archive -Path '${tempFile}' -DestinationPath '${destDir}' -Force"`, {
-        stdio: 'inherit',
-      });
-      fs.unlinkSync(tempFile);
-      return Promise.resolve();
-    } catch (e) {
-      // Fallback to other methods if needed
-      fs.unlinkSync(tempFile);
-      return Promise.reject(new Error('Failed to extract zip archive'));
-    }
-  }
-  
-  return Promise.reject(new Error(`Unsupported archive format: ${ext}`));
-}
-
-function makeExecutable(filePath) {
-  if (process.platform !== 'win32') {
-    fs.chmodSync(filePath, 0o755);
-  }
-}
-
-async function install() {
-  console.log(`🔐 ${PACKAGE_NAME} installer`);
-  console.log('========================\n');
-
-  const platformInfo = getPlatformInfo();
-  const binExt = getBinaryExtension();
-
-  console.log(`Platform: ${process.platform}-${process.arch}`);
-  console.log(`Mapped to: ${platformInfo.os}-${platformInfo.arch}\n`);
-
-  // Determine version
-  let version;
-  try {
-    version = process.env.SSHIFU_VERSION || await getLatestVersion();
-  } catch (e) {
-    console.error(`Failed to get version: ${e.message}`);
-    console.error('\nFalling back to latest release...');
-    version = 'v0.2.2';
-  }
-  console.log(`Version: ${version}`);
-
-  // Get download URL
-  const downloadUrl = getDownloadUrl(version, platformInfo);
-  console.log(`Downloading from: ${downloadUrl}\n`);
-
-  // Download archive
-  console.log('Downloading archive...');
-  let archiveData;
-  try {
-    archiveData = await downloadFile(downloadUrl);
-    console.log(`Downloaded ${Math.round(archiveData.length / 1024)} KB`);
-  } catch (e) {
-    console.error(`Failed to download: ${e.message}`);
-    console.error('\nMake sure you have a stable internet connection.');
-    console.error('If the problem persists, download manually from:');
-    console.error('https://github.com/azophy/sshifu/releases\n');
-    console.error('Then extract to: ' + path.join(__dirname, '..', 'bin'));
-    process.exit(1);
-  }
-
-  // Create bin directory
-  const binDir = path.join(__dirname, '..', 'bin');
-  if (!fs.existsSync(binDir)) {
-    fs.mkdirSync(binDir, { recursive: true });
-  }
-
-  // Create temp directory for extraction
-  const tempDir = fs.mkdtempSync(path.join(os.tmpdir(), `${PACKAGE_NAME}-`));
-
-  try {
-    // Extract archive
-    console.log('Extracting binaries...');
-    await extractArchive(archiveData, tempDir);
-
-    // Move binaries to bin directory
-    console.log('Installing binaries...');
-    for (const binary of BINARIES) {
-      const srcName = binary + binExt;
-      const srcPath = path.join(tempDir, srcName);
-      const destPath = path.join(binDir, srcName);
-
-      if (fs.existsSync(srcPath)) {
-        fs.copyFileSync(srcPath, destPath);
-        makeExecutable(destPath);
-        console.log(`  ✓ ${binary}${binExt}`);
-      } else {
-        console.warn(`  ⚠ ${binary}${binExt} not found in archive`);
-      }
-    }
-
-    console.log('\n✅ Installation complete!');
-    console.log(`\nYou can now run:`);
-    console.log(`  ${BINARIES.map(b => b + binExt).join(', ')}`);
-    console.log(`\nOr use npx:`);
-    console.log(`  npx sshifu <server> <target>`);
-
-  } catch (e) {
-    console.error(`Installation failed: ${e.message}`);
-    console.error('\nStack:', e.stack);
-    process.exit(1);
-  } finally {
-    // Cleanup temp directory
-    try {
-      fs.rmSync(tempDir, { recursive: true, force: true });
-    } catch (e) {
-      // Ignore cleanup errors
-    }
-  }
-}
-
-install();