Kanav Gupta — April 05, 2020

Easy Access Distribution using Keyhouse and Watchdog

Access distribution is always a problem. Every organization is looking for an easy way to do access management, but at the same time, also wants to ensure security. We at SDSLabs also need to ensure that the server which is responsible for access management is always live, or one might end up being locked out of the server. Hence we developed a tool to address this problem, which started as a couple of bash scripts but is now a Rust project. It is called Watchdog, and the ever-live database is called Keyhouse.

Motivation and Design

So what made us develop Watchdog? We wanted a tool that is -

Extremely easy to use Watchdog aims to be a tool that saves us from the hassle of adding and removing ssh keys from the authorized_keys file, and replaces it with simpler steps.
Has a simple and auditable codebase With just 700 lines of code, this tool is very easy to understand. Anyone can just casually look into the source repository to understand how it works. We also welcome your contributions :)
Non reliant on servers Access control should not be reliant on a machine that is prone to shutdowns or servers prone to high downtime.

What is Keyhouse?

What do we do if we cannot ensure a database that is almost always live? Well, host your database as a GitHub repository ;) That’s what we did, and it has worked very well.

The first thing to look at should be the structure of Keyhouse.

tl;dr the file keys contains the SSH Keys of all members, and the hosts folder contains a file for each server which contains access configuration.

Let’s have a look at Keyhouse.

To register yourself as a part of an organization (and get a username), add your SSH key to file data/keys in the format name|ssh-key. Make sure the name you choose doesn’t collide with someone else’s.

To gain access to user study in the server called ratchet, we edit the file data/hosts/ratchet to add the line name|study at the bottom, open a pull request

and get it merged by an admin.

As simple as that! You got access to study@ratchet (no, not really, we won’t give you access to our ratchet).

What is Watchdog?

As we mentioned it earlier, Watchdog is a rust binary installed on the server which communicates with the Keyhouse repository to check for privileges, and notifies of any login attempts, successful or otherwise, through Slack messages. As an added feature, we also notify you about any administrative activities like sudo.

It works by plugging callbacks to the commands sudo, su, and ssh using Pluggable Authentication Module (PAM) (to send messages to Slack) and SSH Authorization Keys Command (to authenticate with Keyhouse).

The Road Ahead

We are working on developing a simple web application for the Keyhouse repository, where a user can request access from admins by automatically making a PR to the repository by submitting a form on the webpage. We are also working on the issue that the sudo notifications don’t show which user invoked them. This issue is a priority for us at the moment.

Check out the project homepage at https://watchdog.sdslabs.co to set up Watchdog for your machine. You can also check out the source code for Watchdog at https://github.com/sdslabs/watchdog. We would love your valuable contributions and feedback to the project there. Up for a chat? Head to https://chat.sdslabs.co. Ciao!