forked from spotify/crtauth
a public key backed client/server authentication system
License
negz/crtauth
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Folders and files
Name | Name | Last commit message | Last commit date | |
---|---|---|---|---|
Repository files navigation
crtauth - a public key backed client/server authentication system The latest version of this software can be fetched from https://github.com/spotify/crtauth crtauth is a system for authenticating a user to a centralized server. The initial use case is to create a convenient authentication for command line tools that interacts with a central server without resorting to authentication using a shared secret, such as a password. crtauth leverages the public key cryptography mechanisms that is commonly used by ssh(1) to authenticate users to remote systems. The goal of the system is to make the user experience as seamless as possible using the ssh-agent program to manage access to encrypted private keys without asking for a password each time the command is run The name of the project is derived from the central concepts challenge, response, token and authentication, while at the same time reminding us old timers of the soon to be forgotten cathode ray tube screen technology. Technical details ----------------- Command line tools that connect to a central server to perform some action or fetch some information can be a very useful thing. Let's say you have a service that exposes information about servers using an http based API. The basic operation of the protocol follows the following pattern # The client requests a challenge from the server, providing a username. # The server creates a challenge that gets sent back to the client. # The client signs the challenge and returns the response to the server. # The server verifies that the response is valid and if so it issues an access token to the client. # The access token is provided to when calling protected services. # The server validates that the token is valid and if so, provides access to the client. The that implement this mechanism has two parts, one for the server and one for the client. A server that wants to authenticate clients instantiates an AuthServer instance (defined in the crtauth.server module) with a secret and a KeyProvider instance as constructor arguments. The very simple FileKeyProvider reads public keys from a filesystem directory. Once there is an AuthServer instance, it can generate a challenge string for a specific user using the create_challenge() method. The client part of the mechanism is also contained in the crtauth.server module, in the create_response() function. It takes a challenge string provided by the server and returns a response string suitable for sending back to the server. The server in turn validates the response from the client and if it checks out it returns an access token that can be used by the client to make authenticated requests. This validation is done in the create_token() method of the AuthServer class. For subsequent calls to protected services, the provided access token can be verified using the validate_token() method of the AuthServer instance. License ------- crtauth is free software, this code is released under the Apache Software License, version 2. The original code is written by Noa Resare with contributions from John-John Tedro, Erwan Lemmonier, Martin Parm and Gunnar Kreitz All code is Copyright (c) 2011-2013 Spotify AB
About
a public key backed client/server authentication system
Resources
License
Stars
Watchers
Forks
Packages 0
No packages published
Languages
- Python 100.0%