
Here is my situation: There are a number of developers who all need to have access to be able to install ruby gems and python eggs from a remote source. Currently, we have a server inside our firewall that hosts the gems and eggs. We now want the ability to be able to install things hosted on that server outside of our firewall. Since some of the gems and eggs that we host are proprietary, I would like to somewhat lock access to that machine down, as unobtrusively as possible to the developers.

My first thought was using something like ssh keys. So, I spent some time looking at SSL mutual authentication. I was able to get everything set up and working correctly, testing with curl, but the unfortunate thing was that I had to pass extra arguments to curl so it knows about the certificate, key and certificate authority.

I was wondering if there is anything like the ssh agent that I can set up to provide that information automatically, so that I can push the certificates and keys to the developers' machines and the developers don't have to log in or provide keys each time they try to install something.

Another thing that I want to avoid is having to modify the 'gem' command and the 'pip' command to provide keys when they make the http connection.

Any other suggestions that may solve this problem (not related to ssl mutual auth) are also welcome.

EDIT: I've been continuing to research this and I came across stunnel. I think this may be what I'm looking for; any feedback regarding stunnel would also be great!

Matthew J Morrison
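An added, runnable illustration of the mutual-authentication handshake described above (my own example, not the questioner's setup or code from the site), written with Ruby's bundled OpenSSL since the clients involved are gem and pip. It builds a throw-away PKI in memory (the CA name, the server name gems.internal.example and the developer names are all constructed here), then runs four handshakes over an in-process socket pair: a CA-issued developer certificate is accepted and the server learns who connected; a client with no certificate is refused; a client with a self-signed certificate the CA never issued is refused; and, the case worth checking on any server you deploy, a server configured with VERIFY_PEER alone merely requests a certificate and lets an anonymous client through unless VERIFY_FAIL_IF_NO_PEER_CERT is also set. The client side verifies the server's chain and hostname against the internal CA, which is what the extra curl arguments in the question were doing by hand.

```ruby
require "openssl"
require "socket"

SERVER_NAME = "gems.internal.example"   # assumed hostname of the gem/egg server

# Issue an X.509v3 certificate signed by issuer_key. Without issuer_cert the
# certificate is self-signed (used for the CA and for the rogue certificate).
def issue_cert(cn, key, serial, issuer_cert: nil, issuer_key: key, ca: false, dns: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.new([["CN", cn]])
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  if ca
    cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
  else
    cert.add_extension(ef.create_extension("extendedKeyUsage", dns ? "serverAuth" : "clientAuth"))
    cert.add_extension(ef.create_extension("subjectAltName", "DNS:#{dns}")) if dns
  end
  cert.sign(issuer_key, OpenSSL::Digest.new("SHA256"))
end

# Constructed throw-away PKI: one internal CA, the gem server, one developer,
# plus a self-signed certificate that the CA never issued.
CA_KEY      = OpenSSL::PKey::RSA.new(2048)
CA_CERT     = issue_cert("Example Internal CA", CA_KEY, 1, ca: true)
SERVER_KEY  = OpenSSL::PKey::RSA.new(2048)
SERVER_CERT = issue_cert(SERVER_NAME, SERVER_KEY, 2, issuer_cert: CA_CERT, issuer_key: CA_KEY, dns: SERVER_NAME)
DEV_KEY     = OpenSSL::PKey::RSA.new(2048)
DEV_CERT    = issue_cert("dev-alice", DEV_KEY, 3, issuer_cert: CA_CERT, issuer_key: CA_KEY)
ROGUE_KEY   = OpenSSL::PKey::RSA.new(2048)
ROGUE_CERT  = issue_cert("dev-mallory", ROGUE_KEY, 4)

# Server side. VERIFY_PEER on its own only *requests* a client certificate;
# an anonymous client still gets in unless VERIFY_FAIL_IF_NO_PEER_CERT is set.
def server_context(require_client_cert: true)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = SERVER_CERT
  ctx.key = SERVER_KEY
  ctx.cert_store = OpenSSL::X509::Store.new.tap { |s| s.add_cert(CA_CERT) }
  ctx.client_ca = [CA_CERT]
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  ctx.verify_mode |= OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT if require_client_cert
  ctx
end

# Client side: always verify the server's chain and hostname against the CA;
# present a client certificate only when one is given.
def client_context(cert: nil, key: nil)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  ctx.verify_hostname = true
  ctx.cert_store = OpenSSL::X509::Store.new.tap { |s| s.add_cert(CA_CERT) }
  ctx.cert, ctx.key = cert, key if cert
  ctx
end

# Run one handshake over an in-process socket pair (no network needed). The server
# reports the authenticated CN, "anonymous", or :rejected; the client :ok or :rejected.
def handshake(server_ctx, client_ctx)
  srv_io, cli_io = Socket.pair(:UNIX, :STREAM, 0)
  server = Thread.new do
    ssl = OpenSSL::SSL::SSLSocket.new(srv_io, server_ctx)
    ssl.accept
    peer = ssl.peer_cert
    ssl.puts("ok")
    ssl.close
    peer ? peer.subject.to_a.assoc("CN")[1] : "anonymous"
  rescue OpenSSL::SSL::SSLError, IOError, SystemCallError
    :rejected
  ensure
    srv_io.close
  end
  begin
    ssl = OpenSSL::SSL::SSLSocket.new(cli_io, client_ctx)
    ssl.hostname = SERVER_NAME            # SNI, and the name checked against the cert
    ssl.connect
    ssl.post_connection_check(SERVER_NAME)
    client = ssl.gets == "ok\n" ? :ok : :rejected   # a TLS 1.3 server rejects after connect
    ssl.close
  rescue OpenSSL::SSL::SSLError, IOError, SystemCallError
    client = :rejected
  ensure
    cli_io.close
  end
  { client: client, server: server.value }
end

if __FILE__ == $PROGRAM_NAME
  p handshake(server_context, client_context(cert: DEV_CERT, key: DEV_KEY))   # dev-alice
  p handshake(server_context, client_context)                                # both :rejected
  p handshake(server_context(require_client_cert: false), client_context)    # "anonymous"!
  p handshake(server_context, client_context(cert: ROGUE_CERT, key: ROGUE_KEY))
end
```

The results are returned rather than printed so the same functions can be driven from a test. The third case is the one to check on whatever front end ends up serving the gems: every TLS server stack has a separate switch for "request a client certificate" versus "require one" (in nginx, for instance, ssl_verify_client optional versus on), and only the latter keeps proprietary packages behind the certificate.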

4 Answers


A bit specific for HPC and the grid's Grid Security Infrastructure (APIs are public and available). MyProxy allows users to obtain RFC 3820 proxy credentials. You'd basically obtain the proxy certificate (short lived) after the original certificate's credentials have been verified by MyProxy. curl should work with RFC 3820 certificates. There's also an SSH available that can use GSI. See MyProxy - the X.509 credential manager.

pfo
    You'd need to configure the server to accept proxy certificates. (This can be done easily, even on a plain Apache Httpd server.) – Bruno Jun 15 '12 at 21:51

(You're not saying which platform you're using.)

On OSX, the Keychain could handle this. Although it's not quite the same as ssh-agent, you can configure it to allow access to the private key by certain applications (with or without prompting, depending on the settings you choose).

On Linux, you could use the Gnome Keyring, which has similar objectives. I'm not sure whether it offers the same granularity as OSX's Keychain, in terms of granting different rights per application, but you can also unlock it upon login.

Bruno
  • Thanks for the response, I will look into those. We have developers on OSX, different linux distros as well as... ahem... windows. I'm not too concerned about supporting windows, though. – Matthew J Morrison Jun 15 '12 at 22:16

Why not use IPsec to set up a trusted tunnel for the services you need? It'll be a bit more work for you to set up and configure the first time, but thereafter it can be transparent.

The same can be true using SSH (let the sessions linger for a long time). This can be done with a password required once at the beginning of an SSH session or, if it's okay, you can choose to use asymmetric keys without a password. You will have to make a config change or DNS tweak to get the names to work properly if you are using SSH, since you will have to hit the local forwarding port with your client to reach the remote server.

Ram
  • Will I have to know all of the client IPs in advance for this to work? I will not know what the client machine IP addresses are, because developers will be able to connect from home as well as in the office. – Matthew J Morrison Jun 18 '12 at 14:37
  • You can use client certificates to authenticate your developers, so it will work from anywhere they have unfettered network access. This is what many companies use for remote access for those who need something more than email or Exchange access. – Ram Jun 18 '12 at 16:49

I ended up taking a completely different approach. I set up a server outside of the firewall using Nginx with SSL and BasicAuth. This has been working out very well.

Matthew J Morrison