Welcome. Good afternoon. My name is Michele and I will talk to you about Theo, this tool I wrote with some friends, and you can find it on GitHub. So, let's start. So, okay, I'm a dad, first of all, a full stack developer, and I'm an avid music listener. I live in Milan, I was born in Milan, I still live in Milan.

So, let's start with some words I will use during this speech. When you hear host, it's the computer you want to connect to through SSH, so where SSHD is running. User is the login name, the operating system user you want to connect to via SSH, and account is whoever connects, physical person or virtual account. Basically, it's the private key owner.

So, why? I use several laptops and I manage several servers and I work with different teams. So, what happens when a new laptop or a new desktop has to be activated and an old laptop or desktop has to be dismissed, or we are going to install a new server, or a new member joins our team, or worse, a current member leaves the team? Well, you need to update your authorised keys everywhere. Of course, if you can use it, then fine; if you don't, I think you should. So, I do this kind of stuff myself, or some other teammates do, because it's very error prone: files are scattered in several places, so it's a full matrix of user and host. At the same time, it's critical but monkey work. I mean, you have to do the same things over and over, so you have to copy and paste your SSH key, copy it around your servers. And if I forget to add the key, someone will complain she can't do her job, and at the same time, if you forget to remove a key, someone will have access to the host while she shouldn't. So, at the same time, you miss the full picture. I mean, did I forget to add the key on some host or user? And there's no way to verify it but checking everything. So, the other question is, who can access this host, maybe with this user? You have to cat the authorised keys files and remember who was the owner of each public key.
And so, I want a single place to manage all of this stuff. Then what? Okay, we can rely on configuration management: Ansible, Puppet, Chef or whatever you choose. Or, since OpenSSH 6.2, which is quite old, five years old, a new option is available. It's called AuthorizedKeysCommand. How many of you know this command? This option? Okay. AuthorizedKeysCommand supports fetching authorised keys from a command's standard output, beside or instead of the file system. And, okay, I got it, I want this. And thanks to Gianni, who is here, hiding over there.

So, the idea is to store accounts, public keys and permissions in a single place and serve them through HTTPS to each host. So, from whatever client, you SSH with a user name, the OS user, to the host. The host fetches authorised keys from an external server and it passes the host name and the user. So, like this: get authorised keys, host name and user. The server, Theo in this case, looks up the keys which are authorised for the user, a.user in the example, on host server1. If it finds any, it returns them to the host, like a normal authorised keys file.

So, this is Theo. Theo does exactly this. It has three components. The first one is the Theo server, where you will store the public keys, the accounts and the permissions. Then we have the Theo agent. Theo agent is the command that SSHD will run when a new connection is requested. And then we have the Theo CLI, which is the command-line tool you use to add new accounts, remove accounts, add permissions and so on.

So, let's start with the first one, Theo server. So, it's already available as a Docker image. I'm sorry, it's not. It's in the Docker Hub as theoapp/theo and you can use SQLite 3 or a MariaDB or MySQL database to store data. It supports caching per user-host authorised keys. So, if the authorised keys for this couple user-host are already in cache, it doesn't have to query the database.
You can use memcached or Redis as you prefer, and it's written in Node.js. Theo server exposes several REST APIs for manipulating what? Accounts for sure, groups, authorised keys and permissions, and they are consumed by Theo CLI. It exposes also an endpoint for fetching authorised keys, and it's consumed by the Theo agent.

So, Theo agent is easy to use because it has a self-install feature. You can execute it the first time passing the parameters you want and it will update the SSHD config and it will create the structure it needs. It keeps a per-user local copy of the authorised keys in the event that the Theo server is unreachable. So, if Theo agent is unable to reach Theo server, it will use, if present of course, the local copy. So, it's the last time it was able to fetch the authorised keys for that user. Theo agent can verify authorised key signatures and discard them if they are not valid. We will return to this later. And it's written in Go. We wrote an agent, yes, but it can be replaced by a shell script that calls Theo server, because it's just HTTPS. It could be slightly harder if you enable the signature verification, because you have to... it's not enough using curl.

OK, then Theo CLI is already available as an npm package. The npm package name is theoapp-cli. It supports authorised keys signatures and it's written in Node.js, of course. So, what is authorised keys signing? The problem we thought of is we need to avoid unauthorised keys being returned to SSHD. So, Theo CLI and Theo agent both support a way to sign (Theo CLI signs) and to verify (Theo agent verifies) each key. When you set up Theo CLI, you can create a certificate with a private key, and when it uploads the public key to the Theo server, it attaches also the digital signature of the key. Theo agent on the other side, when it downloads the authorised keys, receives also the digital signatures and it verifies them using the public key.
So, OK, right now we have... these slides will help you to go through the demo. And the first thing we do is to generate some tokens we will use for administration, so used by Theo CLI, and for Theo agent. In this case, we will use the first one for Theo CLI and the other two for Theo agent. We just run Theo server as a Docker image. We will see we just pass a local directory as a volume and we will pass the admin token and the client token. We will tell Docker which port we want to expose and we will run it. For Theo server that's enough.

Theo CLI, we have to install it. I installed it globally with npm. I will export two variables I need, Theo URL and Theo token, which, this one, is the admin token used before. We can also store these variables in two different places: per user in dot Theo... OK, this is a mistake. This is still enough. In the home directory it's dot Theo, not Theo CLI. Or system-wide in etc Theo CLI.

So the first thing to do is using Theo CLI to create a new account. So we just have to add a name and an email. Email, of course, must be unique. After that, we can add the public key. In this case, I will use my own public key in my own directory. And as you can see by the output, to the first account, which is the first account we created, is assigned this public key. OK, then we can create another account here, and also I will put the same public key, and do the same for the third account. At this point, I'm going to create a group. A group is a way to assign the same permission to a group of users. So first I create a group and then I will add some users, some accounts, to the same group. Now I can assign permission to the group. So I can say all the accounts of the group developers are granted to log in as user node to the host test server. At the same time, I can add permission to a single account, of course. So in this case, I will say that the account sysop at example.com is granted to SSH as user admin on test server.
You can have a quick overview using the command groups get developers and it will list all the accounts that are in this group and the permissions of the group. The same thing you can do for a single account and it will return all the public keys associated with this account and all the groups it's in, and at the same time also the permissions. And that's all.

Now we have to configure Theo agent. The easiest way is to download from GitHub. You can download the latest binary and after you downloaded it, you have to add the execution bit. Then you can create a specific user. In this case, it has no shell, so it's /bin/false. It has no login. And at this point, you can use this install feature and say, with this command, you say: okay, install me, don't ask me anything, do the default, add this URL as the server and use this token to connect. You have to reload SSHD after that. Before logging out from the server, I suggest to check that everything is working, so you can execute... It's done. Okay, sorry. That's all. But basically after you do that, you should be able to log in from your local machine using the key as the users you defined before. So that's it.