We added SSH certificates support to pico.sh [1] and it's been great. Utilizing principals gave us the ability to implement a RBAC like system for specific parts of the pico.sh ecosystem. Users get the flexibility they want with limited complexity.
Currently, you can either provide the `BORG_REPO_PERMISSIONS` env var to borg [0] or `--permissions` flag to `borg serve` [1]. You can then enforce this as part of your `authorized_keys` command, for example.
This has been replaced with a permissions feature that still provides both delete and overwrite protections. The difference is the underlying store needs to implement it rather than running a server that understands the permission differences. You can read more about this change here: https://github.com/borgbackup/borg/issues/8823#issuecomment-...
We’re actually using Unix sockets as the underlying transport layer for this. We’re also not using sshd, we custom wrote our own daemon that’s entire job is tunneling. If you’re curious about this, you can find the project here: https://github.com/antoniomika/sish
sish was actually my first foray into SSH apps. It was a lot of fun to write and pretty much implements tunnels with a routing system on top. It manages connectivity, routing, and reverse proxying all within user space. No namespaces required!
tuns can actually even tunnel UDP traffic over SSH, also entirely in user space. Docs for that can be found here: https://pico.sh/tuns#udp-tunneling
We're actually fully open source and all development occurs in the open! Here's the repo https://github.com/picosh/pico and you can find us on Libera IRC
I'd actually highly recommend taking a look at vaxis (https://github.com/rockorager/vaxis). We've moved away from wish/bubbletea and have really enjoyed working with vaxis!
We recently changed our tui framework and the functionality for focus is a bit different. You might have to hit <tab> until `ADD` is highlighted. You can also rsync/scp/sftp an authorized_keys file and we'll add that to your account!
And we're still free! Just added some payments to help keep things running smoothly and allow us to invest in more infrastructure. pgs (static sites) and tuns (tunneling) are both multi-region for example.
Honestly never had a chance to merge it/review it. Once the company wound down, I had to move onto other things (find a new job, work on other priorities, etc) and lost access to be able to do anything with it after. I thought about forking it and modernizing it but never came to fruition.
I wrote a system that did this >5 years ago (luckily was able to open source it before the startup went under[0]). The bastion would record ssh sessions in asciicast v2 format and store those for later playback directly from a control panel. The main issue that still isn't solved by a solution like this is user management on the remote (ssh server) side. In a more recent implementation, integration with LDAP made the most sense and allows for separation of user and login credentials. A single integrated solution is likely the holy grail in this space.
Nope! I utilize env files for all of my password/privileged settings. In the command entry for docker-compose.yml, you can then use a non-templated env var (one that docker-compose itself doesn't fill) by replacing a single dollar sign with two. That then loads the credential from the environment instead of command line.
[1] https://pico.sh/access-control#ssh-certificates