{ "info": { "author": "Danny Grove ", "author_email": "", "bugtrack_url": null, "classifiers": [ "Development Status :: 4 - Beta", "Intended Audience :: Developers", "Intended Audience :: End Users/Desktop", "Intended Audience :: System Administrators", "License :: OSI Approved :: Apache Software License", "Operating System :: OS Independent", "Programming Language :: Python :: 3", "Programming Language :: Python :: 3.6", "Programming Language :: Python :: 3 :: Only", "Topic :: Internet", "Topic :: Security", "Topic :: Security :: Cryptography", "Topic :: Software Development :: Libraries :: Python Modules" ], "description": "# Mutual TLS Client (mtls) #\n\n[![Known Vulnerabilities](https://snyk.io/test/github/drGrove/mtls-client/badge.svg)](https://snyk.io/test/github/drGrove/mtls-client)\n\n## Runtime Dependencies ##\n\n* gnupg\n* libnss (certutil/pk12util on linux/windows, security on MacOS)\n\n## Overview ##\n\nA mutual TLS (mTLS) system for authenticating users to services that need to be on the internet, but should only be\naccessible to users that specifically need it. This should be used as an initial security measure on top of normal login\nto handle multi-factor authentication.\n\nThe client generates a Certificate Signing Request (CSR) and uses a web of trust to ensure the user is authorized to\nreceive a short-lived client certificate. Short-lived certificates have a default timeout of 18 hours, but can be\nextended per need.\n\nThis system uses some of the base NSS primitives found in base tools for the associated operating systems.\n\nThis project currently works in the following OSes:\n\n* Linux (Arch/Ubuntu tested)\n* MacOS\n\nThis project is based on the whitepapers for [Beyond Corp](https://www.beyondcorp.com/), which is Google's Zero Trust\nSecurity Model.\n\n## Background ##\n\n### What is Mutual TLS? 
###\n\nMutual TLS is a sub-category of [Mutual Authentication](https://en.wikipedia.org/wiki/Mutual_authentication), where the\nclient and server, or server and server, verify the identity of one another to ensure that both parties should be\nallowed to access the requested information.\n\n### What is this Good For? ###\n\nCreating services that inherently trust no one unless specifically authorized. This provides the basis for a zero\ntrust, multi-factor authentication scheme while also timeboxing access to the requested service in case of compromise or\nloss of access keys.\n\n### What parts of my system are affected by this? ###\n\nThis uses 2 certificate stores within your system. The primary is held at `~/.pki/nssdb`, which is the default nssdb that\nmost of the OS trusts. A secondary nssdb will exist within `.mozilla/firefox/`, which is a Firefox-specific nssdb and is\nrequired to interface with any Mozilla products. There are slightly different commands that are required depending on\nthe operating system.\n\nTo list certificates via the command line on Linux:\n`certutil -L -d ~/.pki/nssdb`\n\nTo verify a certificate via the command line on Linux:\n`certutil -V -u C -d ~/.pki/nssdb -n ' - @'`\n\nA Root certificate is required for this. The CLI will by default pull the Root CA and install it into your Trust Store\nas a Trusted Root Certificate.\n\n## Installation ##\n\n### Building From Source ###\n\n```shell\n$ git clone https://github.com/drGrove/mtls-cli\n$ make build\n# If you'd like to install directly into ~/.local/bin you can also use\n$ make install\n```\n\n### Using The Latest Release ###\n\nThere are signed binaries that are shipped along with each release. To use a binary you can do the following:\n\n```shell\n$ VERSION= (ex. 
VERSION=v0.8.0)\n$ wget https://github.com/drGrove/mtls-cli/releases/download/$VERSION/mtls-$VERSION.tar.gz\n$ tar zxvf mtls-$VERSION.tar.gz\n$ cd mtls\n$ sha256sum mtls && cat mtls.sha256sum\n$ gpg --recv-keys C92FE5A3FBD58DD3EC5AA26BB10116B8193F2DBD\n$ gpg --verify --trust-model always mtls.sig\n# From there you can install the binary wherever you'd like in your path\n```\n\n## Configuration ##\n\nConfiguring mtls is done via a `config.ini`. There is an example in the repo [here](config.ini.example).\n\nYou'll need a similar base configuration:\n\n```ini\n[DEFAULT]\nname=John Doe\nemail=johndoe@example.com\n; PGP Fingerprint\nfingerprint=XXXXXXXX\ncountry=US\nstate=CA\nlocality=Mountain View\norganization=myhost\n```\n\nThen for each server you'd like to connect to you can create a section for that service.\n\n```ini\n[myserver]\nemail=johndoe@myserver.com\nurl=https://certauth.myserver.com\n```\n\nThe `url` should match the base URL of the Certificate Authority you'll connect to. This will allow `mtls` to make the\nrequests to generate your client certificate.\n\n## Usage ##\n\nOnce configured and provided access by a Certificate Authority Administrator you will be able to begin creating\ncertificates for yourself. By default the lifetime of your certificate is 18 hours, but Certificate Authorities are able\nto set their own minimum and maximum lifetime. Speak to a certificate authority administrator about their settings.\n\n### Creating A Certificate ###\n\n```shell\n$ mtls -s myserver certificate create\n```\n\n### Revoking A Certificate ###\n\nIf your certificate has been compromised you can revoke it prior to its expiration. 
Certificate\nAuthority Administrators can also expire certificates if they feel that you've been compromised or if they believe you\nshould no longer have access to the services.\n\nYou have a few options for revoking a certificate.\n\n#### By Serial Number ####\n\n```shell\n$ mtls -s myserver certificate revoke --serial \n```\n\n#### By Certificate Name ####\n\nCertificate names follow the convention `ISSUER - USER@HOSTNAME`. On the first connection to\na Certificate Authority, your `~/.config/mtls/config.ini` for a particular server will be updated to provide the\nissuer name as found in the Root CA Certificate. You can also find this by running `certutil -L -d ~/.pki/nssdb` or\nviewing the certificate in Chrome or Firefox.\n\n```shell\n$ mtls -s myserver certificate revoke --name \n```\n\n#### By Fingerprint ####\n\nNOTE: This will revoke all certificates related to a particular fingerprint\n\n```shell\n$ mtls -s myserver certificate revoke --fingerprint \n```\n\n## Administration ##\n\nAdministration of `mtls` can be done via the CLI as well. Administrators can add and remove users as they see fit,\nbut currently an administrator needs to be removed individually from both trust stores.\n\n### Users ###\n\n#### Adding Users ####\n\n##### By Fingerprint #####\n\n```shell\n$ mtls -s myserver user add --fingerprint FINGERPRINT\n```\n\n##### By Email #####\n\nThis queries pgp.mit.edu by default and returns a list of PGP keys if more than one valid PGP key is found. You can\nquery any keyserver via the `--keyserver KEYSERVER_URL` flag.\n\n```shell\n$ mtls -s myserver user add --email johndoe@example.com\n```\n\n#### Removing Users ####\n\n##### By Fingerprint #####\n\n```shell\n$ mtls -s myserver user remove --fingerprint FINGERPRINT\n```\n\n##### By Email #####\n\nThis queries pgp.mit.edu by default and returns a list of PGP keys if more than one valid PGP key is found. 
You can\nquery any keyserver via the `--keyserver KEYSERVER_URL` flag.\n\n```shell\n$ mtls -s myserver user remove --email johndoe@example.com\n```\n\n### Administrators ###\n\n#### Adding Admins ####\n\n##### By Fingerprint #####\n\n```shell\n$ mtls -s myserver user add --fingerprint FINGERPRINT --admin\n```\n\n##### By Email #####\n\nThis queries pgp.mit.edu by default and returns a list of PGP keys if more than one valid PGP key is found. You can\nquery any keyserver via the `--keyserver KEYSERVER_URL` flag.\n\n```shell\n$ mtls -s myserver user add --email johndoe@example.com --admin\n```\n\n#### Removing Admins ####\n\n##### By Fingerprint #####\n\n```shell\n$ mtls -s myserver user remove --fingerprint FINGERPRINT --admin\n```\n\n##### By Email #####\n\nThis queries pgp.mit.edu by default and returns a list of PGP keys if more than one valid PGP key is found. You can\nquery any keyserver via the `--keyserver KEYSERVER_URL` flag.\n\n```shell\n$ mtls -s myserver user remove --email johndoe@example.com --admin\n```\n\n## Development ##\n\n### Dependencies ###\n\n* make\n* pip\n* pipenv\n* gnupg\n* libnss (certutil/pk12util on linux/windows, security on MacOS)\n\n### Getting Started ###\n\nTo begin development run the following commands:\n\n```shell\nmake setup\nmkdir ~/.config/mtls\ncp config.ini.example config.ini\n```\n\nNOTE: You will need to add a server to communicate with. The URL must have a scheme.\n\nYou can run without compiling by using:\n\n```shell\nmake run SERVICE=myservice\n```\n\nTo build a binary:\n\n```shell\nmake build\n```\n\nNOTE: This will output to an mtls folder within the root of the project. 
This folder has been gitignored and only\nartifacts of the build belong in this directory\n\n\n", "description_content_type": "text/markdown", "docs_url": null, "download_url": "", "downloads": { "last_day": -1, "last_month": -1, "last_week": -1 }, "home_page": "https://github.com/drGrove/mtls-cli", "keywords": "", "license": "", "maintainer": "", "maintainer_email": "", "name": "mtls", "package_url": "https://pypi.org/project/mtls/", "platform": "", "project_url": "https://pypi.org/project/mtls/", "project_urls": { "Homepage": "https://github.com/drGrove/mtls-cli", "Source": "https://github.com/drGrove/mtls-cli", "Tracker": "https://github.com/drGrove/mtls-cli/issues" }, "release_url": "https://pypi.org/project/mtls/0.10.4/", "requires_dist": [ "cryptography", "python-gnupg", "urllib3", "requests", "click", "pyOpenSSL" ], "requires_python": ">=3.6", "summary": "A short-lived certificate tool based on the Zero Trust network mode", "version": "0.10.4" }, "last_serial": 5464839, "releases": { "0.10.4": [ { "comment_text": "", "digests": { "md5": "5ed79c56f41ade6686a014c559d24bd4", "sha256": "11c8b1ad502234201b35357d35cb56fcdfe5e2665cfbbb28fc43902d8fae4611" }, "downloads": -1, "filename": "mtls-0.10.4-py3-none-any.whl", "has_sig": true, "md5_digest": "5ed79c56f41ade6686a014c559d24bd4", "packagetype": "bdist_wheel", "python_version": "py3", "requires_python": ">=3.6", "size": 310957, "upload_time": "2019-06-29T08:54:15", "url": "https://files.pythonhosted.org/packages/17/c2/ee546055499752ad74c4e5663670a3d700730ac7c1d33ae03d768971bf54/mtls-0.10.4-py3-none-any.whl" }, { "comment_text": "", "digests": { "md5": "728c72832d52c4bc6a540732f692592e", "sha256": "15d89440da35ba7cedaffed4ba6e5a7a1f0eb428ad4c79794433eda6f132f83f" }, "downloads": -1, "filename": "mtls-0.10.4.tar.gz", "has_sig": true, "md5_digest": "728c72832d52c4bc6a540732f692592e", "packagetype": "sdist", "python_version": "source", "requires_python": ">=3.6", "size": 327749, "upload_time": "2019-06-29T08:54:18", 
"url": "https://files.pythonhosted.org/packages/21/8b/28a2a2426dd623c3dbc9fba216864f91c5ae58d247c7286698d865eb8a6e/mtls-0.10.4.tar.gz" } ] }, "urls": [ { "comment_text": "", "digests": { "md5": "5ed79c56f41ade6686a014c559d24bd4", "sha256": "11c8b1ad502234201b35357d35cb56fcdfe5e2665cfbbb28fc43902d8fae4611" }, "downloads": -1, "filename": "mtls-0.10.4-py3-none-any.whl", "has_sig": true, "md5_digest": "5ed79c56f41ade6686a014c559d24bd4", "packagetype": "bdist_wheel", "python_version": "py3", "requires_python": ">=3.6", "size": 310957, "upload_time": "2019-06-29T08:54:15", "url": "https://files.pythonhosted.org/packages/17/c2/ee546055499752ad74c4e5663670a3d700730ac7c1d33ae03d768971bf54/mtls-0.10.4-py3-none-any.whl" }, { "comment_text": "", "digests": { "md5": "728c72832d52c4bc6a540732f692592e", "sha256": "15d89440da35ba7cedaffed4ba6e5a7a1f0eb428ad4c79794433eda6f132f83f" }, "downloads": -1, "filename": "mtls-0.10.4.tar.gz", "has_sig": true, "md5_digest": "728c72832d52c4bc6a540732f692592e", "packagetype": "sdist", "python_version": "source", "requires_python": ">=3.6", "size": 327749, "upload_time": "2019-06-29T08:54:18", "url": "https://files.pythonhosted.org/packages/21/8b/28a2a2426dd623c3dbc9fba216864f91c5ae58d247c7286698d865eb8a6e/mtls-0.10.4.tar.gz" } ] }