{ "info": { "author": "Ved Vyas", "author_email": "ved@vyas.io", "bugtrack_url": null, "classifiers": [ "Development Status :: 4 - Beta", "Intended Audience :: Developers", "License :: OSI Approved :: MIT License", "Programming Language :: Python :: 3", "Topic :: System :: Networking" ], "description": "openSeSSHIAMe\n=============\n\nIntro\n-----\n\nopenSeSSHIAMe (picture Adam Sandler singing \"open sesame\") allows SSH access to\nan instance behind the great AWS firewall (security group for the instance) for\nauthorized users from their current location.\n\nGiven the credentials for an AWS IAM (Identity and Access Management) user, it:\n\n * Obtains the current machine's public IP address\n * Uses the AWS Python SDK (boto3) to allow incoming traffic to the instance\n on port 22 from the public IP address\n * Revokes previous ingress rules for this IAM user\n\nDisclaimer\n----------\n\nUse at your own risk, and only with trusted users. Follow best practices to\nsecure your EC2 instance and AWS account. Feedback, suggested improvements, and\ncontributions will be most appreciated. See [Notes](#notes) for known issues\nwith the current implementation.\n\nAWS Prerequisites\n-----------------\n\n * An EC2 instance with at least one associated security group that\n openSeSSHIAMe can operate on. It's probably a good idea to keep a dedicated\n security group for use with this tool.\n * For each openSeSSHIAMe user, an IAM user that:\n * Has an attached tag with `Key=openSeSSHIAMe-ID` and a unique `Value`\n among all openSeSSHIAMe users\n * Allows the following EC2 actions only on that particular security group:\n * `DescribeSecurityGroups` (List)\n * `AuthorizeSecurityGroupIngress` (Write)\n * `RevokeSecurityGroupIngress` (Write)\n * Allows the following IAM actions only on that particular IAM user (this\n can be achieved by using `${aws:username}` in the ARN when specifying\n resources):\n * `ListUserTags` (List)\n\nNotes\n-----\n\n * The IAM user will be able to describe security groups other than the one\n used by openSeSSHIAMe! This is because `DescribeSecurityGroups` cannot be\n restricted to a particular resource (the security group used by\n openSeSSHIAMe).\n * The service used to determine the current public IPv4 address could return\n an incorrect address, thus giving someone else access!\n\nRequirements\n------------\n\n * Python 3+\n * boto3 (>= 1.9.121)\n * docopt (>= 0.6.2)\n * requests (>= 2.21.0)\n\nInstallation\n------------\n\nTo install from source, execute the following in the directory containing\n`setup.py`:\n\n pip install [--user] [--upgrade] .\n\nTo install from `PyPI`:\n\n pip install [--user] [--upgrade] openSeSSHIAMe\n\nUsage\n-----\n\nThe openSeSSHIAMe CLI can be executed for oneshot authorization of the user's\ncurrent public IPv4 address:\n\n openSeSSHIAMe --verbose --config /path/to/config.json\n\nHere, `config.json` should look like `etc/openSeSSHIAMe-config.json`, found in\nthis repo and the installed package. It consists of the IAM credentials and\nusername for the current openSeSSHIAMe user, the ID of the security group to\nuse, and the region the EC2 instance is running in.\n\nopenSeSSHIAMe can be run at the time of starting an SSH session, just like\n[port-knockers][1]. One way is using `ProxyCommand` in your SSH client\nconfig:\n\n Host foo\n HostName ...\n ...\n ProxyCommand bash -c 'openSeSSHIAMe --verbose --config ...; sleep 1;\n exec nc %h %p'\n\nThis technique should also work with autossh.\n\nAlternatively (or additionally), a sample systemd service and timer for\nperiodic execution are included in `etc/`.\n\nFinally, feel free to import and use the `openSeSSHIAMe` class after installing\nthis package:\n\n from openSeSSHIAMe import openSeSSHIAMe\n sesame = openSeSSHIAMe(config_filename='...', verbose=True)\n # See main() in openSeSSHIAMe.py for further usage\n\nTODO\n----\n\n * If an existing rule for the current public IP address exists, don't revoke\n and re-authorize it -- just to reduce entries in CloudTrail. However, calls\n to `DescribeSecurityGroups` and `ListUserTags` are unavoidable.\n * Allow ports other than 22 and multiple ports. Might do this if and when the\n need arises.\n * Allow for multiple address per IAM user. Ditto.\n * Use PID file to handle concurrent runs for same IAM user.\n * Add option to use IPv6 addresses.\n\nLicense\n-------\n\nopenSeSSHIAMe is distributed under the terms of the MIT license. Please see\nCOPYING.\n\n[1]: https://lzone.de/blog/Port%20Knocking%20And%20SSH%20ProxyCommand\n\n\n", "description_content_type": "text/markdown", "docs_url": null, "download_url": "https://gitlab.com/vedvyas/openSeSSHIAMe/repository/archive.tar.bz2?ref=v0.1.0", "downloads": { "last_day": -1, "last_month": -1, "last_week": -1 }, "home_page": "https://gitlab.com/vedvyas/openSeSSHIAMe", "keywords": "AWS IAM SSH security-group boto3", "license": "MIT", "maintainer": "", "maintainer_email": "", "name": "openSeSSHIAMe", "package_url": "https://pypi.org/project/openSeSSHIAMe/", "platform": "", "project_url": "https://pypi.org/project/openSeSSHIAMe/", "project_urls": { "Download": "https://gitlab.com/vedvyas/openSeSSHIAMe/repository/archive.tar.bz2?ref=v0.1.0", "Homepage": "https://gitlab.com/vedvyas/openSeSSHIAMe" }, "release_url": "https://pypi.org/project/openSeSSHIAMe/0.1.0/", "requires_dist": [ "boto3 (>=1.9.121)", "docopt (>=0.6.2)", "requests (>=2.21.0)" ], "requires_python": "", "summary": "openSeSSHIAMe allows SSH access to an instance behind the great AWS firewall (security group for the instance) for authorized IAM users from their current location.", "version": "0.1.0" }, "last_serial": 5101404, "releases": { "0.1.0": [ { "comment_text": "", "digests": { "md5": "30e748b37a57f55330a0351fe3dbedac", "sha256": "60b69a8800282850e79bd00fb0c6143c15308388a56f37d65fcb6b9cf8df57a0" }, "downloads": -1, "filename": "openSeSSHIAMe-0.1.0-py3-none-any.whl", "has_sig": true, "md5_digest": "30e748b37a57f55330a0351fe3dbedac", "packagetype": "bdist_wheel", "python_version": "py3", "requires_python": null, "size": 12864, "upload_time": "2019-04-04T23:37:57", "url": "https://files.pythonhosted.org/packages/3f/33/110a6a381c8bb21572421f78c3f28bba0c05d75d673bd2c81f9dd1583d2d/openSeSSHIAMe-0.1.0-py3-none-any.whl" }, { "comment_text": "", "digests": { "md5": "fcd928fcf4492feff062314f6523266b", "sha256": "a05c5fee76da08200b113cec860f3c96df04107f779dde421047133c357b0c4f" }, "downloads": -1, "filename": "openSeSSHIAMe-0.1.0.tar.gz", "has_sig": true, "md5_digest": "fcd928fcf4492feff062314f6523266b", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 8036, "upload_time": "2019-04-04T23:38:00", "url": "https://files.pythonhosted.org/packages/d2/6e/e6b5a16a2ea7a39fd1857c79884eac6892ec3a7ded40997505d0ccb53fa1/openSeSSHIAMe-0.1.0.tar.gz" } ] }, "urls": [ { "comment_text": "", "digests": { "md5": "30e748b37a57f55330a0351fe3dbedac", "sha256": "60b69a8800282850e79bd00fb0c6143c15308388a56f37d65fcb6b9cf8df57a0" }, "downloads": -1, "filename": "openSeSSHIAMe-0.1.0-py3-none-any.whl", "has_sig": true, "md5_digest": "30e748b37a57f55330a0351fe3dbedac", "packagetype": "bdist_wheel", "python_version": "py3", "requires_python": null, "size": 12864, "upload_time": "2019-04-04T23:37:57", "url": "https://files.pythonhosted.org/packages/3f/33/110a6a381c8bb21572421f78c3f28bba0c05d75d673bd2c81f9dd1583d2d/openSeSSHIAMe-0.1.0-py3-none-any.whl" }, { "comment_text": "", "digests": { "md5": "fcd928fcf4492feff062314f6523266b", "sha256": "a05c5fee76da08200b113cec860f3c96df04107f779dde421047133c357b0c4f" }, "downloads": -1, "filename": "openSeSSHIAMe-0.1.0.tar.gz", "has_sig": true, "md5_digest": "fcd928fcf4492feff062314f6523266b", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 8036, "upload_time": "2019-04-04T23:38:00", "url": "https://files.pythonhosted.org/packages/d2/6e/e6b5a16a2ea7a39fd1857c79884eac6892ec3a7ded40997505d0ccb53fa1/openSeSSHIAMe-0.1.0.tar.gz" } ] }