seamless provides an easy way to obtain an https session token via ssh. It automates creation of user accounts and manages their authorized_keys as well as session token creation via forced ssh commands. The authentication flow is as follows:
A client connects to seamless-realm@seamless-host via ssh and authenticates with a public key. The key is restricted to only execute the token creation command of the seamless binary. The seamless command returns session token that is signed with a secret specific to seamless-realm.
$ ssh -T seamless-realm@seamless-host username.VgfAwA.v-xKIZh3qYawqcm2RRh4q-LPfVE
The client sends the obtained token in the HTTP Authorization header of its requests to protected-app. The app uses the shared secret to validate the token.
GET / HTTP/1.1 Host: protected-app Authorization: seamless username.VgfAwA.v-xKIZh3qYawqcm2RRh4q-LPfVE
From a deb package:
$ wget https://github.com/emulbreh/seamless/releases/download/v0.1.0/seamless_0.1.0_amd64.deb $ sudo dpkg -i seamless_0.1.0_amd64.deb
As Python package:
$ pip install seamless
Setting up a seamless realm
A seamless realm is a user account on seamless-host. The creation and management of authorized_keys of these accounts is handled by seamless.
$ sudo seamless init seamless-realm $ sudo seamless add seamless-realm /path/to/public/key --user username
A user with this public key is now able to get tokens via ssh:
$ ssh -T seamless-realm@seamless-host username.VgfOLQ.EB6NTfXiyv7dWSKUMQJ38JXa5aw
or from Python
>>> import seamless >>> seamless.get_token('seamless-realm@seamless-host') 'username.VgfOBA.dRBDY5EUmQvhB8OnqPDWlC1tml4'
Protecting a webservice with WSGI middleware
seamless ships with WSGI middleware that verifies that a valid seamless token is passed via the Authorization header.
from seamless.wsgi import SeamlessMiddleware app = ... app = SeamlessMiddleware(app, max_age=60, secret='...')
Requests without a valid Authorization header will be rejected with a 401 response.
Making requests to such a protected app is made easy with an auth plugin for requests:
import requests from seamless.requests import SeamlessAuth session = requests.Session() session.auth = SeamlessAuth('name@seamless-host') session.get('http://protected-app/')
The token obtained from seamless-host is cached. It will be be automatically refreshed when it expires, and the failing request retried.
- If token validation is performed on a different host than token creation, clock skew may result in tokens that expire too early or too late.
|Filename, size||File type||Python version||Upload date||Hashes|
|Filename, size seamless-0.1.0.tar.gz (5.8 kB)||File type Source||Python version None||Upload date||Hashes View|