Bootstrap Authentication: b me and b trust #21

Open
opened 2026-06-27 09:00:09 +05:30 by sortedcord · 0 comments
Owner

Bootstrap requires a mechanism for client-side authentication and provisioning flow. Bootstrap Auth Server (https://git.adityagupta.dev/sortedcord/bootstrap-auth-server) introduces a secure way to provision secrets to client machines using SSH Ed25519 keys for identity verification and age for secure payload decryption, overseen by an administrator via a trust-verification mechanism.

Proposed / Implemented Architecture

The authentication logic is encapsulated within a modular Authentication Plugin (auth.sh), which is lazy-loaded upon triggering the commands.

  1. Requester Mode (b me):

    • Generates a local SSH Ed25519 key pair under ~/.config/bootstrap-client/ if not present.
    • Registers the device using POST /api/register with the public key, hostname, and OS.
    • Retrieves a user_code (e.g. Oi1r2P) and challenge_nonce.
    • Displays the verification code and polls POST /api/challenge/poll using a standard ssh-keygen -Y sign signature on the nonce.
    • Decrypts the returned age payload using the client's local private key directly (age --decrypt -i <private_key>) and writes the decrypted secrets to ~/.config/bootstrap-client/secrets.decrypted.
  2. Approver Mode (b trust <user_code>):

    • Fetches the pending registration details via GET /api/pending/<user_code>.
    • Prompts the administrator for confirmation.
    • Signs the requester's public key with the admin's private key using ssh-keygen -Y sign under the bootstrap namespace.
    • Submits the cryptographic signature (base64 string inside the SSHSIG armor) and the administrator's public key fingerprint to POST /api/approve.
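
Added example, not part of the issue text and not code from bootstrap or Bootstrap Auth Server: a sketch of the structural checks a receiver of POST /api/approve could run on the submitted SSHSIG base64 before verifying the signature itself, so that a signature made under another namespace or by a key other than the claimed one is rejected early. It assumes the fingerprint is sent in OpenSSH's SHA256:... form; the function names and the all-zero sample blob are constructed for illustration.

```python
import base64, hashlib, struct

MAGIC = b"SSHSIG"  # preamble defined in OpenSSH's PROTOCOL.sshsig

def _s(b):
    """Encode one SSH wire string: uint32 big-endian length + bytes."""
    return struct.pack(">I", len(b)) + b

def _strings(buf, count):
    """Decode exactly `count` wire strings; reject truncation or trailing data."""
    out, off = [], 0
    for _ in range(count):
        if off + 4 > len(buf):
            raise ValueError("truncated length field")
        (n,) = struct.unpack_from(">I", buf, off)
        off += 4
        if off + n > len(buf):
            raise ValueError("truncated string")
        out.append(buf[off:off + n])
        off += n
    if off != len(buf):
        raise ValueError("trailing bytes")
    return out

def fingerprint(pub_blob):
    """OpenSSH-style SHA256 fingerprint of a public key blob (assumed format)."""
    digest = hashlib.sha256(pub_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def check_approval(sig_b64, claimed_fp, namespace=b"bootstrap"):
    """Structural checks only; the Ed25519 signature still has to be verified."""
    blob = base64.b64decode("".join(sig_b64.split()), validate=True)
    if blob[:10] != MAGIC + struct.pack(">I", 1):
        raise ValueError("not an SSHSIG version 1 blob")
    pub, ns, _reserved, hash_alg, _sig = _strings(blob[10:], 5)
    if ns != namespace:  # blocks reuse of signatures made for other purposes
        raise ValueError("namespace mismatch")
    if hash_alg not in (b"sha256", b"sha512"):
        raise ValueError("unsupported hash algorithm")
    if _strings(pub, 2)[0] != b"ssh-ed25519":
        raise ValueError("unexpected key type")
    if fingerprint(pub) != claimed_fp:  # embedded key must be the claimed admin key
        raise ValueError("fingerprint mismatch")
    return {"namespace": ns.decode(), "hash": hash_alg.decode(), "fingerprint": claimed_fp}

def sample_blob(namespace=b"bootstrap"):
    """Constructed test input: all-zero key and signature, not a real signature."""
    pub = _s(b"ssh-ed25519") + _s(bytes(32))
    sig = _s(b"ssh-ed25519") + _s(bytes(64))
    raw = MAGIC + struct.pack(">I", 1) + b"".join(
        _s(x) for x in (pub, namespace, b"", b"sha512", sig))
    return base64.b64encode(raw).decode(), fingerprint(pub)
```

Passing these checks says nothing about signature validity; the signature over the requester's public key still has to be verified (for example with ssh-keygen -Y verify) against an allow-list of admin keys.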
sortedcord added this to the Release v3 milestone 2026-06-27 09:00:09 +05:30
sortedcord added reference feat/auth-plugin 2026-06-27 09:05:06 +05:30
sortedcord removed this from the Release v3 milestone 2026-06-27 09:08:57 +05:30

Reference: sortedcord/bootstrap#21