Homegrown implementation of Google Beyond Corp security system
After reading a interesting paper on how google handles their internal access to system called “BeyondCorp” I wanted to try and implement my own version. The Papers talks about using the ssh
ProxyCommand directive to send SSH traffic through a authorizing proxy server that can limit access to specific system.
I created by own version of this system in three parts:
- A Golang Client which uses a mTLS connection to Identity the client device (eg toms-dev-laptop). It then performs a OAuth localhost loopback with OpenID Connect to get a bearer token to authenticate to the proxy server. It then tunnels the traffic
- I Used IBM Datapower to perform the authentication of the mTLS connections + Oauth. It also handles the authorization and proxies the WebSocket connection
- A Golang Server when ingest the connection from Datapower and redirects it to localhost then the connection can be process by SSHD.
I created a video below explaining the entire system in detail.
Google BeyondCorp - SSH Over Websockets Demo