ssh_ws

Homegrown implementation of Google Beyond Corp security system (Zero Trust)

After reading a interesting paper on how google handles their internal access to system called “BeyondCorp” (Zero Trust). I wanted to try and implement my own version. The Papers talks about using the ssh ProxyCommand directive to send SSH traffic through a authorizing proxy server that can limit access to specific system.

I created by own version of this system in three parts:

A Golang Client which uses a mTLS connection to Identity the client device (eg toms-dev-laptop). It then performs a OAuth localhost loopback with OpenID Connect to get a bearer token to authenticate to the proxy server. It then tunnels the traffic
I Used IBM Datapower to perform the authentication of the mTLS connections + Oauth. It also handles the authorization and proxies the WebSocket connection
A Golang Server when ingest the connection from Datapower and redirects it to localhost then the connection can be process by SSHD.

I created a video below explaining the entire system in detail.

ssh_ws

Homegrown implementation of Google Beyond Corp security system (Zero Trust)

Google BeyondCorp (Zero Trust) - SSH Over Websockets Demo