alkdev/alknet
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
596c89ce24ac5974512a57ccd0380bde81818af8
alknet/tasks/auth/server-auth-handler.md
glm-5.1 596c89ce24 refactor!: rebrand wraith to alknet 
Rename all crates, CLI commands, constants, type names, doc comments,
and documentation from wraith to alknet. Includes wire-protocol changes:
ALPN wraith-ssh -> alknet-ssh, reserved destination prefix wraith- ->
alknet-, SSH auth username wraith -> alknet.
2026-06-05 10:04:32 +00:00

2.1 KiB
Raw Blame History

id, name, status, depends_on, scope, risk, impact, level
id name status depends_on scope risk impact level
auth/server-auth-handler Implement server-side authentication (Ed25519 keys + OpenSSH cert-authority) pending
auth/key-loading
auth/error-types
moderate medium component implementation

Description

Implement the server-side SSH authentication logic per ADR-012:

  1. Ed25519 public key: auth_publickey() checks presented key against the authorized set using constant-time comparison
  2. OpenSSH certificate authority: validates presented certificate — checks CA signature, expiry, and principal restrictions (permit-port-forwarding, no-pty, source-address)

No password authentication over SSH. This is the russh::server::Handler::auth_publickey() implementation that the server handler will call.

Acceptance Criteria

  • crates/alknet-core/src/auth/server_auth.rs exports ServerAuthConfig and auth logic
  • ServerAuthConfig holds: authorized_keys: HashSet<PublicKey>, cert_authorities: Vec<CertAuthorityEntry>
  • ServerAuthConfig::from_keys_and_ca() constructor: loads authorized keys and cert-authority entries from provided key sources
  • Auth check function: given a presented key/certificate, return Accept or Reject
  • Ed25519 key matching uses constant-time comparison (via russh/ssh-key crate builtins)
  • Certificate validation checks: CA signature valid, cert not expired, principal restrictions enforced
  • Certificate options respected: permit-port-forwarding, no-pty, source-address
  • Returns AuthError::KeyRejected or AuthError::CertInvalid/CertExpired/CertPrincipalMismatch on failure
  • Unit tests: valid key accepted, invalid key rejected, cert-authority signed cert accepted, expired cert rejected, wrong principal rejected

References

  • docs/architecture/server.md — Authentication section
  • docs/architecture/decisions/012-auth-ed25519-and-cert-authority.md — ADR for key + cert-authority
  • docs/architecture/client.md — "Authentication is Ed25519 public key or OpenSSH certificate"

Notes

To be filled by implementation agent

Summary

To be filled on completion

Reference in New Issue View Git Blame Copy Permalink