# webtech-admin

SSH CA automation and frontend for webtech.

# What does it do?

`webtech-admin` largely exists in order to automate SSH credential provisioning for webtech. To do this, we use SSH certificates. Similarly to SSL certificates, SSH certificates provide a way of verifying that a user or host is who they say they are by trusting a third party (in this case, `webtech-admin`). In practice, this works as follows:

- A user generates an SSH keypair and sends the public key to `webtech-admin` for signing.
- The user authenticates with `webtech-admin` by logging in with their UvA credentials.
- `webtech-admin` signs the user's public key and returns a certificate to the user.
- Individual SSH servers trust the signing key, and hence trust the certificates.
- Therefore, a user can log into these servers by providing the certificate alongside their public key.

The process is similar but reversed for host keys: the servers all have host key certificates, and the user trusts the host signing key.

The above process is automated for the user through another tool, [`webtech-ssh`](https://github.com/UvA-FNWI/webtech-ssh).

Aside from the SSH key provisioning side, `webtech-admin` has a small front-end that lets a student see information about their webtech credentials (username, group, server, ...).

# Storage

`webtech-admin` requires some persistent storage. Files that should persist are stored in the `/data` directory; this includes the signing keys and the database.

# Setup

The docker image handles everything for you; building and running it is the easiest way to run webtech-admin.

If you want to run it locally, you will need:

- Python 3.11 or newer
- Poetry (https://python-poetry.org), to handle Python dependencies

Run `poetry install` to install the dependencies into a virtualenv. You will also need to modify the default config: it assumes a `/data` directory for persistent storage, which only really makes sense in a Docker context.
Run the server using `poetry run python3 -m webtech_admin serve`.
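As an added illustration of the certificate workflow described under "What does it do?" (this is not code from webtech-admin or webtech-ssh; it drives the same OpenSSH primitives by hand), the script below creates a user CA and a host CA in a scratch directory, signs a user key with a principal and a short validity window, signs a host key, writes the two trust files each side needs, and reads the certificates back with `ssh-keygen -L`. The key file names, the principal `student`, the key id `student@uva` and the host name `web01.example` are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of webtech-admin: the SSH CA workflow done by hand with ssh-keygen.
# All names below (CA files, "student", "student@uva", "web01.example") are constructed.
set -eu

WORK="$(mktemp -d)"   # scratch directory; nothing here touches /data or ~/.ssh

# 1. The signing authority (what webtech-admin keeps in /data) holds two CAs:
#    one that signs user keys and one that signs host keys. Keep them separate so a
#    leaked host CA cannot mint user certificates and vice versa.
make_cas() {
  ssh-keygen -q -t ed25519 -N '' -C 'user-ca' -f "$WORK/user_ca"
  ssh-keygen -q -t ed25519 -N '' -C 'host-ca' -f "$WORK/host_ca"
}

# 2. The user generates a keypair; only the public half is sent for signing.
make_user_key() {
  ssh-keygen -q -t ed25519 -N '' -C 'student@laptop' -f "$WORK/id_student"
}

# 3. The CA signs the public key. -I is the key id that shows up in sshd's auth log,
#    -n the principal sshd matches against the login name, -V the validity window.
#    A short window means a lost laptop key expires on its own; "-5m:+8h" would also
#    tolerate a little clock skew on the server side.
sign_user_key() {
  ssh-keygen -q -s "$WORK/user_ca" -I 'student@uva' -n student -V +8h "$WORK/id_student.pub"
  # output: $WORK/id_student-cert.pub
}

# 4. Host keys are signed the same way, but with -h (host certificate) and the
#    hostname as principal, so the client can check it matches the name it connected to.
sign_host_key() {
  ssh-keygen -q -t ed25519 -N '' -C 'web01' -f "$WORK/ssh_host_ed25519_key"
  ssh-keygen -q -s "$WORK/host_ca" -I 'web01' -h -n web01.example -V +52w \
    "$WORK/ssh_host_ed25519_key.pub"
  # output: $WORK/ssh_host_ed25519_key-cert.pub
}

# 5. What each side trusts: the server trusts the user CA public key via
#    TrustedUserCAKeys (and presents its own certificate via HostCertificate); the
#    client trusts the host CA via an @cert-authority line in known_hosts.
write_trust_files() {
  {
    printf 'TrustedUserCAKeys %s\n' "$WORK/user_ca.pub"
    printf 'HostCertificate %s\n' "$WORK/ssh_host_ed25519_key-cert.pub"
  } > "$WORK/sshd_config.fragment"
  printf '@cert-authority *.example %s\n' \
    "$(cut -d' ' -f1,2 "$WORK/host_ca.pub")" > "$WORK/known_hosts"
}

# Read a certificate back the way a reviewer would. ssh-keygen -L prints the type,
# key id, serial, validity and principals; these helpers pull out two of those fields.
cert_principals() {
  ssh-keygen -L -f "$1" \
    | sed -n '/Principals:/,/Critical Options:/p' \
    | sed '1d;$d' \
    | tr -d ' \t'
}

cert_type() {
  if ssh-keygen -L -f "$1" | grep -q 'host certificate'; then
    echo host
  else
    echo user
  fi
}

if command -v ssh-keygen >/dev/null 2>&1; then
  make_cas
  make_user_key
  sign_user_key
  sign_host_key
  write_trust_files
  echo "user cert principals: $(cert_principals "$WORK/id_student-cert.pub")"
  echo "host cert type:       $(cert_type "$WORK/ssh_host_ed25519_key-cert.pub")"
  echo "artifacts left in $WORK for inspection (ssh-keygen -L -f <cert>)"
else
  echo "ssh-keygen not found; install openssh-client to run this example" >&2
fi
```

To use the result with a real server, the two lines in `sshd_config.fragment` go into `sshd_config` (with the CA public key and host certificate copied to `/etc/ssh`), and the `known_hosts` line goes into the client's `~/.ssh/known_hosts`; the client then connects with `ssh -i id_student student@web01.example`, and OpenSSH picks up `id_student-cert.pub` automatically because it sits next to the private key.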