keybase
diff --git a/‎.gitignore‎
Lines changed: 5 additions & 1 deletion b/‎.gitignore‎
Lines changed: 5 additions & 1 deletion
diff --git a/‎README.md‎
Lines changed: 3 additions & 193 deletions b/‎README.md‎
Lines changed: 3 additions & 193 deletions
diff --git a/‎docker/Makefile‎
Lines changed: 1 addition & 1 deletion b/‎docker/Makefile‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎docs/Makefile‎
Lines changed: 19 additions & 0 deletions b/‎docs/Makefile‎
Lines changed: 19 additions & 0 deletions
diff --git a/‎docs/architecture.md‎
Lines changed: 17 additions & 0 deletions b/‎docs/architecture.md‎
Lines changed: 17 additions & 0 deletions
diff --git a/‎docs/bastions.md‎
Lines changed: 14 additions & 0 deletions b/‎docs/bastions.md‎
Lines changed: 14 additions & 0 deletions
diff --git a/‎docs/best_practices.md‎
Lines changed: 31 additions & 0 deletions b/‎docs/best_practices.md‎
Lines changed: 31 additions & 0 deletions
@@ -3,4 +3,8 @@ keybaseca.config
 nohup.out
 env.sh
 __pycache__
-generated-env
+
+# sphinx generated files:
+_build
+_static
+_templates
@@ -22,197 +22,7 @@ This repo provides the pieces for anyone to build this workflow on top of Keybas
 
 Removing a user's ability to access a server is as simple as removing them from the Keybase team.
 
-# Getting Started
+# Documentation
 
-kssh allows you to define realms of servers where access is granted based off of
-membership in different teams. Imagine that you have a staging environment that everyone should be granted access to and
-a production environment that you want to restrict access to a smaller group of people. For this exercise we'll also set
-up a third realm that grants root access to all machines. To configure kssh to work with this setup, we will set it up 
-according to this diagram:
-
-![Architecture Diagram](https://raw.githubusercontent.com/keybase/bot-sshca/master/docs/Architecture%20Diagram.png "Architecture Diagram")
-
-On a secured server that you wish to use to run the CA chatbot:
-
-```bash
-git clone git@github.com:keybase/bot-sshca.git
-cd bot-sshca/docker/
-cp env.sh.example env.sh
-keybase signup      # Creates a new Keybase user to use for the SSH CA bot
-keybase paperkey    # Generate a new paper key
-# Create `{TEAM}.ssh.staging`, `{TEAM}.ssh.production`, `{TEAM}.ssh.root_everywhere` as new Keybase subteams
-# and add the bot to those subteams. Add users to those subteams based off of the permissions you wish to grant
-# different users
-nano env.sh         # Fill in the values including the previously generated paper key
-make generate       # Generate a new CA key
-```
-
-Running `make generate` will output a list of configuration steps to run on each server you wish to use with the CA chatbot. 
-These commands create a new user to use with kssh (the `developer` user), add the CA's public key to the server, and 
-configure the server to trust the public key. 
-
-Now you must define a mapping between Keybase teams the users and servers that they are
-allowed to access. If you wish to make the user foo available to anyone in team.ssh.bar,
-create the file `/etc/ssh/auth_principals/foo` with contents `team.ssh.bar`. 
-
-More concretely following the current example setup:
-
-* For each server in your staging environment:
-  1. Create the file `/etc/ssh/auth_principals/root` with contents `{TEAM}.ssh.root_everywhere`
-  2. Create the file `/etc/ssh/auth_principals/developer` with contents `{TEAM}.ssh.staging`
-* For each server in your production environment:
-  1. Create the file `/etc/ssh/auth_principals/root` with contents `{TEAM}.ssh.root_everywhere`
-  2. Create the file `/etc/ssh/auth_principals/developer` with contents `{TEAM}.ssh.production`
-
-Now on the server where you wish to run the chatbot, start the chatbot itself:
-
-```bash
-make serve    # Runs inside of docker for ease of use
-```
-
-Now download the kssh binary and start SSHing! See https://github.com/keybase/bot-sshca/releases to download the most 
-recent version of kssh for your platform. 
-
-```bash
-sudo mv kssh-{platform} /usr/local/bin/kssh 
-sudo chmod +x /usr/local/bin/kssh
-
-kssh developer@staging-server-ip        # If in {TEAM}.ssh.staging
-kssh developer@production-server-ip     # If in {TEAM}.ssh.production
-kssh root@server                        # If in {TEAM}.ssh.root_everywhere
-```
-
-We recommend building kssh yourself and distributing the binary among your team (perhaps in Keybase Files!). 
-
-# Network Architecture
-
-Since all communication between the kssh client and the SSH CA server happens over Keybase chat, it is possible (and recommended)
-to firewall off the SSH CA server so it cannot be reached from the general internet. Additionally, note that the SSH servers
-that trust the SSH CA do not need to communicate with Keybase's servers or with the CA server and thus it is also possible
-to firewall off the SSH servers from the general internet. Clients running kssh need to have Keybase running locally with
-a connection to Keybase's servers. 
-
-# OS Support
-
-It is recommended to run the server component of this bot on linux and running it in other environments is untested.
-`kssh` is tested and works correctly on linux, macOS, and Windows. If running on windows, note that there is a dependency
-on the `ssh` binary being in the path. This can be installed in a number of different ways including 
-[Chocolatey](https://chocolatey.org/packages/openssh) or the 
-[built in version](https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse) on 
-modern versions of windows. 
-
-# Using kssh with jumpboxes and bastion hosts
-
-kssh should work correctly with jumpboxes and bastion hosts as long as they are configured to trust the SSH CA and the usernames are correct. For example:
-
-```
-kssh -J developer@jumpbox.example.com developer@server.internal
-```
-
-This can also be made easier by setting the kssh default ssh-username locally, then you won't have to specify it for each server. 
-
-```
-kssh --set-default-user developer
-kssh -J jumpbox.example.com server.internal
-```
-
-# Contributing
-
-There are two separate binaries built from the code in this repo:
-
-## keybaseca 
-
-`keybaseca` is the CA server that exposes an interface through Keybase chat. This binary is meant to be run in a secure
-location. 
-
-```
-NAME:
-   keybaseca - An SSH CA built on top of Keybase
-
-USAGE:
-   keybaseca [global options] command [command options] [arguments...]
-
-VERSION:
-   0.0.1
-
-COMMANDS:
-     backup    Print the current CA private key to stdout for backup purposes
-     generate  Generate a new CA key
-     service   Start the CA service in the foreground
-     help, h   Shows a list of commands or help for one command
-
-GLOBAL OPTIONS:
-   --help, -h     show help
-   --version, -v  print the version
-```
-
-## kssh
-
-`kssh` is the replacement SSH binary. kssh handles provisioning (via the keybaseca-bot) new temporary SSH keys and is meant to be installed on each
-user's laptop. 
-
-```
-NAME:
-   kssh - A replacement ssh binary using Keybase SSH CA to provision SSH keys
-
-USAGE:
-   kssh [kssh options] [ssh arguments...]
-
-VERSION:
-   0.0.1
-
-GLOBAL OPTIONS:
-   --help                Show help
-   -v                    Enable kssh and ssh debug logs
-   --provision           Provision a new SSH key and add it to the ssh-agent. Useful if you need to run another 
-                         program that uses SSH auth (eg scp, rsync, etc)
-   --set-default-bot     Set the default bot to be used for kssh. Not necessary if you are only in one team that
-                         is using Keybase SSH CA
-   --clear-default-bot   Clear the default bot
-   --bot                 Specify a specific bot to be used for kssh. Not necessary if you are only in one team that
-                         is using Keybase SSH CA
-   --set-default-user    Set the default SSH user to be used for kssh. Useful if you use ssh configs that do not set 
-					     a default SSH user 
-   --clear-default-user  Clear the default SSH user
-   --set-keybase-binary  Run kssh with a specific keybase binary rather than resolving via $PATH 
-```
-
-## Architecture
-
-#### Config
-
-Keybaseca is configured using environment variables (see docs/env.md for information on all of the options). When keybaseca 
-starts, it writes a client config file to `/keybase/team/{teamname for teamname in $TEAMS}/kssh-client.config`. This 
-client config file is how kssh determines which teams are using kssh and the needed information about the bot (eg the
-channel name, the name of the bot, etc). When keybaseca stops, it deletes all of the client config files. 
-
-kssh reads the client config file in order to determine how to interact with a bot. kssh does not have any user controlled
-configuration. It does have one local config file stored in `~/.ssh/kssh-config.json` that is used to store a few settings 
-for kssh. By default, this config file is not used. It is only created and meant to be interacted with via the 
-`--set-default-bot`, `--clear-default-bot`, `--set-default-user`, `--clear-default-user` flags. 
-
-#### Communication
-
-kssh and keybaseca communicate with each other over Keybase chat. If the `CHAT_CHANNEL` environment variable is 
-specified in keybaseca's environment, keybaseca will only accept communication in the specified team and channel. 
-This configuration is passed to kssh clients via the client config file(s) stored in KBFS. If the `CHAT_CHANNEL` environment variable
-is not specified then keybaseca will accept messages in any channel of any team listed in the `TEAMS` environment variable.
-All communication happens via the Go chatbot library. 
-
-Prior to sending a `SignatureRequest`, kssh sends a series of `AckRequest` messages. An `AckRequest` message is sent until 
-kssh receives an `Ack` from keybaseca. This is done in order to ensure that kssh has correctly connected to the chat channel
-and that the bot is responding to messages. Afterwards, a `SignatureRequest` packet is sent and keybaseca parses it and 
-returns a signed key. Note that only public keys and signatures are sent over Keybase chat and private keys never 
-leave the devices they were generated on. 
-
-#### KBFS
-
-In order to ensure that keybaseca can run inside of docker (which does not support FUSE filesystems without adding
-the CAP_SYS_ADMIN permission), all KBFS interactions are done via `keybase fs ...` commands. This makes it so that 
-keybaseca can run in unprivileged docker containers. 
-
-# Integration Tests
-
-This project contains integration tests that can be run via `./integrationTest.sh`. The integration tests depend on 
-docker and docker-compose. The first time you run them, they will walk you through creating two new accounts to be 
-used in the tests. The credentials for these accounts will be stored in `tests/env.sh`. 
+See the [documentation website](https://keybase-ssh-ca-bot.readthedocs.io/en/latest/) for information on getting started,
+best practices, the architecture, and contributing. 
@@ -23,7 +23,7 @@ generate: env-file-exists build
 	@echo "echo \"AuthorizedPrincipalsFile /etc/ssh/auth_principals/%u\" >> /etc/ssh/sshd_config"
 	@echo "chmod g-w /etc   # On some distributions /etc is group writable which will cause SSH to refuse to run"
 	@echo "service ssh restart"
-	@echo -e "\nSee the README for information on how to define which teams are allowed to access which servers"
+	@echo -e "\nSee the getting started docs for information on how to define which teams are allowed to access which servers"
 
 # Start the CA chatbot in the background
 serve: env-file-exists ca-key-exists build
 
@@ -0,0 +1,19 @@
+# Minimal makefile for Sphinx documentation
+#
+
+# You can set these variables from the command line.
+SPHINXOPTS    =
+SPHINXBUILD   = sphinx-build
+SOURCEDIR     = .
+BUILDDIR      = _build
+
+# Put it first so that "make" without argument is like "make help".
+help:
+	@$(SPHINXBUILD) -M help "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O)
+
+.PHONY: help Makefile
+
+# Catch-all target: route all unknown targets to Sphinx using the new
+# "make mode" option.  $(O) is meant as a shortcut for $(SPHINXOPTS).
+%: Makefile
+	@$(SPHINXBUILD) -M $@ "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O)
@@ -0,0 +1,17 @@
+# Architecture
+
+The Keybase SSH CA system works according to this diagram:
+
+![Architecture Diagram](https://raw.githubusercontent.com/keybase/bot-sshca/master/docs/Architecture%20Diagram.png "Architecture Diagram")
+
+Note that this means that you do not need to modify your servers in any
+way or run any additional processes on your servers other than a standard 
+OpenSSH daemon. 
+
+## Network Architecture
+
+Since all communication between the kssh client and the SSH CA server happens over Keybase chat, it is possible (and recommended)
+to firewall off the SSH CA server (where this bot is running) so it cannot be reached from the general internet. Additionally, note that the SSH servers
+that trust the SSH CA do not need to communicate with Keybase's servers or with the CA server and thus it is also possible
+to firewall off the SSH servers from the general internet. Clients running kssh need to have Keybase running locally with
+a connection to Keybase's servers. 
@@ -0,0 +1,14 @@
+# Jumpboxes and Bastion Hosts
+
+kssh should work correctly with jumpboxes and bastion hosts as long as they are configured to trust the SSH CA and the usernames are correct. For example:
+
+```
+kssh -J developer@jumpbox.example.com developer@server.internal
+```
+
+This can also be made easier by setting the kssh default ssh-username locally, then you won't have to specify it for each server. 
+
+```
+kssh --set-default-user developer
+kssh -J jumpbox.example.com server.internal
+```
@@ -0,0 +1,31 @@
+# Best Practices
+
+## Teams and Channels
+
+The SSH CA bot user needs to have write access in all of the teams used for granting SSH access in order for it to
+be able to store config files associated with each team. Since access to a team grants SSH access to servers, it is
+recommended to minimize the number of users with admin or owner permissions in the teams. Individual users of kssh
+only need to be given the read permission since they do not need to be able to edit or create files associated with
+a team. 
+
+It is also recommended to mute all notifications in the configured teams in order to minimize the number of notifications
+you get. 
+
+If you are using other bots in the same teams as the SSH CA bot (or if you wish to have normal conversation in those 
+teams), you can use the `CHAT_CHANNEL` environment variable in order to configure a specific chat channel for all
+SSH CA messages. 
+
+## Network Isolation
+
+Due to the highly sensitive nature of the SSH CA bot, it is recommended to configure firewalls in order to block all
+access to the server running the CA bot. It is not recommended to use kssh to access the server of the CA bot itself
+in order to make it easier to respond to any outages. 
+
+## Realms
+
+There are two general approaches one can take when defining realms of servers. The first approach (described in the
+getting started directions) is to define realms for staging and production. This approach is useful for the common
+scenario where all developers should be given access to the staging environment but only certain people should be given
+access to production. The second approach is a more granular approach where you can define realms associated with teams.
+For example, one could have a realm of web servers, a realm of database servers, ... where a specific group of people 
+is responsible for each class of server.