At a previous role I made something similar [0] in Golang, but used SSH certificates to manage authentication. This had the added benefit of logging the user connection information in each server’s auth.log based on the generated private key and signed (but short lived) certificate used for auth in the session. At one point I had changes that would sign certificates from Vault [1] directly.
I had it so that a user needed to login to the service with their GSuite account every 24H, and each login required 2fa as well. SSH sessions were recorded in asciicast format (which seems to be used here as well) and there was an audit log to track connections. They could be joined in real time and disconnected from a simple admin interface. The ACL system was a pretty basic method of using regex for defining auth rules.
Worked pretty well and helped with compliance audits we were completing at the time. I think the benefits here of being in Rust is definitely performance and memory safety. Granted, The Go implementation was pretty fast and safe as well. Go made it pretty easy to implement due to the SSH implementation in the standard library.
I had it so that a user needed to login to the service with their GSuite account every 24H, and each login required 2fa as well. SSH sessions were recorded in asciicast format (which seems to be used here as well) and there was an audit log to track connections. They could be joined in real time and disconnected from a simple admin interface. The ACL system was a pretty basic method of using regex for defining auth rules.
Worked pretty well and helped with compliance audits we were completing at the time. I think the benefits here of being in Rust is definitely performance and memory safety. Granted, The Go implementation was pretty fast and safe as well. Go made it pretty easy to implement due to the SSH implementation in the standard library.
[0] https://github.com/notion/bastion
[1] https://www.vaultproject.io/docs/secrets/ssh/signed-ssh-cert...