An app that serves an SSH key and a helper script for adding it temporarily to the ssh-agent. It authenticates the request against a Yubico auth server using a yubi OTP.
Godeps
bin
testdata
vendor/github.com/GeertJohan/yubigo
.gitignore
Dockerfile
LICENSE
README.md
authenticator.go
config.json.example
configuration.go
configuration_test.go
loader.sh
main.go
server.go
server_test.go
yubi_authenticator.go
yubi_authenticator_test.go

KeyGuard

A little app to serve SSH keys over an authenticated endpoint. A helper script is used to add the key to the SSH agent with an expiry.

Only YubiKey one-time password (OTP) authentication is supported at the moment.

Usage

1. Create configuration

$ cat config.json
{
  "SSHKey": "id_rsa",
  "LoaderScript": "loader.sh",
  "PublicUrl": "https://key.yourdomain.org",
  "Auth": {
    "clientId": "12345",
    "apiKey": "apikey",
    "preferHttp": false
  }
}

SSHKey is the path to the private key, LoaderScript the path to the loader script, and PublicUrl the public URL where the /key endpoint can be queried. Auth.clientId and Auth.apiKey are your Yubico API credentials. (JSON has no comment syntax, so the field descriptions live here rather than in the file.)

3. Run

docker run -p 8000:8000 -v "$(pwd)/config.json:/app/config.json" -v "$(pwd)/keys:/app/keys" cromega/keyguard

(Bind mounts need absolute host paths; a bare name such as config.json would be treated by Docker as a named volume instead of your file.)

4. Load key!

$ curl -s https://key.yourdomain.org | bash
OTP: ccccsfrhkrucdedthkkrdkkrbjdhidjkljktflhvjgcl # this is where I pressed the YubiKey button
Identity added: /tmp/tmp.2GxYjzCLaE (/tmp/tmp.2GxYjzCLaE)
Lifetime set to 32400 seconds

Retrieve the public key

Sometimes it's rather handy to get the public key when you want to add it to certain services such as GitHub.

curl -s https://key.yourdomain.org/pubkey

Configuration options:

Usage of ./keyguard:
  -configPath string
        path to the config file (default "config.json")

Important

You have to create an API key at Yubico to use the authenticator.

Building

$ go build

How it works

The service exposes three endpoints:

  • /
  • /key
  • /pubkey

/ responds with a shell script (see loader.sh for an example) that makes a second call to /key with the right request parameters. The successful response to the second request is the SSH key. Different authentication mechanisms may need a tailored loader script as well.

/pubkey just responds with the public key, without authentication.
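The three-endpoint flow above, written out as an added example. This is not KeyGuard's own code: the OTPVerifier interface and the FakeVerifier (which accepts one constructed OTP exactly once, mirroring the replay protection of the real Yubico validation service) stand in for yubigo, the sample key and loader script are constructed, and the choice to carry the OTP in a POST form field named otp is an assumption the README does not fix. The server assumes the key material and loader script have already been read from the paths in config.json.

```go
package main

import (
	"fmt"
	"log"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// OTPVerifier abstracts the Yubico OTP check so the handler can run without
// network access. KeyGuard backs this with yubigo; the interface and the fake
// below are assumptions made for this example, not the project's code.
type OTPVerifier interface {
	Verify(otp string) (bool, error)
}

// FakeVerifier accepts exactly one constructed OTP, and only once, mirroring
// the replay protection the real Yubico validation service applies.
type FakeVerifier struct {
	Accept string
	used   bool
}

func (f *FakeVerifier) Verify(otp string) (bool, error) {
	if f.used || otp != f.Accept {
		return false, nil
	}
	f.used = true
	return true, nil
}

// KeyServer holds the material the three endpoints hand out.
type KeyServer struct {
	PrivateKey []byte // contents of the configured SSHKey file
	PublicKey  []byte // the matching public key, served without auth
	Loader     string // loader script served at /
	Verifier   OTPVerifier
}

// validOTPShape rejects malformed input before a round trip to the validation
// server: a Yubico OTP is 32 to 48 ModHex characters (c b d e f g h i j k l n r t u v).
func validOTPShape(otp string) bool {
	if len(otp) < 32 || len(otp) > 48 {
		return false
	}
	return strings.Trim(otp, "cbdefghijklnrtuv") == ""
}

// Handler wires the three endpoints from the README onto a ServeMux.
func (s *KeyServer) Handler() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path != "/" { // the "/" pattern also catches every unknown path
			http.NotFound(w, r)
			return
		}
		w.Header().Set("Content-Type", "text/plain")
		fmt.Fprint(w, s.Loader)
	})
	mux.HandleFunc("/pubkey", func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "text/plain")
		w.Write(s.PublicKey)
	})
	mux.HandleFunc("/key", s.serveKey)
	return mux
}

// serveKey is the authenticated endpoint. The OTP arrives in a POST form field
// (assumed name "otp") so it stays out of URLs and access logs; the private key
// is returned with Cache-Control: no-store so no intermediary keeps a copy.
func (s *KeyServer) serveKey(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodPost {
		http.Error(w, "use POST", http.StatusMethodNotAllowed)
		return
	}
	otp := r.FormValue("otp")
	if !validOTPShape(otp) {
		http.Error(w, "malformed OTP", http.StatusBadRequest)
		return
	}
	ok, err := s.Verifier.Verify(otp)
	if err != nil {
		http.Error(w, "validation service unavailable", http.StatusBadGateway)
		return
	}
	if !ok {
		http.Error(w, "OTP rejected", http.StatusUnauthorized)
		return
	}
	w.Header().Set("Content-Type", "application/octet-stream")
	w.Header().Set("Cache-Control", "no-store")
	w.Write(s.PrivateKey)
}

// NewExampleServer builds a server around constructed sample material; the
// loader script mirrors what the README's "curl | bash" step does.
func NewExampleServer() *KeyServer {
	return &KeyServer{
		PrivateKey: []byte("-----BEGIN OPENSSH PRIVATE KEY-----\nEXAMPLE-NOT-A-REAL-KEY\n-----END OPENSSH PRIVATE KEY-----\n"),
		PublicKey:  []byte("ssh-ed25519 AAAAexamplepublickey user@example\n"),
		Loader: "#!/bin/bash\nread -rp 'OTP: ' otp\nkey=$(mktemp)\n" +
			"curl -sf --data-urlencode \"otp=$otp\" https://key.example.org/key -o \"$key\" && ssh-add -t 32400 \"$key\"\n" +
			"rm -f \"$key\"\n",
		Verifier: &FakeVerifier{Accept: "ccccccbchvthlivuitriujjifivbvtrjkjfirllluurj"}, // constructed OTP
	}
}

// Probe sends one in-memory request and returns status and body, so the
// handler can be exercised without binding a port.
func Probe(h http.Handler, method, path string, form url.Values) (int, string) {
	req := httptest.NewRequest(method, path, strings.NewReader(form.Encode()))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Body.String()
}

func main() {
	log.Fatal(http.ListenAndServe(":8000", NewExampleServer().Handler()))
}
```

Rejecting an OTP that is the wrong length or alphabet before calling the validation service keeps junk traffic off your Yubico API quota, and the fake's one-shot acceptance shows why a captured OTP (like the one printed in the usage section above) is useless for a second download: the validation service records each OTP's counter and refuses replays.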

Running it on Cloud Foundry

You can actually run KeyGuard on Cloud Foundry!

Build it, put your key and config.json in the folder and run cf push. Don't forget to configure PublicUrl to the correct route beforehand.

You can use an encrypted SSH key if you are scared of pushing your key to a public cloud.

An example app manifest looks something like this:

applications:
- name: keyguard
  memory: 32m
  buildpack: binary_buildpack
  command: ./keyguard --configPath=config.json