Skip to content
This repository has been archived by the owner. It is now read-only.
Go to file

Latest commit


Git stats


Failed to load latest commit information.
Latest commit message
Commit time

SSH Keys from Remotes

Warning: Still unstable—before 1.0, automatic updates may lock you out of systems.

Build Status

Disclaimer: No serious security testing has been performed. Use at your own risk!

Allow ssh login via keys automatically updated from an external source (e.g. GitHub).


It can be challenging keeping SSH keys up to date across infrequently accessed machines. On the other hand, services like GitHub and Gitlab are easier to remember, and publish the SSH public keys for each user via easily-accessed URLs. Alternatively, you can centralise your public keys in a place you control and rely upon that.

ssh-keys-from-remotes accepts a basic mapping of a UNIX user to remote lists of keys, and fetches these when an SSH login is attempted for mapped users. It also caches keys when accessed, to ensure the keys are still recognised when there are connectivity issues.

This model introduces new points of attack in your system, but may be an acceptable tradeoff vs the risk of a) losing access to infrequently accessed machines, or b) accidentally leaving compromised public keys on the system.

There are better ways to accomplish this if you have access to provisioning systems like Chef or Ansible, or if you want to enable access for GitHub/Gitlab teams. Otherwise, this tool provides a low-maintenance, low friction means of keeping your keys up to date.


The preferred approach is to use the repository (to ensure unattended updates work):

# Debian-based distros (using apt):

sudo apt-key adv --fetch-keys
sudo apt-add-repository 'deb stable main'
sudo apt install ssh-keys-from-remotes

Binary and deb releases are also published to GitHub Releases whenever a new release is created. Support for other environments is not planned at this time, but is negotiable.


Replace the following lines in /etc/ssh/sshd_config:

-#AuthorizedKeysCommand none
-#AuthorizedKeysCommandUser nobody
+AuthorizedKeysCommand /usr/bin/ssh-keys-from-remotes pull %u
+AuthorizedKeysCommandUser ssh_keys_from_remotes

Edit /etc/ssh-keys-remotes.toml to map local users to remote keys. You may use multiple urls per user in an array format (e.g. allowing multiple GitHub users to log in to one local user account).

Please only use https:// urls, or you risk easily letting an attacker control the list of valid keys.

Finally, reload your SSH server with sudo systemctl reload ssh, and test your SSH configuration in a new terminal before closing the current connection.

Planned Work

  • Add tests to confirm and document expected behaviour
  • Add convenience config properties for GitHub and Gitlab
  • Support TTLs on cache


Allow ssh login via keys automatically updated from an external source (e.g. GitHub).



No packages published
You can’t perform that action at this time.