Skip to content

nethershaw/keyholder

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

8 Commits
bin
bin
 
 
docs
docs
 
 
etc
etc
 
 
.gitignore
.gitignore
 
 
CONTRIBUTING.md
CONTRIBUTING.md
 
 
CREDITS
CREDITS
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
build.sh
build.sh
 
 

Repository files navigation

Keyholder

keyholder provides a means of allowing a group of trusted users to use a shared SSH identity without exposing the identity's private key. This is accomplished by running a pair of SSH agents as system services: keyholder-agent and keyholder-proxy:

  • keyholder-agent is the actual ssh-agent instance that holds the private key.
  • keyholder-proxy proxies requests to the agent via a domain socket that is world readable. The proxy implements a subset of the ssh-agent protocol, allowing users to list identities and to use them to sign requests, but not to add or remove identities.

The two services bind domain sockets at these addresses:

/run/keyholder
|__ agent.sock (0600)
|__ proxy.sock (0666)

Before the shared SSH agent can be used, it must be armed by a user with access to the private key. This can be done by running:

$ /usr/local/sbin/keyholder arm

Users in the trusted group can use the shared agent by running:

$ SSH_AUTH_SOCK=/run/keyholder/proxy.sock ssh remote-host ...

License

Apache 2.0

About

Securely share ssh agents among groups of users

phabricator.wikimedia.org/source/keyholder

Resources

Readme

License

View license
Activity

Stars

0 stars

Watchers

2 watching

Forks

1 fork
Report repository

Releases

3 tags

Packages

No packages published

Languages

  • Python 69.3%
  • Shell 30.7%