Trusted Key SSH authkeys
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
scripts
vendor/src
.gitignore
.gitmodules
.travis.yml
COPYING
Makefile
README.org
ethereum.go
issuer.go
keyinfo.go
main.go
pub.go
revokedkeys.go
sequence.dot
shell.nix

README.org

Trusted Key SSH authkeys

https://travis-ci.org/trustedkey/tk-ssh-authkeys.svg?branch=master

SSH key management utilizing the Trusted Key app and the Ethereum block chain

Trusted Key Authkeys is an optional tool for installation on a server managed by the Trusted Key Secure SSH Key.

When a user gets a new phone and recovers their Trusted Key App the associated SSH key will change.

This tool leverages the Trusted Key (ethereum based) blockchain to check for revocations and establish equivalence between the old and the new recovered key, eliminating the need to deploy new keys.

Installation

Debian/Ubuntu

Add the following to your sources.list (or sources.list.d)

deb [arch=amd64] https://deb.trustedkey.com/ /
apt-key adv --keyserver keyserver.ubuntu.com --recv-keys ECF25D3C6EFE67F3C507613210FEB5D9B9357BB5
apt-get update
apt-get install tk-ssh-agent

Redhat/Fedora

Add the following to /etc/yum.repos.d/trustedkey.repo

[trustedkey]
name=Trusted Key repository
baseurl=https://rpm.trustedkey.com/
enabled=1
gpgcheck=1
gpgkey=https://keyserver.ubuntu.com/pks/lookup?op=get&fingerprint=on&options=mr&search=0x10FEB5D9B9357BB5

NixOS

Use the Trusted key nixpkgs overlay

Configuring OpenSSH

Best practice configuration

Create openssh revoked keys file

sudo touch /etc/ssh-tk-revoked

Edit /eth/ssh/sshd_config

# Should be a user that _only_ does key checking and without login shell
AuthorizedKeysCommandUser=root

# Requires a local blockchain node syncing the trusted key blockchain
AuthorizedKeysCommand=/usr/bin/tk-ssh-authkeys --type %t --key %k --user %u --revokedkeys=/etc/ssh-tk-revoked --rpc http://localhost:8545 --contract '0x12c2ee109b17e20a2e5465a8d8ac6ccc2f9dfdbb'

# Run without a local blockchain
# AuthorizedKeysCommand=/usr/bin/tk-ssh-authkeys --type %t --key %k --user %u --revokedkeys=/etc/ssh-tk-revoked --issuer https://issuer.trustedkey.com/

# Disable non-trustedkey authentication
AuthorizedKeysFile=/dev/null
PasswordAuthentication=no
ChallengeResponseAuthentication=no
PubkeyAcceptedKeyTypes=ecdsa-sha2-nistp256
KexAlgorithms=ecdh-sha2-nistp256
MACs=hmac-sha2-256

# Cache revocations and let openssh know about them
RevokedKeys=/etc/ssh-tk-revoked