A little app to serve SSH keys over an authenticated endpoint. A helper script adds the fetched key to the SSH agent with an expiry, so it does not stay loaded indefinitely.
Only YubiKey one-time password (OTP) authentication is supported at the moment.
```
$ cat config.json
{
  "SSHKey": "id_rsa",                        # path to private key
  "LoaderScript": "loader.sh",               # path to the loader script
  "PublicUrl": "https://key.yourdomain.org", # public URL where the /key endpoint can be queried
  "Auth": {
    "clientId": "12345",                     # Yubico API credentials
    "apiKey": "apikey",
    "preferHttp": false
  }
}
```

The `#` comments above are annotations only; JSON has no comment syntax, so leave them out of the real file.
```
$ go build
$ nohup ./keyguard &
$ curl -s https://key.yourdomain.org | bash
OTP: ccccsfrhkrucdedthkkrdkkrbjdhidjkljktflhvjgcl   # this is where I pressed the YubiKey button
Identity added: /tmp/tmp.2GxYjzCLaE (/tmp/tmp.2GxYjzCLaE)
Lifetime set to 32400 seconds
```
You have to create an API key at Yubico (the `clientId` and `apiKey` in the `Auth` block) to use the authenticator.

The service exposes two endpoints:

- `/` responds with a shell script (check `loader.sh` for an example) that makes a second call to `/key` with the right request parameters. Different authentication mechanisms may need a tailored loader script as well.
- `/key` answers that second request; the successful response is the SSH key itself.
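The following is an added illustration of how a `/key` handler can gate the key behind a YubiKey OTP; it is not KeyGuard's own code. It assumes the OTP arrives in a request parameter named `otp`, that YubiCloud validation sits behind an `OTPVerifier` function built from the `Auth` credentials, and an `AllowedPublicID` setting (not a documented config field) that pins the endpoint to one enrolled YubiKey, since a valid OTP from any other YubiKey would otherwise also unlock the key.

```go
package main

import (
	"crypto/subtle"
	"net/http"
	"os"
	"strings"
)

// OTPVerifier abstracts YubiCloud validation (a real one would be built from clientId/apiKey in config.json).
type OTPVerifier func(otp string) (bool, error)

// KeyHandler serves the key only for a valid, single-use OTP from the one enrolled YubiKey.
// AllowedPublicID is an assumed config field: the first 12 modhex characters of that key's OTPs.
type KeyHandler struct {
	Verifier        OTPVerifier
	AllowedPublicID string
	KeyPath         string
}

const otpLen = 44 // 12-char public ID + 32-char encrypted block

func (h *KeyHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Cache-Control", "no-store") // never let the key land in a cache
	// Parameter name is an assumption; POST it in the body so it stays out of access logs.
	otp := strings.TrimSpace(r.FormValue("otp"))
	// Bind to the enrolled device first, then let YubiCloud reject malformed or replayed OTPs.
	if len(otp) != otpLen || subtle.ConstantTimeCompare([]byte(otp[:12]), []byte(h.AllowedPublicID)) != 1 {
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	if ok, err := h.Verifier(otp); err != nil || !ok {
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	key, err := os.ReadFile(h.KeyPath)
	if err != nil {
		http.Error(w, "internal error", http.StatusInternalServerError)
		return
	}
	w.Write(key)
}

func main() {
	// Wiring sketch: the placeholder verifier rejects everything; swap in the YubiCloud client.
	deny := func(string) (bool, error) { return false, nil }
	http.Handle("/key", &KeyHandler{Verifier: deny, AllowedPublicID: "cccccccccccc", KeyPath: "id_rsa"})
	panic(http.ListenAndServe("127.0.0.1:8080", nil))
}
```

Because YubiCloud marks each OTP as used, every fetch of the key costs one physical button press on the enrolled device.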
You can actually run KeyGuard on Cloud Foundry!

Build it, put your key and `config.json` in the folder and `cf push`. Don't forget to configure `PublicUrl` to the correct route beforehand.
You can use an encrypted SSH key if you are scared of pushing your key to a public cloud.

An example app manifest looks something like this:

```yaml
applications:
- name: keyguard
  memory: 32m
  buildpack: binary_buildpack
  command: ./keyguard --configPath=config.json
```