/keybot

Plumbing tool for ssh and other auth methods: it loads smart cards (PKCS#11), passphrase-protected key files and TOTP generators from one config file into a running ssh-agent.


Sample configuration (the systemd unit below expects it at `~/.config/keybot/config`). It holds card PINs, key passphrases and TOTP secrets in cleartext, so keep the file readable only by your user.

# Sample keybot configuration. Every pin / passphrase / secret below is stored
# in cleartext, so keep this file owner-readable only (e.g. chmod 600) and do
# not commit it anywhere; the values shown are placeholders.
[general]
# ssh-agent socket that keys and cards are loaded into. This is the -a path of
# the ssh-agent unit in this README; an entry can override it (see [keys.main]).
ssh_auth_sock = '~/.ssh/ssh-agent.socket'

# Smart cards / PKCS#11 tokens.
[cards]
[cards.somecard]
# PKCS#11 provider library. With the ssh-agent unit in this README it must also
# fall inside the agent's -P allowlist, otherwise the agent refuses to load it.
path = '/usr/lib/ssl/engines/libpkcs11.so'
token_serial_number = 'ffffffffffffffff'
# Card PIN in cleartext. Cards typically lock after a few wrong PINs, so a typo
# here is costly. NOTE(review): how remember_pin caches the PIN is not shown in
# this README -- confirm before relying on it.
pin = '123456'
remember_pin = true

# Plain private key files.
[keys]
[keys.main]
path = '~/.ssh/id_rsa'
# Key passphrase in cleartext; same remember_pin caveat as above.
pin = 'some passphrase'
remember_pin = true
# Per-entry override of the agent socket. No unit for this second socket is
# shown in this README, so it must be started some other way.
ssh_auth_sock = '~/.ssh/agent2.sock'

# TOTP generators.
[totp]
[totp.google]
# Shared TOTP secret in cleartext -- whoever reads it owns the second factor.
secret = '33THUCKSECRET333'
# Presumably where the generated code is written (TODO confirm); keep its mode
# restrictive too, since anyone who can read it gets a valid code.
path = '~/.totp_file_output'

systemd user service sample

# keybot user service. It runs as your own user, so it can read the config
# file and reach the agent socket -- and so can every other process in your
# session; that is inherent to a user-level daemon.
[Unit]
Description=Keybot daemon
# Stops and restarts together with the graphical session.
PartOf=graphical-session.target

[Service]
Type=simple
# %h expands to the user's home directory. The config file holds cleartext
# PINs/secrets, so keep it mode 0600.
ExecStart=/usr/local/bin/kb -c %h/.config/keybot/config
# Restart only after a non-clean exit, not after a deliberate stop.
Restart=on-failure

[Install]
# Pulled in whenever the graphical session starts (once enabled).
WantedBy=graphical-session.target

Copy the sample to `~/.config/systemd/user/keybot.service`, then enable and start it for your user:

# Enable the unit for this user (it then starts with the graphical session)
# and start it right away.
systemctl --user enable keybot
systemctl --user start keybot

SSH client config example (`~/.ssh/config`)

# Pick the credential by host suffix: hosts named *.smartcard authenticate with
# the PKCS#11 token, hosts named *.key with the key file. Adjust User to your
# account. NOTE(review): neither block sets HostName, so these names must
# resolve as written or be mapped elsewhere in the config.
Host *.smartcard
    User thuck
    # Offer only the identities from the provider below, not every key the
    # agent holds, so the server does not drop the connection for too many
    # authentication failures.
    IdentitiesOnly yes
    # Same library as the [cards] path in the keybot config.
    PKCS11Provider /usr/lib/ssl/engines/libpkcs11.so

Host *.key
    User thuck
    IdentitiesOnly yes
    # Same file as the [keys.main] path in the keybot config.
    IdentityFile ~/.ssh/id_rsa

Using `IdentitiesOnly yes` together with `PKCS11Provider` or `IdentityFile` avoids the error `Received disconnect from UNKNOWN port 65535:2: too many authentication failures`, because it makes ssh offer only the listed identity to the remote host instead of every key held by the agent (each rejected key counts as a failed attempt on the server side).

SSH agent systemd user service

# ssh-agent user service listening on the fixed socket path that the keybot
# config uses as ssh_auth_sock. The socket lives under ~/.ssh, so keep that
# directory mode 0700.
[Unit]
Description=OpenSSH private key agent
# Shrinks the start-rate-limit window to 1s so repeated Restart= attempts are
# not refused (systemd's default is 5 starts per 10s). Presumably intentional
# -- TODO confirm.
StartLimitIntervalSec=1s

[Service]
# ssh-agent daemonizes itself when not started with -d/-D.
Type=forking
# Remove a stale socket left by a previous session, otherwise bind() fails.
ExecStartPre=/bin/rm -f %h/.ssh/ssh-agent.socket
# -a: listen on this socket path.
# -P: allowlist of PKCS#11 provider libraries that ssh-add -s may load into
#     the agent. These globs admit any shared library under /usr/lib,
#     /usr/local/lib or /lib; narrowing the list to the single provider in use
#     (the libpkcs11.so path from the keybot config) limits what a client of
#     this socket can get the agent to load.
ExecStart=/usr/bin/ssh-agent -a %h/.ssh/ssh-agent.socket -P '/usr/lib/*,/usr/local/lib/*,/lib/*'
# Restart only after a non-clean exit.
Restart=on-failure

[Install]
# Started when the user's session manager starts (once enabled).
WantedBy=default.target

Copy the sample to `~/.config/systemd/user/ssh-agent.service`, then enable and start it for your user:

# Enable the agent for this user (it then starts at login) and start it now.
systemctl --user enable ssh-agent
systemctl --user start ssh-agent

OS dependency

gir1.2-notify (Debian/Ubuntu package name: the GObject introspection data for libnotify, used for desktop notifications)