Signmykey is an automated SSH Certificate Authority. It allows you to securly and centraly manage SSH accesses to your infrastructure.
Three types of backends are supported by Signmykey:
- Authorization: users can be authentified through different systems like LDAP or Local map.
- Principals: list of principals applied to SSH certificates can be created dynamically from LDAP groups or set staticaly in local config.
- Signer: cryptographic signing operations of SSH certificates can be done directly by Signmykey or via Hashicorp Vault.
Install
- Download signmykey zip file (on 64bits linux):
curl -Lo signmykey_linux_amd64.zip https://github.com/signmykeyio/signmykey/releases/download/v0.3.0/signmykey_linux_amd64.zip
unzip signmykey_linux_amd64.zip
sudo mv signmykey_linux_amd64 /usr/bin/signmykey
Quickstart
- Start server in dev mode (replace myremoteuser by the name of the user you want to connect on remote server):
signmykey server dev -u myremoteuser
- Follow "Server side" instructions displayed by previous command, ex:
### Server side
An ephemeral certificate authority is created for this instance and will die with it.
To deploy this CA on destination servers, you can launch this command:
$ echo "ssh-rsa fakeCApubKey" > /etc/ssh/ca.pub
You then have to add this line to "/etc/ssh/sshd_config" and restart OpenSSH server:
TrustedUserCAKeys /etc/ssh/ca.pub
- Follow "Client side" instructions, ex:
### Client side
A temporary user is created with this parameters:
user: myremoteuser
password: fakepassword
principals: myremoteuser
You can sign your key with this command:
$ signmykey -a http://127.0.0.1:9600/ -u myremoteuser
Documentation
Documentation is available at https://signmykey.io/