{"id":19957017,"url":"https://github.com/anmolnagpal/docker-keybox","last_synced_at":"2026-04-20T13:36:08.879Z","repository":{"id":94618987,"uuid":"85938981","full_name":"anmolnagpal/docker-keybox","owner":"anmolnagpal","description":null,"archived":false,"fork":false,"pushed_at":"2017-11-09T16:09:14.000Z","size":18248,"stargazers_count":0,"open_issues_count":0,"forks_count":1,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-08-23T19:47:29.137Z","etag":null,"topics":["docker","docker-composer","keybox"],"latest_commit_sha":null,"homepage":null,"language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/anmolnagpal.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2017-03-23T10:51:47.000Z","updated_at":"2017-04-01T07:59:28.000Z","dependencies_parsed_at":"2023-04-26T15:16:45.323Z","dependency_job_id":null,"html_url":"https://github.com/anmolnagpal/docker-keybox","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/anmolnagpal/docker-keybox","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/anmolnagpal%2Fdocker-keybox","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/anmolnagpal%2Fdocker-keybox/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/anmolnagpal%2Fdocker-keybox/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/anmolnagpal%2Fdocker-keybox/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/
owners/anmolnagpal","download_url":"https://codeload.github.com/anmolnagpal/docker-keybox/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/anmolnagpal%2Fdocker-keybox/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32049084,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-20T11:35:06.609Z","status":"ssl_error","status_checked_at":"2026-04-20T11:34:48.899Z","response_time":94,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["docker","docker-composer","keybox"],"created_at":"2024-11-13T01:36:19.890Z","updated_at":"2026-04-20T13:36:08.841Z","avatar_url":"https://github.com/anmolnagpal.png","language":"JavaScript","funding_links":["https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick\u0026hosted_button_id=KKRTX5GB9GDF8"],"categories":[],"sub_categories":[],"readme":"KeyBox\n======\nKeyBox is a web-based SSH console that centrally manages administrative access to systems. Web-based administration is combined with management and distribution of user's public SSH keys. Key management and administration is based on profiles assigned to defined users.\n\nAdministrators can login using two-factor authentication with [FreeOTP](https://freeotp.github.io/) or [Google Authenticator](https://github.com/google/google-authenticator). 
From there they can manage their public SSH keys or connect to their systems through a web-shell. Commands can be shared across shells to make patching easier and eliminate redundant command execution.\n\nKeyBox layers TLS/SSL on top of SSH and acts as a bastion host for administration. Protocols are stacked (TLS/SSL + SSH) so infrastructure cannot be exposed through tunneling / port forwarding. More details can be found in the following whitepaper: [The Security Implications of SSH](http://www.sans.org/reading-room/whitepapers/vpns/security-implications-ssh-1180). Also, SSH key management is enabled by default to prevent unmanaged public keys and enforce best practices.\n\n![Terminals](http://sshkeybox.com/img/screenshots/medium/terms.png)\n\nPrerequisites\n-------------\n* Java JDK 1.8 or greater\nhttp://www.oracle.com/technetwork/java/javase/downloads/index.html\n\n* Browser with Web Socket support\nhttp://caniuse.com/websockets *Note: In Safari if using a self-signed certificate you must import the certificate into your Keychain.\nSelect 'Show Certificate' -\u003e 'Always Trust' when prompted in Safari*\n\n* Maven 3 or greater  ( Only needed if building from source )\nhttp://maven.apache.org\n\n* Install [FreeOTP](https://freeotp.github.io/) or [Google Authenticator](https://github.com/google/google-authenticator) to enable two-factor authentication with Android or iOS\n\n    | Application          | Android                                                                                             | iOS                                                                        |             \n    |----------------------|-----------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------|\n    | FreeOTP              | [Google Play](https://play.google.com/store/apps/details?id=org.fedorahosted.freeotp)               | 
[iTunes](https://itunes.apple.com/us/app/freeotp/id872559395)              |\n    | Google Authenticator | [Google Play](https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2) | [iTunes](https://itunes.apple.com/us/app/google-authenticator/id388497605) |\n\n\nTo Run Bundled with Jetty\n------\nIf you're not big on the idea of building from source...\n\nDownload keybox-jetty-vXX.XX.tar.gz\n\nhttps://github.com/skavanagh/KeyBox/releases\n\nExport environment variables\n\nfor Linux/Unix/OSX\n\n     export JAVA_HOME=/path/to/jdk\n     export PATH=$JAVA_HOME/bin:$PATH\n\nfor Windows\n\n     set JAVA_HOME=C:\\path\\to\\jdk\n     set PATH=%JAVA_HOME%\\bin;%PATH%\n\nStart KeyBox\n\nfor Linux/Unix/OSX\n\n        ./startKeyBox.sh\n\nfor Windows\n\n        startKeyBox.bat\n\nHow to [Configure SSL in Jetty](http://www.eclipse.org/jetty/documentation/current/configuring-ssl.html)\n(it is a good idea to add or generate your own unique certificate)\n\nhttp://www.eclipse.org/jetty/documentation/current/configuring-ssl.html\n\nTo Build from Source\n------\nExport environment variables\n\n    export JAVA_HOME=/path/to/jdk\n    export M2_HOME=/path/to/maven\n    export PATH=$JAVA_HOME/bin:$M2_HOME/bin:$PATH\n\nIn the directory that contains the pom.xml run\n\n\tmvn package jetty:run\n\n**Note: Doing a mvn clean will delete the H2 DB and wipe out all the data.\n\nManaging SSH Keys\n------\nBy default KeyBox will overwrite all values in the specified authorized_keys file for a system.  You can disable key management by editing KeyBoxConfig.properties file and use KeyBox only as a bastion host.  This file is located in the jetty/keybox/WEB-INF/classes directory. (or the src/main/resources directory if building from source)\n\n\t#set to false to disable key management. 
If false, the KeyBox public key will be appended to the authorized_keys file (instead of it being overwritten completely).\n\tkeyManagementEnabled=false\n\nAlso, the authorized_keys file is updated/refreshed periodically based on the relationships defined in the application.  If key management is enabled the refresh interval can be specified in the KeyBoxConfig.properties file.\n\n\t#authorized_keys refresh interval in minutes (no refresh for \u003c=0)\n\tauthKeysRefreshInterval=120\n\nBy default KeyBox will generate and distribute the SSH keys managed by administrators while having them download the generated private key. This forces admins to use strong passphrases for keys that are set on systems.  The private key is only available for download once and is not stored on the application side.  To disable this and allow administrators to set any public key, edit the KeyBoxConfig.properties.\n\n\t#set to true to generate keys when added/managed by users and enforce strong passphrases; set to false to allow users to set their own public key\n\tforceUserKeyGeneration=false\n\nSupplying a Custom SSH Key Pair\n------\nKeyBox generates its own public/private SSH key upon initial startup for use when registering systems.  You can specify a custom SSH key pair in the KeyBoxConfig.properties file.\n\nFor example:\n\n\t#set to true to regenerate and import SSH keys  --set to true\n\tresetApplicationSSHKey=true\n\n\t#SSH Key Type 'dsa' or 'rsa'\n\tsshKeyType=rsa\n\n\t#private key  --set pvt key\n\tprivateKey=/Users/kavanagh/.ssh/id_rsa\n\n\t#public key  --set pub key\n\tpublicKey=/Users/kavanagh/.ssh/id_rsa.pub\n\t\n\t#default passphrase  --leave blank if passphrase is empty\n\tdefaultSSHPassphrase=myPa$$w0rd\n\t\nAfter startup and once the key has been registered it can then be removed from the system. 
The passphrase and the key paths will be removed from the configuration file.\n\nAdjusting Database Settings\n------\nDatabase settings can be adjusted in the configuration properties.\n\n    #Database user\n    dbUser=keybox\n    #Database password\n    dbPassword=p@$$w0rd!!\n    #Database JDBC driver\n    dbDriver=org.h2.Driver\n    #Connection URL to the DB\n    dbConnectionURL=jdbc:h2:keydb/keybox;CIPHER=AES;\n\nBy default the datastore is set as embedded, but a remote H2 database can be supported by adjusting the connection URL.\n\n    #Connection URL to the DB\n\tdbConnectionURL=jdbc:h2:tcp://\u003chost\u003e:\u003cport\u003e/~/keybox;CIPHER=AES;\n\nExternal Authentication\n------\nExternal Authentication can be enabled through the KeyBoxConfig.properties.\n\nFor example:\n\n\t#specify an external authentication module (ex: ldap-ol, ldap-ad).  Edit the jaas.conf to set connection details\n\tjaasModule=ldap-ol\n    \nConnection details need to be set in the jaas.conf file\n\n    ldap-ol {\n    \tcom.sun.security.auth.module.LdapLoginModule SUFFICIENT\n    \tuserProvider=\"ldap://hostname:389/ou=example,dc=keybox,dc=com\"\n    \tuserFilter=\"(\u0026(uid={USERNAME})(objectClass=inetOrgPerson))\"\n    \tauthzIdentity=\"{cn}\"\n    \tuseSSL=false\n    \tdebug=false;\n    };\n    \n\nAdministrators will be added as they are authenticated and profiles of systems may be assigned by full-privileged users.\n\nUser LDAP roles can be mapped to profiles defined in KeyBox through the use of the org.eclipse.jetty.jaas.spi.LdapLoginModule.\n\n    ldap-ol-with-roles {\n        //openldap auth with roles that can map to profiles\n        org.eclipse.jetty.jaas.spi.LdapLoginModule required\n        debug=\"false\"\n        useLdaps=\"false\"\n        contextFactory=\"com.sun.jndi.ldap.LdapCtxFactory\"\n        hostname=\"\u003cSERVER\u003e\"\n        port=\"389\"\n        bindDn=\"\u003cBIND-DN\u003e\"\n        bindPassword=\"\u003cBIND-DN PASSWORD\u003e\"\n        
authenticationMethod=\"simple\"\n        forceBindingLogin=\"true\"\n        userBaseDn=\"ou=users,dc=keybox,dc=com\"\n        userRdnAttribute=\"uid\"\n        userIdAttribute=\"uid\"\n        userPasswordAttribute=\"userPassword\"\n        userObjectClass=\"inetOrgPerson\"\n        roleBaseDn=\"ou=groups,dc=keybox,dc=com\"\n        roleNameAttribute=\"cn\"\n        roleMemberAttribute=\"member\"\n        roleObjectClass=\"groupOfNames\";\n    };\n\nUsers will be added/removed from defined profiles as they log in and when the role name matches the profile name.\n\nAuditing\n------\nAuditing is disabled by default and is only a proof of concept.  It can be enabled in the KeyBoxConfig.properties.\n\n\t#enable audit  --set to true to enable\n\tenableInternalAudit=true\n\nUsing KeyBox\n------\nOpen browser to https://\\\u003cwhatever ip\\\u003e:8443\n\nLogin with\n\n\tusername:admin\n\tpassword:changeme\n\nSteps:\n\n1. Create systems\n2. Create profiles\n3. Assign systems to profile\n4. Assign profiles to users\n5. Users can log in to create sessions on assigned systems\n6. Start a composite SSH session or create and execute a script across multiple sessions\n7. Add additional public keys to systems\n8. Disable any administrative public key forcing key rotation.\n9. 
Audit session history\n\nScreenshots\n-----------\n![Login](http://sshkeybox.com/img/screenshots/medium/login.png)\n\n![Two-Factor](http://sshkeybox.com/img/screenshots/medium/two-factor.png)\n\n![More Terminals](http://sshkeybox.com/img/screenshots/medium/more_terms.png)\n\n![Manage Systems](http://sshkeybox.com/img/screenshots/medium/manage_systems.png)\n\n![Manage Users](http://sshkeybox.com/img/screenshots/medium/manage_users.png)\n\n![Define SSH Keys](http://sshkeybox.com/img/screenshots/medium/manage_keys.png)\n\n![Disable SSH Keys](http://sshkeybox.com/img/screenshots/medium/disable_keys.png)\n\nAcknowledgments\n------\nSpecial thanks go to these amazing projects which make this (and other great projects) possible.\n\n+ [JSch](http://www.jcraft.com/jsch) Java Secure Channel - by [ymnk](https://github.com/ymnk)\n+ [term.js](https://github.com/chjj/term.js) A terminal written in javascript - by [chjj](https://github.com/chjj)\n\nThird-party dependencies are mentioned in the [_3rdPartyLicenses.md_](3rdPartyLicenses.md)\n\nAuthor\n------\n**Sean Kavanagh**\n\n+ sean.p.kavanagh6@gmail.com\n+ https://twitter.com/spkavanagh6\n\n(Follow me on twitter for release updates, but mostly nonsense)\n\nDonate\n------\nDonations are always welcome!\n\n\u003cspan class=\"badge-paypal\"\u003e\u003ca href=\"https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick\u0026hosted_button_id=KKRTX5GB9GDF8\" title=\"Donate to this project using Paypal\"\u003e\u003cimg src=\"https://img.shields.io/badge/paypal-donate-yellow.svg\" alt=\"PayPal donate button\" /\u003e\u003c/a\u003e\u003c/span\u003e\n \n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fanmolnagpal%2Fdocker-keybox","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fanmolnagpal%2Fdocker-keybox","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fanmolnagpal%2Fdocker-keybox/lists"}