{"id":24941842,"url":"https://github.com/cynic-net/ckssh","last_synced_at":"2026-02-18T17:02:48.956Z","repository":{"id":100390467,"uuid":"56139302","full_name":"cynic-net/ckssh","owner":"cynic-net","description":"ckssh: SSH Agents with Compartmentalized Keys","archived":false,"fork":false,"pushed_at":"2025-12-02T08:04:52.000Z","size":154,"stargazers_count":2,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-12-05T03:19:56.359Z","etag":null,"topics":["ssh-agent","ssh-key-manager"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cynic-net.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2016-04-13T09:36:20.000Z","updated_at":"2025-12-02T08:04:57.000Z","dependencies_parsed_at":"2025-04-15T09:48:41.214Z","dependency_job_id":null,"html_url":"https://github.com/cynic-net/ckssh","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/cynic-net/ckssh","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cynic-net%2Fckssh","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cynic-net%2Fckssh/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cynic-net%2Fckssh/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cynic-net%2Fckssh/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/cynic-net","download_url":"https://codelo
ad.github.com/cynic-net/ckssh/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cynic-net%2Fckssh/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29587066,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-18T16:55:40.614Z","status":"ssl_error","status_checked_at":"2026-02-18T16:55:37.558Z","response_time":162,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ssh-agent","ssh-key-manager"],"created_at":"2025-02-02T18:56:47.507Z","updated_at":"2026-02-18T17:02:48.936Z","avatar_url":"https://github.com/cynic-net.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"ckssh - SSH Agents with Compartmentalized Keys\n==============================================\n\nForwarding of authentication agent connections over ssh is very\nconvenient, but also dangerous when forwarding to hosts where others\ndo or may have root access. Anybody who can gain access to the Unix\ndomain socket on which the local sshd is listening can send\nauthentication requests to your agent and thus effectively has use of\nall the keys in your agent.\n\nAsking the agent to confirm all requests for signatures (e.g., with\nthe `-c` option to `ssh-add`), if the agent supports this feature, can\nhelp prevent unauthorized use of keys. 
But even so this is both\ninconvenient and prone to error.\n\nCkssh helps mitigate the problem by allowing you easily to use\nseparate keys stored in separate agents for connections to different\nhosts. A typical use case would be to set up a separate key and agent\nfor a company so that if one of their servers is compromised (or has a\nmalicious actor) the only key that's compromised is the one you use\nfor that company, keeping keys for other companies and personal keys\nsafe.\n\n#### SSH Agent Restriction\n\nAnother method of doing this, as of OpenSSH 8.9, is to use [SSH agent\nrestriction], which differs in that:\n- It offers more fine-grained access when forwarding, including the ability\n  to drop the ability to use keys depending on the hops through which the agent\n  is forwarded.\n- It doesn't allow use of separate keys in local partitions (such as Docker\n  containers).\n- Its configuration can be more complex and harder to analyse.\n- It must be configured on a host-by-host basis; `ckssh` works for all\n  hosts you log into when forwarding that agent (including via multiple\n  hops). This can be an advantage or disadvantage, depending.\n- It requires that all hops understand the new protocol.\n\n[SSH agent restriction]: https://www.openssh.com/agent-restrict.html\n\n\nUsage\n-----\n\nIf this is your first time using this, see the [SETUP](SETUP.md) file\nto set up your initial configuration.\n\n`ckset` without an argument prints the current container name and\nensures that it is started and has all keys loaded. 
`ckset` with a\ncontainer name argument switches to that container and does the same.\nThe `-n`/`--no-load` option will disable loading of keys (though not\naffect any keys that are already loaded) and the `-f`/`--force` option\nwill take a container name to be valid even if it's not named in the\nconfiguration file.\n\nIn your desktop environment startup script you will probably want just\nto set the container without adding keys (`-n`/`--no-load`) since at\nthat point you might not yet have a way to prompt for the passphrase(s).\n\n### Command Details\n\n* `ckset [-f] [-n] [-v]`\n\n  Show the current compartment, starting an agent if necessary and\n  optionally adding configured keys that are not already added to the\n  agent.\n\n  If `SSH_AUTH_SOCK` is unset, `No compartment.` is printed to stderr\n  and the exit code is 1.\n\n  If `SSH_AUTH_SOCK` is set to a known compartment (i.e., one named in\n  the configuration file):\n  - The compartment name will be printed to stdout.\n  - An agent will be started for the compartment if one is not already\n    running. If an agent cannot be started ckset will exit with code `2`.\n  - Unless `-n` or `--no-load` is given, any configured keys that are\n    not currently loaded will be loaded. 
All unloaded keys will always\n    be attempted; if any attempt fails the exit code will be `3`, even\n    if other attempts are successful.\n\n  If `SSH_AUTH_SOCK` is set to a compartment not named in the\n  configuration file:\n  - The compartment name will always be printed to stdout.\n  - When an agent is not running for the compartment and neither the\n    `-f` nor the `--force` flag is given, a message will be printed to\n    stderr and the exit code will be `1`.\n  - If an agent is running for the compartment or the `-f` or\n    `--force` flag is given, the unconfigured compartment name will\n    not be treated as an error:\n    - No warning will be printed.\n    - An agent will be started for that compartment if one isn't\n      already running. If an agent cannot be started ckset will exit\n      with code `2`.\n\n  Adding `-v`/`--verbose` will print all the compartment's configured\n  keyfiles, noting which ones are present and absent in the agent.\n\n* `ckset [-f] [-n] COMPARTMENT-NAME`\n\n  Switch to the given compartment. Command-line completion should be\n  provided for the compartment name.\n\n  If the compartment is not named in the config file and no agent is\n  running for it ckset will exit with code `1`. The `-f` or `--force`\n  option will override the behaviour, treating the compartment as\n  known (though obviously without any keyfiles configured).\n\n  If no agent is running for the compartment one will be started.\n  ckset will exit with code `2` if an agent can't be started.\n\n  If `-n` or `--no-load` is given, the command is guaranteed never to\n  be interactive and is suitable for use in startup scripts that do\n  not have a tty such as `.xsession`. 
Otherwise an attempt will be\n  made to load all configured keyfiles that are not already loaded.\n  All unloaded keyfiles will be attempted; if any attempt fails the\n  exit code will be `3`.\n\n* `ckset -l [-v]`\n\n  List all compartments (configured with `CK_Compartment` directives)\n  and their code (running or not). With `-v`/`--verbose`, also show\n  the keyfiles configured for each compartment and whether or not they\n  are loaded.\n\n* `ckset -d [COMPARTMENT-NAME]`  \n  `ckset -D`\n\n  `-d` removes the keys from the named compartment or the current\n  compartment if no name is given. `-D` deletes the keys from all\n  running compartments (even those not named in the config file).\n\n### Exit Codes\n\nThe following exit codes are common to all commands.\n\n- 0: The command was entirely successful.\n- 1: The requested compartment does not exist (i.e., it's not named in\n     the configuration file) and the `-f`/`--force` option was not\n     supplied.\n- 2: The compartment could not be started (`ssh-agent` failed to start).\n- 3: The compartment was started, but at least one configured key\n     could not be added.\n\nCopyright and License\n---------------------\n\nckssh is copyright 2016, 2018 by Curt J. Sampson \u003ccjs@cynic.net\u003e\n\nThis program is free software: you can redistribute it and/or modify\nit under the terms of the GNU General Public License as published by\nthe Free Software Foundation, either version 3 of the License, or\n(at your option) any later version.\n\nThis program is distributed in the hope that it will be useful,\nbut WITHOUT ANY WARRANTY; without even the implied warranty of\nMERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\nGNU General Public License for more details.\n\nYou should have received a copy of the GNU General Public License\nalong with this program.  
If not, see \u003chttp://www.gnu.org/licenses/\u003e.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcynic-net%2Fckssh","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcynic-net%2Fckssh","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcynic-net%2Fckssh/lists"}