{"id":24012866,"url":"https://github.com/glassechidna/kms-host-key","last_synced_at":"2025-04-15T08:38:05.822Z","repository":{"id":57569717,"uuid":"236446640","full_name":"glassechidna/kms-host-key","owner":"glassechidna","description":"An easy way to give all your EC2 instances SSH host certificates","archived":false,"fork":false,"pushed_at":"2023-02-25T01:12:44.000Z","size":14,"stargazers_count":16,"open_issues_count":2,"forks_count":2,"subscribers_count":5,"default_branch":"master","last_synced_at":"2025-03-28T18:11:31.715Z","etag":null,"topics":["aws","aws-sdk-go","certificates","ec2","go","kms","ssh"],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/glassechidna.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-01-27T08:25:42.000Z","updated_at":"2024-11-16T14:28:41.000Z","dependencies_parsed_at":"2024-06-20T09:29:21.595Z","dependency_job_id":"3d02efca-9338-4de8-8256-07b1811da568","html_url":"https://github.com/glassechidna/kms-host-key","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/glassechidna%2Fkms-host-key","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/glassechidna%2Fkms-host-key/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/glassechidna%2Fkms-host-key/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/glassechidna%2Fkms-host-key/manifests","
owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/glassechidna","download_url":"https://codeload.github.com/glassechidna/kms-host-key/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":249038499,"owners_count":21202720,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","aws-sdk-go","certificates","ec2","go","kms","ssh"],"created_at":"2025-01-08T06:22:38.073Z","updated_at":"2025-04-15T08:38:05.802Z","avatar_url":"https://github.com/glassechidna.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# kms-host-key\n\n[EC2 Instance Connect][eic] filled a much-needed gap for AWS users who wanted a way\nto log into EC2 instances over SSH without the hassle of managing SSH keys.\n\nThe missing piece of the puzzle is authenticating the host you are logging into.\nEven if you don't care about the possibility of a [MITM][mitm] attack, this message is\na pain. Especially if you are automating your SSH and don't have a TTY present\nto type \"yes\":\n\n\u003e The authenticity of host '1.2.3.4 (1.2.3.4)' can't be established.\n\u003e RSA key fingerprint is SHA256:PMxq13AoZOG2KZ5qPaZCgMpzJx8gyKLxaE/e5Q//4GE.\n\u003e Are you sure you want to continue connecting (yes/no)? \n\nThat's where `kms-host-key` comes in. Include it in your EC2 userdata script\nand it requests that [AWS KMS][kms] sign the instance's host key. This means that you\nand your colleagues can add a single line to your `~/.ssh/known_hosts` and never\nsee that pesky warning again. 
That line would look something like:\n\n    echo '@cert-authority * ssh-rsa AAAAB3NzaC1yc...' \u003e\u003e ~/.ssh/known_hosts \n\n## Usage\n\nFirst, create an **RSA** KMS key with the following key policy:\n\n```json\n{\n  \"Version\": \"2012-10-17\",\n  \"Id\": \"key-default-1\",\n  \"Statement\": [\n    {\n      \"Sid\": \"Enable IAM User Permissions\",\n      \"Effect\": \"Allow\",\n      \"Principal\": {\n        \"AWS\": \"arn:aws:iam::YOUR_ACCOUNT_ID:root\"\n      },\n      \"Action\": \"kms:*\",\n      \"Resource\": \"*\"\n    },\n    {\n      \"Sid\": \"AllowAnyoneToPrintPubKey\",\n      \"Effect\": \"Allow\",\n      \"Principal\": \"*\",\n      \"Action\": \"kms:GetPublicKey\",\n      \"Resource\": \"*\",\n      \"Condition\": {\n        \"StringEquals\": {\n          \"aws:PrincipalOrgID\": \"o-YOUR_ORG_ID\"\n        }\n      }\n    },\n    {\n      \"Sid\": \"AllowEC2ToSignPartOne\",\n      \"Effect\": \"Allow\",\n      \"Principal\": \"*\",\n      \"Action\": \"kms:Sign\",\n      \"Resource\": \"*\",\n      \"Condition\": {\n        \"StringEquals\": {\n          \"aws:PrincipalOrgID\": \"o-YOUR_ORG_ID\"\n        }\n      }\n    },\n    {\n      \"Sid\": \"AllowEC2ToSignPartTwo\",\n      \"Effect\": \"Deny\",\n      \"Principal\": \"*\",\n      \"Action\": \"kms:Sign\",\n      \"Resource\": \"*\",\n      \"Condition\": {\n        \"Null\": {\n          \"ec2:SourceInstanceARN\": \"true\"\n        }\n      }\n    }\n  ]\n}\n```\n\nIt is also recommended to give it an alias of `alias/hostkeysigner` - this is \nthe default used by `kms-host-key` and will require less configuration on your\nbehalf.\n\nNext, add the following to your userdata:\n\n```shell script\n# download\ncurl -o kms-host-key.tgz -L https://github.com/glassechidna/kms-host-key/releases/download/0.1.0/kms-host-key_0.1.0_linux_amd64.tar.gz\ntar -xvf kms-host-key.tgz\n\n# run\n./kms-host-key -g \u003e\u003e /etc/ssh/ssh_host_rsa_key-cert.pub\necho 'HostCertificate 
/etc/ssh/ssh_host_rsa_key-cert.pub' \u003e\u003e /etc/ssh/sshd_config\nservice sshd restart\n\n# cleanup\nrm kms-host-key kms-host-key.tgz\n```\n\nFinally, download `kms-host-key` on your laptop and run this:\n\n    kms-host-key -c \u003e\u003e ~/.ssh/known_hosts\n    \nYou're ready to get started!\n\n## Cross-account/region considerations\n\nBy default, the above KMS key policy is sufficient to grant instances in the same\n*account* permission to create signed host keys. If you wish for instances in\nother accounts (but still within the same AWS organization) to be able to sign\ntheir host keys, they will need to have `kms:Sign` permissions in their instance\nprofiles' IAM roles.\n\nLikewise, by default `kms-host-key` assumes that an unqualified key ID or alias\nrefers to a key in the same region as the instance. This behaviour can be changed\nby specifying a full key ARN, e.g. `arn:aws:kms:us-east-1:0123456789012:alias/hostkeysigner`\nwhich will work across regions.\n\n[eic]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-connect-methods.html\n[mitm]: https://en.wikipedia.org/wiki/Man-in-the-middle_attack\n[kms]: https://aws.amazon.com/kms/\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fglassechidna%2Fkms-host-key","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fglassechidna%2Fkms-host-key","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fglassechidna%2Fkms-host-key/lists"}