{"id":19378940,"url":"https://github.com/linbit/lbkeyper","last_synced_at":"2026-06-08T20:32:28.250Z","repository":{"id":82827804,"uuid":"567747466","full_name":"LINBIT/lbkeyper","owner":"LINBIT","description":"simple AuthorizedKeys management","archived":false,"fork":false,"pushed_at":"2026-03-04T13:17:44.000Z","size":26,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":6,"default_branch":"master","last_synced_at":"2026-03-04T20:53:52.775Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/LINBIT.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2022-11-18T13:36:53.000Z","updated_at":"2026-03-04T13:17:48.000Z","dependencies_parsed_at":null,"dependency_job_id":"f1ca1280-b216-407e-b859-923650684627","html_url":"https://github.com/LINBIT/lbkeyper","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/LINBIT/lbkeyper","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/LINBIT%2Flbkeyper","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/LINBIT%2Flbkeyper/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/LINBIT%2Flbkeyper/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/LINBIT%2Flbkeyper/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/LINBIT","download_url":"https://codeload.github.com/LINBIT/lbkeyper/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/LINBIT%2Flbkeyper/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34080027,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-08T02:00:07.615Z","response_time":111,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-10T09:08:02.085Z","updated_at":"2026-06-08T20:32:28.244Z","avatar_url":"https://github.com/LINBIT.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# lbkeyper\n\n`lbkeyper` allows you to centrally manage `AuthorizedKeys` for your users and servers. User keys can be\nspecified in a configuration or fetched from Github/Gitlab. The client part implements a key cache, so that\nyou are not locked out if the daemon is currently not accessible.\n\n`lbkeyper` consists of a server and a client part. The server is started with a `toml` configuration that\nallows specifying users with their keys, user groups, servers and server groups.\n\nThe server exposes a http(s) API hat can be used to query the keys for a user on a particular host. Usually\nthe daemon is not queried directly but from `sshd` via a shell script. One can get this shell script via the\n`/auth.sh` endpoint. The end of the generated shell script contains commented configuration information for\nthe local `sshd` daemon.\n\n# Example configuration\nHere we assume a small company (acme.com) with 3 users and a handful of servers including www servers and a\npackage build server. The admin would probably allocate a lbkeyper.acme.com server (or use an existing one) and\nwrite a configuration file similar to the following:\n\n```\n[users]\n[users.alice]\nkeys = [\n  \"https://gitlab.acme.com/alice.keys\",\n  \"ssh-ed25519 AAAAC3NzaC... alice@laptop\"\n]\n\n[users.bob]\nkeys = [ \"https://github.com/bob.keys\" ]\n\n[users.charlie]\nkeys = [ \"https://github.com/charlie.keys\" ]\n\n\n[usergroups.admins]\nmembers = [ \"alice\", \"charlie\" ]\n\n[usergroups.pkgmaintainers]\nmembers = [ \"alice\", \"bob\" ]\n\n[servers.builder]\nmapusers = true  # this allows non specified users to log in as well (e.g., alice@builder)\n[servers.builder.users]\nbuild = [ \"@pkgmaintainers\", \"charlie\" ]\n\n[servergroups.www]\nmembers = [ \"www\", \"www2\", \"www3\" ]\n[servergroups.www.users]\nroot = [ \"@admins\" ]\nuploader = [ \"@pkgmaintainers\" ]\n```\n\nLet's discuss the example top down. First we have the `[users]` section that defines individual users and\ntheir public ssh keys. Here we see that Alice has one typical ssh public key starting with \"ssh-ed25519\", and\nother keys that are automatically fetched via https. Github and Gitlab for example allow retrieving keys like\nthat. In genral every http(s) server that returns public keys on http-GET should work.\n\nTo ease configuration, users can be grouped. In our example we see that Alice and Charlie are in the user\ngroup \"admins\".\n\nThe main sections are `[servers]` and `[servergroups]`. This basically defines a mapping between\nssh usernames and users defined in the config. As you can see, user groups are referenced via `@groupname`. In\nthe example above the server \"builder\" can be accessed by the ssh user \"build\", and all users in the\n\"pkgmaintainers\" user group and \"charlie\" are allowed. Sometimes there are servers where all your users have\naccounts and where all of these users should be able to log in. This would require mappings like `user1 =\nuser1`. To avoid that, one can set `mapusers = true`, and all users defined in the `[users]` section are\nmapped automatically.\n\nSometimes there are servers that need the same permissions, or they are part of a larger cluster. One can group\nthese via server groups as shown for the www servers. Here we define a `servergroup` named \"www\", and then we\ndefine all of its members. An entry of a `servergroup` can specify all the keys an ordinary `server`\nsection can (i.e., a list of `users`, and `mapusers`). In our example Alice, as part of the user group\n\"admins\" would be allowed to access the server \"www2\" as user \"root\".\n\nAfter writing the config and starting the daemon, we assume `https://lbkeyper.acme.com`, a first test would be\n`curl https://lbkeyper.acme.com/api/v1/hello`. This should be successful and return the commit hash of the\nrunning daemon.\n\nThe next step would be a sample query like `curl -L https://lbkeyper.acme.com/api/v1/keys/builder/charlie`, which\nshould return Charlie's public keys.\n\nFinally one would integrate it on a host like \"builder\":\n\n```\nroot@builder$ curl -fsSL https://lbkeyper.acme.com/setup.sh | bash -s\n```\n\nAlternatively, if automatic configuration fails or is undesired:\n\n```\nroot@builder$ cd /etc/ssh\nroot@builder$ curl https://lbkeyper.acme.com/auth.sh \u003e auth.sh\nroot@builder$ cat auth.sh to see the commented configuration options\nroot@builder$ chown root:root auth.sh\nroot@builder$ chmod 700 auth.sh\nroot@builder$ ./auth.sh root # final test to see allowed keys for root\nroot@builder$ vim sshd_config # set at least AuthorizedKeyCommand and AuthorizedKeyCommandUser\nroot@builder$ systemctl restart sshd\n```\n\n# Containers\n\n```\ndocker run -it --rm \\\n  -p 80:80 \\\n  -v $PWD/config.toml:/config.toml:ro \\\n  lbkeyper -url http://lbkeyper.your.domain -config /config.toml\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flinbit%2Flbkeyper","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Flinbit%2Flbkeyper","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flinbit%2Flbkeyper/lists"}