{"id":13509699,"url":"https://github.com/mikesmitty/curse","last_synced_at":"2026-04-04T22:53:27.266Z","repository":{"id":144202275,"uuid":"81672425","full_name":"mikesmitty/curse","owner":"mikesmitty","description":"CURSE is an SSH certificate signing server, built as an alternative to Netflix's BLESS tool, but without a dependency on AWS.","archived":false,"fork":false,"pushed_at":"2024-03-02T11:42:09.000Z","size":162,"stargazers_count":223,"open_issues_count":1,"forks_count":13,"subscribers_count":7,"default_branch":"master","last_synced_at":"2025-08-14T12:20:37.523Z","etag":null,"topics":["bastion","go","openssh","ssh","ssh-certificates"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mikesmitty.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2017-02-11T18:19:03.000Z","updated_at":"2025-07-07T21:13:45.000Z","dependencies_parsed_at":"2024-11-01T09:32:22.020Z","dependency_job_id":"372a9345-d6e3-416d-9b02-a28cac2589ca","html_url":"https://github.com/mikesmitty/curse","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/mikesmitty/curse","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mikesmitty%2Fcurse","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mikesmitty%2Fcurse/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mikesmitty%2Fcurse/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mikesmitty
%2Fcurse/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mikesmitty","download_url":"https://codeload.github.com/mikesmitty/curse/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mikesmitty%2Fcurse/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31418270,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-04T20:09:54.854Z","status":"ssl_error","status_checked_at":"2026-04-04T20:09:44.350Z","response_time":60,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bastion","go","openssh","ssh","ssh-certificates"],"created_at":"2024-08-01T02:01:11.696Z","updated_at":"2026-04-04T22:53:27.241Z","avatar_url":"https://github.com/mikesmitty.png","language":"Go","funding_links":[],"categories":["Go","go"],"sub_categories":[],"readme":"# CURSE\n\nCURSE is an SSH certificate signing server, built as an alternative to Netflix's BLESS tool, but without a dependency on AWS.\n\n## Demo\n\n![gif](http://i.imgur.com/UtDkYNo.gif)\n\nThis software is currently in a beta state, feel free to submit issues on GitHub with any suggestions for improvement/feature requests or issues encountered.\n\nTable of Contents\n-----------------\n\n* [Requirements](#requirements)\n* [Install](#install)\n  * [Ubuntu/Debian](#ubuntudebian)\n  * [CentOS](#centos)\n* [TODO 
List](#todo)\n\nRequirements\n------------\n* OpenSSH 5.6+  \n* CentOS 7\n* Ubuntu 14.04+ (Destination servers)\n* Ubuntu 15.10+ (Server running CURSE daemon)\n* Debian 7+ (Destination servers)\n* Debian 8+ (Server running CURSE daemon)\n\nBecause SSH certificates are a relatively recent feature in OpenSSH, older versions of CentOS unfortunately do not support their use.\n\nInstall\n-------\nThese instructions assume the bastion host is hosting the curse daemon. Adjust instructions as necessary if hosting cursed on another server.\n\n### Ubuntu/Debian\n\n**Ubuntu 15.10+/Debian 8+**\n\nFirst, install the Debian repo and GPG key:\n\n    $ sudo sh -c 'echo \"deb http://mirror.go-repo.io/curse/deb/ curse main\" \u003e/etc/apt/sources.list.d/curse.list'\n    $ sudo apt-key adv --keyserver keyserver.ubuntu.com --recv 0732065B92735F2F\n\nUpdate and install pwauth, curse and jinx:\n\n    $ sudo apt-get update \u0026\u0026 sudo apt-get install curse jinx pwauth\n\nRun the curse post-install setup script:\n\n    $ sudo bash /opt/curse/sbin/setup.sh\n\nThis will output your CA public key to be added to destination servers, and set up the curse daemon for running.\n\nIf all went well you should now be able to request certificates:\n\n    $ jinx echo test\n    $ ssh-keygen -Lf ~/.ssh/id_jinx-cert.pub\n\nNow, all that is left is to add the CA public key on the servers you want to connect to:\n\nAdd `TrustedUserCAKeys /etc/ssh/cas.pub` to `/etc/ssh/sshd_config` on your destination servers and\nput the contents of `/opt/curse/etc/user_ca.pub` into your `/etc/ssh/cas.pub` on the destination server.\n\nNetflix recommends generating several CA keypairs and storing the private keys of all but one offline, in order to simplify CA key rotation. 
If you choose to do this you will want to also add the pubkeys of all of your CA keypairs to the `/etc/ssh/cas.pub` file at this time as well.\n\n### CentOS\n\n**CentOS 7**\n\nFirst, install pwauth, curse, and jinx:\n\n    $ sudo rpm --import https://mirror.go-repo.io/curse/centos/RPM-GPG-KEY-GO-REPO\n    $ curl -s https://mirror.go-repo.io/curse/centos/curse-repo.repo | sudo tee /etc/yum.repos.d/curse-repo.repo\n    $ sudo yum install curse jinx pwauth\n\nUnless you're using httpd on this server for any other reason you should mask the httpd service:\n\n    $ sudo systemctl mask httpd\n\nRun the curse post-install setup script:\n\n    $ sudo bash /opt/curse/sbin/setup.sh\n\nThis will output your CA public key to be added to destination servers, and set up the curse daemon for running.\n\nIf all went well you should now be able to request certificates:\n\n    $ jinx echo test\n    $ ssh-keygen -Lf ~/.ssh/id_jinx-cert.pub\n\nNow, all that is left is to add the CA public key on the servers you want to connect to:\n\nAdd `TrustedUserCAKeys /etc/ssh/cas.pub` to `/etc/ssh/sshd_config` and\nput the contents of `/opt/curse/etc/user_ca.pub` into your `/etc/ssh/cas.pub` on the destination server.\n\nNetflix recommends generating several CA keypairs and storing the private keys of all but one offline, in order to simplify CA key rotation. 
If you choose to do this you will want to also add the pubkeys of all of your CA keypairs to the `/etc/ssh/cas.pub` file at this time as well.\n\nTODO\n----\n* ~~Authentication~~\n* ~~Document Authentication Setup~~\n* ~~SSL support~~\n* ~~Add support for maximum pubkey ages in daemon~~\n* ~~Client app~~\n* ~~More configuration options~~\n* ~~Add support for maximum pubkey ages in client and automatic key regeneration~~\n* ~~Add support for key algorithm enforcement/auto-key-generation~~\n* ~~RPM/DEB packages for easier installation~~\n* Per-user access ACLs\n\nMaybe Someday\n-------------\n* Interactive ssh client for command logging\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmikesmitty%2Fcurse","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmikesmitty%2Fcurse","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmikesmitty%2Fcurse/lists"}