{"id":18155319,"url":"https://github.com/mizuchilabs/ssh-nexus","last_synced_at":"2025-10-25T00:03:17.758Z","repository":{"id":259014262,"uuid":"874199818","full_name":"MizuchiLabs/ssh-nexus","owner":"MizuchiLabs","description":"SSH Certificate Manager","archived":false,"fork":false,"pushed_at":"2024-11-25T16:13:47.000Z","size":627,"stargazers_count":0,"open_issues_count":2,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-02-13T06:47:48.791Z","etag":null,"topics":["go","ssh","ssh-agent","svelte","webapp"],"latest_commit_sha":null,"homepage":"","language":"Svelte","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/MizuchiLabs.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-10-17T12:22:56.000Z","updated_at":"2024-10-21T13:32:55.000Z","dependencies_parsed_at":"2024-10-22T14:19:39.741Z","dependency_job_id":null,"html_url":"https://github.com/MizuchiLabs/ssh-nexus","commit_stats":null,"previous_names":["mizuchilabs/ssh-nexus"],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MizuchiLabs%2Fssh-nexus","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MizuchiLabs%2Fssh-nexus/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MizuchiLabs%2Fssh-nexus/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MizuchiLabs%2Fssh-nexus/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/MizuchiLabs","download_url":"
https://codeload.github.com/MizuchiLabs/ssh-nexus/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247576624,"owners_count":20961005,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["go","ssh","ssh-agent","svelte","webapp"],"created_at":"2024-11-02T04:10:32.744Z","updated_at":"2025-10-25T00:03:17.749Z","avatar_url":"https://github.com/MizuchiLabs.png","language":"Svelte","readme":"\u003cp align=\"center\"\u003e\n\u003cimg src=\"./web/src/lib/assets/logo.png\" width=\"80\"\u003e\n\u003cbr\u003e\u003cbr\u003e\n\u003cimg alt=\"GitHub Tag\" src=\"https://img.shields.io/github/v/tag/MizuchiLabs/ssh-nexus?label=Version\"\u003e\n\u003cimg alt=\"GitHub License\" src=\"https://img.shields.io/github/license/MizuchiLabs/ssh-nexus\"\u003e\n\u003cimg alt=\"GitHub Issues or Pull Requests\" src=\"https://img.shields.io/github/issues/MizuchiLabs/ssh-nexus\"\u003e\n\u003c/p\u003e\n\n# SSH Nexus\n\nYour one-stop solution for managing SSH access with ease and security. 
This application combines a powerful backend using PocketBase \u0026 Go with a sleek and responsive frontend built with SvelteKit, delivering a user-friendly experience for both administrators and users.\n\n## Features\n\n- **User Authentication**\n\n  - **OAuth**: Seamless sign-up and login using popular OAuth providers.\n  - **Email**: Traditional email-based sign-up and login.\n\n- **Admin Capabilities**\n\n  - **User Management**: Easily manage user accounts and permissions.\n  - **Machine Management**: Add, edit, and remove machines from the network.\n  - **Group Management**: Organize machines and users into groups for streamlined access control.\n\n- **User Access Control**\n\n  - **Machine Assignment**: Assign users to machines directly or through groups.\n  - **Group Assignment**: Add users to groups to inherit access to all machines within the group.\n\n- **SSH Certificate Management**\n\n  - **Automated User CA**: Automatically add a user Certificate Authority to each machine.\n  - **Principal IDs**: Manage principal IDs for users seamlessly.\n  - **Key Signing**: Users can sign their own SSH keys with customizable expiry settings via the UI.\n\n- **Automatic Updates and Clean-up**\n\n  - **Agents**: Updates and configurations are handled via small agents that are installed on the machines automatically.\n  - **Self-Destructing Agents**: When a machine is removed from the server, the agent destroys itself and all associated files, ensuring the machine remains clean.\n\n## Installation\n\n### Prerequisites\n\n- Ensure your server has SSH access to the target machines for initial agent installation. SSH Nexus will generate a random SSH key on startup, which you can change afterwards. This single key is used both to install agents on new machines and as the user certificate authority.\n\n### Backend Setup\n\n#### Method 1: Direct Installation\n\n1. 
**Download the latest server binary** for your OS from the [releases page](https://github.com/MizuchiLabs/ssh-nexus/releases).\n   Or use the install script:\n   ```bash\n   # For the latest server release\n   curl -sSL https://raw.githubusercontent.com/MizuchiLabs/ssh-nexus/refs/heads/main/install.sh | bash\n\n   # For the agent\n   curl -sSL https://raw.githubusercontent.com/MizuchiLabs/ssh-nexus/refs/heads/main/install.sh | bash -s agent\n   ```\n   To uninstall:\n   ```bash\n   curl -sSL https://raw.githubusercontent.com/MizuchiLabs/ssh-nexus/refs/heads/main/uninstall.sh | bash -s uninstall\n   ```\n1. **Environment variables**: Before starting, set at least the following two environment variables:\n   - **PB_ADMIN_PASSWORD**: The password for the admin user.\n   - **PB_ENCRYPTION_KEY**: The encryption key for the sqlite3 database.\n1. **Running the server**:\n   ```bash\n   nexus serve\n   # or\n   PB_ADMIN_PASSWORD=\"password\" PB_ENCRYPTION_KEY=\"some-random-key\" nexus serve\n   ```\n1. **Running the agent** on a machine:\n   ```bash\n   nexus-agent --server \u003cyour-server-address\u003e\n   ```\n\n#### Method 2: Docker\n\n1. **Use the docker compose file, or run the steps below manually**\n\n1. **Pull the Docker image**:\n\n   ```bash\n   docker pull ghcr.io/mizuchilabs/ssh-nexus:latest\n   ```\n\n1. **Run the Docker container**:\n\n   ```bash\n   docker run --name ssh-nexus -d -p 8090:8090 -p 8091:8091 \\\n     --env PB_ADMIN_PASSWORD=\"password\" --env PB_ENCRYPTION_KEY=\"some-random-key\" \\\n     ghcr.io/mizuchilabs/ssh-nexus:latest\n   ```\n\n## Usage\n\n### Admin Panel\n\nThe admin panel will be available at [http://localhost:8090/\\_/](http://localhost:8090/_/), which uses PocketBase as the backend. You will rarely need to interact with it since everything can be done via the frontend. 
Be careful, though, when interacting with the generated collections!\n\n### User Access\n\nThe web UI will be available at [http://localhost:8090](http://localhost:8090)\n\n1. **Login**: If you set up an OAuth provider, it will show up and users can sign in immediately. Admins can create new users manually for plain username/email and password authentication.\n1. **Machines**: See a list of machines you have access to.\n1. **Users**: See a list of users and their permissions.\n1. **Sign**: Generate and sign your own SSH keys with an optional expiry time.\n1. **System**: View various settings, tokens used by agents, keys and certificates.\n\n## Contributing\n\nWe welcome contributions to improve SSH Nexus. To get started, fork the repository and create a new branch for your feature or bug fix.\n\n1. **Fork the repository**\n1. **Create a new branch**:\n   ```bash\n   git checkout -b feature-name\n   ```\n1. **Commit your changes**:\n   ```bash\n   git commit -m 'Add some feature'\n   ```\n1. **Push to the branch**:\n   ```bash\n   git push origin feature-name\n   ```\n1. 
**Open a pull request**\n\n# Default Project Environment Variables\n\n```env\n# General settings\nexport PB_APP_URL=\"\"            \nexport PB_LOG_MAX_DAYS=\"30\"       \nexport PB_ADMIN_EMAIL=\"root@nexus.local\"        \nexport PB_ADMIN_PASSWORD=\"required!\"     \nexport PB_SENDER_NAME=\"SSH Nexus\"        \nexport PB_SENDER_EMAIL=\"no-reply@nexus.local\"       \nexport PB_SMTP_ENABLED=\"false\"       \nexport PB_SMTP_HOST=\"\"          \nexport PB_SMTP_PORT=\"587\"          \nexport PB_SMTP_USER=\"\"          \nexport PB_SMTP_PASSWORD=\"\"      \nexport PB_SMTP_TLS=\"true\"           \nexport PB_S3_ENABLED=\"false\"         \nexport PB_S3_ENDPOINT=\"\"        \nexport PB_S3_REGION=\"\"          \nexport PB_S3_BUCKET=\"\"          \nexport PB_S3_SECRET=\"\"          \nexport PB_S3_ACCESS_KEY=\"\"      \nexport PB_S3_FORCE_PATH_STYLE=\"\"\nexport PB_OIDC_URL=\"\" # Custom oidc endpoint\nexport PB_OIDC_NAME=\"\"         \nexport PB_OIDC_REALM=\"master\" # Only used for Keycloak\nexport PB_OIDC_CLIENT_ID=\"\"     \nexport PB_OIDC_CLIENT_SECRET=\"\" \nexport PB_ENCRYPTION_KEY=\"required!\"\n\n# Custom Repo (for private repos and forks)\nexport PB_REPO_URL=\"\"\nexport PB_REPO_OWNER=\"\"\nexport PB_REPO_NAME=\"ssh-nexus\"\nexport PB_REPO_TOKEN=\"\"\n```\n\n## Roadmap:\n\n- Add bastion host mode\n- Add request system\n- Add host certificate management\n- UI overhaul (e.g. charts, status, etc)\n- Better user views\n- Better error/debug views\n- Fix realtime subscriptions\n\n## Contributing\n\nContributions are welcome! Please feel free to submit issues, fork the repository, and create pull requests.\n\n## License\n\nSSH Nexus is released under the Apache 2.0 License. 
See the [LICENSE](LICENSE) file for more details.\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmizuchilabs%2Fssh-nexus","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmizuchilabs%2Fssh-nexus","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmizuchilabs%2Fssh-nexus/lists"}