{"id":38145808,"url":"https://github.com/nbeguier/cassh","last_synced_at":"2026-01-16T22:55:45.749Z","repository":{"id":22506125,"uuid":"95904416","full_name":"nbeguier/cassh","owner":"nbeguier","description":"SSH CA administration via CLI and GUI","archived":false,"fork":false,"pushed_at":"2022-06-02T08:43:42.000Z","size":382,"stargazers_count":70,"open_issues_count":13,"forks_count":19,"subscribers_count":7,"default_branch":"master","last_synced_at":"2024-04-17T06:13:27.582Z","etag":null,"topics":["authority-control","cli","krl","python","sign","ssh"],"latest_commit_sha":null,"homepage":"https://medium.com/leboncoin-engineering-blog/cassh-ssh-key-signing-tool-39fd3b8e4de7","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/nbeguier.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2017-06-30T16:07:32.000Z","updated_at":"2024-01-13T11:46:52.000Z","dependencies_parsed_at":"2022-09-07T13:12:56.421Z","dependency_job_id":null,"html_url":"https://github.com/nbeguier/cassh","commit_stats":null,"previous_names":[],"tags_count":7,"template":false,"template_full_name":null,"purl":"pkg:github/nbeguier/cassh","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nbeguier%2Fcassh","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nbeguier%2Fcassh/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nbeguier%2Fcassh/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nbeguier%2Fcassh/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/nbeguier","download_url":"https://codeload.github.com/nbeguier/cassh/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nbeguier%2Fcassh/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28486938,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-16T22:54:02.790Z","status":"ssl_error","status_checked_at":"2026-01-16T22:50:10.344Z","response_time":107,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["authority-control","cli","krl","python","sign","ssh"],"created_at":"2026-01-16T22:55:45.695Z","updated_at":"2026-01-16T22:55:45.744Z","avatar_url":"https://github.com/nbeguier.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# CASSH\n\nOpenSSH features reach their limit when it comes to industrialization. We don’t want an administrator to sign every user’s public key by hand every day, so we need a service for that. That is exactly the purpose of CASSH: **signing keys**!\nDevelopped for @leboncoin\n\nhttps://medium.com/leboncoin-engineering-blog/cassh-ssh-key-signing-tool-39fd3b8e4de7\n\n - [CLI version : **1.8.1** *(02/06/2022)*](src/client/CHANGELOG.md) ![leboncoin/cassh](https://img.shields.io/docker/pulls/leboncoin/cassh) + ![nbeguier/cassh-client](https://img.shields.io/docker/pulls/nbeguier/cassh-client) [![docker-build](https://img.shields.io/docker/cloud/automated/nbeguier/cassh-client)](https://hub.docker.com/r/nbeguier/cassh-client)\n - [WebUI version : **1.3.1** *(02/06/2022)*](src/server/web/CHANGELOG.md) ![nbeguier/cassh-web](https://img.shields.io/docker/pulls/nbeguier/cassh-web) [![docker-build](https://img.shields.io/docker/cloud/automated/nbeguier/cassh-web)](https://hub.docker.com/r/nbeguier/cassh-web)\n - [Server version : **2.3.1** *(06/03/2022)*](src/server/CHANGELOG.md) ![leboncoin/cassh-server](https://img.shields.io/docker/pulls/leboncoin/cassh-server) + ![nbeguier/cassh-server](https://img.shields.io/docker/pulls/nbeguier/cassh-server) [![docker-build](https://img.shields.io/docker/cloud/automated/nbeguier/cassh-server)](https://hub.docker.com/r/nbeguier/cassh-server)\n\n## Usage\n\n### Client CLI\n\nAdd new key to cassh-server :\n```\ncassh add\n```\n\nSign pub key :\n```\ncassh sign [--display-only] [--force]\n```\n\nGet public key status :\n```\ncassh status\n```\n\nGet ca public key :\n```\ncassh ca\n```\n\nGet ca krl :\n```\ncassh krl\n```\n\n### Admin CLI\n\n```\nusage: cassh admin [-h] [-s SET] [--add-principals ADD_PRINCIPALS]\n [--remove-principals REMOVE_PRINCIPALS]\n [--purge-principals]\n [--update-principals UPDATE_PRINCIPALS]\n [--principals-filter PRINCIPALS_FILTER]\n username action\n\npositional arguments:\n username Username of client's key, if username is 'all' status\n return all users\n action Choice between : active, delete, revoke, set, search,\n status keys\n\noptional arguments:\n -h, --help show this help message and exit\n -s SET, --set SET CAUTION: Set value of a user.\n --add-principals ADD_PRINCIPALS\n Add a list of principals to a user, should be\n separated by comma without spaces.\n --remove-principals REMOVE_PRINCIPALS\n Remove a list of principals to a user, should be\n separated by comma without spaces.\n --purge-principals Purge all principals to a user.\n --update-principals UPDATE_PRINCIPALS\n Update all principals to a user by the given\n principals, should be separated by comma without\n spaces.\n --principals-filter PRINCIPALS_FILTER\n Look for users by the given principals filter, should\n be separated by comma without spaces.\n```\n\nActive Client **username** key :\n```\ncassh admin \u003cusername\u003e active\n```\n\nRevoke Client **username** key :\n```\ncassh admin \u003cusername\u003e revoke\n```\n\nDelete Client **username** key :\n```\ncassh admin \u003cusername\u003e delete\n```\n\nStatus Client **username** key :\n```\ncassh admin \u003cusername\u003e status\n```\n\nSet Client **username** key :\n```\n# Set expiry to 7 days\ncassh admin \u003cusername\u003e set --set='expiry=7d'\n\n# Add principals to existing ones\ncassh admin \u003cusername\u003e set --add-principals foo,bar\n\n# Remove principals from existing ones\ncassh admin \u003cusername\u003e set --remove-principals foo,bar\n\n# Update principals and erease existsing ones\ncassh admin \u003cusername\u003e set --update-principals foo,bar\n\n# Purge principals\ncassh admin \u003cusername\u003e set --purge-principals\n```\n\nSearch **Principals** among clients :\n```\ncassh admin all search --principals-filter foo,bar\n```\n\n## Install\n\n### Server\n\n[INSTALL.md](src/server/INSTALL.md)\n\n### Client\n\n[INSTALL.md](src/client/INSTALL.md)\n\n### Cassh WebUI\n\n[INSTALL.md](src/server/web/INSTALL.md)\n\n\n## Quick test\n\n### Server side\n\nInstall docker : https://docs.docker.com/engine/installation/\n\n#### Prerequisites\n\n```bash\n# install utilities needed by tests/test.sh\nsudo apt install pwgen jq\n\n# Make a 'sudo' only if your user doesn't have docker rights, add your user into docker group\npip install -r tests/requirements.txt\n\ncp tests/cassh/cassh.conf.sample tests/cassh/cassh.conf\ncp tests/cassh/ldap_mapping.json.sample tests/cassh/ldap_mapping.json\n\n# Edit cassh.conf file to configure the hosts\n\n# Generate temporary certificates\nmkdir test-keys\nssh-keygen -C CA -t rsa -b 4096 -o -a 100 -N \"\" -f test-keys/id_rsa_ca # without passphrase\nssh-keygen -k -f test-keys/revoked-keys\n\n############################################\n# BEGIN THE ONE OR MULTIPLE INSTANCES STEP #\n############################################\n\n# Duplicate the cassh.conf\ncp tests/cassh/cassh.conf tests/cassh/cassh_2.conf\n# Generate another krl\nssh-keygen -k -f test-keys/revoked-keys-2\nsed -i \"s/revoked-keys/revoked-keys-2/g\" tests/cassh/cassh_2.conf\n```\n\n#### One instance\n\n\n```bash\n# Launch this on another terminal\nbash tests/launch_demo_server.sh --server_code_path ${PWD} --debug\n$ /opt/cassh/src/server/server.py --config /opt/cassh/tests/cassh/cassh.conf\n\n# When 'http://0.0.0.0:8080/' appears, start this script\nbash tests/test.sh\n```\n\n#### Multiple instances\n\nThe same as previsouly, but launch this to specify a second cassh-server instance\n\n```bash\n# Launch this on another terminal\nbash tests/launch_demo_server.sh --server_code_path ${PWD} --debug --port 8081\n$ /opt/cassh/src/server/server.py --config /opt/cassh/tests/cassh/cassh_2.conf\n```\n\n\n### Client side\n\nGenerate key pair then sign it !\n\n```bash\ngit clone https://github.com/nbeguier/cassh.git /opt/cassh\ncd /opt/cassh\n\n# Generate key pair\nmkdir test-keys\nssh-keygen -t rsa -b 4096 -o -a 100 -f test-keys/id_rsa\n\nrm -f ~/.cassh\ncat \u003c\u003c EOF \u003e ~/.cassh\n[user]\nname = user\nkey_path = ${PWD}/test-keys/id_rsa\nkey_signed_path = ${PWD}/test-keys/id_rsa-cert\nurl = http://localhost:8080\n\n[ldap]\nrealname = user@test.fr\nEOF\n\n# List keys\npython cassh status\n\n# Add it into server\npython cassh add\n\n# ADMIN: Active key\npython cassh admin user active\n\n# Sign it !\npython cassh sign [--display-only]\n```\n\n# License\nLicensed under the [Apache License](https://github.com/nbeguier/cassh/blob/master/LICENSE), Version 2.0 (the \"License\").\n\n# Copyright\nCopyright 2017-2025 Nicolas BEGUIER; ([nbeguier](https://beguier.eu/nicolas/) - nicolas_beguier[at]hotmail[dot]com)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnbeguier%2Fcassh","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnbeguier%2Fcassh","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnbeguier%2Fcassh/lists"}