{"id":22475469,"url":"https://github.com/philips/shortbread","last_synced_at":"2025-08-02T11:32:37.233Z","repository":{"id":18510192,"uuid":"21706857","full_name":"philips/shortbread","owner":"philips","description":"OpenSSH CA Signing and Publishing Daemon","archived":false,"fork":false,"pushed_at":"2014-12-10T23:41:28.000Z","size":13079,"stargazers_count":26,"open_issues_count":0,"forks_count":2,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-04-08T18:54:34.720Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/philips.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2014-07-10T19:13:48.000Z","updated_at":"2023-10-23T01:07:32.000Z","dependencies_parsed_at":"2022-07-30T14:19:50.983Z","dependency_job_id":null,"html_url":"https://github.com/philips/shortbread","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/philips/shortbread","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/philips%2Fshortbread","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/philips%2Fshortbread/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/philips%2Fshortbread/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/philips%2Fshortbread/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/philips","download_url":"https://codeload.github.com/philips/shortbread/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/philips%2Fshortbread/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":268378965,"owners_count":24240907,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-08-02T02:00:12.353Z","response_time":74,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-12-06T13:17:24.958Z","updated_at":"2025-08-02T11:32:37.223Z","avatar_url":"https://github.com/philips.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# shortbread\n\nOpenSSH CA signing and publishing Daemon.\n\n## Problem\n\nManaging SSH keys has two problems:\n\n1. Onboarding new users to login to a box usually requires scp'ing keys to the\n   target. Revoking requires removing the key (and remembering to do so).\n\n2. Users generally just blindly trust hosts the first time they connect. This\n   opens users up to MitM attacks.\n\nTo fix these two problems OpenSSH has implemented an SSH CA system. However, it\nis a command line tool that is rather hard to use. See https://www.digitalocean.com/community/tutorials/how-to-create-an-ssh-ca-to-validate-hosts-and-clients-with-ubuntu\n\n## Solution\n\nPut Go and HTTP on it! All of these features should work from the go.ssh\nlibrary: https://godoc.org/code.google.com/p/go.crypto/ssh#Certificate\n\n### Onboarding New Users\n\nUser story: Alice the admin needs to give access to the prod cluster to Ian the\nintern.\n\nAlice would post to a URL to sign a public key with constraints like time, or\ncommands.\n\n```\nPOST /v1/sign\n{\n\t'certificate': 'prod-servers',\n\t'username': 'core',\n\t'validityInterval': '201506231248',\n\t'rsaPubkey': 'ssh-rsa AAUw==',\n}\n```\n\nThen a daemon living on the users laptop would pull down their certificates\nfrom the signing machine.\n\n```\nGET /v1/certificates/fingerprint\n\n$CERT_BODY\n```\n\nUnfortunatly Ian's laptop was stolen and he didn't encrypt the disk! We had\nbetter revoke his keys:\n\n```\nPOST /v1/revoke\n{\n\t'rsaPubkey': 'ssh-rsa AAUw==',\n```\n\n### Onboarding New Hosts\n\nHost verificiation would work very similarly. Lets get the user case down\nfirst.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fphilips%2Fshortbread","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fphilips%2Fshortbread","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fphilips%2Fshortbread/lists"}