{"id":22268828,"url":"https://github.com/rorycl/sshagentca","last_synced_at":"2025-09-04T12:37:36.003Z","repository":{"id":57522348,"uuid":"253597777","full_name":"rorycl/sshagentca","owner":"rorycl","description":"An ssh server forwarding agent certificate authority","archived":false,"fork":false,"pushed_at":"2025-03-05T20:34:50.000Z","size":86,"stargazers_count":18,"open_issues_count":0,"forks_count":2,"subscribers_count":0,"default_branch":"master","last_synced_at":"2025-04-04T20:51:20.774Z","etag":null,"topics":["certificate-authority","go","golang","ssh-agent","ssh-agent-forwarding","ssh-server"],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/rorycl.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-04-06T19:36:53.000Z","updated_at":"2025-03-05T20:34:53.000Z","dependencies_parsed_at":"2025-02-12T17:23:02.017Z","dependency_job_id":"3fe50d6e-a56e-432f-ac95-68ae1084f5dd","html_url":"https://github.com/rorycl/sshagentca","commit_stats":null,"previous_names":[],"tags_count":10,"template":false,"template_full_name":null,"purl":"pkg:github/rorycl/sshagentca","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rorycl%2Fsshagentca","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rorycl%2Fsshagentca/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rorycl%2Fsshagentca/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rorycl%2Fsshagentca/manifests","owner_url":"https:/
/repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rorycl","download_url":"https://codeload.github.com/rorycl/sshagentca/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rorycl%2Fsshagentca/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":265253304,"owners_count":23735091,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["certificate-authority","go","golang","ssh-agent","ssh-agent-forwarding","ssh-server"],"created_at":"2024-12-03T11:14:01.900Z","updated_at":"2025-07-14T06:34:20.100Z","avatar_url":"https://github.com/rorycl.png","language":"Go","readme":"# sshagentca\n\nversion 0.0.9 : 23 August 2023\n\nA server to add ssh user certificates to ssh forwarded agents.\n\nRunning the server:\n\n    sshagentca -h\n    sshagentca -t \u003cprivatekey\u003e -c \u003ccaprivatekey\u003e -i \u003cipaddress\u003e -p \u003cport\u003e\n               \u003csettings.yaml\u003e\n\nExample client usage using the `briony` key in the docker example at\n[`sshagentca-docker`](https://github.com/rorycl/sshagentca-docker),\nwhich has the public key registered in the server settings.yaml:\n\n    $ eval $(ssh-agent)\n      Agent pid 2490112\n\n    $ ssh-add briony\n      Identity added: briony (briony@test.com)\n\n    $ ssh-add -l\n      256 SHA256:Ye3VV0z4vDvAuiZYqw4ji2Ht/JlDTMNlpTZoeZR+bDs briony@test.com (ED25519)\n\n    $ ssh -A -p 2222 127.0.0.1\n      acmeinc ssh user certificate service\n      \n      welcome, briony\n      certificate generation complete\n      run 'ssh-add -l' to view\n      goodbye\n\n   
 $ ssh-add -l\n      256 SHA256:Ye3VV0z4vDvAuiZYqw4ji2Ht/JlDTMNlpTZoeZR+bDs briony@test.com (ED25519)\n      256 SHA256:wfFD6xj3qGNCli3WkRda8SMbRP6WwleZWU9dt9oJDZw acmeinc_briony_from:2022-05-24T06:06_to:2022-05-24T09:06UTC (ED25519-CERT)\n\n    $ ssh -p 48084 root@127.0.0.1\n      Welcome to Alpine!\n      ...\n      fd54c3009dc2:~# exit\n\nNote that the login username that the client provides when connecting to\n`sshagentca` is ignored - it does not have to match the `name:` in\n`settings.yaml`.\n\nCertificates from `sshagentca` can be conveniently used with\n[pam-ussh](https://github.com/uber/pam-ussh) to control sudo privileges\non suitably configured servers.\n\nPlease refer to the specification at PROTOCOL.certkeys at\nhttps://www.openssh.com/specs.html and the related go documentation at\nhttps://godoc.org/golang.org/x/crypto/ssh.\n\n## Building\n\n```\ngo get github.com/rorycl/sshagentca\n```\n\nThe binary will be installed in `~/go/bin/sshagentca` by default.\n\n## Details\n\nThe server requires an ssh private key and an ssh certificate authority\n(CA) private key, with a password required for the CA key at least.\nThe server will prompt for passwords on startup, or the environment\nvariables `SSHAGENTCA_PVT_KEY` and `SSHAGENTCA_CA_KEY` can be set.\n\nConfiguration is done in the settings.yaml file and includes\ncertificate settings such as the validity period, the organisation name\nand the prompt received by the client. Users are configured in the\n`user_principals` section, where each user is required to have a name,\nan ssh public key and a list of principals.\n\nThe server will run on the specified IP address and port, by default\n0.0.0.0:2222.\n\nIf the server runs successfully, it will respond to ssh connections that\nhave a public key listed in the `user_principals` section and which have a\nforwarded agent. 
The response is to insert an ssh user certificate\ninto the forwarded agent, signed by `caprivatekey` with the\nparameters set out in `settings.yaml` and the restrictions noted below.\n\nsshagentca generates a new ed25519 key and a corresponding certificate to insert\ninto the client's ssh-agent. The CA key you\nprovide to sign the certificate may be of a different key type.\n\nClients can authenticate to sshagentca using any key type supported by\ngo's `x/crypto/ssh` package, including the ed25519 keys introduced in go\n1.13. Supported key types include the ecdsa-sk key used with U2F\nsecurity keys, introduced in OpenSSH 8.2. As a result, you should be\nable to use a physical U2F token with an OpenSSH 8.2 client to\nauthenticate to sshagentca, whilst the keys and certificates it issues\ncan be used to log in to older versions of sshd.\n\n## Certificate Restrictions\n\nThe project currently has no support for host certificates, although\nthese could be easily added.\n\nWith reference to\nhttps://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD\nthere is presently no support for customising *critical options*, and\nonly the standard *extensions*, such as `permit-agent-forwarding`,\n`permit-port-forwarding` and `permit-pty`, are permitted.\n\nEach certificate's principals are taken from the principals set\nout in the `user_principals` settings for the public key of the\nspecific connecting client.\n\nThe `valid after` timestamp in the generated certificates is set\naccording to the `validity` settings parameter, specified in minutes.\nA `validity` duration of 24 hours or more is not permitted.\n\n## Key generation\n\nTo generate new server keys, refer to `man ssh-keygen`. For example:\n\n    ssh-keygen -t rsa -b 4096 -f id_server\n\nand specify a password. The id_server file is the private key. 
Certificate\nauthority keys are generated in the same way, although adding a comment is often\nconsidered sensible for CA key management, e.g.:\n\n    ssh-keygen -t rsa -b 4096 -f ca -C \"CA for example.com\"\n\nand choose a password. The ca file is the private key. The ca.pub key in\nthis example should be used in the sshd_config file on any server for\nwhich you wish to grant certificate-authenticated access. For example:\n\n    TrustedUserCAKeys /etc/ssh/ca.pub\n\nThe use of principals to provide \"zone\" based access to servers is set out at\nhttps://engineering.fb.com/security/scalable-and-secure-access-with-ssh/\n\n## Thanks\n\nThanks to Peter Moody for his pam-ussh announcement at\nhttps://medium.com/uber-security-privacy/introducing-the-uber-ssh-certificate-authority-4f840839c5cc\nwhich was the inspiration for this project, and the comments and help\nfrom him and others on the ssh mailing list.\n\n## License\n\nThis project is licensed under the [MIT Licence](LICENCE).\n\nRory Campbell-Lange\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frorycl%2Fsshagentca","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frorycl%2Fsshagentca","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frorycl%2Fsshagentca/lists"}