{"id":23340212,"url":"https://github.com/sierrasoftworks/inki","last_synced_at":"2025-09-16T03:46:26.845Z","repository":{"id":57603675,"uuid":"76467422","full_name":"SierraSoftworks/inki","owner":"SierraSoftworks","description":"An agent which allows you to register new SSH keys on a host through a combination of PGP signing, an HTTP API and host-side checks.","archived":false,"fork":false,"pushed_at":"2020-06-14T13:03:28.000Z","size":18,"stargazers_count":5,"open_issues_count":0,"forks_count":1,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-04-09T23:43:28.910Z","etag":null,"topics":["golang","pgp-key","ssh-key"],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/SierraSoftworks.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2016-12-14T14:37:18.000Z","updated_at":"2023-02-07T19:22:02.000Z","dependencies_parsed_at":"2022-09-12T21:41:05.605Z","dependency_job_id":null,"html_url":"https://github.com/SierraSoftworks/inki","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/SierraSoftworks/inki","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SierraSoftworks%2Finki","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SierraSoftworks%2Finki/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SierraSoftworks%2Finki/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SierraSoftworks%2Finki/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/SierraSoftworks","
download_url":"https://codeload.github.com/SierraSoftworks/inki/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SierraSoftworks%2Finki/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":275358797,"owners_count":25450443,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-09-16T02:00:10.229Z","response_time":65,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["golang","pgp-key","ssh-key"],"created_at":"2024-12-21T04:20:11.038Z","updated_at":"2025-09-16T03:46:26.824Z","avatar_url":"https://github.com/SierraSoftworks.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Inki\n**Secure SSH key distribution with support for custom workflow logic**\n\nInki is a tool which makes it trivially easy to manage a dynamic list of SSH keys\non a host. 
This is achieved through a daemon which holds an in-memory list of\nkeys and provides an HTTP API via which new keys may be added, as well as a client\nwhich consumes the API.\n\nTo prevent the possibility of bad actors registering keys against your hosts,\nit is possible to configure Inki to require SSH keys to be PGP signed before they\nare accepted.\n\n## Features\n - **Support for multiple users**, allowing you to register keys for individual user\n   accounts and potentially requiring unique PGP keys for individual users.\n - **Integrates with AuthorizedKeysCommand** to remove the need for modifications to\n   your `authorized_keys` file and also enable Inki to add keys even when the host\n   has no disk space remaining.\n - **Straightforward HTTP API** to enable other services to quickly and easily integrate\n   with it. You can even send commands using Curl if need be!\n\n## Example\n```\n$ inki key add http://bpannell@inki.sierrasoftworks.com -f my_key.pub -p sign.key\nEnter PGP key password:\nAdded keys:\n - Username:     bpannell\n   Fingerprint:  7646dd89cbbcecbfeda2ba1d80ec9451\n   Expires:      2016-12-15 14:30:42.9195054 +0000 UTC\n  \n$ inki key list http://bpannell@inki.sierrasoftworks.com\nAuthorized keys:\n - Username:     bpannell\n   Fingerprint:  7646dd89cbbcecbfeda2ba1d80ec9451\n   Expires:      2016-12-15 14:30:42.9195054 +0000 UTC\n\n$ inki authorized-keys bpannell\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDArmZ5fyEt1V9KiGFuiZ...\n```\n\n## Use Case\nInki was originally designed to enable automated tools to request access to servers\nfor remediation purposes, allowing the servers to decide whether to allow the tool\naccess on a case-by-case basis and ensuring that credentials could be flexibly rotated\nat any time.\n\nThat being said, it offers a great way to enable access to your servers using a PGP\nkey like your Keybase one and any SSH key, potentially saving you from the loss of\nan SSH key while keeping your systems secure.\n\n## Running a 
Server\nThe Inki server is available as a Docker container. You will need to set up your\nserver configuration file and mount it into the container to allow keys to be\npublished.\n\n```yml\n---\nusers:\n  - name: root\n    keyring: |\n      -----BEGIN PGP PUBLIC KEY BLOCK-----\n      Version: GnuPG v2\n      ....\n      ....\n      ....\n      -----END PGP PUBLIC KEY BLOCK-----\n```\n\n```sh\n# Use an absolute host path so the file is bind-mounted on any Docker version\ndocker run --rm -p 3000:3000 -v \"$(pwd)/config.yml:/etc/inki/server.yml\" sierrasoftworks/inki:latest\n```\n\nInki's server stores its configuration in memory, as its use case involves\nproviding transient key access to various servers. Stopping the container will\ntherefore remove any active keys and they will need to be added again.\n\n## Adding a Key\nInki uses an HTTP API to add keys, requiring that a request to add a key is\nsent as a signed PGP message with the JSON payload describing the key to be\nadded.\n\nDue to the design, you can add keys using the `curl` and `gpg` command line\ntools. Alternatively, Inki's command line can be used to submit the keys if\nyou find that easier.\n\n### Using Inki\n```sh\ninki key add http://user@inki_server:3000 \\\n  --file ssh_key.pub \\\n  --pgp-key pgp_private_key.gpg \\\n  --expire 12h\n```\n\n### Using Curl\n```sh\n# Clearsign the JSON payload and POST it as the request body (read from stdin)\ncat \u003c\u003cJSON | gpg --clearsign | curl -X POST --data-binary @- http://inki_server:3000/api/v1/keys\n{\n  \"username\": \"user\",\n  \"expire\": \"2016-12-25T00:00:00Z\",\n  \"key\": \"$(cat ssh_key.pub)\"\n}\nJSON\n```\n\n## Using the Keys\nInki is designed to work with `sshd`'s AuthorizedKeysCommand to prevent situations\nwhere a lack of disk space prevents you from accessing the server, as well as\navoiding corruption of your `authorized_keys` file. 
This has the added benefit\nof allowing you to use Inki in conjunction with your existing set of `authorized_keys`.\n\nTo use Inki, you will need to create a script which calls the Inki agent to gather\nthe list of authorized keys.\n\n```sh\n#!/bin/bash\n# $1 :  The username of the account that someone is attempting to sign in with\n\ninki keys list \"http://$1@inki_server:3000\" --authorized-keys\n\n# You can also use this, if you don't want to have inki installed on your server\n# curl \"http://inki_server:3000/api/v1/user/$1/authorized_keys\"\n```\n\nThen set the Inki agent as your AuthorizedKeysCommand in `/etc/ssh/sshd_config`.\n`sshd` refuses to start if `AuthorizedKeysCommand` is set without\n`AuthorizedKeysCommandUser`, so set both (`nobody` below is an example\nunprivileged account):\n\n```\nAuthorizedKeysCommand=/opt/my-inki-script\nAuthorizedKeysCommandUser=nobody\n```","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsierrasoftworks%2Finki","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsierrasoftworks%2Finki","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsierrasoftworks%2Finki/lists"}