{"id":28445169,"url":"https://github.com/spiffe/spiffe-step-ssh","last_synced_at":"2026-04-29T03:07:06.138Z","repository":{"id":262273790,"uuid":"886694592","full_name":"spiffe/spiffe-step-ssh","owner":"spiffe","description":"Issue SSH host certificates using SPIFFE","archived":false,"fork":false,"pushed_at":"2026-04-27T13:54:19.000Z","size":191,"stargazers_count":5,"open_issues_count":1,"forks_count":0,"subscribers_count":3,"default_branch":"main","last_synced_at":"2026-04-27T15:32:40.592Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/spiffe.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2024-11-11T12:44:23.000Z","updated_at":"2026-03-14T11:44:45.000Z","dependencies_parsed_at":"2025-01-23T15:20:58.706Z","dependency_job_id":"38532543-c46b-457c-a3a8-608d3c220a79","html_url":"https://github.com/spiffe/spiffe-step-ssh","commit_stats":null,"previous_names":["spiffe/spiffe-step-ssh"],"tags_count":13,"template":false,"template_full_name":null,"purl":"pkg:github/spiffe/spiffe-step-ssh","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/spiffe%2Fspiffe-step-ssh","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/spiffe%2Fspiffe-step-ssh/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/spiffe%2Fspiffe-step-ssh/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hos
ts/GitHub/repositories/spiffe%2Fspiffe-step-ssh/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/spiffe","download_url":"https://codeload.github.com/spiffe/spiffe-step-ssh/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/spiffe%2Fspiffe-step-ssh/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32408465,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-29T02:37:21.628Z","status":"ssl_error","status_checked_at":"2026-04-29T02:36:50.947Z","response_time":110,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-06-06T10:11:29.998Z","updated_at":"2026-04-29T03:07:06.133Z","avatar_url":"https://github.com/spiffe.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# spiffe-step-ssh\n\n[![Apache 2.0 License](https://img.shields.io/github/license/spiffe/helm-charts)](https://opensource.org/licenses/Apache-2.0)\n[![Development Phase](https://github.com/spiffe/spiffe/blob/main/.img/maturity/dev.svg)](https://github.com/spiffe/spiffe/blob/main/MATURITY.md#development)\n\nIssue SSH host certificates using SPIFFE\n\n## Client Dependencies\n\nA working spire-agent bound to a spire-server. 
See [helm-chart install instructions](https://spiffe.io/docs/latest/spire-helm-charts-hardened-about/installation/#quick-start) or [general quickstart](https://spiffe.io/docs/latest/try/)\n\nAlso, the step binary needs to be installed. [Install Instructions](https://smallstep.com/docs/step-cli/installation/)\n\n## Server\n\nThere is a helm chart available [here](https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spiffe-step-ssh)\n\n## Server Config\n\nEach node needs its own entry, under the /sshd/\u003cnodename\u003e space.\n\nExample:\n```\nspire-server entry create \\\n  -parentID spiffe://example.com/spire/agent/http_challenge/test.example.com \\\n  -spiffeID spiffe://example.com/sshd/test.example.com \\\n  -selector systemd:id:spiffe-step-ssh@main.service\n```\n\n## Install\n\n```\nmake install\n```\n\n## Diagram\n![diagram](diagram.png)\n\n## High Availability\n\nThere are configurations that can get you to various levels of High Availability, up to and including running two complete spiffe trust domains, two spiffe-step-ssh servers, and two spiffe-step-ssh clients.\n\nAdd into /etc/spiffe/step-ssh/a.conf\n```\nSPIFFE_STEP_SSH_URL=https://spiffe-step-ssh-a.example.org\nSPIFFE_STEP_SSH_FETCHCA_URL=https://spiffe-step-ssh-fetchca-a.example.org\n```\n\nAdd into /etc/spiffe/step-ssh/b.conf\n```\nSPIFFE_STEP_SSH_URL=https://spiffe-step-ssh-b.example.org\nSPIFFE_STEP_SSH_FETCHCA_URL=https://spiffe-step-ssh-fetchca-b.example.org\n```\n\nEnable and start the clients\n```\nsystemctl enable spiffe-step-ssh@a spiffe-step-ssh@b\nsystemctl start spiffe-step-ssh@a spiffe-step-ssh@b\n```\n\nAdd both Step CA ssh signatures into `known_hosts` on your ssh clients.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fspiffe%2Fspiffe-step-ssh","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fspiffe%2Fspiffe-step-ssh","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fspiffe%2Fspiffe-step-ssh/lists"}