{"id":13668467,"url":"https://github.com/spotify/crtauth","last_synced_at":"2026-01-11T12:55:03.325Z","repository":{"id":6732432,"uuid":"7978449","full_name":"spotify/crtauth","owner":"spotify","description":"a public key backed client/server authentication system","archived":true,"fork":false,"pushed_at":"2020-02-04T09:33:19.000Z","size":137,"stargazers_count":118,"open_issues_count":5,"forks_count":18,"subscribers_count":8,"default_branch":"master","last_synced_at":"2025-04-24T03:48:17.683Z","etag":null,"topics":["authentication","python","ssh"],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/spotify.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2013-02-02T16:38:44.000Z","updated_at":"2024-01-20T17:38:59.000Z","dependencies_parsed_at":"2022-09-22T09:11:01.968Z","dependency_job_id":null,"html_url":"https://github.com/spotify/crtauth","commit_stats":null,"previous_names":[],"tags_count":5,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/spotify%2Fcrtauth","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/spotify%2Fcrtauth/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/spotify%2Fcrtauth/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/spotify%2Fcrtauth/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/spotify","download_url":"https://codeload.github.com/spotify/crtauth/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","reposit
ories_count":251063389,"owners_count":21530833,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["authentication","python","ssh"],"created_at":"2024-08-02T08:00:35.654Z","updated_at":"2025-04-26T22:31:16.256Z","avatar_url":"https://github.com/spotify.png","language":"Python","funding_links":[],"categories":["Packages","Capabilities"],"sub_categories":["Unsorted","Security"],"readme":"# crtauth - a public key backed client/server authentication system\n\nThe latest version of this software can be fetched from\n[GitHub](https://github.com/spotify/crtauth).\n\ncrtauth is a system for authenticating a user to a centralized server. The\ninitial use case is to create convenient authentication for command line\ntools that interact with a central server without resorting to authentication\nusing a shared secret, such as a password.\n\nThe code available in this project is written in Python. There is also a\nJava version implementing the same protocol, available at\n[https://github.com/spotify/crtauth-java](https://github.com/spotify/crtauth-java).\n\ncrtauth leverages the public key cryptography mechanisms that are commonly\nused by ssh(1) to authenticate users to remote systems. 
The goal of the\nsystem is to make the user experience as seamless as possible using the\nssh-agent program to manage access to encrypted private keys without asking\nfor a password each time the command is run.\n\nThe name of the project is derived from the central concepts challenge,\nresponse, token and authentication, while at the same time reminding us old\ntimers of the soon to be forgotten cathode ray tube screen technology.\n\n## Using the library\n\nFor the server side functionality there is a high level API available in the\n[wsgi](crtauth/wsgi.py) module. It provides wsgi middleware functionality\nthat can be used to protect a service using the crtauth\nauthentication mechanism. [hello_world_server](example/hello_world_server) gives\na minimal example of how this API is used. If crtauth is to be used in a\nnon-WSGI environment, there is a lower level API available in the\n[server](crtauth/server.py) module.\n\nFor clients an [authentication plugin for Python Requests](https://github.com/spotify/requests-crtauth)\nis available. An example use of the [client](crtauth/client.py) module can be\nseen in the [hello_world_client](example/hello_world_client) example.\n\n\n## Technical details\n\nThis section gives a big picture overview of how crtauth operates. For the\nspecifics of the protocol and its messages, please see\n[the specification](PROTOCOL.md).\n\nCommand line tools that connect to a central server to perform some action or\nfetch some information can be a very useful thing. 
crtauth is currently specified\nto work with HTTP as transport, but it is entirely possible to re-use \nthat exposes information about servers using an HTTP-based API.\n\nThe basic operation of the protocol follows this pattern:\n\n* The client requests a challenge from the server, providing a username.\n* The server creates a challenge that gets sent back to the client.\n* The client signs the challenge and returns the response to the server.\n* The server verifies that the response is valid and if so it issues an access\n  token to the client.\n* The access token is provided when calling protected services.\n* The server validates that the token is valid and if so, provides access\n  to the client.\n\nThe that implement this mechanism has two parts, one for the server and one\nfor the client. A server that wants to authenticate clients instantiates an\nAuthServer instance (defined in the crtauth.server module) with a secret and\na KeyProvider instance as constructor arguments. The very simple FileKeyProvider\nreads public keys from a filesystem directory using a filename pattern derived\nfrom the username of the connecting user.\n\nOnce there is an AuthServer instance, it can generate a challenge string for\na specific user using the `create_challenge()` method.\n\nThe client part of the mechanism is also contained in the crtauth.server module,\nin the `create_response()` function. It takes a challenge string provided by the\nserver and returns a response string suitable for sending back to the server.\n\nThe server in turn validates the response from the client and if it checks out\nit returns an access token that can be used by the client to make authenticated\nrequests. 
This validation is done in the `create_token()` method of the AuthServer\nclass.\n\nFor subsequent calls to protected services, the provided access token can be\nverified using the `validate_token()` method of the AuthServer instance.\n\n## SSH keys from LDAP\n\nThis library also provides functionality to extract public ssh keys for\nconnecting users using an LDAP directory. To use this functionality, which\nis available in the ldap_key_provider.py module, the python-ldap module needs\nto be installed.\n\n## License\n\ncrtauth is free software; this code is released under the Apache\nSoftware License, version 2. The original code is written by Noa Resare with\ncontributions from John-John Tedro, Erwan Lemmonier, Martin Parm and Gunnar\nKreitz.\n\nAll code is Copyright (c) 2011-2017 Spotify AB\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fspotify%2Fcrtauth","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fspotify%2Fcrtauth","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fspotify%2Fcrtauth/lists"}