{"id":43627230,"url":"https://github.com/vouch-sh/vouch","last_synced_at":"2026-03-04T05:13:42.193Z","repository":{"id":335030990,"uuid":"1139469228","full_name":"vouch-sh/vouch","owner":"vouch-sh","description":"Vouch Monorepo","archived":false,"fork":false,"pushed_at":"2026-02-10T03:58:13.000Z","size":1577,"stargazers_count":3,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-02-10T09:42:36.556Z","etag":null,"topics":["2fa","aws","hardware","kubernetes","mfa","security","ssh","yubikey"],"latest_commit_sha":null,"homepage":"https://vouch.sh","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/vouch-sh.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE-APACHE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"docs/SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-01-22T02:05:20.000Z","updated_at":"2026-02-10T06:13:07.000Z","dependencies_parsed_at":null,"dependency_job_id":"5f09363e-30ed-43e5-9460-e0cc7a669046","html_url":"https://github.com/vouch-sh/vouch","commit_stats":null,"previous_names":["vouch-sh/vouch"],"tags_count":32,"template":false,"template_full_name":null,"purl":"pkg:github/vouch-sh/vouch","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vouch-sh%2Fvouch","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vouch-sh%2Fvouch/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vouch-sh%2Fvouch/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vouch-sh%2Fvouch/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/vouch-sh","download_url":"https://codeload.github.com/vouch-sh/vouch/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vouch-sh%2Fvouch/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29383113,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-12T22:07:52.078Z","status":"ssl_error","status_checked_at":"2026-02-12T22:07:49.026Z","response_time":55,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["2fa","aws","hardware","kubernetes","mfa","security","ssh","yubikey"],"created_at":"2026-02-04T16:11:28.168Z","updated_at":"2026-02-18T06:01:57.663Z","avatar_url":"https://github.com/vouch-sh.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Vouch\n\n**Prove you're here.**\n\nHardware-backed authentication that issues short-lived credentials only after a human touches a YubiKey. One touch, one PIN, one 8-hour session — then SSH and AWS just work.\n\n```bash\n$ vouch login\n🔑 Touch your YubiKey...\nEnter PIN: ****\n✓ Authenticated as you@company.com\n✓ Session valid for 8 hours\n\n$ ssh prod.example.com                        # Just works\n$ aws s3 ls                                   # Just works\n$ git push origin main                        # Just works\n```\n\n## The Problem\n\nModern authentication is broken in three ways:\n\n1. **Push notification fatigue** — Duo pings you 47 times a day. Users approve reflexively. MFA fatigue attacks succeed because humans are tired.\n\n2. **Credential sprawl** — Long-lived API keys in `~/.aws/credentials`. GitHub PATs that never expire. SSH keys from 2019 still floating around.\n\n3. **No presence verification** — Existing tools verify *devices* or *sessions*, but not that a *human* is actually there. A compromised laptop with cached credentials is indistinguishable from its owner.\n\n## The Solution\n\nVouch requires **physical presence** for every credential issuance:\n\n| Traditional Auth | Vouch |\n|------------------|-------|\n| Password + SMS/Push | YubiKey touch + PIN |\n| Long-lived API keys | 8-hour certificates |\n| \"Remember this device\" | Per-session attestation |\n| Optional hardware MFA | **Mandatory** hardware MFA |\n| Device trust | Human presence proof |\n\n### How It Works\n\n```\n┌─────────────────────────────────────────────────────────────────┐\n│                         Your Machine                             │\n│                                                                  │\n│  ┌──────────┐     ┌──────────┐     ┌──────────────────────────┐ │\n│  │ YubiKey  │────▶│  vouch   │────▶│ Short-lived credentials  │ │\n│  │ (touch)  │     │  login   │     │ managed by vouch agent   │ │\n│  └──────────┘     └──────────┘     └──────────────────────────┘ │\n│                         │                      │                 │\n│                         ▼                      ▼                 │\n│                   ┌──────────┐          ┌──────────────┐        │\n│                   │  vouch   │          │ Native tools │        │\n│                   │  server  │          │ (ssh, aws)   │        │\n│                   │  (OIDC)  │          │              │        │\n│                   └──────────┘          └──────────────┘        │\n└─────────────────────────────────────────────────────────────────┘\n```\n\n1. **`vouch login`** — Touch YubiKey, enter PIN, get 8-hour session\n2. **Vouch issues credentials** — SSH certificates, AWS STS tokens\n3. **Tools just work** — Standard credential helpers, no wrappers needed\n\n## Key Features\n\n### Mandatory Hardware Presence\nUnlike optional MFA that can be bypassed, Vouch only issues credentials after FIDO2 verification. The credential itself carries proof of presence.\n\n### Short-Lived Everything\n- SSH certificates: 8 hours\n- AWS credentials: 1 hour (auto-refresh within session)\n\nNo more rotating keys. No more revoking access. Credentials simply expire.\n\n### Zero-Friction Integration\nVouch configures standard credential providers:\n- SSH: `IdentityAgent` pointing to vouch's signing agent\n- AWS: `credential_process` in `~/.aws/config`\n\nAfter `vouch login`, existing workflows are unchanged.\n\n## Quick Start\n\n### Install\n```bash\n# macOS\nbrew install vouch-sh/tap/vouch\n\n# Linux (Debian/Ubuntu)\n# See https://packages.vouch.sh for repository setup\nsudo apt install vouch\n\n# Linux (RPM-based)\n# See https://packages.vouch.sh for repository setup\nsudo dnf install vouch\n\n# From source\ncargo install --git https://github.com/vouch-sh/vouch vouch-cli\n```\n\n### Setup\n```bash\n# Enroll with your YubiKey (one-time, opens browser)\nvouch enroll\n\n# Configure integrations\nvouch setup ssh                                    # Configures SSH to use vouch certificates\nvouch setup aws --role arn:aws:iam::ID:role/name   # Configures AWS credential_process\nvouch setup eks --cluster my-cluster                # Configures kubectl for EKS via IAM\nvouch setup github --configure                     # Configures git credential helper for GitHub\n```\n\n### Daily Use\n```bash\n# Start your day\nvouch login\n\n# Everything just works for 8 hours\nssh prod-server\naws s3 ls\ngit clone https://github.com/your-org/private-repo.git\n\n# Check session status\nvouch status\n```\n\n## Requirements\n\n- **YubiKey 5 series** (firmware 5.2+) with FIDO2/WebAuthn support\n- **macOS** 12+ or **Linux** (glibc 2.31+) — Windows support is planned\n- For AWS: IAM role with OIDC federation configured\n- For EKS: Cluster with Access Entries configured for IAM role\n- For SSH: CA public key distributed to target hosts\n- For GitHub: Organization admin connects the Vouch GitHub App\n\n## Architecture\n\nVouch consists of:\n\n| Component | Description | Source |\n|-----------|-------------|--------|\n| `vouch` CLI | User-facing commands, credential helpers | Open source ([Apache-2.0 OR MIT](LICENSE-APACHE)) |\n| `vouch-agent` | Background daemon, session management | Open source ([Apache-2.0 OR MIT](LICENSE-APACHE)) |\n| Vouch Server | OIDC provider, certificate authority | [BSL 1.1](crates/vouch-server/LICENSE) (converts to Apache-2.0) |\n\nThe CLI is fully open source for security auditing. The server source is available under the Business Source License 1.1, which converts to Apache-2.0 after two years.\n\n## Security\n\nVouch is designed for high-security environments:\n\n- **Memory-safe implementation** — Written in Rust\n- **No credential storage** — Vouch never sees your private keys\n- **Cryptographic presence attestation** — FIDO2 with user verification\n- **Short-lived credentials** — Minimize blast radius of compromise\n- **Audit trail** — Every credential issuance logged with attestation\n\nSee [SECURITY.md](docs/SECURITY.md) for our threat model and responsible disclosure policy.\n\n## Documentation\n\n- [Architecture](docs/ARCHITECTURE.md) — System design and data flows\n- [Security Model](docs/SECURITY.md) — Threat model and controls\n- [Air-Gap Deployment](docs/AIRGAP.md) — On-premises installation guide\n- [Agent Delegation](docs/DELEGATION.md) — AI assistant credential management\n\n## Contributing\n\nWe welcome contributions! See [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines.\n\nThe CLI is open source under Apache-2.0 OR MIT. We believe security tools should be auditable.\n\n## License\n\n- CLI, agent, and shared libraries: [Apache-2.0](LICENSE-APACHE) OR [MIT](LICENSE-MIT)\n- Server: [BSL 1.1](crates/vouch-server/LICENSE) (converts to Apache-2.0 after 2 years)\n- Documentation: [CC-BY-4.0](https://creativecommons.org/licenses/by/4.0/)\n\n---\n\n**Vouch** — Prove you're here.\n\n[Website](https://vouch.sh) · [Documentation](https://vouch.sh/docs) · [GitHub](https://github.com/vouch-sh/vouch)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvouch-sh%2Fvouch","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fvouch-sh%2Fvouch","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvouch-sh%2Fvouch/lists"}