Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.


https://github.com/sierrasoftworks/inki

An agent which allows you to register new SSH keys on a host through a combination of PGP signing, an HTTP API and host-side checks.

golang pgp-key ssh-key

README

# Inki
**Secure SSH key distribution with support for custom workflow logic**

Inki is a tool which makes it trivially easy to manage a dynamic list of SSH keys
on a host. This is achieved through a daemon which holds an in-memory list of
keys and provides an HTTP API via which new keys may be added, as well as a client
which consumes the API.

To prevent the possibility of bad actors registering keys against your hosts,
it is possible to configure Inki to require SSH keys to be PGP signed before they
are accepted.

## Features
- **Support for multiple users**, allowing you to register keys for individual user
accounts and, if you wish, require a unique PGP key for each user.
- **Integrates with AuthorizedKeysCommand**, which removes the need to modify
your `authorized_keys` file and lets Inki add keys even when the host
has no disk space remaining.
- **Straightforward HTTP API** so that other services can quickly and easily integrate
with it. You can even send commands using `curl` if need be!

## Example
```
$ inki key add http://[email protected] -f my_key.pub -p sign.key
Enter PGP key password:
Added keys:
 - Username: bpannell
   Fingerprint: 7646dd89cbbcecbfeda2ba1d80ec9451
   Expires: 2016-12-15 14:30:42.9195054 +0000 UTC

$ inki key list http://[email protected]
Authorized keys:
 - Username: bpannell
   Fingerprint: 7646dd89cbbcecbfeda2ba1d80ec9451
   Expires: 2016-12-15 14:30:42.9195054 +0000 UTC

$ inki authorized-keys bpannell
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDArmZ5fyEt1V9KiGFuiZ...
```

## Use Case
Inki was originally designed to enable automated tools to request access to servers
for remediation purposes, allowing the servers to decide whether to allow the tool
access on a case-by-case basis and ensuring that credentials could be flexibly rotated
at any time.

That being said, it offers a great way to enable access to your servers using a PGP
key like your Keybase one and any SSH key, potentially saving you from the loss of
an SSH key while keeping your systems secure.

## Running a Server
The Inki server is available as a Docker container. You will need to set up your
server configuration file and mount it into the container before keys can be
published.

```yml
---
users:
  - name: root
    keyring: |
      -----BEGIN PGP PUBLIC KEY BLOCK-----
      Version: GnuPG v2
      ....
      ....
      ....
      -----END PGP PUBLIC KEY BLOCK-----
```

```sh
# Bind mounts need an absolute host path, so expand the current directory.
docker run --rm -p 3000:3000 -v "$PWD/config.yml:/etc/inki/server.yml" sierrasoftworks/inki:latest
```

Inki's server stores its configuration in memory, as its use case involves
providing transient key access to various servers. Stopping the container will
therefore remove any active keys and they will need to be added again.

## Adding a Key
Inki uses an HTTP API to add keys, requiring that a request to add a key is
sent as a signed PGP message with the JSON payload describing the key to be
added.

Because of this design, you can add keys with nothing more than the `curl` and `gpg`
command line tools; alternatively, Inki's own command line can submit the keys for you
if you find that easier.
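The host-side checks described above (a signed request, a per-user keyring configured in `server.yml`, an in-memory key list that expires, and the `authorized-keys` output sshd consumes) can be modelled end to end. The following is an added example, not Inki's code; it also serves the design overview at the top of the README. Two stand-ins are assumed: an HMAC-SHA256 keyed by a per-user secret replaces the OpenPGP signature (the Python standard library has no OpenPGP, and the check structure, not the primitive, is what this shows; note that a shared secret, unlike a PGP public key, would let the server forge requests), and the JSON payload shape (`username`, `key`, `expires`), the 24-hour lifetime cap, and the MD5-of-blob fingerprint are all constructed for the example because the page does not state them.

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Constructed stand-in keyring. In Inki, server.yml maps each user to a PGP
# public key block and the request's PGP signature must verify against it.
# Here each user gets an HMAC secret instead (assumption, see lead-in).
KEYRING = {
    "root": b"constructed-root-secret",
    "bpannell": b"constructed-bpannell-secret",
}

MAX_LIFETIME = timedelta(hours=24)          # assumed policy cap on key lifetime
ACCEPTED_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256")
NOW = datetime(2016, 12, 15, 2, 30, tzinfo=timezone.utc)   # fixed clock for the demo


def sign(username: str, payload: bytes) -> str:
    """Client side of the stand-in scheme (the role a PGP signature plays for Inki)."""
    return hmac.new(KEYRING[username], payload, hashlib.sha256).hexdigest()


def fingerprint(pubkey: str) -> str:
    """32-hex MD5 of the decoded key blob; assumption chosen to match the shape
    of the fingerprints printed in the README's session."""
    return hashlib.md5(base64.b64decode(pubkey.split()[1])).hexdigest()


class KeyStore:
    """In-memory key list like the Inki daemon's: nothing is persisted, so a
    restart forgets every key."""

    def __init__(self):
        self._keys = []   # dicts: username, key, fingerprint, expires

    def add_signed(self, username: str, payload: bytes, signature: str, now: datetime):
        # 1. Verify against the keyring of the user named in the request, not any
        #    keyring: a signature valid for bpannell must not add keys for root.
        secret = KEYRING.get(username)
        if secret is None:
            raise PermissionError(f"no keyring configured for {username!r}")
        expected = hmac.new(secret, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, signature):
            raise PermissionError("signature does not verify for this user")

        # 2. Only a verified payload is parsed, and it must target the signer's account.
        body = json.loads(payload)
        if body.get("username") != username:
            raise PermissionError("payload targets a different account than the signer")
        parts = body.get("key", "").split()
        if len(parts) < 2 or parts[0] not in ACCEPTED_TYPES:
            raise ValueError("payload does not carry a supported public key")

        # 3. Expiry is mandatory, must be in the future, and is capped.
        expires = datetime.fromisoformat(body["expires"])
        if expires <= now or expires - now > MAX_LIFETIME:
            raise ValueError("expiry must lie within (now, now + MAX_LIFETIME]")

        entry = {"username": username, "key": " ".join(parts[:2]),
                 "fingerprint": fingerprint(body["key"]), "expires": expires}
        self._keys.append(entry)
        return entry

    def authorized_keys(self, username: str, now: datetime):
        """What an AuthorizedKeysCommand hook hands to sshd: live keys for this
        user only, with expired entries pruned on the way."""
        self._keys = [k for k in self._keys if k["expires"] > now]
        return [k["key"] for k in self._keys if k["username"] == username]


def constructed_ed25519_key() -> str:
    """Syntactically valid ssh-ed25519 public key built from fixed bytes (not a real key pair)."""
    blob = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + bytes(range(32))
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " bpannell@example"


def make_payload(username: str, hours: int) -> bytes:
    """Constructed request body: the JSON Inki expects is not on the page."""
    return json.dumps({"username": username, "key": constructed_ed25519_key(),
                       "expires": (NOW + timedelta(hours=hours)).isoformat()}).encode()


def demo():
    """Register a 12h key, then read the authorized list before and after expiry."""
    store = KeyStore()
    payload = make_payload("bpannell", 12)
    store.add_signed("bpannell", payload, sign("bpannell", payload), NOW)
    live = store.authorized_keys("bpannell", NOW)
    later = store.authorized_keys("bpannell", NOW + timedelta(hours=13))
    return len(live), len(later)


if __name__ == "__main__":
    print(demo())   # prints (1, 0)
```

On the sshd side, the hook the feature list refers to is the `AuthorizedKeysCommand` directive in `sshd_config` (paired with `AuthorizedKeysCommandUser`); sshd substitutes the login name for `%u`, so a command configured as `inki authorized-keys %u` ends up being run exactly like the README's `inki authorized-keys bpannell` line. sshd refuses to run a command binary that is not owned by root or is group- or world-writable, which is the check that keeps a local user from replacing the hook with their own script.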

### Using Inki
```sh
inki key add http://user@inki_server:3000 \
--file ssh_key.pub \
--pgp-key pgp_private_key.gpg \
--expire 12h
```

### Using Curl
```sh
cat <