Vouch Monorepo
https://github.com/vouch-sh/vouch

# Vouch

**Prove you're here.**

Hardware-backed authentication that issues short-lived credentials only after a human touches a YubiKey. One touch, one PIN, one 8-hour session; after that SSH and AWS just work.

```bash
$ vouch login
🔑 Touch your YubiKey...
Enter PIN: ****
✓ Authenticated as you@company.com
✓ Session valid for 8 hours

$ ssh prod.example.com # Just works
$ aws s3 ls # Just works
$ git push origin main # Just works
```

## The Problem

Modern authentication is broken in three ways:

1. **Push notification fatigue**: Duo pings you 47 times a day. Users approve reflexively. MFA fatigue attacks succeed because humans are tired.

2. **Credential sprawl**: Long-lived API keys in `~/.aws/credentials`. GitHub PATs that never expire. SSH keys from 2019 still floating around.

3. **No presence verification**: Existing tools verify *devices* or *sessions*, but not that a *human* is actually there. A compromised laptop with cached credentials is indistinguishable from its owner.

## The Solution

Vouch requires **physical presence** for every credential issuance:

| Traditional Auth | Vouch |
|------------------|-------|
| Password + SMS/Push | YubiKey touch + PIN |
| Long-lived API keys | 8-hour certificates |
| "Remember this device" | Per-session attestation |
| Optional hardware MFA | **Mandatory** hardware MFA |
| Device trust | Human presence proof |

### How It Works

```
┌─────────────────────────────────────────────────────────────────┐
│ Your Machine                                                    │
│                                                                 │
│  ┌──────────┐     ┌──────────┐     ┌──────────────────────────┐ │
│  │ YubiKey  │────▶│  vouch   │────▶│ Short-lived credentials  │ │
│  │ (touch)  │     │  login   │     │ managed by vouch agent   │ │
│  └──────────┘     └──────────┘     └──────────────────────────┘ │
│                        │                       │                │
│                        ▼                       ▼                │
│                   ┌──────────┐          ┌──────────────┐        │
│                   │  vouch   │          │ Native tools │        │
│                   │  server  │          │ (ssh, aws)   │        │
│                   │  (OIDC)  │          │              │        │
│                   └──────────┘          └──────────────┘        │
└─────────────────────────────────────────────────────────────────┘
```

1. **`vouch login`**: Touch YubiKey, enter PIN, get an 8-hour session
2. **Vouch issues credentials**: SSH certificates, AWS STS tokens
3. **Tools just work**: Standard credential helpers, no wrappers needed

## Key Features

### Mandatory Hardware Presence
Unlike optional MFA that can be bypassed, Vouch only issues credentials after a FIDO2 assertion with user verification (touch plus PIN). The credential itself carries proof of presence.

### Short-Lived Everything
- SSH certificates: 8 hours
- AWS credentials: 1 hour (auto-refreshed within the session)

No more rotating keys. No more revoking access. Credentials simply expire. The caveat that goes with this: a certificate or token lifted from the agent stays usable until its expiry, so the lifetime is the upper bound on exposure; hosts that need a faster cut-off can still publish a revocation list for the CA (OpenSSH `RevokedKeys`).
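A way to verify the "8 hours" claim on a live session rather than take it on faith, as an added example that is not Vouch's own code: the script below decodes the OpenSSH certificate wire format (`ssh-ed25519-cert-v01@openssh.com`, as documented in OpenSSH's PROTOCOL.certkeys) and checks the validity window, the certificate type and the principals. The 8-hour limit, the principal names and the sample certificate (built inline with dummy key bytes and a dummy signature so it runs offline) are constructed assumptions; feed `check_certificate` a real line from `ssh-add -L` to audit what your agent actually holds. It does not verify the CA signature, which is sshd's job.

```python
"""Audit an OpenSSH user certificate's lifetime and principals (added example)."""
import base64
import struct

CERT_TYPE = "ssh-ed25519-cert-v01@openssh.com"
USER_CERT = 1                 # certificate type field: 1 = user, 2 = host
MAX_LIFETIME = 8 * 3600       # policy assumed from the README's "8 hours"


def _string(data: bytes) -> bytes:
    """SSH wire-format 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def _read_string(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + n], off + n


def build_sample_certificate(principals, valid_after: int, valid_before: int) -> str:
    """Constructed certificate in `ssh-add -L` form. Unsigned dummy: parsing only."""
    blob = b"".join([
        _string(CERT_TYPE.encode()),
        _string(b"\x00" * 32),                       # nonce
        _string(b"\x11" * 32),                       # user's ed25519 public key (dummy)
        struct.pack(">Q", 42),                       # serial
        struct.pack(">I", USER_CERT),                # type
        _string(b"you@company.com"),                 # key id
        _string(b"".join(_string(p.encode()) for p in principals)),
        struct.pack(">Q", valid_after),
        struct.pack(">Q", valid_before),
        _string(b""),                                # critical options
        _string(b""),                                # extensions
        _string(b""),                                # reserved
        _string(_string(b"ssh-ed25519") + _string(b"\x22" * 32)),  # CA public key (dummy)
        _string(_string(b"ssh-ed25519") + _string(b"\x33" * 64)),  # signature (dummy)
    ])
    return f"{CERT_TYPE} {base64.b64encode(blob).decode()} vouch-session"


def parse_certificate(line: str) -> dict:
    """Decode the fields a policy check needs from one certificate line."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != CERT_TYPE:
        raise ValueError("expected an ssh-ed25519 OpenSSH certificate line")
    buf = base64.b64decode(parts[1])
    key_type, off = _read_string(buf, 0)
    if key_type != CERT_TYPE.encode():
        raise ValueError("blob type does not match the line prefix")
    _nonce, off = _read_string(buf, off)
    _pubkey, off = _read_string(buf, off)
    serial, cert_type = struct.unpack_from(">QI", buf, off)
    off += 12
    key_id, off = _read_string(buf, off)
    packed, off = _read_string(buf, off)
    principals, p = [], 0
    while p < len(packed):                           # principals are packed strings
        name, p = _read_string(packed, p)
        principals.append(name.decode())
    valid_after, valid_before = struct.unpack_from(">QQ", buf, off)
    return {"serial": serial, "type": cert_type, "key_id": key_id.decode(),
            "principals": principals, "valid_after": valid_after,
            "valid_before": valid_before}


def check_certificate(line: str, now: int, expected_principal: str) -> list:
    """Return the policy problems found; an empty list means the cert is acceptable."""
    cert = parse_certificate(line)
    problems = []
    if cert["type"] != USER_CERT:
        problems.append("not a user certificate")
    lifetime = cert["valid_before"] - cert["valid_after"]
    if lifetime > MAX_LIFETIME:
        problems.append(f"lifetime {lifetime}s exceeds policy of {MAX_LIFETIME}s")
    if not cert["valid_after"] <= now < cert["valid_before"]:
        problems.append("outside validity window")
    if expected_principal not in cert["principals"]:
        problems.append(f"principal {expected_principal!r} not in {cert['principals']}")
    return problems


# Constructed inputs: an 8-hour session certificate and a 24-hour one.
T0 = 1_700_000_000
GOOD_CERT = build_sample_certificate(["you@company.com", "deploy"], T0, T0 + 8 * 3600)
LONG_CERT = build_sample_certificate(["you@company.com"], T0, T0 + 24 * 3600)

if __name__ == "__main__":
    for label, line in (("8h", GOOD_CERT), ("24h", LONG_CERT)):
        print(label, parse_certificate(line)["principals"],
              check_certificate(line, T0 + 60, "deploy"))
```

The same parser works on a certificate pulled from `~/.ssh` or from `ssh-add -L`; only the ed25519 variant is handled here, since RSA and ECDSA certificates carry differently shaped public-key fields before the serial.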

### Zero-Friction Integration
Vouch configures standard credential providers:
- SSH: `IdentityAgent` pointing to vouch's signing agent
- AWS: `credential_process` in `~/.aws/config`

After `vouch login`, existing workflows are unchanged.
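The `credential_process` hook is the standard AWS SDK/CLI contract: the configured command prints one JSON object on stdout with `Version`, `AccessKeyId`, `SecretAccessKey` and optionally `SessionToken` and `Expiration`. The wrapper below, added here as an example and not part of Vouch, sits in front of whatever helper is configured and refuses credentials that are not short-lived: a missing `Expiration` (which the contract allows, and which means long-term keys) or a lifetime above a policy maximum. The one-hour limit and the sample JSON documents are constructed assumptions.

```python
"""Policy wrapper for an AWS credential_process helper (added example)."""
import json
import subprocess
import sys
from datetime import datetime, timedelta, timezone

MAX_LIFETIME = timedelta(hours=1)            # policy assumed from the README's AWS lifetime
REQUIRED = ("AccessKeyId", "SecretAccessKey")


def parse_expiration(value: str) -> datetime:
    """ISO 8601 as STS emits it, e.g. 2024-01-01T12:45:00Z; must be timezone-aware."""
    exp = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if exp.tzinfo is None:
        raise ValueError("Expiration must carry a timezone")
    return exp


def enforce_short_lived(raw: str, now: datetime,
                        max_lifetime: timedelta = MAX_LIFETIME) -> dict:
    """Return the parsed credential document, or raise ValueError naming the violation."""
    doc = json.loads(raw)
    if doc.get("Version") != 1:
        raise ValueError(f"unsupported credential_process Version {doc.get('Version')!r}")
    missing = [k for k in REQUIRED if not doc.get(k)]
    if missing:
        raise ValueError("missing fields: " + ", ".join(missing))
    # Expiration is optional in the contract. Omitting it means long-term keys,
    # which is exactly what a short-lived setup is supposed to eliminate.
    if "Expiration" not in doc:
        raise ValueError("credentials have no Expiration (long-term keys rejected)")
    exp = parse_expiration(doc["Expiration"])
    if exp <= now:
        raise ValueError("credentials already expired")
    if exp - now > max_lifetime:
        raise ValueError(f"lifetime {exp - now} exceeds policy maximum {max_lifetime}")
    return doc


def policy_violation(raw: str, now: datetime) -> str:
    """Empty string if the helper output passes policy, otherwise the reason."""
    try:
        enforce_short_lived(raw, now)
        return ""
    except ValueError as err:
        return str(err)


def main(argv: list) -> int:
    """Run the real helper, check its output, pass it through only if it is short-lived.

    ~/.aws/config (assumed layout):
        [profile prod]
        credential_process = python3 /path/to/wrap.py <real helper command...>
    """
    if not argv:
        print("usage: wrap.py <credential helper> [args...]", file=sys.stderr)
        return 2
    proc = subprocess.run(argv, capture_output=True, text=True)
    if proc.returncode != 0:
        sys.stderr.write(proc.stderr)
        return proc.returncode
    reason = policy_violation(proc.stdout, datetime.now(timezone.utc))
    if reason:
        print(f"refusing credentials: {reason}", file=sys.stderr)
        return 1
    sys.stdout.write(proc.stdout)          # unchanged JSON goes back to the SDK
    return 0


# Constructed sample outputs, shaped like an STS-backed helper's stdout.
SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_OK = json.dumps({"Version": 1, "AccessKeyId": "ASIAEXAMPLEEXAMPLE",
                        "SecretAccessKey": "example-secret",
                        "SessionToken": "example-session-token",
                        "Expiration": "2024-01-01T12:45:00Z"})
SAMPLE_LONG_TERM = json.dumps({"Version": 1, "AccessKeyId": "AKIAEXAMPLEEXAMPLE",
                               "SecretAccessKey": "example-secret"})
SAMPLE_TOO_LONG = json.dumps({"Version": 1, "AccessKeyId": "ASIAEXAMPLEEXAMPLE",
                              "SecretAccessKey": "example-secret",
                              "SessionToken": "t", "Expiration": "2024-01-01T20:00:00Z"})

if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

The wrapper writes the helper's stdout back unchanged rather than re-serialising it, so any extra fields the helper emits survive; the SDK only sees credentials once they have passed the lifetime check.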

## Quick Start

### Install
```bash
# macOS
brew install vouch-sh/tap/vouch

# Linux (Debian/Ubuntu)
# See https://packages.vouch.sh for repository setup
sudo apt install vouch

# Linux (RPM-based)
# See https://packages.vouch.sh for repository setup
sudo dnf install vouch

# From source
cargo install --git https://github.com/vouch-sh/vouch vouch-cli
```

### Setup
```bash
# Enroll with your YubiKey (one-time, opens browser)
vouch enroll

# Configure integrations
vouch setup ssh # Configures SSH to use vouch certificates
vouch setup aws --role arn:aws:iam::ID:role/name # Configures AWS credential_process
vouch setup eks --cluster my-cluster # Configures kubectl for EKS via IAM
vouch setup github --configure # Configures git credential helper for GitHub
```

### Daily Use
```bash
# Start your day
vouch login

# Everything just works for 8 hours
ssh prod-server
aws s3 ls
git clone https://github.com/your-org/private-repo.git

# Check session status
vouch status
```

## Requirements

- **YubiKey 5 series** (firmware 5.2+) with FIDO2/WebAuthn support
- **macOS** 12+ or **Linux** (glibc 2.31+); Windows support is planned
- For AWS: IAM role with OIDC federation configured
- For EKS: Cluster with Access Entries configured for IAM role
- For SSH: CA public key distributed to target hosts (typically referenced by `TrustedUserCAKeys` in `sshd_config`)
- For GitHub: Organization admin connects the Vouch GitHub App

## Architecture

Vouch consists of:

| Component | Description | Source |
|-----------|-------------|--------|
| `vouch` CLI | User-facing commands, credential helpers | Open source ([Apache-2.0 OR MIT](LICENSE-APACHE)) |
| `vouch-agent` | Background daemon, session management | Open source ([Apache-2.0 OR MIT](LICENSE-APACHE)) |
| Vouch Server | OIDC provider, certificate authority | [BSL 1.1](crates/vouch-server/LICENSE) (converts to Apache-2.0) |

The CLI is fully open source for security auditing. The server source is available under the Business Source License 1.1, which converts to Apache-2.0 after two years.

## Security

Vouch is designed for high-security environments:

- **Memory-safe implementation**: written in Rust
- **No credential storage**: the YubiKey's private key never leaves the device and Vouch never sees it; the agent holds only the short-lived credentials it was issued
- **Cryptographic presence attestation**: FIDO2 with user verification
- **Short-lived credentials**: minimize the blast radius of a compromise
- **Audit trail**: every credential issuance is logged with its attestation

See [SECURITY.md](docs/SECURITY.md) for our threat model and responsible disclosure policy.

## Documentation

- [Architecture](docs/ARCHITECTURE.md): System design and data flows
- [Security Model](docs/SECURITY.md): Threat model and controls
- [Air-Gap Deployment](docs/AIRGAP.md): On-premises installation guide
- [Agent Delegation](docs/DELEGATION.md): AI assistant credential management

## Contributing

We welcome contributions! See [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines.

The CLI is open source under Apache-2.0 OR MIT. We believe security tools should be auditable.

## License

- CLI, agent, and shared libraries: [Apache-2.0](LICENSE-APACHE) OR [MIT](LICENSE-MIT)
- Server: [BSL 1.1](crates/vouch-server/LICENSE) (converts to Apache-2.0 after 2 years)
- Documentation: [CC-BY-4.0](https://creativecommons.org/licenses/by/4.0/)

---

**Vouch**: Prove you're here.

[Website](https://vouch.sh) · [Documentation](https://vouch.sh/docs) · [GitHub](https://github.com/vouch-sh/vouch)