https://github.com/vouch-sh/vouch
Vouch Monorepo
2fa aws hardware kubernetes mfa security ssh yubikey
- Host: GitHub
- URL: https://github.com/vouch-sh/vouch
- Owner: vouch-sh
- License: apache-2.0
- Created: 2026-01-22T02:05:20.000Z (5 months ago)
- Default Branch: main
- Last Pushed: 2026-02-10T03:58:13.000Z (5 months ago)
- Last Synced: 2026-02-10T09:42:36.556Z (5 months ago)
- Topics: 2fa, aws, hardware, kubernetes, mfa, security, ssh, yubikey
- Language: Rust
- Homepage: https://vouch.sh
- Size: 1.5 MB
- Stars: 3
- Watchers: 0
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- Contributing: CONTRIBUTING.md
- License: LICENSE-APACHE
- Security: docs/SECURITY.md
README
# Vouch
**Prove you're here.**
Hardware-backed authentication that issues short-lived credentials only after a human touches a YubiKey. One touch, one PIN, one 8-hour session – then SSH and AWS just work.
```bash
$ vouch login
Touch your YubiKey...
Enter PIN: ****
✓ Authenticated as you@company.com
✓ Session valid for 8 hours
$ ssh prod.example.com # Just works
$ aws s3 ls # Just works
$ git push origin main # Just works
```
## The Problem
Modern authentication is broken in three ways:
1. **Push notification fatigue** – Duo pings you 47 times a day. Users approve reflexively. MFA fatigue attacks succeed because humans are tired.
2. **Credential sprawl** – Long-lived API keys in `~/.aws/credentials`. GitHub PATs that never expire. SSH keys from 2019 still floating around.
3. **No presence verification** – Existing tools verify *devices* or *sessions*, but not that a *human* is actually there. A compromised laptop with cached credentials is indistinguishable from its owner.
## The Solution
Vouch requires **physical presence** for every credential issuance:
| Traditional Auth | Vouch |
|------------------|-------|
| Password + SMS/Push | YubiKey touch + PIN |
| Long-lived API keys | 8-hour certificates |
| "Remember this device" | Per-session attestation |
| Optional hardware MFA | **Mandatory** hardware MFA |
| Device trust | Human presence proof |
### How It Works
```
┌─────────────────────────────────────────────────────────────────┐
│ Your Machine                                                    │
│                                                                 │
│  ┌──────────┐     ┌──────────┐     ┌──────────────────────────┐ │
│  │ YubiKey  │────▶│  vouch   │────▶│ Short-lived credentials  │ │
│  │ (touch)  │     │  login   │     │ managed by vouch agent   │ │
│  └──────────┘     └──────────┘     └──────────────────────────┘ │
│                        │                        │               │
│                        ▼                        ▼               │
│                   ┌──────────┐           ┌──────────────┐       │
│                   │  vouch   │           │ Native tools │       │
│                   │  server  │           │  (ssh, aws)  │       │
│                   │  (OIDC)  │           │              │       │
│                   └──────────┘           └──────────────┘       │
└─────────────────────────────────────────────────────────────────┘
```
1. **`vouch login`** – Touch YubiKey, enter PIN, get 8-hour session
2. **Vouch issues credentials** – SSH certificates, AWS STS tokens
3. **Tools just work** – Standard credential helpers, no wrappers needed
## Key Features
### Mandatory Hardware Presence
Unlike optional MFA that can be bypassed, Vouch only issues credentials after FIDO2 verification. The credential itself carries proof of presence.
### Short-Lived Everything
- SSH certificates: 8 hours
- AWS credentials: 1 hour (auto-refresh within session)
No more rotating keys. No more revoking access. Credentials simply expire.
### Zero-Friction Integration
Vouch configures standard credential providers:
- SSH: `IdentityAgent` pointing to vouch's signing agent
- AWS: `credential_process` in `~/.aws/config`
After `vouch login`, existing workflows are unchanged.
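The AWS `credential_process` hook that Vouch plugs into works by the CLI running a helper and reading a JSON document from its stdout. The following is an added example (not Vouch's own code) of a check a defender can run over such output to confirm it honours the short-lived policy above: the 1-hour limit is taken from this README, the JSON contract (Version 1, AccessKeyId, SecretAccessKey, SessionToken, Expiration) is AWS's, and the sample outputs and clock are constructed.

```python
"""Check that what a `credential_process` helper hands the AWS CLI is short-lived.
Added example, not vouch's own code. The AWS credential_process output contract
(Version 1, AccessKeyId, SecretAccessKey, SessionToken, Expiration) is real;
the sample helper outputs below are constructed."""
import json
from datetime import datetime, timedelta, timezone

MAX_LIFETIME = timedelta(hours=1)  # lifetime the README states for AWS credentials
REQUIRED = ("AccessKeyId", "SecretAccessKey")


def parse_expiration(value: str) -> datetime:
    """Parse the RFC 3339 timestamp credential_process emits; naive times are UTC."""
    exp = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return exp if exp.tzinfo else exp.replace(tzinfo=timezone.utc)


def check_credentials(raw: str, now: datetime) -> list[str]:
    """Return policy violations for one helper output; an empty list passes."""
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    problems = []
    if doc.get("Version") != 1:
        problems.append("Version must be 1")
    problems += [f"missing {k}" for k in REQUIRED if not doc.get(k)]
    if "Expiration" not in doc:
        # Without Expiration the CLI treats the keys as permanent: exactly the
        # long-lived credential the README sets out to eliminate.
        return problems + ["no Expiration: credentials would be cached as long-lived"]
    if not doc.get("SessionToken"):
        problems.append("temporary credentials must carry a SessionToken")
    try:
        exp = parse_expiration(doc["Expiration"])
    except ValueError:
        return problems + ["Expiration is not an RFC 3339 timestamp"]
    if exp <= now:
        problems.append("already expired")
    elif exp - now > MAX_LIFETIME:
        problems.append(f"lifetime {exp - now} exceeds {MAX_LIFETIME}")
    return problems


# Constructed sample outputs and clock; key material is placeholder text.
NOW = datetime(2026, 2, 10, 9, 30, tzinfo=timezone.utc)
GOOD_OUTPUT = json.dumps({"Version": 1, "AccessKeyId": "ASIAEXAMPLEKEY",
                          "SecretAccessKey": "example-secret", "SessionToken": "example-token",
                          "Expiration": "2026-02-10T10:00:00Z"})
LONG_LIVED_OUTPUT = json.dumps({"Version": 1, "AccessKeyId": "AKIAEXAMPLEKEY",
                                "SecretAccessKey": "example-secret"})
```

Run `check_credentials` over the stdout of whatever helper `credential_process` names in `~/.aws/config`; an empty list means the profile only ever yields expiring session credentials.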
## Quick Start
### Install
```bash
# macOS
brew install vouch-sh/tap/vouch
# Linux (Debian/Ubuntu)
# See https://packages.vouch.sh for repository setup
sudo apt install vouch
# Linux (RPM-based)
# See https://packages.vouch.sh for repository setup
sudo dnf install vouch
# From source
cargo install --git https://github.com/vouch-sh/vouch vouch-cli
```
### Setup
```bash
# Enroll with your YubiKey (one-time, opens browser)
vouch enroll
# Configure integrations
vouch setup ssh # Configures SSH to use vouch certificates
vouch setup aws --role arn:aws:iam::ID:role/name # Configures AWS credential_process
vouch setup eks --cluster my-cluster # Configures kubectl for EKS via IAM
vouch setup github --configure # Configures git credential helper for GitHub
```
### Daily Use
```bash
# Start your day
vouch login
# Everything just works for 8 hours
ssh prod-server
aws s3 ls
git clone https://github.com/your-org/private-repo.git
# Check session status
vouch status
```
## Requirements
- **YubiKey 5 series** (firmware 5.2+) with FIDO2/WebAuthn support
- **macOS** 12+ or **Linux** (glibc 2.31+) – Windows support is planned
- For AWS: IAM role with OIDC federation configured
- For EKS: Cluster with Access Entries configured for IAM role
- For SSH: CA public key distributed to target hosts
- For GitHub: Organization admin connects the Vouch GitHub App
## Architecture
Vouch consists of:
| Component | Description | Source |
|-----------|-------------|--------|
| `vouch` CLI | User-facing commands, credential helpers | Open source ([Apache-2.0 OR MIT](LICENSE-APACHE)) |
| `vouch-agent` | Background daemon, session management | Open source ([Apache-2.0 OR MIT](LICENSE-APACHE)) |
| Vouch Server | OIDC provider, certificate authority | [BSL 1.1](crates/vouch-server/LICENSE) (converts to Apache-2.0) |
The CLI is fully open source for security auditing. The server source is available under the Business Source License 1.1, which converts to Apache-2.0 after two years.
## Security
Vouch is designed for high-security environments:
- **Memory-safe implementation** – Written in Rust
- **No credential storage** – Vouch never sees your private keys
- **Cryptographic presence attestation** – FIDO2 with user verification
- **Short-lived credentials** – Minimize blast radius of compromise
- **Audit trail** – Every credential issuance logged with attestation
See [SECURITY.md](docs/SECURITY.md) for our threat model and responsible disclosure policy.
## Documentation
- [Architecture](docs/ARCHITECTURE.md) – System design and data flows
- [Security Model](docs/SECURITY.md) – Threat model and controls
- [Air-Gap Deployment](docs/AIRGAP.md) – On-premises installation guide
- [Agent Delegation](docs/DELEGATION.md) – AI assistant credential management
## Contributing
We welcome contributions! See [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines.
The CLI is open source under Apache-2.0 OR MIT. We believe security tools should be auditable.
## License
- CLI, agent, and shared libraries: [Apache-2.0](LICENSE-APACHE) OR [MIT](LICENSE-MIT)
- Server: [BSL 1.1](crates/vouch-server/LICENSE) (converts to Apache-2.0 after 2 years)
- Documentation: [CC-BY-4.0](https://creativecommons.org/licenses/by/4.0/)
---
**Vouch** – Prove you're here.
[Website](https://vouch.sh) · [Documentation](https://vouch.sh/docs) · [GitHub](https://github.com/vouch-sh/vouch)