Rotate SSH keys, stored in the cloud!
key-switcheroo: SSH key rotator toolkit
What is it?
key-switcheroo is a Python package that provides tools for easy, reliable and secure SSH key management. It lets a user generate an SSH public/private key pair and store the public key either in AWS S3 or on the local file system, according to preference. It also ships a retriever for the server host, which fetches the public key stored for a connecting user so the SSH server can check the client's private-key signature against it. Finally, it supports periodic rotation: publishing again for the same host and user swaps the stored public key for a freshly generated one, which limits how long any single key stays valid.
Features
Publisher
The publisher tool offers a command-line interface for generating SSH public/private key pairs. It lets the user choose where the public key is stored, either in AWS S3 or on the local machine. The private key is written to the local SSH key directory and is what the client uses to authenticate over SSH.
Retriever
The retriever tool is the server-side half. When a client attempts an SSH connection, the retriever looks up the public key the publisher stored for that user in the configured datastore and returns it to the SSH server, which then verifies that the client holds the matching private key. Authentication succeeds only if the client's key matches a key that was published for that user.
Key rotation
To limit the lifetime of any one key, key-switcheroo supports key rotation. Running the publisher again with the same host and user arguments generates a new key pair and swaps the stored public key for the new one. Rotating regularly shortens the window in which a leaked or forgotten private key can be abused. After a rotation the client must use the newly generated private key; the replaced key no longer authenticates, so make sure the client has picked up the new key before relying on it.
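The publish, retrieve and rotate cycle described above, as an added example in Python that is not key-switcheroo's own code. It assumes a hypothetical local layout (<root>/<user>.pub for the current key, <user>.pub.prev for the key it replaced), validates the user name because a server-side retriever receives it from the login attempt, writes key files atomically with 0600 permissions, and uses constructed key lines rather than real key material (the real tool generates pairs with pycryptodome and can also store to S3, neither of which is shown here).

```python
"""Added example, not key-switcheroo's code: a minimal local datastore
showing the publish / retrieve / rotate cycle described above."""
import os
import re
import shutil
import stat
import tempfile
from pathlib import Path

# The login name may come straight from sshd (AuthorizedKeysCommand %u);
# restrict it so it can never select a path outside the store.
USER_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")
# One OpenSSH public-key line: key type, base64 blob, optional comment.
PUBKEY_RE = re.compile(
    r"^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( \S+)?$"
)

# Constructed key lines for the demo; the blobs are not real keys.
OLD_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOLDKEYOLDKEYOLDKEYOLDKEYOLDKEYOLDKEYOLDKEYOLD johndoe@laptop"
NEW_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINEWKEYNEWKEYNEWKEYNEWKEYNEWKEYNEWKEYNEWKEYNEW johndoe@laptop"


class LocalDatastore:
    """Hypothetical layout: <root>/<user>.pub is the current key,
    <root>/<user>.pub.prev the key it replaced (kept for a grace period)."""

    def __init__(self, root):
        self.root = Path(root)
        self.root.mkdir(mode=0o700, parents=True, exist_ok=True)

    def _current(self, user):
        if not USER_RE.match(user):
            raise ValueError(f"refusing suspicious user name {user!r}")
        return self.root / f"{user}.pub"

    def publish(self, user, public_key):
        """Store a new public key; an existing one becomes .prev."""
        public_key = public_key.strip()
        if not PUBKEY_RE.match(public_key):
            raise ValueError("not an OpenSSH public-key line")
        current = self._current(user)
        # Temp file in the same directory, then rename over the old one:
        # a concurrent reader (sshd) never sees a half-written key file.
        fd, tmp = tempfile.mkstemp(dir=self.root, prefix=".tmp-")
        with os.fdopen(fd, "w") as fh:
            fh.write(public_key + "\n")
        os.chmod(tmp, 0o600)
        if current.exists():
            os.replace(current, current.with_name(current.name + ".prev"))
        os.replace(tmp, current)

    def retrieve(self, user, include_previous=False):
        """Return authorized_keys lines for the user, newest first."""
        current = self._current(user)
        paths = [current]
        if include_previous:
            paths.append(current.with_name(current.name + ".prev"))
        return [p.read_text().rstrip("\n") for p in paths if p.exists()]

    def retire_previous(self, user):
        """End the grace period so the replaced key stops authenticating."""
        prev = self._current(user).with_name(f"{user}.pub.prev")
        if prev.exists():
            prev.unlink()
            return True
        return False


def demo():
    """Walk the cycle in a temp directory; report what sshd would get."""
    root = tempfile.mkdtemp(prefix="switcheroo-")
    try:
        ds = LocalDatastore(root)
        ds.publish("johndoe", OLD_KEY)
        first = ds.retrieve("johndoe")
        ds.publish("johndoe", NEW_KEY)  # rotation: publish the same user again
        rotated = ds.retrieve("johndoe")
        grace = ds.retrieve("johndoe", include_previous=True)
        ds.retire_previous("johndoe")
        after = ds.retrieve("johndoe", include_previous=True)
        mode = stat.S_IMODE(os.stat(Path(root, "johndoe.pub")).st_mode)
        try:
            ds.retrieve("../../root/.ssh/authorized_keys")
            traversal_rejected = False
        except ValueError:
            traversal_rejected = True
        return {"first": first, "rotated": rotated, "grace": grace,
                "after": after, "mode": mode, "traversal_rejected": traversal_rejected}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Wiring sshd to a retriever of this kind is an assumption of this example, not something the page states; the standard hook is `AuthorizedKeysCommand /path/to/retriever %u` with `AuthorizedKeysCommandUser` set to an unprivileged account, and sshd reads the command's stdout as authorized_keys lines. The grace window (`include_previous=True`) is the practitioner's escape hatch: rotate, confirm the client connects with the new private key, then retire the old one.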
Where to get it
The source code is currently hosted on GitHub at: https://github.com/SSH-key-rotation-AWS/key-switcheroo
A built distribution (wheel) of the latest release is available from the Python Package Index (PyPI):
pip install key-switcheroo
How to use
Once the package is installed, two commands are available from the user's CLI, publisher and retriever, each taking required positional arguments plus optional flags.
For help with command-line arguments:
publisher --help (or publisher -h)
retriever --help (or retriever -h)
Publisher
When creating and publishing a new SSH key pair, the publisher takes two required positional arguments followed by optional flags.
Required Arguments:
hostname - the host server the key is published for
user - username of the connecting client
Optional Arguments:
--datastore local or -ds local
- Stores the public key on the local file system
--datastore s3 or -ds s3
- Stores the public key in an S3 bucket
- If s3 is selected, the user MUST also pass --bucket followed by the name of their S3 bucket
- If no --datastore is given, the program defaults to s3
--sshdir path/to/key/dir
- Absolute path to the directory that stores the local keys (default is the user's ~/.ssh directory)
--metric aws or -m aws
- Publish metrics (time to generate keys and key count) to AWS CloudWatch
--metric file or -m file
- Publish metrics (time to generate keys and key count) to the local file system
- If file is selected, the user CAN add --metricpath followed by the directory in which to store the metrics
Example
publisher 127.0.0.1 johndoe --datastore s3 --bucket mybucket --metric aws
publisher 127.0.0.1 johndoe -ds local --sshdir /home/johndoe/.ssh/keys -m file --metricpath /home/switcheroo/metrics
Retriever
When fetching a public SSH key, the retriever takes one required positional argument followed by optional flags.
Required Arguments:
user - username of the client whose key is being fetched
Optional Arguments:
--datastore local or -ds local
- Retrieves the public key from the local file system
--datastore s3 or -ds s3
- Retrieves the public key from the S3 bucket
- If s3 is selected, the user MUST also pass --bucket followed by their S3 bucket name
- If no --datastore is given, the program defaults to s3
--sshdir path/to/key/dir
- Absolute path to the directory that stores the local keys when the local datastore is used (default is the user's ~/.ssh directory)
Example
retriever johndoe --datastore s3 --bucket mybucket
retriever johndoe -ds local --sshdir /home/johndoe/.ssh/keys
Dependencies
- boto3 - Adds support for publishing public SSH keys to S3 using the AWS SDK for Python
- pycryptodome - Provides tools for generating secure public/private SSH key pairs
Contributing to key-switcheroo
Contributions to key-switcheroo are welcome! If you encounter any issues, have suggestions, or would like to add new features, please feel free to open an issue or submit a pull request on the GitHub repository.
Hashes for key_switcheroo-0.0.14-py3-none-any.whl
Algorithm | Hash digest
---|---
SHA256 | ff7a7395eb877a402fb28650555dd277e0c58e6ce54d36bafff200a068b555e3
MD5 | 6fffe579d8d2b36d50fe6af68396f6f5
BLAKE2b-256 | 655eac94f0ecb086202a783122191e2c6305a6a06a063b6a3d5a49e0842938cd
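As an added example (not part of key-switcheroo or of the PyPI page), the following Python checks a downloaded wheel against the SHA256 digest published above before it is installed. The file that demo() writes is a constructed stand-in in a temporary directory, not the real wheel, so it matches its own digest but not PyPI's.

```python
"""Added example, not key-switcheroo's code: verify a downloaded wheel's
SHA256 against the digest published on PyPI before installing it."""
import hashlib
import hmac
import os
import sys
import tempfile

# Digest listed on the page for key_switcheroo-0.0.14-py3-none-any.whl.
EXPECTED_SHA256 = "ff7a7395eb877a402fb28650555dd277e0c58e6ce54d36bafff200a068b555e3"


def sha256_of_file(path, chunk_size=1 << 20):
    """Hash the file in chunks so large artifacts need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def verify_artifact(path, expected_hex=EXPECTED_SHA256):
    """True only if the file's SHA256 equals the expected digest.
    hmac.compare_digest keeps the comparison timing-independent of
    where the two strings first differ."""
    return hmac.compare_digest(sha256_of_file(path), expected_hex.lower())


def demo():
    """Run the check on a constructed file (not the real wheel)."""
    fd, path = tempfile.mkstemp(suffix=".whl")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(b"constructed stand-in for key_switcheroo-0.0.14-py3-none-any.whl\n")
        own = sha256_of_file(path)
        return {
            "matches_own_digest": verify_artifact(path, own),
            "matches_pypi_digest": verify_artifact(path),
            "upper_case_accepted": verify_artifact(path, own.upper()),
        }
    finally:
        os.unlink(path)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python verify_wheel.py key_switcheroo-0.0.14-py3-none-any.whl
        print("OK" if verify_artifact(sys.argv[1]) else "MISMATCH: do not install")
    else:
        print(demo())
```

The same check can be delegated to pip's hash-checking mode: put `key-switcheroo==0.0.14 --hash=sha256:ff7a7395eb877a402fb28650555dd277e0c58e6ce54d36bafff200a068b555e3` in a requirements file and run `pip install --require-hashes -r requirements.txt`. In that mode every dependency, including boto3, pycryptodome and their transitive packages, must also be pinned with a hash or pip refuses to proceed. Use the SHA256 or BLAKE2b row for verification; the MD5 row is listed for compatibility only and should not be relied on.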