Simple SSH key management for shell servers
Keyholer is a web application that will allow your users to add an SSH key to their authorized_keys file so they can gain access to a system they don’t otherwise have an SSH key for. It attempts to do so in as secure a fashion as possible.
There are two pieces that need to be running: keyholerd and the web frontend. You can use systemd, runit, screen, or any other daemon management strategy you’d like. Despite the name, keyholerd does not currently support running in the background as a daemon.
To run the web component you can use your favorite WSGI stack. My personal setup uses nginx to proxy the requests back to a gunicorn app server.
As this software interacts with a number of security sensitive subsystems, you should take great care when installing it.
The keyholerd program must run as root so that it can write to users’ authorized_keys files. You should run the web component as a dedicated non-privileged user.
The user’s .phonenumber files must be owned by that user and chmod’d 600 or keyholerd will not consider that a valid user.
The user’s authorized_keys file must already exist or keyholerd will not consider that a valid user.
All submitted keys are verified using “ssh-keygen -l” before being added to an authorized_keys file.
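The three eligibility rules above (a .phonenumber file owned by the user and chmod’d 600, an existing authorized_keys file, and a key that passes “ssh-keygen -l”), written out as an added example that is not Keyholer’s own code; the function names, the temp-file handoff to ssh-keygen and the fail-closed behaviour when ssh-keygen is absent are my assumptions.

```python
import os
import shutil
import stat
import subprocess
import tempfile

def phonenumber_ok(home, uid):
    """.phonenumber must exist, be owned by the user and be mode 0600."""
    try:
        st = os.stat(os.path.join(home, ".phonenumber"))
    except OSError:
        return False
    return st.st_uid == uid and stat.S_IMODE(st.st_mode) == 0o600

def valid_user(home, uid):
    """A user is eligible only if .phonenumber is sane and authorized_keys already exists."""
    ak = os.path.join(home, ".ssh", "authorized_keys")
    return phonenumber_ok(home, uid) and os.path.isfile(ak)

def key_verifies(pubkey_line):
    """Run 'ssh-keygen -l' on the submitted key; fail closed if ssh-keygen is absent."""
    if shutil.which("ssh-keygen") is None:
        return False
    with tempfile.NamedTemporaryFile("w", suffix=".pub", delete=False) as f:
        f.write(pubkey_line.strip() + "\n")
        tmp = f.name
    try:
        r = subprocess.run(["ssh-keygen", "-l", "-f", tmp], capture_output=True)
        return r.returncode == 0
    finally:
        os.unlink(tmp)

def demo():
    """Constructed fixture: a temp home that first meets, then violates, the rules."""
    home = tempfile.mkdtemp()
    uid = os.getuid()
    os.makedirs(os.path.join(home, ".ssh"))
    open(os.path.join(home, ".ssh", "authorized_keys"), "w").close()
    pn = os.path.join(home, ".phonenumber")
    with open(pn, "w") as f:
        f.write("+15555550100\n")  # constructed sample number
    os.chmod(pn, 0o600)
    ok = valid_user(home, uid)
    os.chmod(pn, 0o644)  # too permissive: keyholerd would reject this user
    too_open = valid_user(home, uid)
    return ok, too_open, key_verifies("not an ssh key")

if __name__ == "__main__":
    print(demo())  # (True, False, False)
```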
Keyholer requires a configuration file. You can find a sample config in etc/keyholer.conf.example. You should install your configuration as /etc/keyholer.conf and it must be valid JSON.
Sign up for an account, register a phone number, and get your auth_token and sid at their website:
This is required to send the code via SMS.
If you are on a system which uses systemd as the init system, you will find files that can be used to start keyholer at boot time in etc/systemd. Simply copy those files to /usr/lib/systemd/system and enable the service:
# systemctl enable keyholer.service
# systemctl enable keyholer-web.service
# /bin/systemctl start keyholer.service
# /bin/systemctl start keyholer-web.service
|File|Size|Python Version|File Type|Upload Date|
|---|---|---|---|---|
|keyholer-0.7.2-py2.py3-none-any.whl|15.0 kB|2.7|Wheel|Sep 8, 2014|
|keyholer-0.7.2.tar.gz|11.5 kB|–|Source|Sep 8, 2014|