Stars: 427
Forks: 77
Pull Requests: 19
Issues: 52
Watchers: 22
Last Updated: 2023-08-16 14:55:19
A tool for managing SSH key access to any number of servers.
License: Apache License 2.0
Languages: PHP, JavaScript, CSS, Shell
Please see the Security Advisories section below for a recently addressed security issue
A tool for managing user and server SSH access to any number of servers.
command=
, nopty
etc on your access rules.You can view the SSH Key Authority in action on the demonstration server.
Use one of the following sets of username / password credentials to log in:
All data on this demonstration server is reset nightly at 00:00 UTC.
Clone the repo somewhere outside of your default Apache document root.
Add the following directives to your Apache configuration (eg. virtual host config):
DocumentRoot /path/to/ska/public_html
DirectoryIndex init.php
FallbackResource /init.php
Create a MySQL user and database (run in MySQL shell):
CREATE USER 'ska-user'@'localhost' IDENTIFIED BY 'password';
CREATE DATABASE `ska-db` DEFAULT CHARACTER SET utf8mb4;
GRANT ALL ON `ska-db`.* to 'ska-user'@'localhost';
Copy the file config/config-sample.ini
to config/config.ini
and edit the settings as required.
Set up authnz_ldap for your virtual host (or any other authentication module that will pass on an Auth-user variable to the application).
Set scripts/ldap_update.php
to run on a regular cron job.
Generate an SSH key pair to synchronize with. SSH Key Authority will expect to find the files as config/keys-sync
and config/keys-sync.pub
for the private and public keys respectively. The key must be in pem
format. The following command will generate the key in the required format:
ssh-keygen -t rsa -b 4096 -m PEM -C 'comment' -f config/keys-sync
Install the SSH key synchronization daemon. For systemd:
services/systemd/keys-sync.service
to /etc/systemd/system/
ExecStart
path and User
as necessary. If SSH Key Authority is installed under /home
, disable ProtectHome
.systemctl daemon-reload
systemctl enable keys-sync.service
for sysv-init:
services/init.d/keys-sync
to /etc/init.d/
SCRIPT
path and USER
as necessary.update-rc.d keys-sync defaults
Anyone in the LDAP group defined under admin_group_cn
in config/config.ini
will be able to manage accounts and servers.
SSH Key Authority distributes authorized keys to your servers via SSH. It does this by:
keys-sync
user./var/local/keys-sync/
(eg. all authorized keys for the root user will be written to /var/local/keys-sync/root
).This means that your SSH installation will need to be reconfigured to read authorized keys from /var/local/keys-sync/
.
Please note that doing so will deny access to any existing SSH public key authorized in the default ~/.ssh
directories.
Under OpenSSH, the configuration changes needed are:
AuthorizedKeysFile /var/local/keys-sync/%u
StrictModes no
StrictModes must be disabled because the files will all be owned by the keys-sync user.
The file /var/local/keys-sync/keys-sync
must exist, with the same contents as the config/keys-sync.pub
file in order for the synchronization daemon to authenticate.
Copyright 2013-2017 Opera Software
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.