keyholder - Securely share ssh agents among groups of users


Securely share ssh agents among groups of users

https://phabricator.wikimedia.org/source/keyholder
https://github.com/wikimedia/keyholder

Related Projects

GoSSHa - Go SSH agent: can execute commands at thousands of servers and upload files to them

  •    Go

SSH client that supports command execution and file upload on multiple servers (designed to handle thousands of parallel SSH connections). GoSSHa supports SSH authentication using private keys (encrypted keys are supported via an external call to ssh-keygen) and ssh-agent, implemented using go.crypto/ssh. GoSSHa is not designed to be used directly by end users, but rather to serve as a lightweight proxy between your application (GUI or CLI) and thousands of SSH connections to remote servers.

YubiKey-Guide - Guide to using YubiKey as a SmartCard for GPG and SSH

  •    

This is a guide to using YubiKey as a SmartCard for storing GPG encryption and signing keys. An authentication key can also be created for SSH and used with gpg-agent.

sshmuxd - sshmux frontend

  •    Go

An SSH "jump host" style proxy, based on the https://github.com/joushou/sshmux library. So, why not just a jump host? Well, if it's just you and no one else needing access, go ahead. If you, however, want to give more than one person SSH access through your public IP on port N (N often being 22), then you might want something with a bit more access control. Sure, you can make really complicated SSH configs that limit a lot of things for the other users, but they'll always be able to poke around more than you want them to, and it'll be a pain in the butt to maintain.

OpenSSH - Keep your communication secret

  •    C

OpenSSH encrypts all traffic (including passwords) to effectively eliminate eavesdropping, connection hijacking, and other attacks. Additionally, OpenSSH provides secure tunneling capabilities and several authentication methods, and supports all SSH protocol versions.


SSH.NET - SSH.NET is a Secure Shell (SSH) library for .NET, optimized for parallelism.

  •    CSharp

SSH.NET is a Secure Shell (SSH-2) library for .NET, optimized for parallelism. This project was inspired by the Sharp.SSH library, which was ported from Java and appears not to have been maintained for quite some time. This library is a complete rewrite, without any third-party dependencies, using parallelism to achieve the best performance possible.

keychain - keychain ssh-agent front-end

  •    Shell

Official documentation for Keychain can be found on the official Keychain wiki page. Keychain helps you to manage ssh and GPG keys in a convenient and secure manner. It acts as a frontend to ssh-agent and ssh-add, but allows you to easily have one long running ssh-agent process per system, rather than the norm of one ssh-agent per login session.

privacyIDEA - Modular Authentication System

  •    Python

privacyIDEA is a Two Factor Authentication System which is multi-tenancy- and multi-instance-capable. Using privacyIDEA you can enhance your existing applications like local login, VPN, remote access, SSH connections, access to web sites or web portals with a second factor during authentication.

PuSSH

  •    Python

PuSSH is Pythonic, Ubiquitous SSH, a Python wrapper/script that runs commands in parallel on clusters/ranges of Linux/Unix machines via SSH, ideally where SSH is configured to use Kerberos, RSA/DSA keys, or ssh-agent so as to avoid password authentication.

ssh-badkeys - A collection of static SSH keys (public and private) that have made their way into software and hardware products

  •    

This is a collection of static SSH keys (host and authentication) that have made their way into software and hardware products. This was inspired by the Little Black Box project, but focused primarily on SSH (as opposed to TLS) keys. Keys are split into two categories: authorized keys and host keys. The authorized keys can be used to gain access to a device with this public key. The host keys can be used to conduct a MITM attack against the device, but do not provide direct access.

SSH Access Manager

  •    PHP

SSH Key Management solution

docker_auth - Authentication server for Docker Registry 2

  •    Go

The original Docker Registry server (v1) did not provide any support for authentication or authorization. Access control had to be performed externally, typically by deploying Nginx in reverse proxy mode with Basic or another type of authentication. While performing simple user authentication is pretty straightforward, performing more fine-grained access control was cumbersome. Docker Registry 2.0 introduced a new, token-based authentication and authorization protocol, but the server to generate the tokens was not released. Thus, most guides found on the internet still describe a setup with a reverse proxy performing access control.

kr - A dev tool for SSH auth + Git commit/tag signing using a key stored in Krypton.

  •    Go

kr enables SSH to authenticate with a key stored in a Krypton (iOS or Android) mobile app. kr runs as an SSH agent, called krd. When a Krypton private key operation is needed for authentication, krd routes this request to the paired mobile phone, where the user decides whether to allow the operation or not. The private key never leaves the phone. kr currently supports MacOS (10.10+) and Linux (Debian, RHEL, CentOS, Fedora with systemd).

ssh-cert-authority - An implementation of an SSH certificate authority.

  •    Go

A democratic SSH certificate authority. Operators of ssh-cert-authority want to use SSH certificates to provide fine-grained access control to servers they operate, keep their certificate signing key a secret and not need to be required to get involved to actually sign certificates. A tall order.

ansible-ssh-hardening - This Ansible role provides numerous security-related ssh configurations, providing all-round base protection

  •    Ruby

This role provides secure ssh-client and ssh-server configurations. It is intended to be compliant with the DevSec SSH Baseline. Warning: This role disables root-login on the target server! Please make sure you have another user with su or sudo permissions that can login into the server.

Apache Guacamole - Remote Desktop Gateway

  •    C

Apache Guacamole is a clientless remote desktop gateway. It supports standard protocols like VNC, RDP, and SSH. Because the Guacamole client is an HTML5 web application, use of your computers is not tied to any one device or location. As long as you have access to a web browser, you have access to your machines.

KeyBox - Web-based SSH console that centrally manages administrative access to systems

  •    Java

KeyBox is an open-source web-based SSH console that centrally manages administrative access to systems. Web-based administration is combined with management and distribution of users' public SSH keys. Key management and administration are based on profiles assigned to defined users. KeyBox layers TLS/SSL on top of SSH and acts as a bastion host for administration. Protocols are stacked (TLS/SSL + SSH) so infrastructure cannot be exposed through tunneling / port forwarding.

meterssh - MeterSSH is a way to take shellcode, inject it into memory then tunnel whatever port you want to over SSH to mask any type of communications as a normal SSH connection

  •    Python

MeterSSH is a way to take shellcode, inject it into memory, then tunnel whatever port you want over SSH to mask any type of communications as a normal SSH connection. The way it works is by injecting shellcode into memory, then wrapping a port spawned by the shellcode (meterpreter in this case) over SSH back to the attacker's machine. Then connecting with meterpreter's listener to localhost will communicate through the SSH proxy to the victim through the SSH tunnel. All communications are relayed through the SSH tunnel and not through the network. There are two files, monitor.py and meterssh.py.

trezor-agent - Hardware-based SSH/PGP agent

  •    Python

This project allows you to use various hardware security devices to operate GPG and SSH. Instead of keeping your key on your computer and decrypting it with a passphrase when you want to use it, the key is generated and stored on the device and never reaches your computer. Read more about the design here. You can do things like sign your emails, git commits, and software packages, manage your passwords (with pass and gopass, among others), authenticate web tunnels and file transfers, and more.

Mandriva - Identity and Network Management

  •    C

Mandriva Directory Server is an enterprise directory platform based on LDAP, designed to manage identities, access control information, policies, application settings and user profiles. If you already use Samba, Postfix, Squid or CUPS, you can benefit from MDS today to manage your infrastructure.