An SSH authorized key store for use with OpenSSH AuthorizedKeysCommand
## Binary Downloads
## Example Execution
```sh
./keyster -ldap-server ldap.itd.umich.edu:389 -ldap-base-dn dc=umich,dc=edu -key-allow-options -key-duration 720h
```
## Configuration File
The optional configuration file is located at `/etc/keyster.yaml`
Full configuration example:
Arguments provided on the command line override the configuration file. Keep in mind that `-ldap-ssl` and `-key-allow-options` work slightly differently, in that they must be supplied to enable the functionality. Not providing them will not disable their respective functionality if it is explicitly enabled in the configuration file.
The `secret` option of `server` allows you to provide a string to be used in authenticating the user sessions. If not provided, each time keyster starts, a new secret will be generated, invalidating user sessions.
It is recommended that you define a secret if you are using multiple servers; otherwise the individual servers will be unable to authenticate user sessions.
## Usage with AuthorizedKeysCommand
The `AuthorizedKeysCommand` expects an executable that takes a single argument, which is the username to retrieve the keys for. An example executable may look like:
```sh
#!/bin/sh
# sshd passes the username as the single argument ($1); quote it so the
# value reaches curl unchanged. -s: silent, -f: non-2xx responses fail
# with no output, so a server error yields "no keys" rather than garbage.
curl -sf "http://keyserver.example.org:3000/users/$1/keys"
```
Name this file something like `/usr/local/bin/userkeys.sh` and make it executable: `chmod a+x /usr/local/bin/userkeys.sh`
Now add the following to your `/etc/sshd/sshd_config` file:
*Most operating systems have a nobody user, but you can replace that user with any non-root user that is different from the user running OpenSSH on the server. This should preferably be a user not already in use by another daemon.*
Now, when a user logs in, `userkeys.sh` will be executed, and if there are keys for that user, they will be returned by our simple script.
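A hardened variant of the wrapper script above, as an added example that is not the project's own script: it rejects usernames that could not be placed safely in the URL path, bounds how long sshd waits on the key server, and prints nothing on any failure so the login is denied instead of stalling. It assumes the same `http://keyserver.example.org:3000` base URL and the `sshd_config` directives `AuthorizedKeysCommand /usr/local/bin/userkeys.sh` and `AuthorizedKeysCommandUser nobody`; the allowed character set is an assumption and may need widening for your directory.

```shell
#!/bin/sh
# Hardened userkeys.sh (added example). sshd invokes it as:
#   userkeys.sh <username>
# Assumed sshd_config directives:
#   AuthorizedKeysCommand /usr/local/bin/userkeys.sh
#   AuthorizedKeysCommandUser nobody

KEYSTER_URL="${KEYSTER_URL:-http://keyserver.example.org:3000}"  # assumed base URL
CURL_TIMEOUT=5   # seconds; keeps a slow key server from hanging logins

# Accept only POSIX portable user names (letters, digits, '.', '_', '-',
# not starting with '-'). Such names need no URL encoding and cannot
# contain '/', '?', '#' or whitespace. Returns 0 when the name is valid.
valid_username() {
    case "$1" in
        ''|-*) return 1 ;;                 # empty or option-like
        *[!A-Za-z0-9._-]*) return 1 ;;     # any character outside the set
        *) return 0 ;;
    esac
}

# Print the keys URL for a username. Prints nothing and fails for an
# invalid name so the caller falls back to "no keys".
keys_url() {
    valid_username "$1" || return 1
    printf '%s/users/%s/keys\n' "$KEYSTER_URL" "$1"
}

# Fetch the keys. -f turns HTTP errors into a failure with empty output,
# -s suppresses progress noise, --max-time bounds the wait. Any failure
# prints nothing, so sshd sees no authorized keys for this user.
fetch_keys() {
    url=$(keys_url "$1") || return 1
    curl -sf --max-time "$CURL_TIMEOUT" "$url"
}

# sshd always passes exactly one argument; only then do the fetch.
if [ "$#" -eq 1 ]; then
    fetch_keys "$1"
fi
```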
## See Also
[Better SSH Authorized Keys Management](https://gist.github.com/sivel/c68f601137ef9063efd7)