ssh-pubkey-server

ssh-pubkey-server

Getting started

Run CLI

The following will request server ssh pubkey through a proxy, and separately run ssh-keyscan and will return the matching server keys that you can then append to your known_hosts.

./cmd/cli/add_to_known_hosts.sh <attested http proxy> <host ip> >> ~/.ssh/known_hosts

Build HTTP server

make build-httpserver

Run pubkey server

go run ./cmd/httpserver/main.go [--listen-addr=127.0.0.1:8080] [--ssh-pubkey-file=/etc/ssh/ssh_host_ed25519_key.pub] [--ssh-pubkey-file=/path/to/container_key.pub]

You can specify multiple --ssh-pubkey-file flags to serve multiple public keys. The server serves all currently-available pubkeys at the /pubkey endpoint, separated by newlines.

Pubkey files are read lazily on each request, so a key that only becomes available after the server starts (for example a key generated once an encrypted disk is unlocked) is served as soon as it appears, with no restart. A file that is missing or not yet readable is simply skipped. If no key is available yet, /pubkey responds with 503 Service Unavailable.

Install dev dependencies

go install mvdan.cc/gofumpt@latest
go install honnef.co/go/tools/cmd/staticcheck@latest
go install github.com/golangci/golangci-lint/cmd/golangci-lint@latest
go install github.com/daixiang0/gci@latest

Lint, test, format

make lint
make test
make fmt