agentk implements the ssh-agent protocol and allows access to keys within a kNET-HSM. It uses the kkmip library provided by Kryptus as a backend for communication with kNET-HSM and supports a subset of the functionalities provided by OpenSSH's ssh-agent, as listed below.
- Supports all clients compatible with ssh-agent
- Key management with ssh-add
- Straightforward operation and configuration

All dependencies are installed during setup, with the exception of the kkmip library, which must be acquired separately (please contact the folks at Kryptus).

Check out the repository:

```sh
git clone https://github.com/bolaum/agentk.git
cd agentk
```

And install (virtualenv recommended):

```sh
virtualenv venv
source venv/bin/activate
pip install -e .
```

Create a config file:

```sh
cp etc/config.example.yml ~/.agentk.yml
vim ~/.agentk.yml
```

And edit it with appropriate values.

Run the application (use -v for verbose output, -d for debug and -h for other options):

```sh
agentk
```

It should output something like this:

```
SSH_AUTH_SOCK=/tmp/agentk.sock; export SSH_AUTH_SOCK;
```

Now, in a new terminal, paste the string printed by the app.

Add a key:

```sh
ssh-add /path/to/private_key
```

The private key will be added to the kNET-HSM.

List the keys held in the HSM:

```sh
ssh-add -L
```

Remove a single key:

```sh
ssh-add -d /path/to/public_or_private_key
```

Remove all keys. WARNING: This will remove all RSA key pairs inside the HSM!

```sh
ssh-add -D
```

Listed keys can be added to your ~/.ssh/authorized_keys to allow ssh connection without a password:

```sh
ssh-add -L >> ~/.ssh/authorized_keys
```

Then you should be able to connect to the local ssh server:

```sh
ssh localhost
```

To do:

- Daemonize application
- Support for DSA and ECDSA keys
- Add key password support
- Add locking and unlocking support
- Add option to disable removal of all keys
- Windows support
- Fix tests
- Test on other unix like systems (FreeBSD, OpenBSD, etc.)
- Improve documentation A LOT!
Well, mainly for fun and profit. I suppose tens of millions of people use ssh every day, so it's a good thing that kNET-HSM is now integrated with almost every client ever written for Unix-like systems =D
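Everything above goes through the socket agentk prints as SSH_AUTH_SOCK, and `ssh-add -L` is just an SSH_AGENTC_REQUEST_IDENTITIES message on it. The following is an added example client, not part of agentk or kkmip, that speaks that part of the ssh-agent protocol and parses the reply strictly (length checks, no trailing bytes) so a malformed answer is rejected rather than misread; the socket path is assumed and the sample key material is constructed.

```python
import socket
import struct

# Message numbers from the ssh-agent protocol that agentk speaks over SSH_AUTH_SOCK.
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12


def ssh_string(data: bytes) -> bytes:
    # SSH 'string' encoding: uint32 big-endian length followed by the payload
    return struct.pack(">I", len(data)) + data


def read_string(buf: bytes, off: int):
    # Decode one SSH 'string' at offset; returns (payload, next offset)
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    if off + 4 + n > len(buf):
        raise ValueError("truncated string payload")
    return buf[off + 4:off + 4 + n], off + 4 + n


def parse_identities_answer(body: bytes):
    # Parse SSH_AGENT_IDENTITIES_ANSWER into [(key_type, key_blob, comment)]
    if not body or body[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise ValueError("unexpected agent message type")
    (count,) = struct.unpack(">I", body[1:5])
    off, keys = 5, []
    for _ in range(count):
        blob, off = read_string(body, off)     # wire-format public key
        comment, off = read_string(body, off)  # free-text comment
        key_type, _ = read_string(blob, 0)     # blob starts with the algorithm name
        keys.append((key_type.decode(), blob, comment.decode()))
    if off != len(body):
        raise ValueError("trailing bytes after identities")
    return keys


def list_agent_keys(sock_path: str):
    # Ask a running agent (e.g. agentk) for its keys: the same query ssh-add -L sends
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(ssh_string(bytes([SSH_AGENTC_REQUEST_IDENTITIES])))  # outer length prefix
        (n,) = struct.unpack(">I", s.recv(4, socket.MSG_WAITALL))
        return parse_identities_answer(s.recv(n, socket.MSG_WAITALL))


# Constructed sample answer (dummy RSA e/n), shaped like agentk's reply for one stored key.
SAMPLE_BLOB = ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01") + ssh_string(b"\x00\xc0\xff\xee")
SAMPLE_ANSWER = (bytes([SSH_AGENT_IDENTITIES_ANSWER]) + struct.pack(">I", 1)
                 + ssh_string(SAMPLE_BLOB) + ssh_string(b"user@kNET-HSM"))
```

Against a live agent, `list_agent_keys("/tmp/agentk.sock")` returns the same keys `ssh-add -L` prints; base64-encoding each blob gives the authorized_keys line.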