
smlx / piv-agent

Licence: Apache-2.0
An SSH and GPG agent which you can use with your PIV hardware security device (e.g. a Yubikey).

PIV Agent


About

  • piv-agent is an SSH and GPG agent providing simple integration of PIV hardware (e.g. a Yubikey) with ssh and with gpg workflows such as git signing, pass encryption, or keybase chat.
  • piv-agent originated as a reimplementation of yubikey-agent because I needed some extra features, and also to gain a better understanding of the PIV applet on security key hardware.
  • piv-agent makes heavy use of the Go standard library and supplementary crypto packages, as well as piv-go and pcsclite. Thanks for the great software!

DISCLAIMER

I make no assertion about the security or otherwise of this software and I am not a cryptographer. If you are, please take a look at the code and send PRs or issues. 💚


Features

  • implements (a subset of) both ssh-agent and gpg-agent functionality
  • support for multiple hardware security keys
  • support for multiple slots in those keys
  • support for multiple touch policies
  • all cryptographic keys are generated on the hardware security key, rather than on your laptop
    • secret keys never touch your hard drive
  • socket activation (systemd-compatible)
    • as a result, the agent exits after a period of disuse, dropping the transaction on the security key and any cached passphrases
  • provides "fall-back" to traditional SSH and OpenPGP keyfiles

Design philosophy

This agent should require no interaction and in general do the right thing when security keys are plugged/unplugged, laptop is power cycled, etc.

It is highly opinionated:

  • Only supports 256-bit EC keys on hardware tokens
  • Only supports ed25519 SSH keys on disk (~/.ssh/id_ed25519)
  • Requires socket activation

It makes some concession to practicality with OpenPGP:

  • Supports RSA signing and decryption for OpenPGP keyfiles. RSA OpenPGP keys are widespread and Debian in particular only documents RSA keys.

It tries to strike a balance between security and usability:

  • Takes a persistent transaction on the hardware token, effectively caching the PIN.
  • Caches passphrases for on-disk keys (i.e. ~/.ssh/id_ed25519) in memory, so these only need to be provided once after the agent starts.
  • After a period of inactivity (32 minutes by default) it exits, dropping both of these. Socket activation restarts it automatically as required.
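The socket-activation and idle-exit behaviour described above, as an added example in Go (not piv-agent's own code): the listener is taken from systemd's LISTEN_PID/LISTEN_FDS hand-off, every accepted connection resets an idle timer, and when the timer fires the cached secrets are zeroed and the process exits so the .socket unit re-activates it on the next client. The watchdog, cache and serve loop are hypothetical names chosen for this example; the protocol handler is a stand-in, and the 32-minute default is the one quoted above.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"os"
	"strconv"
	"sync"
	"time"
)

// activationListener returns the socket systemd passed in (fd 3, the first
// after stdio). It refuses to serve unless LISTEN_PID names this process and at
// least one fd was passed, so a stale environment cannot make the agent listen
// on an inherited descriptor it never asked for.
func activationListener(getenv func(string) string, pid int) (net.Listener, error) {
	if lp, err := strconv.Atoi(getenv("LISTEN_PID")); err != nil || lp != pid {
		return nil, errors.New("not socket-activated: LISTEN_PID is not this process")
	}
	if n, err := strconv.Atoi(getenv("LISTEN_FDS")); err != nil || n < 1 {
		return nil, errors.New("not socket-activated: LISTEN_FDS missing or zero")
	}
	f := os.NewFile(3, "activated-socket")
	defer f.Close() // net.FileListener dup()s the descriptor
	return net.FileListener(f)
}

// idleWatchdog closes Expired once no Touch() has arrived within timeout.
type idleWatchdog struct {
	mu      sync.Mutex
	timer   *time.Timer
	timeout time.Duration
	once    sync.Once
	Expired chan struct{}
}

func newIdleWatchdog(timeout time.Duration) *idleWatchdog {
	w := &idleWatchdog{timeout: timeout, Expired: make(chan struct{})}
	w.timer = time.AfterFunc(timeout, func() { w.once.Do(func() { close(w.Expired) }) })
	return w
}

// Touch records activity and pushes the deadline out by a full timeout.
func (w *idleWatchdog) Touch() {
	w.mu.Lock()
	defer w.mu.Unlock()
	w.timer.Stop()
	w.timer.Reset(w.timeout)
}

// secretCache holds what must not outlive the idle period: the cached PIN
// (standing in for the open PIV transaction) and keyfile passphrases.
type secretCache struct {
	mu    sync.Mutex
	items map[string][]byte
}

// Wipe zeroes every cached buffer in place and forgets it, returning the count.
func (c *secretCache) Wipe() int {
	c.mu.Lock()
	defer c.mu.Unlock()
	n := 0
	for k, v := range c.items {
		for i := range v {
			v[i] = 0
		}
		delete(c.items, k)
		n++
	}
	return n
}

// serve accepts until the listener closes, touching the watchdog per client.
func serve(l net.Listener, w *idleWatchdog, handle func(net.Conn)) {
	for {
		conn, err := l.Accept()
		if err != nil {
			return
		}
		w.Touch()
		go handle(conn)
	}
}

func main() {
	l, err := activationListener(os.Getenv, os.Getpid())
	if err != nil {
		fmt.Fprintln(os.Stderr, err, "(run under systemd-socket-activate or a .socket unit)")
		os.Exit(1)
	}
	cache, w := &secretCache{items: map[string][]byte{}}, newIdleWatchdog(32*time.Minute)
	go func() {
		<-w.Expired
		fmt.Fprintf(os.Stderr, "idle: wiped %d cached secrets, exiting\n", cache.Wipe())
		l.Close() // the .socket unit keeps the path; the next client re-activates us
		os.Exit(0)
	}()
	serve(l, w, func(c net.Conn) { c.Close() }) // hypothetical stand-in for the real protocol handler
}
```

Run it the same way the page runs piv-agent for manual testing, e.g. `systemd-socket-activate -l /tmp/example.sock ./example`: systemd-socket-activate sets LISTEN_PID and LISTEN_FDS, and without them the program refuses to start rather than falling back to an unprotected listener it created itself.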

Hardware support

Tested with:

Will be tested with (once it ships!):

Any device implementing the SCard API (PC/SC), and supported by piv-go / pcsclite may work. If you have tested another device with piv-agent successfully, please send a PR adding it to this list.

Platform support

Currently tested on Linux with systemd and macOS with launchd.

Protocol / Encryption Algorithm support

Legend: Supported / Not Supported / Support Planned (maybe)

ssh-agent

Security Key Keyfile
ecdsa-sha2-nistp256
ssh-ed25519

gpg-agent

Security Key Keyfile
ECDSA Sign (NIST P-256)
EDDSA Sign (Curve25519)
ECDH Decrypt
RSA Sign
RSA Decrypt
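What "ecdsa-sha2-nistp256 on a security key" means on the wire, as an added example in Go (not piv-agent's code, and using crypto/ecdsa in place of the PIV applet): the key blob an agent returns for SSH_AGENTC_REQUEST_IDENTITIES and the signature blob it returns for SSH_AGENTC_SIGN_REQUEST, with the relying party's parse-and-verify alongside. The function names are hypothetical; the RFC 4251 string/mpint and RFC 5656 key/signature encodings are the real ones, and the parser is written so that a malformed blob from an untrusted peer returns an error instead of indexing out of bounds.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"math/big"
)

const keyType = "ecdsa-sha2-nistp256"

// newP256Key stands in for on-token key generation (with a PIV device the
// private half would never leave the hardware).
func newP256Key() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// sshString appends an RFC 4251 string: uint32 big-endian length, then bytes.
func sshString(b *bytes.Buffer, s []byte) {
	binary.Write(b, binary.BigEndian, uint32(len(s)))
	b.Write(s)
}

// sshMpint appends an RFC 4251 mpint: a 0x00 is prepended when the top bit is set.
func sshMpint(b *bytes.Buffer, n *big.Int) {
	v := n.Bytes()
	if len(v) > 0 && v[0]&0x80 != 0 {
		v = append([]byte{0}, v...)
	}
	sshString(b, v)
}

// fields parses exactly n RFC 4251 strings; it returns nil if any length runs
// past the end, so a hostile blob can never make us index out of bounds.
func fields(buf []byte, n int) [][]byte {
	out := make([][]byte, 0, n)
	for i := 0; i < n; i++ {
		if len(buf) < 4 || uint64(len(buf)-4) < uint64(binary.BigEndian.Uint32(buf)) {
			return nil
		}
		l := binary.BigEndian.Uint32(buf)
		out, buf = append(out, buf[4:4+l]), buf[4+l:]
	}
	return out
}

// pubKeyBlob is one key as listed in SSH_AGENT_IDENTITIES_ANSWER (RFC 5656 3.1).
func pubKeyBlob(pub *ecdsa.PublicKey) []byte {
	var b bytes.Buffer
	sshString(&b, []byte(keyType))
	sshString(&b, []byte("nistp256"))
	sshString(&b, elliptic.Marshal(elliptic.P256(), pub.X, pub.Y))
	return b.Bytes()
}

// signBlob is the SSH_AGENT_SIGN_RESPONSE payload: SHA-256 the data, sign, wrap
// r and s as mpints in an inner string (RFC 5656 3.1.2). ecdsa.Sign is where a
// PIV applet's sign operation would be called instead.
func signBlob(priv *ecdsa.PrivateKey, data []byte) ([]byte, error) {
	d := sha256.Sum256(data)
	r, s, err := ecdsa.Sign(rand.Reader, priv, d[:])
	if err != nil {
		return nil, err
	}
	var inner, b bytes.Buffer
	sshMpint(&inner, r)
	sshMpint(&inner, s)
	sshString(&b, []byte(keyType))
	sshString(&b, inner.Bytes())
	return b.Bytes(), nil
}

// verifyBlob is the relying party's side (what sshd does with the agent's answer).
func verifyBlob(pubBlob, sigBlob, data []byte) (bool, error) {
	pk, sg := fields(pubBlob, 3), fields(sigBlob, 2) // (type, curve, point), (type, r||s)
	if pk == nil || sg == nil {
		return false, errors.New("malformed key or signature blob")
	}
	rs := fields(sg[1], 2)
	if rs == nil || string(pk[0]) != keyType || string(pk[1]) != "nistp256" || string(sg[0]) != keyType {
		return false, errors.New("unexpected key or signature encoding")
	}
	x, y := elliptic.Unmarshal(elliptic.P256(), pk[2]) // nil unless the point is on the curve
	if x == nil {
		return false, errors.New("public key is not a valid P-256 point")
	}
	d := sha256.Sum256(data)
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: x, Y: y}
	return ecdsa.Verify(pub, d[:], new(big.Int).SetBytes(rs[0]), new(big.Int).SetBytes(rs[1])), nil
}

func main() {
	priv, _ := newP256Key()
	msg := []byte("constructed: session id || userauth request")
	sig, _ := signBlob(priv, msg)
	ok, err := verifyBlob(pubKeyBlob(&priv.PublicKey), sig, msg)
	fmt.Println("signature verifies:", ok, err)
}
```

The data an ssh client asks the agent to sign is the session identifier followed by the userauth request, which is why the agent never needs the private key on the host: the token only ever sees a SHA-256 digest and returns r and s, and everything else in the response is encoding.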

Install and Use

Please see the documentation.

Develop

Prerequisites

Install build dependencies:

# debian/ubuntu
sudo apt install libpcsclite-dev

Build and test

make

Build and test manually

Build the binary and run it under systemd-socket-activate. The -E flag passes DBUS_SESSION_BUS_ADDRESS through to the agent; pinentry needs that D-Bus variable to use a graphical prompt:

go build ./cmd/piv-agent && systemd-socket-activate -l /tmp/piv-agent.sock -E DBUS_SESSION_BUS_ADDRESS ./piv-agent serve --debug

Then in another terminal:

export SSH_AUTH_SOCK=/tmp/piv-agent.sock
ssh ...

Build and test the documentation

cd docs && make serve