Keyper

SSH Key Manager

Get Started View Documentation

Latest release

KEYPER

Keyper is an SSH Key Based Authentication Manager. It standardizes and centralizes the storage of SSH public keys for all Linux users in your organization saving significant time and effort it takes to manage SSH public keys on each Linux Server. Keyper is a lightweight container taking less than 100MB. It is launched either using Docker or Podman. You can be up and running within minutes instead of days.

Features include:

  • Public key storage
  • Public Key Expiration
  • Forced Key rotation
  • Streamlined provision or de-provisioning of users
  • Segmentation of Servers using groups
  • Policy definition to restrict user’s access to server(s)
  • Centralized user account lockout
  • Docker container

Quickstart

Run Keyper docker image using docker cli:

$ docker run  -p 8080:80 -p 8443:443 --hostname <hostname> --env FLASK_CONFIG=prod -it dbsentry/keyper

Run Keyper docker image using podman cli:

$ podman run  -p 8080:80 -p 8443:443 --hostname <hostname> --env FLASK_CONFIG=prod -it docker.io/dbsentry/keyper

Either command starts a new container with Keyper processes (OpenLDAP, Gunicorn, Nginx) running inside.

The above commands are for demo only and start a new container with OpenLDAP server storing data within the container. That means on re-start, data would not persist. If you want data persistence, start the container with appropriate command line parameters. Refer to the documentation.
By default, this image creates an LDAP server for the company Example Inc and the domain keyper.example.org. By default, all passwords are set to superdupersecret. All the default settings can be changed by passing parameters to the docker/podman command line or using a parameter config file.

Customary 5 min installation Demo

Pricing

Personal

Keyper is Free for personal use.

FAQ

Table of Contents

General

What is Keyper?

Keyper is an SSH Key Based Authentication Manager

Why Keyper?

We, as system administrators and developers, regularly use OpenSSH’s public key authentication (aka password-less login) on Linux servers. The mechanism works based on public-key cryptography. One adds his/her RSA/DSA key to the authorized_keys file on the server. The user with the corresponding private key can login without a password. It works great until the number of servers starts to grow. It becomes a pain to manage the authorized_keys file on all the servers. Account revocation becomes a pain as well. Keyper aims to centralize all such SSH Public Keys within an organization. With Keyper, one can force key rotation, easily revoke keys, and centrally lock accounts.

Is Keyper opensource?

Not yet. However, we are working to get it open-sourced under GPLv2 (pending permission from our corporate overlords).

Where can I get Keyper?

Keyper can be downloaded from the docker registry either using docker or podman.

I have a question/suggestion/need to report a bug, how can I contact you?

Thanks in advance. We love suggestions/bug reports. Please drop us a line at support@dbsentry.com

Where is the documentation?

All documentation is located here

Do you have a Demo/Sandbox for Keyper?

Yes we do. We have a demo system running on https://sprout.dbsentry.com. And also 4 containers running SSH that can be used for testing. Drop us a line at support@dbsentry.com and we’ll send you credentials.

I have a question which is not answered here.

Send your question to support@dbsentry.com and we’ll try to address it.

Technical

What is under the hood?

Keyper is published as a Docker container which can also be run using podman. The stack include:

  • Alpine Linux
  • OpenLDAP acting as a directory that stores all users, SSH Public Keys, and rules
  • Python Flask REST API
  • VueJS frontend app running on Nginx
  • All the above services are managed using runit

What SSH servers are supported by Keyper?

Any Linux server running OpenSSH 6.8 or newer should be fine. An SSH server that supports AuthorizedKeysCommand is needed.

How to persist OpenLDAP data on restart?

By default, Keyper creates OpenLDAP database within container under /var/lib/openldap/openldap-data and /etc/openldap/slapd.d. For data to persist after a restart, we need to present local docker volumes as a parameter. Something like this:

$ docker volume create slapd.d
$ docker volume create openldap-data
$ docker run -p 80:80 -p 443:443 -p 389:389 -p 636:636 --hostname <hostname> --mount source=slapd.d,target=/etc/openldap/slapd.d --mount source=openldap-data,target=/var/lib/openldap/openldap-data -it dbsentry/keyper

For more information about docker data volume, please refer to:

https://docs.docker.com/engine/tutorials/dockervolumes/

What is the purpose of hostname as a parameter?

Keyper uses this hostname to generate a self-signed certificate. OpenLDAP and Nginx use this certificate for secure communication. Also, this hostname gets embedded in the auth.sh script which you need to download and deploy on each Linux server.

I want to connect to Keyper on a different terminal to see its inside?

Great. First find the container id of the running container, and then use “docker exec” to connect. Something like this:

$ docker ps
CONTAINER ID        IMAGE                 COMMAND                  CREATED             STATUS              PORTS                                                                                       NAMES
25b2869f1a71        dbsentry/keyper       "/container/tools/run"   21 hours ago        Up 21 hours         0.0.0.0:8080->80/tcp, 0.0.0.0:2389->389/tcp, 0.0.0.0:8443->443/tcp, 0.0.0.0:2636->636/tcp   peaceful_lewin
66d33bbdd32c        jenkinsci/blueocean   "/sbin/tini -- /usr/…"   13 days ago         Up 13 days          0.0.0.0:50000->50000/tcp, 0.0.0.0:8000->8080/tcp                                            jenkins-blueocean
$ docker exec -it 25b2869f1a71 /bin/sh
/ # ls
bin        dev        home       media      opt        root       sbin       sys        usr
container  etc        lib        mnt        proc       run        srv        tmp        var
/ # 

What environment variables can I set?

Following environment variables can be set while starting the container:

Environment Variable Description Default
LDAP_PORT ldap bind port 389
LDAPS_PORT ldaps bind port 636
LDAP_ORGANIZATION_NAME Name of the Organization Example Inc.
LDAP_DOMAIN LDAP Domain keyper.example.org
LDAP_LDAP_ADMIN_PASSWORD Admin password on LDAP superdupersecret
LDAP_TLS_CA_CRT_FILENAME CA Cert File Name ca.crt
LDAP_TLS_CRT_FILENAME Cert File Name server.crt
LDAP_TLS_KEY_FILENAME Cert Key File Name server.key
LDAP_TLS_DH_PARAM_FILENAME DH Param File Name dhparam.pem
LDAP_TLS_CIPHER_SUITE Default Cipher Suite TLSv1.2:HIGH:!aNULL:!eNULL
FLASK_CONFIG Flask Config (dev/prod) prod
HOSTNAME Hostname {docker generated}

How can I see Debug messages for the REST API?

Running a container with FLASK_CONFIG=dev would force Flask REST API to run in debug mode.

Where is the auditlog for OpenLDAP located

/var/log/openldap/auditlog.ldif. It may be a better idea to create docker volume for /var/log and mount it in the container to persist logs

How can I backup Keyper?

As far as you have a backup for the OpenLDAP database you are good to go. For the rest, as far as you specify the same cli params things should work fine.

How do I use a real SSL certificate with Keyper?

The certificate is used by OpenLDAP and Nginx. You can set custom certificate at run time by mounting a directory containing those files to /container/service/nginx/assets/certs and adjust their name per the environment variables defined above.

Subscribe

Subscribe to receive Keyper's Announcements

* indicates required

Contact