the simplest ssh ca
Markus Bergholz 9281e4cccb


The simplest SSH CA I can think of.


Nowadays it is widespread to store your public SSH keys in SCM tools like GitLab, Gitea, GitHub, etc.
So why not use this source for your SSH CA?
Most companies already self-host an SCM tool and possibly also bind it to a directory. When the Linux servers are also bound to the same directory, awesome. Those are perfect conditions, because you don't even need to orchestrate the users to all your servers.
You only need to glue things together. This is where hausschrat comes into play.

A user needs to create an access token in their SCM tool with read_user permissions only. With this access token, hausschrat can verify the user, fetch the user's public key, sign it and respond with the certificate.


Take a look at the docs/src/ folder or read it online:

CLI - request a certificate

Users just need a ~/.config/hausschrat.yml file.

  server: http://localhost:8080 # hausschrat backend
  api_token: ... # go to your scm tool and create a `read_user` access token.
  user: m
  key: markus@dell
  expire: +5h
  cert_file: ~/.ssh/

$ hausschrat
start issuing certificate for default
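To audit what the CA handed back, the certificate's fields can be compared with the request in the config above (user `m`, `expire: +5h`, taken here to mean five hours). This is an added example, not hausschrat's own code: `parse_cert`, `violations` and `sample_cert` are hypothetical names, the sample certificate is constructed with dummy keys, and the signature is not verified.

```python
import base64
import struct

CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"

def _s(data):  # SSH wire 'string': uint32 big-endian length, then the bytes
    return struct.pack(">I", len(data)) + data

def parse_cert(line):
    """Decode the policy-relevant fields of an ed25519 certificate line."""
    blob, pos = base64.b64decode(line.split()[1]), 0
    def take(n):
        nonlocal pos
        if pos + n > len(blob):
            raise ValueError("truncated certificate")
        pos += n
        return blob[pos - n:pos]
    def string():
        return take(struct.unpack(">I", take(4))[0])
    if string() != CERT_TYPE:
        raise ValueError("not an ed25519 certificate")
    string(); string()  # skip nonce and public key
    serial, ctype = struct.unpack(">QI", take(12))
    key_id, packed, principals = string().decode(), string(), []
    while packed:  # principals are strings nested inside one string
        n = struct.unpack(">I", packed[:4])[0]
        principals.append(packed[4:4 + n].decode())
        packed = packed[4 + n:]
    after, before = struct.unpack(">QQ", take(16))
    return {"serial": serial, "type": ctype, "key_id": key_id,
            "principals": principals, "valid_after": after, "valid_before": before}

def violations(cert, user, max_seconds):
    """Compare a certificate with what was requested; return a list of problems."""
    found = []
    if cert["type"] != 1:  # 1 = user certificate, 2 = host certificate
        found.append("not a user certificate")
    if cert["principals"] != [user]:  # an empty list means valid for ANY principal
        found.append("unexpected principals")
    if cert["valid_before"] - cert["valid_after"] > max_seconds:
        found.append("lifetime too long")  # also catches 'forever' (2**64 - 1)
    return found

def sample_cert(principals, after, before):
    """Constructed test input: dummy keys and signature, NOT a usable certificate."""
    names = b"".join(_s(p.encode()) for p in principals)
    body = (_s(CERT_TYPE) + _s(b"\0" * 32) + _s(b"\1" * 32) + struct.pack(">QI", 1, 1)
            + _s(b"constructed-id") + _s(names) + struct.pack(">QQ", after, before)
            + _s(b"") * 3 + _s(b"dummy-ca-key") + _s(b"dummy-signature"))
    return "%s %s markus@dell" % (CERT_TYPE.decode(), base64.b64encode(body).decode())
```

On a real certificate file, `ssh-keygen -L -f <certificate file>` prints the same fields for a manual check.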


Contributions and issues are welcome on or
