An SSH agent capable of proxying requests and signing keys via HashiCorp Vault.

When working with sensitive SSH keys (e.g. keys for production infrastructure) it can be desirable to separate them from other keys. With ssh-proxy-agent, keys can be isolated to a particular environment will still allowing access to the outer environment's keys.

Signing keys via HashiCorp Vault is also supported and works well when combined with on-the-fly key generation.

As long as you have a proper Go environment set up you should be able to install using go get:

$ go get -u github.com/miquella/ssh-proxy-agent

ssh-proxy-agent can act as a standalone agent or can proxy requests to an upstream agent. To get started, the basic invocation to spawn an agent is:

$ ssh-proxy-agent --shell

This will spawn an interactive shell with the new SSH agent. If you have an existing agent configured in your SSH_AUTH_SOCK env var the new agent will proxy requests to it and any keys in your upstream agent will be available in the proxy agent. Any keys added to the proxy agent will be isolated from the upstream agent and will only remain available while the shell is active.

Take note that because ssh-proxy-agent uses the SSH_AUTH_SOCK env var to configure the new agent, you will need to ensure this variable does not get overrode when opening a new shell (e.g. through a .bashrc or similar file). If you experience problems, you may want to try running with the --doctor flag inside of a shell to verify if you are configured to talk to the proxy agent correctly:

$ ssh-proxy-agent --doctor

If you wish to run the proxy agent more securely, you can disable proxying to an upstream agent via:

$ ssh-proxy-agent --shell --no-proxy

If you have access to a HashiCorp Vault instance that is configured for SSH key signing, you can configure the proxy agent to automatically sign all keys added to the agent:

$ ssh-proxy-agent --shell --vault-signing-url https://vault.address.com/key/signing/path

If the VAULT_ADDR environment variable is set you can provide a relative path to the --vault-signing-url instead of the full address. For example: --vault-signing-url key/signing/path.

All keys added to the agent will be signed for a one hour duration and will be automatically renewed prior to expiration to ensure that the keys are always valid.

You must have a Vault token configured for this work, either via the VAULT_TOKEN environment variable or a .vault-token file located in your home directory.

This is particularly useful when combined with --generate-key which will generate an in-memory key to seed the agent that can be signed on creation.

$ ssh-proxy-agent --shell --vault-signing-url https://vault.address.com/key/signing/path --generate-key

To explore the other flag options and see usage rules you can access the help menu with:

$ ssh-proxy-agent --help