boris/keywarden
1
1
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects 1 Releases Wiki Activity

Implement ssh_keys model and attach to users #4

New Issue
Closed
opened 2025-09-23 14:35:16 +00:00 by boris · 2 comments
boris commented 2025-09-23 14:35:16 +00:00
Owner
Copy Link

As an end user, I want to register my SSH public keys so that I can request access to servers using those keys.

Acceptance Criteria (G/W/T)

  • Given a valid JWT, when I POST /api/v1/keys with name, public_key (ed25519 or ecdsa-p256), optional expires_at, then the key is stored and returned with id, algo, is_active=true.
  • Given I have keys, when I GET /api/v1/keys, then I see only my keys.
  • Given an invalid key format/algorithm, when I attempt to add it, then I get 422 with a clear error.
  • Given a key I own, when I DELETE /api/v1/keys/{id} or PATCH to deactivate, then the key is no longer active and won’t be deployed by agents.

Notes / Non-functional

  • Enforce allowed algos (default: ssh-ed25519, ecdsa-sha2-nistp256).
  • Store original key string; parse/validate on write.
  • Add index (user_id, is_active) for quick lookups.
As an end user, I want to register my SSH public keys so that I can request access to servers using those keys. Acceptance Criteria (G/W/T) - [x] Given a valid JWT, when I POST /api/v1/keys with name, public_key (ed25519 or ecdsa-p256), optional expires_at, then the key is stored and returned with id, algo, is_active=true. - [x] Given I have keys, when I GET /api/v1/keys, then I see only my keys. - [x] Given an invalid key format/algorithm, when I attempt to add it, then I get 422 with a clear error. - [x] Given a key I own, when I DELETE /api/v1/keys/{id} or PATCH to deactivate, then the key is no longer active and won’t be deployed by agents. Notes / Non-functional - [x] Enforce allowed algos (default: ssh-ed25519, ecdsa-sha2-nistp256). - [x] Store original key string; parse/validate on write. - [x] Add index (user_id, is_active) for quick lookups.
boris added this to the Minimum Viable Product milestone 2025-09-23 14:35:16 +00:00
boris added the Kind/Feature
Priority
Critical
1
 labels 2025-09-23 14:35:16 +00:00
boris self-assigned this 2025-09-23 14:35:16 +00:00
boris added this to the Keywarden project 2025-09-23 14:35:16 +00:00
boris added the
Status
Blocked
1
 label 2025-09-23 14:35:26 +00:00
boris commented 2026-01-27 09:31:45 +00:00
Author
Owner
Copy Link

Pivoted to SSH CA and Certificates.

New Flow:

  • Authenticated user adds public key from device to profile
  • User gains access to target server on Keywarden
  • User object now has object permissions to view target server object
  • Signed SSH certificate derived from pubkey grants access to server
Pivoted to SSH CA and Certificates. New Flow: - Authenticated user adds public key from device to profile - User gains access to target server on Keywarden - User object now has object permissions to view target server object - Signed SSH certificate derived from pubkey grants access to server
boris commented 2026-01-27 09:34:24 +00:00
Author
Owner
Copy Link

Implemented in keywarden/dev. Closing for now, will merge to main later.

Implemented in keywarden/dev. Closing for now, will merge to main later.
boris closed this issue 2026-01-27 09:34:24 +00:00
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
Compat/Breaking
Breaking change that won't be backward compatible
 Kind/Bug
Something is not working
 Kind/Documentation
Documentation changes
 Kind/Enhancement
Improve existing functionality
 Kind/Feature
New functionality
 Kind/Security
This is security issue
 Kind/Testing
Issue or pull request related to testing
Priority
Critical
1
The priority is critical
Priority
High
2
The priority is high
Priority
Low
4
The priority is low
Priority
Medium
3
The priority is medium
Reviewed
Confirmed
1
Issue has been confirmed
Reviewed
Duplicate
2
This issue or pull request already exists
Reviewed
Invalid
3
Invalid issue
Reviewed
Won't Fix
3
This issue won't be fixed
Status
Abandoned
3
Somebody has started to work on this but abandoned work
Status
Blocked
1
Something is blocking this issue or pull request
Status
Need More Info
2
Feedback is required to reproduce issue or to continue work
No Label Kind/Feature
Priority
Critical
1
Status
Blocked
1
Milestone
No items
No Milestone Minimum Viable Product
Projects
Clear projects
No project Keywarden
Assignees
Clear assignees
boris
No Assignees boris
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: boris/keywarden#4
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?