• Use X.509 certificates for OpenSSH and leverage PKI processes for managing the key material.
  • Centrally manage access to OpenSSH Servers in an LDAP aware Directory Service.
  • Automatize the distribution and installation of OpenSSH key material.


Keeto is a module for OpenSSH that enables profile-based administration of access permissions in a central LDAP aware Directory Service, adds support for X.509 certificates and handles the distribution of OpenSSH key material in an automated and secure manner.

The fundamental idea behind is to leverage existing infrastructure usually found in larger enterprises for managing access to OpenSSH servers comprising the assignment and revocation of access permissions and the management of keys. In order to gain full advantage of Keeto a PKI and associated processes have to be present. Optionally a strong protection mechanism for private keys such as a Smartcard can be used to increase the level of security.

Having all access permissions in a central repository highly simplifies its management with regards to the assignment/revocation and overview of permissions. Keeto represents access permissions through different access profile types that are assigned to OpenSSH servers centrally in an LDAP aware Directory Service such as OpenLDAP or Active Directory. Two different access profile types are supported enabling either direct access or access on behalf of another account.

Proper key management is vital to maintain the security of services. This comprises the secure generation of key material with approved tools and security parameters, the secure distribution and installation of keys and an appropriate key lifecycle management including the revocation, regeneration and removal of keys.

OpenSSH uses its own key format that solely consists of the data needed for the cryptographic operation during authentication. In comparison to X.509 certificates there is no binding to an identity, no integrity protection, no expiration and no mechanism for revocation.

This properties can either lead to manual processes or insecure handling of the key material. In a worst case scenario OpenSSH keys are

  • generated with unknown and unapproved tools using unsecure algorithms
  • distributed via non-integrity protected channels such as email or ticketing systems
  • not verified over an out of band channel before installation
  • deployed in an unsecure manner creating hard to detect backdoors
  • not regenerated in certain intervals
  • not in sync with actual access permissions
  • not revocable in a well-defined way

Those issues can be mitigated with a product solely focussing on the management of OpenSSH keys. However if a PKI is present this will result in two extensive software layers and processes that need to be maintained for the management of key material.

Instead of managing OpenSSH keys himself Keeto introduces support for X.509 certificates to OpenSSH. As X.509 certificates are already managed by a PKI no new processes e.g. key generation, periodical regeneration or revocation have to be established. Furthermore the protocol between the SSH client and the OpenSSH server remains untouched. Every SSH aware client can be used transparently without any modification. The distribution and proper installation of OpenSSH keys is handled by Keeto on each connection attempt after access permissions and the X.509 certificates have been successfully verified.

Keeto hooks into the standard PAM interface making it relatively independent from changes to OpenSSH itself. This implies that no modification of the OpenSSH source code is needed in order to run Keeto.

Profile Usage

Once Keeto is setup access to OpenSSH servers is exclusively managed in an LDAP aware Directory Service. Access permissions are granted through access profiles which come in two flavors. A direct access profile grants access directly to the users account whereas an access on behalf profile grants access to a different account. The latter one is meaningful e.g. to allow specific users to access technical accounts. Optionally keystore options can be assigned to an access profile restricting the usage of the key to certain commands or IP addresses.
  • An SSH server entry is the starting point for the determination of access permissions and consists of various references to access profiles. It is identified by a unique identifier.

  • A direct acess profile specifies key providers that shall have direct access to the OpenSSH server. In this example a group of key providers is referenced.

  • The key provider group consists of references to people entries that provide the key material.

  • All key providers need an entity with a uid and certificate set. This is supposed to be already part of the DIT and managed by the PKI.

  • Keystore options can be specified to restrict access to the OpenSSH server.

  • Access is only allowed from an IP address of the '' network.

  • The user 'birgit' is now able to login from the specified network. The keystore is installed in a way preventing it from non-privileged modifications.

  • Every protocol that relies on SSH for authentication can be used. Here SFTP is used for secure file transfer.

  • In this example we will have a look on how access on behalf profiles are specified. Again we start with an SSH server entry.

  • Access on behalf profiles have target keystores. A target keystore determines the destination keystore that receives the key providers keys.

  • A target keystore entry only needs to have a uid set. This uid is compared against the uid of the user about to login during authentication.

  • The key provider group ultimately specifies the keys that are synced into the target keystore.

  • In this example there are two key providers 'sebastian' and 'bjoern'.

  • Key provider entry from 'sebastian'...

  • ... and from 'bjoern'.

  • The user 'sebastian' is now able to login on behalf of the account 'keeto'.

  • So is 'bjoern'...

Get it!

Keeto is released under the terms of the GPLv3 license and actively developed by Sebastian Roland. The source code is hosted at and freely available for everyone. Information on how to install and configure Keeto can be obtained from the Docs.

You just wanna have a quick look without going through all the installation efforts? Check the Keeto image! See the Docs for all relevant information.





.tgz keeto-0.4.1-beta.tar.gz MD5: b0a141f20e0ae8f5893475f7b2887b9a
SHA1: ab0930d42f932aa5845acb8c8ebc42742547a3b4
SHA256: 0195962ac76d142a5fdbcd6cbfbf9140a5e2ca59513cdd9fa58bfebc6944bbd4
.rpm keeto-0.4.1-0.1.beta.el7.centos.x86_64.rpm MD5: abb70e533080712a52758d2f0b0fb438
SHA1: dd3f3bd28ce0a11c3be43bd61a134fb321623657
SHA256: 37123003bdd360ab93fd45455ea8f6938158bd5f0212bfba6bedb20f2e4e2adf
.srpm keeto-0.4.1-0.1.beta.el7.centos.src.rpm MD5: 07118854b4fcc53bdefe8c412b6ea7af
SHA1: b0e5d17b377bd8bc567cdcffc3d11738efa11827
SHA256: 80dd0dc3241661679577e0b2c2723b02509c8d1f49d5438e0bdf13f1b27a6671





.tgz keeto-0.3.0-beta.tar.gz MD5: becfb9a82110cfe516e73695b6ba3536
SHA1: 29f71ef3b65a30607ab487dce194ce4f5aeb5c58
SHA256: 5b4b28a3a350b8728d824210efe06179d9892ceb09ab6bf9116e8684c17fd98f
.rpm keeto-0.3.0-0.1.beta.el7.centos.x86_64.rpm MD5: 82d5e3e4ad70d5b517bf7f098e60aabe
SHA1: 15abc5b94b9bf30e939f48af92c49f358b84d853
SHA256: 28726665a4f435e247366463b53e762dfad1fc91ada18421e56624216efbecbb
.srpm keeto-0.3.0-0.1.beta.el7.centos.src.rpm MD5: bbd57875a6e90a8d2a42dcbfeafd334e
SHA1: 6b77a2b5941db92268633509598c7632055b7003
SHA256: a9c08e4fd7212f03d83b46b55ac2818d495eeb794a2904acae29f3e2ebada42a





.tgz keeto-0.2.0-beta.tar.gz MD5: 3a5c016e044b53ceb6f75c6bf77decd0
SHA1: 9f68819339789dc19d0d2eeb65e60786cbf5a1db
SHA256: d4ec4f2b2a68e0639ec42e03da9af42fc0910ee6fcaface3980e942142d67c0b
.rpm keeto-0.2.0-0.2.beta.el7.centos.x86_64.rpm MD5: 52bf8828107340a5b0418975a730eede
SHA1: d420e9cef14d1bc3d349a95faf1db5dfb431a2d1
SHA256: 2f905b2cf7e7ed6af6fc523c5ac740ba2a72c6e33536d9ccff3d271323b9e054
.srpm keeto-0.2.0-0.2.beta.el7.centos.src.rpm MD5: 2c6900bc7ba8c8e91d23accbe919b2b2
SHA1: 8e7ab5d8ac1ac1fbac3ec30a5a8ec4eeef23339a
SHA256: 3663d4f28e7e2d0edca755c38bbf0b90c02a8d8d5f923d35874a627e8532f8e4


You have a question, suggestion or just wanna say 'Hi'? Feel free to reach out!


You like the project and want to join? Your help is highly appreciated! Currently searching for:

  • Package maintainers
  • Code reviewers
  • Testers
  • Feedback

No time for active participation but still would like to contribute?!
Keep my mind focused and a coffee \o/