An app that serves an SSH key and a helper script for adding it temporarily to the ssh-agent. It authenticates the request against Yubico's validation servers using a YubiKey OTP.

go get



A little app to serve SSH keys over an authenticated endpoint. A helper script is used to add the key to the SSH agent with an expiry.

Only YubiKey one-time password (OTP) authentication is supported at the moment.


1. Create configuration

$ cat config.json
{
  "SSHKey": "id_rsa",
  "LoaderScript": "",
  "PublicUrl": "",
  "Auth": {
    "clientId": "12345",
    "apiKey": "apikey",
    "preferHttp": false
  }
}

  • SSHKey: path to the private key that /key hands out
  • LoaderScript: path to the loader script served at /
  • PublicUrl: public URL where the /key endpoint can be queried; make this an https:// URL, since the private key itself is the response body
  • Auth.clientId, Auth.apiKey: your Yubico API credentials
  • Auth.preferHttp: prefer plain HTTP over HTTPS when contacting the Yubico validation API; leave it false

2. Build

$ go build

3. Run

$ nohup ./keyguard &

4. Load key!

$ curl -s | bash
OTP: ccccsfrhkrucdedthkkrdkkrbjdhidjkljktflhvjgcl # this is where I pressed the YubiKey button
Identity added: /tmp/tmp.2GxYjzCLaE (/tmp/tmp.2GxYjzCLaE)
Lifetime set to 32400 seconds


You have to create an API key (client ID plus secret key) at Yubico to use the authenticator.

How it works

The service exposes two endpoints:

  • /
  • /key

/ responds with a shell script (the bundled loader script is an example) that makes a second call to /key with the right request parameters. If authentication succeeds, the response to the second request is the SSH key. Different authentication mechanisms may need a tailored loader script as well.
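As an added example, not keyguard's own code, here is a minimal Go server with the two endpoints described above plus the loader script it serves. The call to Yubico's validation servers is assumed rather than reproduced: an OTPVerifier interface stands in for it, and SingleUseVerifier is an offline stub that accepts each allow-listed OTP once, the way a validation server rejects replays. The POST form field `otp`, the `{{PublicUrl}}` placeholder, the handler names and the listen address are this example's own choices, not keyguard's.

```go
package main

import (
	"errors"
	"log"
	"net/http"
	"os"
	"regexp"
	"strings"
	"sync"
)

// OTPVerifier reports whether an OTP is genuine and unused. keyguard asks
// Yubico's validation servers; SingleUseVerifier below is an offline stand-in.
type OTPVerifier interface {
	Verify(otp string) (bool, error)
}

// YubiKey OTPs are ModHex (alphabet cbdefghijklnrtuv), 32-48 characters,
// 44 for a standard key; the first 12 are the key's public ID.
var modhexOTP = regexp.MustCompile(`^[cbdefghijklnrtuv]{32,48}$`)

// SingleUseVerifier accepts each allow-listed OTP once, mimicking the replay
// rejection a real validation server provides. Constructed for this example.
type SingleUseVerifier struct {
	mu   sync.Mutex
	live map[string]bool
}

func (v *SingleUseVerifier) Verify(otp string) (bool, error) {
	if !modhexOTP.MatchString(otp) {
		return false, errors.New("malformed OTP")
	}
	v.mu.Lock()
	defer v.mu.Unlock()
	ok := v.live[otp]
	delete(v.live, otp) // a replayed OTP fails even though it was once valid
	return ok, nil
}

// Server keeps the private key in memory and renders the loader script on demand.
type Server struct {
	PublicUrl string // where the loader script sends the OTP
	Verifier  OTPVerifier
	Key       []byte
	Loader    string
}

// Handler wires / (loader script) and /key (authenticated key download).
func (s *Server) Handler() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/", s.serveLoader)
	mux.HandleFunc("/key", s.serveKey)
	return mux
}

// serveLoader fills PublicUrl into the script so "curl -s <PublicUrl> | bash"
// knows where to call back.
func (s *Server) serveLoader(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/plain; charset=utf-8")
	w.Write([]byte(strings.ReplaceAll(s.Loader, "{{PublicUrl}}", s.PublicUrl)))
}

// serveKey releases the key only for a fresh, verified OTP. The OTP is read from
// a POST body rather than the query string so it stays out of access logs.
func (s *Server) serveKey(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodPost {
		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
		return
	}
	if ok, err := s.Verifier.Verify(r.FormValue("otp")); err != nil || !ok {
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	w.Header().Set("Content-Type", "application/octet-stream")
	w.Header().Set("Cache-Control", "no-store")
	w.Write(s.Key)
}

// LoaderTemplate is the helper script. Under "curl | bash" stdin is the script
// itself, so the prompt reads from /dev/tty. The key goes to a private temp file
// removed on exit, and ssh-add -t sets the 32400-second lifetime shown above.
const LoaderTemplate = `#!/bin/sh
set -eu
printf 'OTP: ' >&2; read -r OTP </dev/tty
KEYFILE=$(mktemp); trap 'rm -f "$KEYFILE"' EXIT
curl -fsS --data-urlencode "otp=$OTP" {{PublicUrl}}/key -o "$KEYFILE"
ssh-add -t 32400 "$KEYFILE"
`

func main() {
	key, err := os.ReadFile("id_rsa") // the path config.json's SSHKey points at
	if err != nil {
		log.Fatal(err)
	}
	// A deployment plugs in a Yubico-backed verifier in place of the stub.
	srv := &Server{PublicUrl: "http://127.0.0.1:8080", Verifier: &SingleUseVerifier{live: map[string]bool{}}, Key: key, Loader: LoaderTemplate}
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", srv.Handler()))
}
```

Two properties worth checking in any implementation of this flow: a replayed OTP must be refused even though it was once valid, and the key endpoint must not answer GET requests, so the OTP never ends up in a URL.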