tailscale/tskagent

tskagent

This repository provides a tskagent ((T)ailscale (S)SH (K)ey Agent) library and program that implements the SSH key agent protocol and serves keys stored in setec.

To install the agent binary:

go install github.com/tailscale/tskagent/cmd/tskagent@latest

To run the agent, you must provide:

  1. The URL of a setec server instance,
  2. A non-empty secret name prefix to serve from, and
  3. A path to a local socket to serve the agent protocol.

For example:

tskagent --server https://setec.example.com \
         --prefix prod/example/ssh-keys/ \
         --socket "$HOME/.ssh/tskagent.sock"

Once this is running, you can access the agent using the standard tools. For example, you can list the available secrets by running:

export SSH_AUTH_SOCK="$HOME/.ssh/tskagent.sock"
ssh-add -L

The agent loads all the secrets matching the specified name prefix once at startup. The value of each secret must be a PEM-formatted private key. The agent logs and ignores any secrets that do not have this format.
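Because secrets that are not PEM private keys are skipped with only a log line, it can help to check candidate values before storing them in setec. The following is an added example, not code from tskagent: `checkKey`, `preflight` and `sampleSecrets` are hypothetical names, the secret names and values are constructed, and it uses only the Go standard library, so it fully parses PKCS#8 keys and checks other key formats by PEM type only.

```go
package main

import (
	"crypto/ed25519"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"strings"
)

// checkKey returns nil if value looks like a PEM private key, else the reason.
// Assumption: only PKCS#8 bodies are parsed; other key formats pass on PEM type.
func checkKey(value []byte) (err error) {
	block, _ := pem.Decode(value)
	if block == nil {
		return fmt.Errorf("no PEM block found")
	}
	switch block.Type {
	case "PRIVATE KEY":
		_, err = x509.ParsePKCS8PrivateKey(block.Bytes)
	case "RSA PRIVATE KEY", "EC PRIVATE KEY", "OPENSSH PRIVATE KEY": // type check only
	default:
		err = fmt.Errorf("PEM type %q is not a private key", block.Type)
	}
	return err
}

// preflight checks every secret under prefix; names outside it are not reported.
func preflight(prefix string, secrets map[string][]byte) map[string]error {
	report := make(map[string]error)
	for name, value := range secrets {
		if strings.HasPrefix(name, prefix) {
			report[name] = checkKey(value)
		}
	}
	return report
}

// sampleSecrets returns constructed data: a fresh key, a non-key, an unrelated name.
func sampleSecrets() map[string][]byte {
	_, priv, _ := ed25519.GenerateKey(nil)
	der, _ := x509.MarshalPKCS8PrivateKey(priv)
	key := pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der})
	return map[string][]byte{"prod/example/ssh-keys/deploy": key,
		"prod/example/ssh-keys/notes": []byte("not a key"), "prod/other/token": key}
}

func main() {
	fmt.Println(preflight("prod/example/ssh-keys/", sampleSecrets()))
}
```

A non-nil entry in the report marks a secret that would need fixing before an agent serving that prefix could use it.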

By default, keys are loaded from setec only once when the agent starts up. Use --update to make it poll at the specified interval for new secret versions. The agent does not allow the client to add new secrets. It does allow the client to "delete" the local copy of a secret from the agent (ssh-add -d), but note that this only affects the agent's copy; it does not remove the key from setec.
