Keybot downloads your authorized_keys file from a known location on the internet and only updates the local version after validating an accompanying PGP signature. If it is unable to download a fresh copy or cannot validate the PGP signature, the local file is left alone.
In order to make using keybot as easy as possible, configuration is done at compile time. This allows you to build it once and distribute it to any server you like, with no need to worry about configuring download locations and your PGP key.

Edit config.go and update the three variables:

authorized: Download location of the authorized keys file
signature: Download location of an ASCII-armored PGP signature
keyring: Public key used to verify the authorized keys signature
Then compile your personalized version of keybot with the location of the authorized_keys file you want to update:

This will replace the given file with your online version, but only if the PGP signature can be verified.
Use the merge feature if you want to add the keys listed in your online files, but keep the existing ones in the local file too.
keybot --merge ~/.ssh/authorized_keys
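The decision rule described above (replace the file, or merge into it, only when the signature verifies; otherwise leave the local file untouched) written out in Go, as an added example that is not keybot's own code. It uses an Ed25519 detached signature from the standard library as a stand-in for the PGP signature keybot actually checks, since OpenPGP verification needs a third-party package; the function names Update and Merge, the key blobs and the file contents are all constructed for the example.

```go
package main

import (
	"bufio"
	"crypto/ed25519"
	"errors"
	"fmt"
	"strings"
)

// Constructed sample files. The base64 blobs are placeholders, not real keys.
const localKeys = "# laptop\nssh-ed25519 AAAAC3LOCAL0001 alice@laptop\nssh-rsa AAAAB3LOCAL0002 alice@old\n"
const remoteKeys = "ssh-ed25519 AAAAC3LOCAL0001 alice@laptop\nssh-ed25519 AAAAC3REMOTE0003 alice@desk\n"

// splitLines returns the non-empty, trimmed lines of an authorized_keys body.
func splitLines(body string) []string {
	var lines []string
	sc := bufio.NewScanner(strings.NewReader(body))
	for sc.Scan() {
		if l := strings.TrimSpace(sc.Text()); l != "" {
			lines = append(lines, l)
		}
	}
	return lines
}

// keyIdentity extracts "keytype base64" from an authorized_keys line, skipping
// any leading options field and ignoring the trailing comment, so two lines with
// the same key material but different comments count as the same key.
func keyIdentity(line string) (string, bool) {
	fields := strings.Fields(line)
	for i := 0; i+1 < len(fields); i++ {
		f := fields[i]
		if strings.HasPrefix(f, "ssh-") || strings.HasPrefix(f, "ecdsa-") || strings.HasPrefix(f, "sk-") {
			return f + " " + fields[i+1], true
		}
	}
	return "", false
}

// Merge keeps every line of the local file (comments included) and appends the
// keys from the remote file that are not already present. Non-key lines from
// the remote file are dropped.
func Merge(local, remote string) string {
	seen := map[string]bool{}
	var out []string
	for _, line := range splitLines(local) {
		out = append(out, line)
		if id, ok := keyIdentity(line); ok {
			seen[id] = true
		}
	}
	for _, line := range splitLines(remote) {
		id, ok := keyIdentity(line)
		if !ok || seen[id] {
			continue
		}
		seen[id] = true
		out = append(out, line)
	}
	return strings.Join(out, "\n") + "\n"
}

// Update applies keybot's rule: the downloaded file is used only if its
// signature verifies against the compiled-in public key. On any verification
// failure the local contents are returned unchanged together with an error.
func Update(local, downloaded string, sig []byte, pub ed25519.PublicKey, merge bool) (string, error) {
	if !ed25519.Verify(pub, []byte(downloaded), sig) {
		return local, errors.New("signature verification failed; keeping local authorized_keys")
	}
	if merge {
		return Merge(local, downloaded), nil
	}
	return downloaded, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader uses crypto/rand
	sig := ed25519.Sign(priv, []byte(remoteKeys))

	out, err := Update(localKeys, remoteKeys, sig, pub, true)
	fmt.Printf("merged:\n%s(err=%v)\n\n", out, err)

	// A download altered in transit no longer matches the signature, so the
	// local file is kept as-is.
	tampered := remoteKeys + "ssh-ed25519 AAAAC3EVIL0009 mallory\n"
	out, err = Update(localKeys, tampered, sig, pub, true)
	fmt.Printf("tampered:\n%s(err=%v)\n", out, err)
}
```

The important property is the early return in Update: nothing derived from the download reaches the local file until the signature has been checked, and a failed check yields exactly the local contents, which is what the README promises for an unreachable download or a bad signature.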
If you cannot use cronjobs to periodically run keybot, it is possible to start it as a daemon:

nohup keybot --daemon ~/.ssh/authorized_keys &

This lets keybot sleep in the background and update the authorized_keys file now and then.
You can recognise keybot in your webserver logs by looking for the Keybot/1.0 user agent.