Keeping your authorized SSH keys up to date and secure.

Keybot downloads your authorized_keys file from a known location on the internet and only updates the local version after validating an accompanying PGP signature. In case it is unable to download a fresh copy or can’t validate the PGP signature, the local file is left alone.

Configuring keybot

In order to make using keybot as easy as possible, configuration is done at compile time. This allows you to build it once and distribute it to any server you like, with no need to worry about configuring download locations and your PGP key.

Open config.go and update the three variables:

Then compile your personalized version of keybot using make build.

Using keybot

Simply call keybot with the location of the authorized_keys file you want to update:

keybot ~/.ssh/authorized_keys

This will replace the given file with your online version, but only if the PGP signature can be verified.

Merge mode

Use the merge feature if you want to add the keys listed in your online files, but keep the existing ones in the local file too.

keybot --merge ~/.ssh/authorized_keys
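The verify-then-replace flow described at the top of this README and the --merge behaviour above, as an added Go example that is not keybot's own code. It assumes ed25519 from the standard library in place of the PGP check (so the example runs offline), a hypothetical update function with the signature shown, and constructed sample key lines; the download step is left out and the downloaded bytes plus detached signature are passed in directly. Keys are deduplicated by type and key blob, so a line that only differs in its comment or options is not added twice.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrBadSignature means the download did not verify; the local file stays untouched.
var ErrBadSignature = errors.New("signature verification failed")

// verify checks a detached signature over body. ASSUMPTION: ed25519 from the
// standard library stands in for keybot's PGP check so the example runs offline.
func verify(pub ed25519.PublicKey, body, sig []byte) error {
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, body, sig) {
		return ErrBadSignature
	}
	return nil
}

// keyID reduces an authorized_keys line to "<type> <base64>", skipping any
// leading options and the trailing comment; blank and comment lines return false.
func keyID(line string) (string, bool) {
	f := strings.Fields(line)
	if len(f) == 0 || strings.HasPrefix(f[0], "#") {
		return "", false
	}
	for i := 0; i+1 < len(f); i++ {
		if t := f[i]; strings.HasPrefix(t, "ssh-") || strings.HasPrefix(t, "ecdsa-") || strings.HasPrefix(t, "sk-") {
			return t + " " + f[i+1], true
		}
	}
	return "", false
}

// merge keeps every local line and appends the remote keys not already present
// (--merge). Identity is type plus key blob, so a changed comment is not a new key.
func merge(local, remote string) string {
	seen := map[string]bool{}
	var out []string
	if local = strings.TrimRight(local, "\n"); local != "" {
		out = strings.Split(local, "\n")
	}
	for _, l := range out {
		if id, ok := keyID(l); ok {
			seen[id] = true
		}
	}
	for _, l := range strings.Split(remote, "\n") {
		if id, ok := keyID(l); ok && !seen[id] {
			seen[id] = true
			out = append(out, l)
		}
	}
	if len(out) == 0 {
		return ""
	}
	return strings.Join(out, "\n") + "\n"
}

// update rewrites path only after the signature verifies; a bad signature returns
// before the file is opened. The new content is written to a 0600 sibling file
// and renamed into place, so sshd never reads a half-written authorized_keys.
func update(path string, remote, sig []byte, pub ed25519.PublicKey, mergeMode bool) error {
	if err := verify(pub, remote, sig); err != nil {
		return err
	}
	content := string(remote)
	if mergeMode {
		local, err := os.ReadFile(path)
		if err != nil && !errors.Is(err, os.ErrNotExist) {
			return err
		}
		content = merge(string(local), content)
	}
	tmp := filepath.Join(filepath.Dir(path), ".authorized_keys.keybot-tmp")
	if err := os.WriteFile(tmp, []byte(content), 0o600); err != nil {
		return err
	}
	return os.Rename(tmp, path)
}

func main() {
	// Constructed demo: a throwaway signing key, a fake "online" file and a temp dir.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	remote := []byte("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyOne laptop\n")
	sig := ed25519.Sign(priv, remote)
	dir, _ := os.MkdirTemp("", "keybot")
	defer os.RemoveAll(dir)
	path := filepath.Join(dir, "authorized_keys")
	os.WriteFile(path, []byte("ssh-rsa AAAAB3NzaC1yc2EAAAAExampleLocal old-desktop\n"), 0o600)
	fmt.Println("merge:", update(path, remote, sig, pub, true))
	got, _ := os.ReadFile(path)
	fmt.Print(string(got)) // both keys, local first
	// A modified download no longer matches its signature, so the file is left alone.
	tampered := append([]byte("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIUnsignedLine extra\n"), remote...)
	fmt.Println("tampered:", update(path, tampered, sig, pub, false))
}
```

Because verification happens before the target is opened, a tampered, truncated or missing download can never leave behind an empty or partial authorized_keys, which is the property this README promises when it says the local file is left alone; the temp-file-plus-rename write gives the same guarantee against a crash mid-write.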

Daemon mode

In case you can’t use cron jobs to run keybot periodically, it’s possible to start it as a daemon:

nohup keybot --daemon ~/.ssh/authorized_keys &

This keeps keybot running in the background, where it sleeps and periodically updates the authorized_keys file.

Identifying keybot

You’ll recognize keybot in your webserver logs by looking for the Keybot/1.0 user agent.