Stores and distributes public keys.
This service provides methods to to add and remove keys, and to fetch keys or key names.
Public keys are added and fetched in the openssh format:
<algorithm> <key> <name>
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDNLVA3D1VpH/yVST0v\ 4Mj+eAGM5dMNTpv5i/PyvUEGc3r2I8DZNq/icyCoZJlAeR10b13OGHTn2\ ubu3OeJz5vAJSbZr6QT6V1wKoX8b2g0DR8RcShUWJ8cPeY6wI9eh9F778\ aY0gkF2YpU62YWRri4K2kQwROQznhfNsgUAj4F2hs8C1T8MElaz2Ux8eg\ o7Lc2V6sHxsLpz8a08rEjGXm5vRgaVlKY1vzBUDtkQrYvm+cPfW/dVwiB\ Ujl73T0vrbcgy7u7AlMqenMjQzoJXzY5kRnPUQOhHpZZ/9gw8YG2PutVy\ AufTXIGibGoGdBLzYltJEfQAEEPTovwZdBWNFT5 firstname.lastname@example.org
In the example, the key name is
email@example.com. This name is used
when deleting a specific key for a user.
When storing public keys, the name field from the public key data is used to uniquely identify the key among a user's keys. Thus a user may have multiple public keys stored, with different names. All of a user's public keys will be used to authenticate her in the terminal login scenario.
pubkeys add command can be used to upload public keys. It accepts the
key data in the following forms:
conjur pubkeys add username "key data string"- Use the contents of the second argument as the key.
conjur pubkeys add username @key_file_name.pub- Use the contents of the given file.
conjur pubkeys add username- Read the key from the standard input.
To show only the names of public keys for a user, use
pubkeys names. This
can be useful for selecting a keyname to delete or ensuring that all of a user's
public keys are nuked.
$ conjur pubkeys names username
To delete a public key, use the
pubkeys delete command:
$ conjur pubkeys delete username key-name
To list all of a user's public keys, one per line, use
$ conjur pubkeys show username
Note that the
pubkeys show command can be acheived using
curl as well,
which is often preferable, since you don't need to be logged in to Conjur to
show a user's public keys (they're public, after all!).
$ curl https://pubkeys.example.com/public_keys/username
In order to add, delete or update public keys, you'll need to be a member
of the group
pubkeys-1.0/key-managers. You can grant this membership using the following command:
conjur group members add pubkeys-1.0/key-managers user:yourname
or to a group that you belong to:
conjur group members add pubkeys-1.0/key-managers group:yourgroup
You can also grant the ability to manage public keys by permitting the
<account>:service:pubkeys-1.0/public-keys. The group
already has this permission.
You list everyone who is allowed to manage public keys using the following command:
$ conjur resource permitted_roles service:pubkeys-1.0/public-keys update [ "demo:user:admin", "demo:group:pubkeys-1.0/key-managers", "demo:group:pubkeys-1.0/admin", "demo:group:security_admin", ... ]