- Extensibility: No more copying and pasting RSA keys to add people to your server; you can simply add them using their Gmail addresses.
- Scalability: You can add as many people as you like to your server via their email addresses.
- Security: This project uses OpenPubkey, which builds on the OpenID Connect (OIDC) protocol and makes SSH authentication even more secure.
- Single Command: All it takes is one command to fully configure your server for SPoK.
- Runs everywhere: spin up your development environment on any machine, whether it's local, remote, cloud-based, a physical server, or a VM, and on any architecture (x86 or ARM).
- Download the AUR package for SPoK: (You can install it with your favourite AUR helper)
yay -S spok-bin
- You can install by running the following commands
curl -s "https://packagecloud.io/install/repositories/SaahilNotSahil/spok/script.deb.sh?any=true" | sudo bash
sudo apt update
sudo apt install spok
- You can install by running the following commands
brew tap devlup-labs/spok
brew install spok
- To upgrade the package:
brew upgrade spok
- First, you need to install Scoop.
- Next, run the following commands in PowerShell
scoop bucket add org https://github.com/devlup-labs/scoop-spok.git
scoop install spok
- Download the latest release (spok_<version>_windows_amd64.zip) from here.
- Extract the zip file.
- Open PowerShell as administrator and run the following commands
cd <path-to-extracted-folder>
.\install.ps1
- SPoK is now installed on your system in the C:\Program Files\SPoK directory, and is added to the PATH.
SPoK consists of two parts: the spok client CLI tool, and the verifier server-side tool, which is downloaded automatically while configuring your server to use SPoK.
You must have access to the root user on the server, or any other user with sudo privileges, to configure the server to use SPoK.
- Configure your server by running the following command
spok configure -s <user>@<server-ip-or-hostname> -e <email-id>
(Optional in case of key-pair authentication)
spok configure -i <pvt_key_path> -s <user>@<server-ip> -e <email-id>
- Login to your email account (the one you provided while configuring the server)
spok login
- Now you can SSH into your server, and it won't ask for a password or key
ssh <user>@<server-ip>
Note 2: The server must have an active internet connection for configuring SPoK, as well as every time you SSH into the server. If it ever loses internet connectivity, you can always fall back to using a password or key.
Note 3: Currently the validity of the token is 1 hour. After that, you will have to re-login to your email account. Just use the spok login command again.
Once the server is successfully configured for use with SPoK, you'll find a new directory /etc/spok on the server, which contains two files: a policy.yml file and the verifier program. If either of these files is missing or empty, make sure the server has an active internet connection, the user is root or has sudo privileges, and run the configure command again.
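A server-side check of the /etc/spok directory described above, as an added example that is not part of the SPoK project. The function name spok_audit is hypothetical, and the ownership and write-permission checks are assumptions added here (the page only states that both files must exist and be non-empty); they matter because the verifier runs during SSH authentication and policy.yml decides who may log in.

```shell
#!/bin/sh
# Added example: audit the directory that `spok configure` creates.
# Assumption (not from the SPoK docs): both files should be owned by a
# trusted account (root by default) and not be group- or world-writable.

spok_audit() {
    dir=${1:-/etc/spok}      # directory named on this page
    owner=${2:-root}         # expected owner (assumption)
    problems=0

    for name in policy.yml verifier; do
        f="$dir/$name"
        if [ ! -f "$f" ]; then
            echo "MISSING: $f"; problems=$((problems + 1)); continue
        fi
        if [ ! -s "$f" ]; then
            echo "EMPTY: $f"; problems=$((problems + 1))
        fi
        # find prints the path only when the predicate matches
        if [ -z "$(find "$f" -prune -user "$owner")" ]; then
            echo "OWNER: $f is not owned by $owner"; problems=$((problems + 1))
        fi
        if [ -n "$(find "$f" -prune \( -perm -020 -o -perm -002 \))" ]; then
            echo "WRITABLE: $f is group- or world-writable"; problems=$((problems + 1))
        fi
    done

    # The verifier is executed during login, so it must be executable.
    if [ -f "$dir/verifier" ] && [ ! -x "$dir/verifier" ]; then
        echo "NOEXEC: $dir/verifier is not executable"; problems=$((problems + 1))
    fi

    # The directory itself must not let other users replace the files.
    if [ -d "$dir" ] && [ -n "$(find "$dir" -prune \( -perm -020 -o -perm -002 \))" ]; then
        echo "WRITABLE: $dir is group- or world-writable"; problems=$((problems + 1))
    fi

    [ "$problems" -eq 0 ]    # exit status 0 only when nothing was flagged
}
```

Source the file and run spok_audit as root on the server; a non-zero exit status means at least one finding was printed.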
The policy.yml file contains the information regarding which email addresses can access which users, or principals, on the server, using SPoK.
This file can be edited directly using a text editor, or preferably using the verifier tool.
The verifier tool primarily serves two purposes:
- Once configured, the verifier becomes the default authentication provider for sshd on the server. When you ssh into the server using a certificate that is generated by spok login, the verifier verifies the certificate for authenticity, and also checks it against the policy stored in the policy.yml file. Once verified, you are automatically logged into the server. If it fails to verify, it'll fall back on other configured modes of authentication.
- It can also be used to add/remove principals for different email addresses in the policy.yml file.
- To add a new principal called user for the email address [email protected], run the following command:
/etc/spok/verifier add [email protected] user
- Similarly, to remove the principal, use the remove command:
/etc/spok/verifier remove [email protected] user
This repository contains SPoK, covered under the MIT License, except where noted.
It is distributed under the terms of the MIT License.
Third parties are permitted to distribute the software independently, but they are restricted from utilizing any SPoK trademarks, proprietary cloud services, etc.
We expressly authorize you to incorporate our trademarks while developing SPoK itself. However, you are prohibited from publishing or sharing the resulting build, and you may not employ that build to operate SPoK for any other purpose.