holo-ssh-keys - Holo plugin to provision .ssh/authorized_keys


This plugin provisions SSH keys into the $HOME/.ssh/authorized_keys of a user. Key files are found at /usr/share/holo/ssh-keys/$user/$, where $user is the name of the user whose authorized_keys will be edited. Each key file is an entity within Holo, with the entity name ssh-keyset:$user/$ident. For example:

$ holo scan ssh-keyset:john-doe/login

    found in /usr/share/holo/ssh-keys/john-doe/
      key is 2048 SHA256:vogJG+8rxIB80hEp8OCJLUQgtfOajXHudPp6YvDvY8W (RSA)

The last information line contains the output of ssh-keygen -l. If the file contains multiple public keys, there will appear one such line per key.

The format of SSH public key files is documented in sshd(8) in the section authorized_keys file format.

Apply operation

When a key file is applied, all keys in it will be added to .ssh/authorized_keys (unless already present). To track which keys were provisioned by Holo, the comment field of the key is replaced by holo=$entity_name.

Applying a key file entity will also remove all keys from .ssh/authorized_keys which are tagged with this entity name, but are not present in the resource file for this entity. Keys can thus be replaced in or removed from the key file, and all changes will be propagated into .ssh/authorized_keys automatically (without requiring --force).


holo(8) provides the user interface for using this plugin.


Stefan Majewsky

Further documentation is available at the project homepage:

Please report any issues and feature requests at GitHub: