Paramiko-Cloud

Paramiko-Cloud extends Paramiko with ECDSA keys whose private material stays in cloud key management services. The provider key classes behave like Paramiko ECDSAKey objects, so they can sign SSH data and issue OpenSSH certificates without exporting the private key.

The package also includes a small PKI layer for building OpenSSH certificate signing requests, serializing those requests through protobuf, and returning certificate lines that can be saved as *-cert.pub files.

Features

  • AWS KMS, Google Cloud KMS, and Azure Key Vault ECDSA signing keys.

  • OpenSSH user and host certificate generation.

  • Certificate options, extensions, principals, serials, key IDs, and validity windows.

  • Protobuf serialization for signing requests.

  • A gRPC server wrapper for exposing certificate signing services.
