27 repositorios
Authentication frameworks for non-human entities using role-based access control.
Distinguishing note: Focuses on machine-to-machine authentication rather than user identity.
Explore 27 awesome GitHub repositories matching security & cryptography · Machine Identity. Refine with filters or upvote what's useful.
Infisical is a centralized secrets management platform designed to store, synchronize, and control access to sensitive credentials and configuration data across distributed development, staging, and production environments. It employs client-side encryption to ensure that secrets remain unreadable to the underlying storage infrastructure, while providing a hierarchical permission model to govern both user and machine access. The platform distinguishes itself through dynamic credential provisioning, which generates short-lived access tokens that are automatically revoked after use. It supports
Automates secure access for servers and pipelines using cloud-native identity and role-based permissions.
go-cursor-help is a machine ID resetter and trial limit bypass tool designed for the Cursor AI editor. It functions as a device identifier generator that modifies configuration files and system registries to regenerate unique hardware identifiers. The utility enables the reset of trial usage restrictions and the recovery of access for accounts flagged for suspicious activity. It achieves this by replacing existing machine identifiers with new, pseudo-random strings to simulate a fresh installation environment. The tool includes a configuration backup utility that archives original system ide
Creates new machine IDs to prevent applications from tracking and blocking multiple free accounts.
NetBird is a zero-trust networking platform that builds secure, encrypted peer-to-peer overlay networks using the WireGuard protocol. It functions as a software-defined perimeter, connecting distributed infrastructure across cloud environments and physical locations while hiding network resources from the public internet. By integrating with external identity providers, the platform enforces granular access control and identity-based segmentation for every user and device. The platform distinguishes itself through extensive automation and programmatic management capabilities. It provides a ce
Automates the secure registration of new devices into the private network using unique enrollment keys.
Teleport is a zero-trust access platform designed to provide secure, identity-based connectivity to servers, databases, and Kubernetes clusters. It functions as a centralized gateway that replaces static credentials with short-lived, identity-bound cryptographic certificates, effectively eliminating the need for traditional VPNs and long-term secret exposure. The platform distinguishes itself by orchestrating access through a unified control plane that maps external identity provider claims to granular, role-based infrastructure permissions. It enforces security through mutual TLS gateways an
The platform automates the lifecycle of credentials for services and bots to enable secure, identity-based access for workloads and continuous integration pipelines.
kops is a Kubernetes cluster provisioner and lifecycle manager designed to automate the creation, maintenance, and destruction of production-grade clusters on cloud infrastructure. It functions as a declarative infrastructure manager, synchronizing the live state of a cluster with versioned manifests stored in remote object storage to ensure idempotent operations. The project distinguishes itself by offering comprehensive automation for the entire cluster lifecycle, including high-availability control plane deployment, incremental rolling updates, and automated version upgrades. It also serve
Configures identity and connectivity settings to join new machines to an existing cluster.
systemd is a comprehensive system and service manager for Linux that orchestrates the entire operating system lifecycle. It functions as the primary init system, managing the transition from firmware to a fully initialized user space while providing a unified framework for service orchestration, hardware management, and resource control. The project distinguishes itself through its declarative, unit-based configuration model and dynamic dependency resolution, which allow for efficient, on-demand service activation and socket-based process management. It integrates deep system observability th
Automatically assigns unique system identifiers to match host-provided virtual machine UUIDs.
Casdoor is a centralized identity and access management platform that functions as an OAuth 2.0 authorization server. It provides a comprehensive suite of services for managing user identities, authentication sessions, and access policies across both web and machine-to-machine applications. Built with a decoupled frontend-backend architecture in Go, the platform supports high-concurrency environments and offers a web-based management interface for administrative tasks. The platform distinguishes itself through its extensive support for federated identity management, allowing integration with
Secures programmatic service-to-service communication using automated token exchange and granular scope-based access control.
CrowdSec is a collaborative, distributed security engine designed for threat detection and infrastructure protection. It functions as an intrusion detection system that parses logs and network traffic to identify malicious patterns, utilizing a bucket-based threshold detection model to aggregate events and trigger alerts. The platform is built on a modular architecture that includes a centralized local API server for managing security signals and a relational database for persistent storage of remediation decisions. What distinguishes the project is its decoupled enforcement model, which offl
Connects local security engines to a centralized management platform for remote monitoring and fleet orchestration.
MQTT.js is a JavaScript client library and asynchronous messaging client used to connect to message brokers and exchange data via the MQTT protocol. It provides a broker interface for publishing and subscribing to topics, and includes a command-line interface for interacting with brokers without writing code. The library supports multiple network layers, including TCP, TLS, and WebSockets, and allows for custom WebSocket construction and transport injection to handle specific headers or subprotocols. It implements bandwidth reduction through topic aliasing, which replaces repetitive topic str
Implements secure machine-to-machine messaging using TLS encryption and authentication tokens.
This project is a public key infrastructure management system designed to automate the issuance, renewal, and revocation of X.509, TLS, and SSH certificates. It functions as a machine identity provider and certificate authority, enabling the establishment of private PKI to secure inter-service communication and remote access. The system distinguishes itself through hardware-bound identity attestation, which ties cryptographic keys to physical device silicon or TPMs to prevent credential exfiltration. It supports a wide array of identity verification mechanisms, including OIDC, cloud-provider
Assigns and rotates cryptographic identities for non-human workloads to secure access without static secrets.
k3sup is a command-line tool that installs and manages lightweight Kubernetes clusters entirely over SSH, without requiring any pre-installed software on the target machines. It bootstraps clusters on remote hosts using a single statically-linked binary, then provides immediate kubectl access by fetching and merging the cluster's admin credentials into the local configuration. The tool supports plan-driven cluster topology, allowing users to define node roles and configuration in a YAML file for automated multi-node deployment. The tool distinguishes itself by enabling parallel execution of i
Joins additional machines as agents to an existing Kubernetes server over SSH, expanding compute capacity.
This project is a public company employee handbook that serves as a centralized reference for internal policies, organizational standards, and corporate governance for a distributed workforce. It functions as an operational guide and culture manifesto, detailing the shared values and social norms used to align a global team. The handbook defines a remote-first operational model that emphasizes asynchronous communication and a distributed work infrastructure. It specifies unique organizational practices such as cycle-based development intervals, a customer-facing support rotation for all emplo
Provides the capability to remotely wipe data from managed devices when lost or upon employee departure.
Fleet is an open-source device management platform that provides centralized control over computing devices running macOS, Linux, Windows, Chromebooks, iOS, and Android. It enables organizations to enroll devices, collect real-time telemetry, enforce security compliance policies, and manage software remotely from a single system. The platform can be deployed as a single binary, run locally for testing, or scaled horizontally across cloud infrastructure on AWS, Kubernetes, GCP, or Render, with support for high availability through database replication and load balancing. The platform distingui
Registers computing devices into the management platform for centralized monitoring and control.
KurrentDB is an event-native database designed for event sourcing and event-driven architectures. It stores application state as an immutable, ordered sequence of events rather than updating rows in place, preserving full history for audit, replay, and distributed consistency. The database combines event storage with real-time streaming and a built-in JavaScript projection engine that transforms and aggregates event streams into materialized views. The system provides official gRPC client libraries for Python, Node.js, Java, .NET, Go, and Rust, enabling multi-language application development
Allows follower nodes to join a cluster despite data size mismatches for operational flexibility.
LXD is a unified platform for managing both system containers and virtual machines through a single REST API and command-line interface. It provides a programmatic HTTP interface for controlling the full lifecycle of instances, enabling automation and integration with external tools. The system runs unprivileged containers with per-instance UID/GID mappings, seccomp filters, and AppArmor profiles for kernel-level isolation, while supporting multiple storage backends including directory, Btrfs, LVM, ZFS, Ceph, LINSTOR, and TrueNAS through a unified driver interface. The platform distinguishes
Adds a new server to an existing cluster by authenticating with a join token and confirming data loss.
Pomerium es un reverse proxy de confianza cero (zero-trust) consciente de la identidad, diseñado para asegurar aplicaciones internas e infraestructura sin necesidad de una VPN tradicional. Al verificar cada solicitud a través de un proveedor de identidad y un motor de políticas declarativo, asegura que el acceso se otorgue basado en la identidad del usuario, el contexto del dispositivo y los atributos de la solicitud en lugar de la ubicación de red. El proyecto se distingue por su capacidad para manejar diversos protocolos y requisitos de acceso complejos. Proporciona acceso seguro y verificado por identidad a aplicaciones web, servicios TCP y UDP, y conexiones SSH, reemplazando claves estáticas con certificados efímeros de corta duración. Además, funciona como una puerta de enlace para el Model Context Protocol, permitiendo el descubrimiento seguro, auditoría y ejecución de herramientas aplicada por políticas para agentes de IA y servicios automatizados. Pomerium se integra con Kubernetes como un controlador de ingress, traduciendo recursos de ingress nativos en configuraciones de enrutamiento conscientes de la identidad. Su arquitectura soporta la sincronización centralizada del plano de control, permitiendo a los administradores distribuir políticas de seguridad, certificados TLS y configuraciones de enrutamiento a través de clústeres de proxy distribuidos. El sistema también ofrece gestión de tráfico granular, incluyendo balanceo de carga, manipulación de encabezados y filtrado basado en rutas, para asegurar una conectividad segura y eficiente a los servicios backend. El proyecto está diseñado para un despliegue flexible, soportando arquitecturas tanto unificadas como desacopladas para acomodar el escalado independiente de los componentes de datos y del plano de control. Proporciona una observabilidad integral a través de registros de auditoría de decisiones de autorización y exportación de métricas de rendimiento, facilitando el cumplimiento y el monitoreo de seguridad en diversos entornos.
Generates registration links for directory users to link specific devices to their identity for access control.
Kanidm is a centralized identity management server designed to handle authentication, authorization, and directory services across distributed infrastructure. It provides a comprehensive framework for managing human and service accounts, utilizing a schema-driven database to store identity records, group memberships, and system attributes. The platform supports a wide range of authentication methods, including passkeys, passwords, and standard protocols like OAuth2, OIDC, LDAP, and RADIUS. The system distinguishes itself through a granular access control engine that enforces security policies
Registers machines using auditable join tokens to embed security policies during enrollment.
dockertest es una biblioteca de pruebas de integración de Docker y cliente programático de Go utilizado para arrancar y gestionar contenedores efímeros. Funciona como un orquestador de pruebas contenedorizado que proporciona entornos aislados para pruebas de integración gestionando el ciclo de vida de los servicios dependientes. La biblioteca maneja la orquestación de entornos efímeros mediante el aprovisionamiento de contenedores y redes temporales. Asegura la consistencia del entorno mediante comprobaciones de disponibilidad de servicios y limpieza automatizada de recursos para evitar fugas después de que se complete la ejecución de la prueba. El proyecto cubre la validación de servicios contenedorizados, incluyendo la capacidad de recuperar detalles de conexión dinámicos y gestionar redes de contenedores. También soporta la captura de registros de contenedores y la ejecución de comandos dentro de contenedores en ejecución.
Invalidates sequences of tokens to revoke an agent's delegated access.
Sonyflake es una biblioteca de IDs únicos distribuidos que crea identificadores ordenados cronológicamente y libres de colisiones en múltiples máquinas. Funciona como un generador basado en tiempo que codifica marcas de tiempo en IDs, asegurando que los identificadores estén ordenados de forma monótona. El sistema opera sin una autoridad central de coordinación, produciendo IDs únicos en nodos distribuidos sin requerir comunicación de estado compartido o bloqueos centrales. Evita colisiones entre diferentes nodos incorporando identificadores de máquina conscientes del host, los cuales se resuelven utilizando direcciones de red privada o metadatos de instancias en la nube. La biblioteca soporta la asignación de bits personalizable, permitiendo equilibrar el conteo de máquinas y las tasas de generación. Estas capacidades permiten la generación de claves únicas ordenables para la indexación de bases de datos distribuidas y la gestión de identidades en microservicios.
Assigns unique system identifiers based on private network addresses or cloud metadata to prevent ID collisions.
This project is a command-line tool for managing public key infrastructure and digital identities. It provides a comprehensive suite for X.509 certificate lifecycle management, including the generation, signing, renewal, and revocation of certificates and signing requests. The tool distinguishes itself through specialized security capabilities such as binding cryptographic credentials to TPMs and HSMs for hardware-backed identity attestation. It also provides dedicated support for machine identity security, using short-lived SSH certificates and mTLS to secure non-human workloads. Broad capa
Secures non-human workloads using mTLS, hardware attestation, and short-lived SSH certificates.