emcssh −- PKI interface between Emercoin and OpenSSH


emcssh username


emcssh returns a public key list for OpenSSH daemon sshd.

When a user logs in to a host using an SSH key, the sshd server searches for an appropriate public key for the user in the predefined keyfile, usually $HOME/.ssh/authorized_keys. If emcssh is specified as the AuthorizedKeysCommand parameter in the ssh config file sshd_config, then sshd runs emcssh with a single argument - login username.

emcssh reads lines from another file - emcssh_keys, located by default in $HOME/.ssh. If emcssh_keys contains just public keys, then the lines are returned without changes. In this case emcssh would just return a primary keylist for the specified user (with a secondary keylist provided by the default authorized_keys file).

However, the emcssh_keys file can include special lines containing lists which emcssh will process in its own special way (see below). Each list element is separated by a pipe (|). and can be one of:


regular ssh key.


reference to another list, in format @key_name.

The following example demonstrates a list containing two references and a public key:

@[email protected]|ssh-rsa AAA...fIec=

When emcssh finds a list, it splits it into elements and processes each. If an element is a regular ssh key, emcssh just prints it. If an element is a reference, emcssh searches for an appropriate key with service prefix ssh: in the distributed Emercoin Name-Value Storage (NVS), and processes the extracted value.

The extracted value can contain another list, in the same format as described above.

Imagine the following scenario:

1. Jack deposits his own public ssh-key into Emercoin NVS. His list contains a single element - an ssh key only - and he uses his name as the search key. Thus, he deposits the pair:

ssh:jack -> ssh-rsa AAA...xyzQ=

2. Jill does the same, and deposits her own public key:

ssh:jill -> ssh-rsa AAA...eklmn=

3. A sysadmin decides to create a workgroup for access to company servers and deposits into Emercoin NVS the following pair:

ssh:workgroup -> @[email protected]

In $HOME/.ssh/emcssh_keys on any workgroup server, he writes a reference to the group:


When emcssh finds this reference, it extracts the appropriate value from Emercoin NVS. That value contains another list [3]. emcssh processes this list too, and retrieves the public key for each group member [1,2]. As a result, emcssh returns public keys for both group members, Jack and Jill. Subsequently, either one of them can log into the server with their key.

If Jack generates a new public/private keypair, he can update the value for his record [1] in the Emercoin NVS. Changes will be automatically propagated through the Emercoin network, and next time Jack can log into any server with his new key.

The sysadmin can create another list, containing references to workgroup [3], other groups, individuals, and so on. References are recursive, and thus the sysadmin can create and maintain account trees.

If the sysadmin decides to revoke Jack’s access to the workgroup, he simply removes Jack’s reference from the list [3], and updates the record in the Emercoin NVS.

In this way, the combination of Emercoin with emcssh creates a decentralized world-wide Public Key Infrastructure (PKI).



Default per user list storage. Can contain many lists, or regular public keys.


emcssh config file. Allows the following parameters:


The Emercoin wallet’s RPC URL, to be used as the "domain controller". This URL is mandatory and used to resolve all references to Emercoin NVS. e.g:

http://rpc_USERNAME:[email protected]:8775


Verbosity level [0-4]. Messages are printed to stdout as comments, useful for testing/debugging. Level 3 prints reference resolving paths. Default is 0 (quiet).


Maximum keys to cache in the hashtable. Each key or reference returned is stored in the hashtable, to preserve double return or lookup of the same value. Thus, with "diamond-shape inheritance", each subtree will be processed only once. Default is 4096.


Path to the file authorized_keys. Can contain metasymbols $H (home directory for specified user), and $U (username). Default is $H/.ssh/emcssh_keys


Contains list of elements to be ignored. Items in this list will be iterated and resolved, keys and references will be cached, but they will not be returned. Default is empty.


Maximum depth of recursion. Default is 30.


Emercoin Team <team at emercoin dot com>