Sshifu: Give SSH access with single command and OpenSSH certificates

Sshifu tackles one of the most persistent headaches in infrastructure management: the `authorized_keys` sprawl. For small to mid-sized teams, managing SSH keys manually is a security risk, but deploying a full-scale identity-aware proxy often feels like overkill. Sshifu hits a practical middle ground by acting as an OAuth gateway and SSH Certificate Authority (CA). By issuing short-lived certificates, it shifts the trust anchor from individual user keys to a centralized identity provider like GitHub or Okta.

Technically, the implementation is lean. The system relies on standard OpenSSH certificate support (v6.7+), meaning the target servers don't need proprietary agents—just a one-time configuration to trust the Sshifu CA. The workflow is streamlined into three distinct binaries: the server, the trust-configurator, and the client. This separation of concerns is a smart move, particularly the inclusion of a bash-script version of `sshifu-trust` to avoid forcing Node.js onto production target servers.

However, the 'minimalist' label is a double-edged sword. The current version lacks essential enterprise guardrails, specifically Role-Based Access Control (RBAC), session recording, and an administrative dashboard. It essentially provides the 'plumbing' for authentication but leaves the 'governance' (who can access which specific box) to the underlying OS permissions. For a developer who just wants SSO without a three-week deployment cycle, this is a feature; for a compliance officer, it's a gap.

Sshifu is ideal for lean DevOps teams and early-stage startups that have outgrown manual key rotation but aren't ready for the operational overhead of a heavy security suite. It's a pragmatic tool that respects the builder's time by prioritizing speed of setup over an exhaustive feature set.