ssh-key-sync

command module
v1.0.0 Latest

Published: Jul 22, 2018 License: MIT Imports: 6 Imported by: 0

README

ssh-key-sync

ssh-key-sync is a tool written in Go for managing authorized_key files, by synchronizing the contents with public keys managed by accounts on github or gitlab instances.

Install

Currently, ssh-key-sync must be compiled and installed manually. With a typical Go workspace, run go get github.com/shoenig/ssh-key-sync to produce a binary. Copy that binary to the destination server somewhere on $PATH.

Run

There is only one argument, --configfile, which specifies the location of the config file that ssh-key-sync will read on startup.

Configuration

In the configuration file, specify a list of system user accounts and the SSH authorized_keys file to manage for each. Also specify a set of github accounts, each with an associated github username and local system user. The public SSH keys are pulled from that github or gitlab account and merged (as a set union) with the keys already in the specified authorized_keys file for that user. Keys which have been removed from github or gitlab are automatically removed from the authorized_keys file. Keys which were added independently of github or gitlab are left untouched.

GitHub makes users' SSH public keys available to the public. GitLab exposes SSH keys only to an administrative account, so a service user with an API token is required.

Use the following example as a template for creating a configuration file.

{
    "system": [
        {"user": "clarkk", "authorized_keys_file": "/home/clarkk/.ssh/authorized_keys"},
        {"user": "bob", "authorized_keys_file": "/home/bob/.ssh/authorized_keys"}
    ],

    "github": {
        "url": "api.github.com",
        "accounts": [
            {"username": "superman", "system_user": "clarkk"}
        ]
    },

    "gitlab": {
        "url": "internal.gitlab.net",
        "token": "_jMr-KrDoy8GChTm998a",
        "accounts": [
            {"username": "billy", "system_user": "bob"}
        ]
    }
}
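
The merge rule described above (union with the existing file, drop keys the remote no longer lists, leave hand-added keys alone) is easy to get subtly wrong, so here is an added Go example of it. This is not ssh-key-sync's own code: it assumes a comment marker of the form `ssh-key-sync:<source>` on each key a previous run wrote, which is how this example (and not necessarily the tool) tells managed keys from hand-added ones; `Sync`, `parseKey` and `fakeKey` are names chosen for the example, and `fakeKey` builds syntactically valid but unusable keys so the program runs offline. The parser accepts only `type base64 [comment]` lines, so a remote listing can never push `command=` or other authorized_keys options onto the host.

```go
package main

import (
	"encoding/base64"
	"encoding/binary"
	"fmt"
	"strings"
)

// Assumption of this example (not how ssh-key-sync itself tracks keys): a key
// written by a sync run carries the comment "ssh-key-sync:<source>".
const markerPrefix = "ssh-key-sync:"

// SyncResult summarises one Sync run.
type SyncResult struct{ Added, Removed, Rejected int }

// parseKey accepts only "type base64 [comment]" and returns "type base64" plus
// the comment. A leading options field (command=..., from=...) or a blob that
// does not decode to a key of the stated type is rejected.
func parseKey(line string) (string, string, bool) {
	f := strings.Fields(line)
	if len(f) < 2 {
		return "", "", false
	}
	raw, err := base64.StdEncoding.DecodeString(f[1])
	if err != nil || len(raw) < 4 {
		return "", "", false
	}
	n := binary.BigEndian.Uint32(raw[:4]) // wire format: uint32 length, then type
	if uint32(len(raw)-4) < n || string(raw[4:4+n]) != f[0] {
		return "", "", false
	}
	return f[0] + " " + f[1], strings.Join(f[2:], " "), true
}

// Sync merges the keys fetched for source (e.g. "github:superman") into the
// existing authorized_keys text: hand-added lines stay verbatim, keys an earlier
// sync wrote but that are no longer fetched are dropped, new keys are appended.
func Sync(existing string, fetched []string, source string) (string, SyncResult) {
	res, marker := SyncResult{}, markerPrefix+source
	prev, manual := map[string]bool{}, map[string]bool{} // earlier sync / hand-added
	var out []string
	if body := strings.TrimRight(existing, "\n"); body != "" {
		for _, line := range strings.Split(body, "\n") {
			k, comment, ok := parseKey(line)
			if ok && comment == marker {
				prev[k] = true
				continue
			}
			if ok {
				manual[k] = true
			}
			out = append(out, line) // comments, blank lines and hand-added keys
		}
	}
	want := map[string]bool{}
	for _, line := range fetched {
		k, _, ok := parseKey(line)
		if !ok {
			res.Rejected++
			continue
		}
		if want[k] || manual[k] {
			continue // listed twice, or already authorized by a hand-added line
		}
		want[k] = true
		if !prev[k] {
			res.Added++
		}
		out = append(out, k+" "+marker) // managed keys follow the remote's order
	}
	for k := range prev {
		if !want[k] {
			res.Removed++
		}
	}
	return strings.Join(out, "\n") + "\n", res
}

// fakeKey builds a syntactically valid key line around a constructed payload
// so the example runs offline; it is not a real key.
func fakeKey(typ string, seed byte) string {
	blob := make([]byte, 4+len(typ)+4+32)
	binary.BigEndian.PutUint32(blob, uint32(len(typ)))
	copy(blob[4:], typ)
	binary.BigEndian.PutUint32(blob[4+len(typ):], 32)
	for i := range blob[8+len(typ):] {
		blob[8+len(typ)+i] = seed + byte(i)
	}
	return typ + " " + base64.StdEncoding.EncodeToString(blob)
}

func main() { // constructed sample: one hand-added key, one an earlier sync wrote
	existing := "# hand-managed keys\n" + fakeKey("ssh-ed25519", 1) + " alice@laptop\n" +
		fakeKey("ssh-ed25519", 2) + " ssh-key-sync:github:superman\n"
	fetched := []string{fakeKey("ssh-ed25519", 3), `command="/bin/sh" ` + fakeKey("ssh-ed25519", 4)}
	content, res := Sync(existing, fetched, "github:superman")
	fmt.Print(content)
	fmt.Printf("%+v\n", res) // {Added:1 Removed:1 Rejected:1}
}
```

Run it with go run: the hand-added key and the comment line survive, the stale managed key is removed, the new one is appended with the marker, and the line carrying an options prefix is rejected. A second run over the produced file changes nothing, which is the property you want from anything executed by a timer.
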

Systemd Timer

A great way to keep authorized_keys files updated is to run ssh-key-sync periodically via a systemd timer. To set this up, we will need two files: a service file which represents one execution of ssh-key-sync, and a timer file which represents the schedule on which the service should be executed. Use the example below, modifying paths to suit your needs. More examples can be found in this blog post.

The service file /etc/systemd/system/ssh-key-sync.service:

[Unit]
Description=Synchronize ssh authorized keys with public keys from github.

[Service]
ExecStart=/opt/keys/ssh-key-sync --configfile /opt/keys/config.json

The timer file /etc/systemd/system/ssh-key-sync.timer:

[Unit]
Description=Run ssh-key-sync every hour

[Timer]
OnBootSec=5min
OnUnitActiveSec=1h
Unit=ssh-key-sync.service

[Install]
WantedBy=timers.target

Enable the timer:

$ systemctl enable ssh-key-sync.timer

License

MIT

Documentation

There is no documentation for this package.

Directories

Path                 Synopsis
internal
config/configtest    Package configtest contains autogenerated mocks.
netapi/netapitest    Package netapitest contains autogenerated mocks.
ssh
ssh/sshtest          Package sshtest contains autogenerated mocks.
