sync-ssh-keys

command module
v0.5.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jul 12, 2020 License: MIT Imports: 6 Imported by: 0

README

Sync ssh keys

Sync public ssh keys to ~/.ssh/authorized_keys, based on Github/Gitlab organization membership.

diagram

Install

$ export GO111MODULE=on
$ go get github.com/samber/sync-ssh-keys

or

$ curl -L -o /usr/local/bin/sync-ssh-keys \
      https://github.com/samber/sync-ssh-keys/releases/download/v0.5.0/sync-ssh-keys_0.5.0_linux-amd64
$ chmod +x /usr/local/bin/sync-ssh-keys

or

$ docker pull samber/sync-ssh-keys:0.5.0
$ docker run --rm samber/sync-ssh-keys:0.5.0 --github-username samber
Sync using a crontask
$ crontab -e

Then:

# sync once per hour
0 * * * * sync-ssh-keys --github-token XXXXXXXXXXXXXXX --github-org epitech --github-team sysadmin --output /root/.ssh/authorized_keys

Usage

$ sync-ssh-keys --help
usage: sync-ssh-keys [<flags>]

Flags:
      --help                   Show context-sensitive help (also try --help-long and --help-man).


  -o, --output=OUTPUT          Write output to <file>. Default to stdout
      --Werror=WERROR          Treat warning as errors. Fatal error if organization, team or user does not exist.


      --local-path=LOCAL-PATH  Path to a local authorized_keys file. It can be useful in case of network failure ;)


      --github-endpoint=GITHUB-ENDPOINT
                               Github Enterprise endpoint.
      --github-token=GITHUB-TOKEN
                               Github personal token.
      --github-org=GITHUB-ORG  Github organization name.
      --github-team=GITHUB-TEAM ...
                               Team(s) allowed to access server.
      --github-username=GITHUB-USERNAME ...
                               Username(s) allowed to access server.
      --exclude-github-username=EXCLUDE-GITHUB-USERNAME ...
                               Username(s) to explicitly exclude.


      --gitlab-endpoint=GITLAB-ENDPOINT
                               Gitlab endpoint.
      --gitlab-token=GITLAB-TOKEN
                               Gitlab personal token.
      --gitlab-group=GITLAB-GROUP ...
                               Group allowed to access server.
      --gitlab-username=GITLAB-USERNAME ...
                               Username(s) allowed to access server.
      --exclude-gitlab-username=EXCLUDE-GITLAB-USERNAME ...
                               Username(s) to explicitly exclude.


      --version                Show application version.
Simple user
$ sync-ssh-keys --github-username samber

#
# Github
#

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDhDlAK8ewcwC............. samber@github

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCuLVeU6zqRrQ............. samber@github
On Gitlab
$ sync-ssh-keys --gitlab-token XXXXXXXXXXXXXXXXXX \
                --gitlab-username samuelberthe
More users
$ sync-ssh-keys --github-username samber \
                --github-username john \
                --github-username doe
All members of an organizations
$ sync-ssh-keys --github-token XXXXXXXXXXXXXXX \
                --github-org epitech \
                        > /root/.ssh/authorized_keys
All members of teams "root" and "sre", of a Github organizations
$ sync-ssh-keys --github-token XXXXXXXXXXXXXXX \
                --github-org epitech \
                --github-team root \
                --github-team sre \
                        > /root/.ssh/authorized_keys
All members of an organizations excluding myself ;)
$ sync-ssh-keys --github-token XXXXXXXXXXXXXXX \
                --github-org epitech \
                --exclude-github-username samber \
                        > /root/.ssh/authorized_keys
In case of network failure, lets fallback to an hard-coded ssh key
$ sync-ssh-keys --github-username samber \
                --local-path /root/.ssh/instance_keys \
                        > /root/.ssh/authorized_keys
Pass destination file as parameter
$ sync-ssh-keys --github-username samber \
                -o /root/.ssh/authorized_keys
Gitlab + Github + Local providers
$ sync-ssh-keys --github-username samber \
                --gitlab-username john-doe \
                --local-path /root/.ssh/instance_keys \
                -o /root/.ssh/authorized_keys
Gitlab Subgroup
$ sync-ssh-keys --gitlab-token XXXXXXXXXXXXXXX \
                --gitlab-group "gitlab-org/cluster-integration" \
                --gitlab-group "gitlab-org/monitor" \
                -o /root/.ssh/authorized_keys

About rate limiting

⚠️ Request volume can grow very fast on large infrastructures. It will be multiplied by the number of servers.

This is highly recommanded to use a dedicated access token linked to dedicated Gitub/Gitlab account.

Github rate limits:

  • 5000 req/h authenticated
  • 60 req/h/IP unauthenticated

Gitlab rate limits:

  • 10 req/s/IP
  • 600 req/min

We send approximataly 1 request per organisation + 1 per group + 1 per user.

Example
$ sync-ssh-keys --github-token XXXXXXXXXXXXXXX \
                --github-org epitech \
                --github-team root \
                --github-team sre \
                --exclude-github-username samber \
  • "Root" team having 3 members.
  • "SRE" team having 10 members.
  • Executed at the same time on 50 servers

50 servers * (1 org + 2 teams + 3 users + 10 users) = 800 requests

Trade-off

If you have too many servers and/or too many users:

  • Sync only twice a day.
  • At different time on each server.
  • Fetch once and scp everywhere.
  • Execute binary with -Werror and redirect to .ssh/authorized_keys using -o instead of >. It will write ssh keys in a lazy way, if no error happened.

Contribute

$ make run

$ make release
$ make docker-release

License

MIT license

Documentation

The Go Gopher

There is no documentation for this package.

Source Files

View all Source files

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.