  • Language
    Go
  • License
    MIT License
  • Created almost 5 years ago
  • Updated 6 months ago

Sync ssh keys

Sync public ssh keys to ~/.ssh/authorized_keys, based on Github/Gitlab organization membership.

Install

$ export GO111MODULE=on
$ go get github.com/samber/sync-ssh-keys

or

$ curl -L -o /usr/local/bin/sync-ssh-keys \
      https://github.com/samber/sync-ssh-keys/releases/download/v0.5.0/sync-ssh-keys_0.5.0_linux-amd64
$ chmod +x /usr/local/bin/sync-ssh-keys

or

$ docker pull samber/sync-ssh-keys:0.5.0
$ docker run --rm samber/sync-ssh-keys:0.5.0 --github-username samber

Sync using a cron task

$ crontab -e

Then:

# sync once per hour
0 * * * * sync-ssh-keys --github-token XXXXXXXXXXXXXXX --github-org epitech --github-team sysadmin --output /root/.ssh/authorized_keys

Usage

$ sync-ssh-keys --help
usage: sync-ssh-keys [<flags>]

Flags:
      --help                   Show context-sensitive help (also try --help-long and --help-man).

  -o, --output=OUTPUT          Write output to <file>. Default to stdout
      --Werror=WERROR          Treat warning as errors. Fatal error if organization, team or user does not exist.

      --local-path=LOCAL-PATH  Path to a local authorized_keys file. It can be useful in case of network failure ;)

      --github-endpoint=GITHUB-ENDPOINT
                               Github Enterprise endpoint.
      --github-token=GITHUB-TOKEN
                               Github personal token.
      --github-org=GITHUB-ORG  Github organization name.
      --github-team=GITHUB-TEAM ...
                               Team(s) allowed to access server.
      --github-username=GITHUB-USERNAME ...
                               Username(s) allowed to access server.
      --exclude-github-username=EXCLUDE-GITHUB-USERNAME ...
                               Username(s) to explicitly exclude.

      --gitlab-endpoint=GITLAB-ENDPOINT
                               Gitlab endpoint.
      --gitlab-token=GITLAB-TOKEN
                               Gitlab personal token.
      --gitlab-group=GITLAB-GROUP ...
                               Group allowed to access server.
      --gitlab-username=GITLAB-USERNAME ...
                               Username(s) allowed to access server.
      --exclude-gitlab-username=EXCLUDE-GITLAB-USERNAME ...
                               Username(s) to explicitly exclude.

      --version                Show application version.

Simple user

$ sync-ssh-keys --github-username samber

#
# Github
#

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDhDlAK8ewcwC............. samber@github

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCuLVeU6zqRrQ............. samber@github

On Gitlab

$ sync-ssh-keys --gitlab-token XXXXXXXXXXXXXXXXXX \
                --gitlab-username samuelberthe

More users

$ sync-ssh-keys --github-username samber \
                --github-username john \
                --github-username doe

All members of an organization

$ sync-ssh-keys --github-token XXXXXXXXXXXXXXX \
                --github-org epitech \
                        > /root/.ssh/authorized_keys

All members of teams "root" and "sre" of a Github organization

$ sync-ssh-keys --github-token XXXXXXXXXXXXXXX \
                --github-org epitech \
                --github-team root \
                --github-team sre \
                        > /root/.ssh/authorized_keys

All members of an organization, excluding myself ;)

$ sync-ssh-keys --github-token XXXXXXXXXXXXXXX \
                --github-org epitech \
                --exclude-github-username samber \
                        > /root/.ssh/authorized_keys

In case of network failure, let's fall back to a hard-coded ssh key

$ sync-ssh-keys --github-username samber \
                --local-path /root/.ssh/instance_keys \
                        > /root/.ssh/authorized_keys

Pass destination file as parameter

$ sync-ssh-keys --github-username samber \
                -o /root/.ssh/authorized_keys

Gitlab + Github + Local providers

$ sync-ssh-keys --github-username samber \
                --gitlab-username john-doe \
                --local-path /root/.ssh/instance_keys \
                -o /root/.ssh/authorized_keys

Gitlab Subgroup

$ sync-ssh-keys --gitlab-token XXXXXXXXXXXXXXX \
                --gitlab-group "gitlab-org/cluster-integration" \
                --gitlab-group "gitlab-org/monitor" \
                -o /root/.ssh/authorized_keys

About rate limiting

⚠️ Request volume can grow very fast on large infrastructures: it is multiplied by the number of servers.

It is highly recommended to use a dedicated access token linked to a dedicated Github/Gitlab account.

Github rate limits:

  • 5000 req/h authenticated
  • 60 req/h/IP unauthenticated

Gitlab rate limits:

  • 10 req/s/IP
  • 600 req/min

We send approximately 1 request per organization + 1 per group + 1 per user.

Example

$ sync-ssh-keys --github-token XXXXXXXXXXXXXXX \
                --github-org epitech \
                --github-team root \
                --github-team sre \
                --exclude-github-username samber

With:

  • "Root" team having 3 members.
  • "SRE" team having 10 members.
  • Executed at the same time on 50 servers.

50 servers * (1 org + 2 teams + 3 users + 10 users) = 800 requests

Trade-off

If you have too many servers and/or too many users:

  • Sync only twice a day.
  • At a different time on each server.
  • Fetch once and scp everywhere.
  • Execute the binary with --Werror and write to .ssh/authorized_keys using -o instead of >. The file is only written once every provider answered without error, so a failed sync never replaces a working key list with an empty or partial one.

Contribute

$ make run
$ make release
$ make docker-release

License

MIT license
