Sync ssh keys
Sync public ssh keys to ~/.ssh/authorized_keys
, based on Github/Gitlab organization membership.
Install
$ export GO111MODULE=on
$ go get github.com/samber/sync-ssh-keys
or
$ curl -L -o /usr/local/bin/sync-ssh-keys \
https://github.com/samber/sync-ssh-keys/releases/download/v0.5.0/sync-ssh-keys_0.5.0_linux-amd64
$ chmod +x /usr/local/bin/sync-ssh-keys
or
$ docker pull samber/sync-ssh-keys:0.5.0
$ docker run --rm samber/sync-ssh-keys:0.5.0 --github-username samber
Sync using a crontask
$ crontab -e
Then:
# sync once per hour
0 * * * * sync-ssh-keys --github-token XXXXXXXXXXXXXXX --github-org epitech --github-team sysadmin --output /root/.ssh/authorized_keys
Usage
$ sync-ssh-keys --help
usage: sync-ssh-keys [<flags>]
Flags:
--help Show context-sensitive help (also try --help-long and --help-man).
-o, --output=OUTPUT Write output to <file>. Default to stdout
--Werror=WERROR Treat warning as errors. Fatal error if organization, team or user does not exist.
--local-path=LOCAL-PATH Path to a local authorized_keys file. It can be useful in case of network failure ;)
--github-endpoint=GITHUB-ENDPOINT
Github Enterprise endpoint.
--github-token=GITHUB-TOKEN
Github personal token.
--github-org=GITHUB-ORG Github organization name.
--github-team=GITHUB-TEAM ...
Team(s) allowed to access server.
--github-username=GITHUB-USERNAME ...
Username(s) allowed to access server.
--exclude-github-username=EXCLUDE-GITHUB-USERNAME ...
Username(s) to explicitly exclude.
--gitlab-endpoint=GITLAB-ENDPOINT
Gitlab endpoint.
--gitlab-token=GITLAB-TOKEN
Gitlab personal token.
--gitlab-group=GITLAB-GROUP ...
Group allowed to access server.
--gitlab-username=GITLAB-USERNAME ...
Username(s) allowed to access server.
--exclude-gitlab-username=EXCLUDE-GITLAB-USERNAME ...
Username(s) to explicitly exclude.
--version Show application version.
Simple user
$ sync-ssh-keys --github-username samber
#
# Github
#
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDhDlAK8ewcwC............. samber@github
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCuLVeU6zqRrQ............. samber@github
On Gitlab
$ sync-ssh-keys --gitlab-token XXXXXXXXXXXXXXXXXX \
--gitlab-username samuelberthe
More users
$ sync-ssh-keys --github-username samber \
--github-username john \
--github-username doe
All members of an organizations
$ sync-ssh-keys --github-token XXXXXXXXXXXXXXX \
--github-org epitech \
> /root/.ssh/authorized_keys
All members of teams "root" and "sre", of a Github organizations
$ sync-ssh-keys --github-token XXXXXXXXXXXXXXX \
--github-org epitech \
--github-team root \
--github-team sre \
> /root/.ssh/authorized_keys
All members of an organizations excluding myself ;)
$ sync-ssh-keys --github-token XXXXXXXXXXXXXXX \
--github-org epitech \
--exclude-github-username samber \
> /root/.ssh/authorized_keys
In case of network failure, lets fallback to an hard-coded ssh key
$ sync-ssh-keys --github-username samber \
--local-path /root/.ssh/instance_keys \
> /root/.ssh/authorized_keys
Pass destination file as parameter
$ sync-ssh-keys --github-username samber \
-o /root/.ssh/authorized_keys
Gitlab + Github + Local providers
$ sync-ssh-keys --github-username samber \
--gitlab-username john-doe \
--local-path /root/.ssh/instance_keys \
-o /root/.ssh/authorized_keys
Gitlab Subgroup
$ sync-ssh-keys --gitlab-token XXXXXXXXXXXXXXX \
--gitlab-group "gitlab-org/cluster-integration" \
--gitlab-group "gitlab-org/monitor" \
-o /root/.ssh/authorized_keys
About rate limiting
This is highly recommanded to use a dedicated access token linked to dedicated Gitub/Gitlab account.
Github rate limits:
- 5000 req/h authenticated
- 60 req/h/IP unauthenticated
Gitlab rate limits:
- 10 req/s/IP
- 600 req/min
We send approximataly 1 request per organisation + 1 per group + 1 per user.
Example
$ sync-ssh-keys --github-token XXXXXXXXXXXXXXX \
--github-org epitech \
--github-team root \
--github-team sre \
--exclude-github-username samber \
- "Root" team having 3 members.
- "SRE" team having 10 members.
- Executed at the same time on 50 servers
50 servers * (1 org + 2 teams + 3 users + 10 users) = 800 requests
Trade-off
If you have too many servers and/or too many users:
- Sync only twice a day.
- At different time on each server.
- Fetch once and scp everywhere.
- Execute binary with
-Werror
and redirect to.ssh/authorized_keys
using-o
instead of>
. It will write ssh keys in a lazy way, if no error happened.
Contribute
$ make run
$ make release
$ make docker-release