Use GitHub teams to manage system user accounts and authorized_keys
.
Administrators
- Automatically provision new users to production servers simply by adding them to a designated GitHub team (e.g.
ssh
). - No need to keep
authorized_keys
up to date because keys are pulled directly from github.com API and optionally cached in etcd - Immediately revoke SSH access to servers by evicting users from the GitHub team
- Easy to deploy
End Users
- Self-administer public SSH keys via the GitHub account settings.
- No need to manage multiple SSH keys
This tool consists of three parts:
- User Account / Authorized Keys provisioner which polls GitHub API for users that correspond to a given GitHub Organization & Team using a personal access token. It's responsible for adding or removing users from the system. All commands are templatized to allow it to run on multiple distributions.
- Simple read-only REST API that provides public keys for users, which is used by the
AuthorizedKeysCommand
in thesshd_config
; this allows you to expose the service internally without compromising your Github Token. The public SSH access keys are optionally cached in Etcd for performance and reliability. - An
AuthorizedKeysCommand
script that willcurl
the REST API for a user's public keys.
If you are running a derivative of RHEL9 (Fedora 36+, CentOS 9*, Rocky 9*, etc) or modern Debian derivatives (Ubuntu etc) the install script should install and configure the service for you.
$ sudo /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/terjekv/github-authorized-keys/main/contrib/install.sh)"
After the install is finished, you will be prompted to edit the configuration file /root/.github-authorized-keys.yaml
and
add your GitHub API token, organization name, and team name.
For older versions of RHEL/CentOS, you will need to adapt the SELinux policies. Work is being done to make this easier.
Note: On other distributions, you will also need to validate the templates for adding users LINUX_USER_ADD_TPL
, adding users with a
GID available LINUX_USER_ADD_WITH_GID_TPL
and adding users to groups LINUX_USER_ADD_TO_GROUP_TPL
are correct for your
distribution.
An easy way to get up and running is by using the ready-made docker container. The only dependency is Docker itself. If you wish to run CoreOS or use systemd
, there's a sample unit file.
A prebuilt public docker image that is built using upon tagging a release (via releases.yml) or you can build your own from source.
docker build -t terjekv/github-authorized-keys .
All arguments can be passed both as environment variables or command-line arguments, or even mix-and-match them to suit your tastes.
Available configuration options:
Environment Variable | Argument | Description | Default |
---|---|---|---|
GITHUB_API_TOKEN |
--github-api-token |
GitHub API Token (read-only) | |
GITHUB_ORGANIZATION |
--github-organization |
GitHub Organization Containing Team | |
GITHUB_ADMIN_TEAM_NAME |
--github-admin-team-name |
Name of GitHub Team that grants admin SSH access | |
GITHUB_USER_TEAM_NAME |
--github-user-team-name |
Name of GitHub Team that grants user SSH access | |
GITHUB_ADMIN_TEAM_ID |
--github-admin-team-id |
ID of GitHub Team that grants admin SSH access | |
GITHUB_USER_TEAM_ID |
--github-user-team-id |
ID of Github Team that grants user SSH access | |
SYNC_USERS_ADMIN_GROUPS |
--sync-users-admin-groups |
Default groups for admins | wheel |
SYNC_USERS_USERS_GROUPS |
--sync-users-users-groups |
Default groups for users | users |
SYNC_USERS_SHELL |
--sync-users-shell |
Default Login Shell | /bin/bash |
SYNC_USERS_ROOT |
--sync-users-root |
chroot path for user commands |
/ |
SYNC_USERS_INTERVAL |
--sync-users-interval |
Interval used to update user accounts | 300 |
ETCD_ENDPOINT |
--etcd-endpoint |
Etcd endpoint used for caching public keys | |
ETCD_TTL |
--etcd-ttl |
Duration (in seconds) to cache public keys | 86400 |
ETCD_PREFIX |
--etcd-prefix |
Prefix for public keys stored in etcd | github-authorized-keys |
LISTEN |
--listen |
Bind address used for REST API | :301 |
INTEGRATE_SSH |
--integrate-ssh |
Flag to automatically configure SSH | false |
LOG_LEVEL |
--log-level |
Ccontrol the logging verbosity. | info |
We recommend that you specify all parameters as environment variables. If using docker
, pass the environment file to the container using the --env-file
argument.
Obtain the GitHub API Token (aka Personal Access Token) here. Click "Generate new token" and select read:org
. That's it!
For example, /etc/github-authorized-keys
, might look like this:
GITHUB_API_TOKEN={token}
GITHUB_ORGANIZATION={organization}
GITHUB_ADMIN_TEAM_NAME=ssh
GITHUB_USER_TEAM_NAME=users
SYNC_USERS_ADMIN_GID=500
SYNC_USERS_ADMIN_GROUPS=sudo
SYNC_USERS_SHELL=/bin/bash
SYNC_USERS_ROOT=/host
SYNC_USERS_INTERVAL=300
ETCD_ENDPOINT=http://localhost:2739
ETCD_TTL=86400
ETCD_PREFIX=github-authorized-keys
LISTEN=:301
INTEGRATE_SSH=true
Then you could start it like this:
docker run \
--volume /:/host \
--expose "127.0.0.1:301:301" \
--env-file /etc/github-authorized-keys \
terjekv/github-authorized-keys:latest
IMPORTANT Remember to expose the REST API so you can retrieve user's public keys. Only public keys belonging to users found in the GitHub team will be returned.
Note: depending on your OS distribution, you might need to tweak the command templates. Keep reading for details.
On platforms running SELinux, you will need to add a policy to allow SSH on port 301 (if using the default port).
You can use the policy file contrib/ssh_on_socket_301.pp
by adding it thusly: semodule -i ssh_on_socket_301.pp
.
To leverage the github-authorized-keys
API, we need to make a small tweak to the sshd_config
.
This can be done automatically by passing the --integrate-ssh
flag (or setting INTEGRATE_SSH=true
)
After modifying the sshd_config
, it's necessary to restart the SSH daemon. This happens automatically by calling the SSH_RESTART_TPL
command. Since this differs depending on the OS distribution, you can change the default behavior by setting the SSH_RESTART_TPL
environment variable (default: /usr/sbin/service ssh force-reload
). Similarly, you might need to tweak the AUTHORIZED_KEYS_COMMAND_TPL
environment variable to something compatible with your OS.
If you wish to manually configure your sshd_config
, here's all you need to do:
AuthorizedKeysCommand /usr/local/sbin/authorized-keys
AuthorizedKeysCommandUser root
Then install a wrapper script to /usr/local/sbin/authorized-keys
.
Note: this command requires curl
to access the REST API in order to fetch authorized keys
The REST API supports Etcd as cache for public keys. This mitigates any connectivity problems with GitHub's API. By default, the caching is disabled.
Due to the vast differences between OS commands, the defaults provided might not work for you flavor of Linux.
Below are some of the settings which can be tweaked.
Environment Variable | Description | Default |
---|---|---|
LINUX_USER_ADD_TPL |
Command used to add a user to the system when no default group supplied. | adduser {username} --disabled-password --force-badname --shell {shell} |
LINUX_USER_ADD_WITH_GID_TPL |
Command used to add a user to the system when a default primary gid supplied . | `adduser {username} --disabled-password --force-badname --shell {shell} --gid {gid |
LINUX_USER_ADD_TO_GROUP_TPL |
Command used to add the user to secondary groups | adduser {username} {group} |
LINUX_USER_DEL_TPL |
Command used to delete a user from the system when removed the the team | deluser {username} |
SSH_RESTART_TPL |
Command used to restart SSH when INTEGRATE_SSH=true |
/usr/sbin/service ssh force-reload |
AUTHORIZED_KEYS_COMMAND_TPL |
Command used to fetch a user's authorized_keys from REST API |
/usr/bin/github-authorized-keys |
The values in {braces}
are macros that will be automatically substituted at run-time.
Macro | Description |
---|---|
{username} |
User's login name |
{shell} |
User's login shell |
{group} |
User's primary group name |
{gid} |
User's primary group id |
Got a question?
File a GitHub issue. :)
Please use the issue tracker to report any bugs or file feature requests.
The original use case from CloudPosse has for them been replaced by Teleport (cloudposse#34). This repository is maintained for personal use for time being.
In general, PRs are welcome.
- Fork the repo on GitHub
- Clone the project to your own machine
- Commit changes to your own branch
- Push your work back up to your fork
- Submit a Pull request so that changes can be reviewed.
NOTE: Be sure to merge the latest from "upstream" before making a pull request!
Here's how to get started...
git clone https://github.com/terjekv/github-authorized-keys.git
to pull down the repository- Review the documentation on compiling.
APACHE 2.0 © 2016-2017 Cloud Posse, LLC
Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
GitHub Authorized Keys was originally maintained and funded by Cloud Posse, LLC. Like it? Please let them know at [email protected]
We love Open Source Software!
See our other projects or hire us to help build your next cloud-platform.
Erik Osterman |
Igor Rodionov |
---|