{"id":16841130,"url":"https://github.com/fernandomiguel/sshremotekeys","last_synced_at":"2025-03-22T05:30:57.941Z","repository":{"id":154348455,"uuid":"88338814","full_name":"FernandoMiguel/sshremotekeys","owner":"FernandoMiguel","description":"Managing SSH keys remotely to control access to hosts","archived":false,"fork":false,"pushed_at":"2018-08-12T20:45:20.000Z","size":38,"stargazers_count":79,"open_issues_count":0,"forks_count":8,"subscribers_count":5,"default_branch":"master","last_synced_at":"2025-03-18T08:22:20.589Z","etag":null,"topics":["authorizedkeyscommand","aws","ed25519","maintenance","overhead","remote","ssh","ssh-key","sshd","sysadmin","userdata"],"latest_commit_sha":null,"homepage":null,"language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/FernandoMiguel.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2017-04-15T10:00:25.000Z","updated_at":"2024-12-02T13:23:35.000Z","dependencies_parsed_at":"2023-10-15T18:04:34.954Z","dependency_job_id":null,"html_url":"https://github.com/FernandoMiguel/sshremotekeys","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/FernandoMiguel%2Fsshremotekeys","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/FernandoMiguel%2Fsshremotekeys/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/FernandoMiguel%2Fsshremotekeys/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Fe
rnandoMiguel%2Fsshremotekeys/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/FernandoMiguel","download_url":"https://codeload.github.com/FernandoMiguel/sshremotekeys/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":244912800,"owners_count":20530764,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["authorizedkeyscommand","aws","ed25519","maintenance","overhead","remote","ssh","ssh-key","sshd","sysadmin","userdata"],"created_at":"2024-10-13T12:40:27.151Z","updated_at":"2025-03-22T05:30:55.652Z","avatar_url":"https://github.com/FernandoMiguel.png","language":"Shell","readme":"# SSH with Remote Keys storage\n\nWith my sysadmin background, and being as lazy as possible, I always try to keep the maintenance overhead of my systems as low as possible.\n\nSecurely maintaining ssh keys to access servers is a tricky business. 
Keys have to be rotated regularly, individuals join/leave projects/companies, ssh key passwords are forgotten, etc.\n#\n\nTypically, admins add ssh keys to ~/.ssh/authorized_keys or %h/.ssh/authorized_keys; others use LDAP.\n\nUpdating these is a nightmare, even with configuration management tools like Ansible or Puppet.\n\nSome have crons to update these, but that can create a delay, and we all know what happens when you add delays.\n#\n\nInstead, I've opted to move away from managing keys in the instances, and move them to a centrally controlled location, where it is easy to update objects/permissions and have the instances check back on each login attempt.\n\n## Installation\n\n[sshauth-install.sh](sshauth-install.sh) needs to be run in the instance.\n\nIt can be executed at any time, or ideally during the creation of the instance. When deploying AWS instances, you can pass this with [UserData](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/user-data.html).\n\n###\nYou will need to modify [https://s3.amazonaws.com/BUCKET/userkeys.sh] to point at your server's personalised version.\n\nThe script will modify sshd_config, pull your custom [userkeys.sh](userkeys.sh), and restart sshd.\n\n## Usage\n\nSSH AuthorizedKeysCommand was introduced in [2013's OpenSSH 6.1](https://www.openssh.com/txt/release-6.2), although it only became commonly available in distro packages around OpenSSH 6.9.\n\nFrom the manual:\n\u003e sshd(8): Added a sshd_config(5) option AuthorizedKeysCommand to support fetching authorized_keys from a command in addition to (or instead of) from the filesystem. 
The command is run under an account specified by an AuthorizedKeysCommandUser sshd_config(5) option.\n\nThis allows us to execute an arbitrary command when a login attempt is made via ssh.\nIn the case of this setup, it executes userkeys.sh.\n\nDepending on whether you are curling the GitHub API for keys [https://github.com/USER.keys] (for individual devs or extremely small teams) or an S3 bucket object (one object per set of permissions), you will need to create your custom [userkeys.sh](userkeys.sh).\n\nWhen there's a login attempt via ssh, sshd will execute userkeys.sh, which will then curl a file of ssh public keys; sshd matches those against the key offered during login.\n\nYou can use `Match User` or `Match Group` to map public keys to logins, but while this increases security, it also increases overhead.\n\n## Gotchas\n\n\n### Ed25519\n\nssh public keys have historically been created with the RSA algorithm. But like everything in tech, that's old by today's standards.\n\nThe new shiny algorithm is [Ed25519](https://ed25519.cr.yp.to/).\nIt uses an elliptic curve, which allows its keys to be much smaller than traditional RSA keys.\nWhere a good RSA key starts at 2048 bits, an Ed25519 key is just 256.\n\nCombine that with the ease of reading, storing and curling them, and you have a winner.\n\nTo generate one, run `$ ssh-keygen -t ed25519` with as many [rounds](https://crypto.stackexchange.com/questions/40311/how-many-kdf-rounds-for-an-ssh-key) as you see fit, and don't forget to password-protect it.\n\nCopy the contents of its public key to [GitHub key settings](https://github.com/settings/keys) or your project permission object, and you are ready to go.\n\n\n### Fail2Ban and general security\n\nPlease set up your instance with Fail2Ban, to prevent anyone from hammering your ssh port.\n\nAlso disable root login (`PermitRootLogin no`) and disable passwords (`PasswordAuthentication no`).\n\n[sshauth-install.sh] already adds `AuthenticationMethods publickey` to `/etc/ssh/sshd_config`.\n\n\n### 
API rate limit\n\nWhen curling against Internet web services, developers need to account for the services' rate limits, which are in place to prevent abuse.\n\nThe [GitHub API rate limit](https://developer.github.com/v3/#rate-limiting) is `60 requests per hour` for unauthenticated requests, and `5000` when used with OAuth.\n\nAn AWS S3 bucket has a limit of `800 GET requests per second`.\n\n#### Cache\n\nIf you have many devs logging into a server, or even bots scanning it (hence [Fail2Ban](https://github.com/FernandoMiguel/sshremotekeys#fail2ban-and-general-security)), your host can easily reach the limit, which would prevent you from legitimately accessing your server.\n\nTo minimise this, the response of the external request (either GitHub or AWS) is saved to the file `$HOME/.ssh/ak_cache` and cached for 5 minutes.\n\n## Future Improvements\n\nRight now, we are querying GitHub user profiles for ssh keys.\n\nAn advanced process can probably be developed using the [GitHub GraphQL API](https://developer.github.com/early-access/graphql/) to query Teams instead of users, allowing further control over project access.\n\n## Contributing\n\n1. Fork it!\n2. Create your feature branch: `git checkout -b my-new-feature`\n3. Commit your changes: `git commit -am 'Add some feature'`\n4. Push to the branch: `git push origin my-new-feature`\n5. Submit a pull request :D\n\n## License\n\n[MIT](LICENSE)\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffernandomiguel%2Fsshremotekeys","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ffernandomiguel%2Fsshremotekeys","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffernandomiguel%2Fsshremotekeys/lists"}