{"id":25738315,"url":"https://github.com/reasonsoftware/ssh-manager","last_synced_at":"2025-05-08T03:57:17.386Z","repository":{"id":38822405,"uuid":"331674045","full_name":"ReasonSoftware/ssh-manager","owner":"ReasonSoftware","description":":closed_lock_with_key: Central SSH Management Service for AWS Linux EC2 :vertical_traffic_light:","archived":false,"fork":false,"pushed_at":"2024-09-16T15:09:14.000Z","size":3161,"stargazers_count":10,"open_issues_count":0,"forks_count":0,"subscribers_count":5,"default_branch":"master","last_synced_at":"2025-05-08T03:57:11.252Z","etag":null,"topics":["aws","devops","security","service","ssh"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ReasonSoftware.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":".github/CONTRIBUTING.md","funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-01-21T15:43:12.000Z","updated_at":"2024-09-16T15:09:12.000Z","dependencies_parsed_at":"2023-02-17T16:31:20.669Z","dependency_job_id":"18186c56-b40e-4296-bf38-77a6fbfb2fef","html_url":"https://github.com/ReasonSoftware/ssh-manager","commit_stats":null,"previous_names":[],"tags_count":8,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ReasonSoftware%2Fssh-manager","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ReasonSoftware%2Fssh-manager/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ReasonSoftware%2Fssh-manager/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/ho
sts/GitHub/repositories/ReasonSoftware%2Fssh-manager/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ReasonSoftware","download_url":"https://codeload.github.com/ReasonSoftware/ssh-manager/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":252996333,"owners_count":21837621,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","devops","security","service","ssh"],"created_at":"2025-02-26T07:29:57.549Z","updated_at":"2025-05-08T03:57:17.367Z","avatar_url":"https://github.com/ReasonSoftware.png","language":"Go","readme":"# ssh-manager\n\n[![Release](https://img.shields.io/github/v/release/ReasonSoftware/ssh-manager)](https://github.com/ReasonSoftware/ssh-manager/releases/latest)\n[![Release](https://github.com/ReasonSoftware/ssh-manager/workflows/release/badge.svg)](https://github.com/ReasonSoftware/ssh-manager/actions)\n[![Go Report Card](https://goreportcard.com/badge/github.com/ReasonSoftware/ssh-manager)](https://goreportcard.com/report/github.com/ReasonSoftware/ssh-manager)\n[![License](https://img.shields.io/github/license/ReasonSoftware/ssh-manager)](LICENSE.md)\n\n:closed_lock_with_key: Central **SSH Management Service** for **AWS Linux EC2** :vertical_traffic_light:\n\n![PIC](docs/pics/design.png)\n\n## Features\n\n- Automatically allow/deny SSH access to servers\n- Easily manage `sudo` access\n- Centrally manage the team's SSH keys\n- Only the public SSH key is used; the private key never leaves the user's workstation\n- Leverage AWS IAM for service authentication\n- SystemD Service\n- Supports AMD64/ARM64\n\n## Manual\n\n- Prepare the [Central Configuration](#central-configuration) once\n- Add new servers by:\n  - Completing the [Server Configuration](#server-configuration)\n  - [Installing](#installation) the service\n\n*It is strongly recommended to update the service once in a while*\n\n### Central Configuration\n\n1. Create a configuration in an **AWS Secret** that holds the public SSH keys of your team members and the server groups with their permission mapping.\n\n\u003cdetails\u003e\u003csummary\u003e:information_source: AWS Secret Structure\u003c/summary\u003e\n\n```json\n{\n    \"users\": {\n        \"user.1\": \"ssh-rsa AAA...\",\n        \"user.2\": \"ssh-rsa AAA...\",\n        \"user.3\": \"ssh-rsa AAA...\",\n        \"user.4\": \"ssh-rsa AAA...\",\n        \"user.5\": \"ssh-rsa AAA...\",\n        \"user.6\": \"ssh-rsa AAA...\"\n    },\n    \"server_groups\": {\n        \"backend\": {\n            \"sudoers\": [\n                \"user.2\"\n            ],\n            \"users\": [\n                \"user.1\",\n                \"user.4\",\n                \"user.5\"\n            ]\n        },\n        \"poc\": {\n            \"sudoers\": [\n                \"user.1\",\n                \"user.2\",\n                \"user.4\"\n            ],\n            \"users\": [\n                \"user.6\"\n            ]\n        },\n        \"devops\": {\n            \"sudoers\": [\n                \"user.2\"\n            ],\n            \"users\": [\n                \"user.3\",\n                \"user.5\"\n            ]\n        }\n    }\n}\n```\n\n\u003c/details\u003e\n\n2. Create an IAM Policy that allows servers to fetch the secret.\n\n\u003cdetails\u003e\u003csummary\u003e:information_source: AWS IAM Policy\u003c/summary\u003e\n\n```json\n{\n    \"Version\": \"2012-10-17\",\n    \"Statement\": [\n        {\n            \"Effect\": \"Allow\",\n            \"Action\": \"secretsmanager:GetSecretValue\",\n            \"Resource\": \"arn:aws:secretsmanager:*:*:secret:\u003csecret-name\u003e\"\n        }\n    ]\n}\n```\n\n\u003c/details\u003e\n\n*Note: Secrets Manager appends a random six-character suffix to every secret ARN, so `\u003csecret-name\u003e` must be the secret's full ARN (the tightest option) or end with a wildcard such as `ssh-manager-*`; a resource of `secret:ssh-manager` alone will not match the secret.*\n\n### Server Configuration\n\n1. Create a local configuration file `/root/ssh-manager.yml`\n\n    ```yaml\n    secret_name: ssh-manager\n    region: us-west-1\n    groups:\n      - devops\n      - poc\n    ```\n\n    - `secret_name` (required) - AWS Secret name holding the central configuration\n    - `region` - AWS region where the Secret is stored. Default **us-east-1**\n    - `groups` (required) - a list of server group names from the central configuration\n\n2. Create and attach an IAM Role, or configure an IAM User, to allow the EC2 instances to fetch the secret.\n    - If using User authentication, configure the credentials for the root user.\n    - An instance role is preferable: it leaves no long-lived access keys on the host.\n\n### Installation\n\n- Download the installation script: `curl https://raw.githubusercontent.com/ReasonSoftware/ssh-manager/master/scripts/install.sh --output install.sh` (or `install_arm64.sh`)\n    - Alternative script that relies on **crontab**: `curl https://raw.githubusercontent.com/ReasonSoftware/ssh-manager/master/scripts/install_cronjob.sh --output install.sh` (or `install_cronjob_arm64.sh`)\n- Review the downloaded script, then execute it with elevated privileges: `sudo bash install.sh`\n\n\u003cdetails\u003e\u003csummary\u003e:information_source: Manual Installation\u003c/summary\u003e\n\n- Create an application directory: `mkdir -p /var/lib/ssh-manager`\n- Download the latest [release](https://github.com/ReasonSoftware/ssh-manager/releases/latest) and unzip it to `/var/lib/ssh-manager`\n- Create a **systemd** service under `/etc/systemd/system/ssh-manager.service` with the following content:\n\n    ```\n    [Unit]\n    Description=Central SSH Management Service for AWS Linux EC2\n    Wants=network-online.target\n    After=network-online.target\n    \n    [Service]\n    Type=oneshot\n    ExecStart=/var/lib/ssh-manager/ssh-manager\n    StandardOutput=journal\n    User=root\n    \n    [Install]\n    WantedBy=multi-user.target\n    ```\n\n- Create a **systemd** timer under `/etc/systemd/system/ssh-manager.timer` with the following content:\n\n    ```\n    [Unit]\n    Description=Timer for Central SSH Management Service\n    Wants=network-online.target\n    After=network-online.target\n\n    [Timer]\n    Unit=ssh-manager.service\n    OnBootSec=10min\n    OnUnitInactiveSec=60min\n    Persistent=true\n\n    [Install]\n    WantedBy=multi-user.target\n    ```\n\n- Reload the **systemd** configuration: `systemctl daemon-reload`\n- Enable the **ssh-manager** service: `systemctl enable ssh-manager.service`\n- Enable and start the **ssh-manager** timer: `systemctl enable --now ssh-manager.timer`\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\u003csummary\u003e:information_source: Update\u003c/summary\u003e\n\n- Download the latest [release](https://github.com/ReasonSoftware/ssh-manager/releases/latest) and replace the `/var/lib/ssh-manager/ssh-manager` file\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\u003csummary\u003e:information_source: Uninstall\u003c/summary\u003e\n\nDecide what you are going to do with the users and either delete them (`userdel -r \u003cusername\u003e`) or change their primary group to some other group (`usermod -g \u003cgroupname\u003e \u003cusername\u003e`)\n\n- Disable and delete the systemd service and timer:\n\n    ```shell\n    systemctl disable --now ssh-manager.timer\n    systemctl disable --now ssh-manager.service\n    rm -f /etc/systemd/system/ssh-manager.*\n    systemctl daemon-reload\n    ```\n\n- Delete the application groups:\n\n    ```shell\n    groupdel ssh-manager-users\n    groupdel ssh-manager-sudoers\n    ```\n\n- Remove the `%ssh-manager-sudoers ALL=(ALL) NOPASSWD: ALL` entry from the `/etc/sudoers` file (edit it with `visudo`)\n- Delete the app directory: `rm -rf /var/lib/ssh-manager`\n- Delete the local configuration file: `rm -f /root/ssh-manager.yml`\n\n\u003c/details\u003e\n\n## Examples\n\n- [Logs](docs/LOGS.md)\n\n## Notes\n\n- This service relies on the standard Linux user-management utilities and requires the following to operate: `sudo`/`useradd`/`userdel`/`usermod`/`bash`\n- Users' default shell will be set to `bash`\n- The sudoers file is assumed to be `/etc/sudoers`\n- The application directory `/var/lib/ssh-manager` will be created automatically\n- Custom Linux groups `ssh-manager-users`/`ssh-manager-sudoers` will be created with GIDs `32109`/`32108`\n\n## License\n\n[Apache-2.0](LICENSE.md) © 2021 [Reason Cybersecurity Ltd.](https://www.reasonsecurity.com/)\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Freasonsoftware%2Fssh-manager","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Freasonsoftware%2Fssh-manager","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Freasonsoftware%2Fssh-manager/lists"}
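The Central Configuration and Server Configuration sections of the README above define a permission model (users with public keys, server groups with `users` and `sudoers`, and a server that joins several groups via its `groups:` list) but give no way to check a secret before the timer rolls it out to every host. The Go program below is an added example, not code from the ssh-manager project: it validates a secret of the README's structure and resolves the access a server with a given `groups:` list would receive. `CentralConfig`, `CheckPublicKey`, `Validate`, `Resolve`, `ZeroKey` and `SampleSecret` are names chosen here, the sample secret is constructed, and the union-of-groups rule in `Resolve` is an assumption about the service's behaviour rather than something the README states.

```go
package main

import (
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// CentralConfig mirrors the AWS Secret structure shown in the README.
type CentralConfig struct {
	Users        map[string]string      `json:"users"`         // user name -> OpenSSH public key line
	ServerGroups map[string]ServerGroup `json:"server_groups"` // group name -> members
}

type ServerGroup struct {
	Sudoers []string `json:"sudoers"`
	Users   []string `json:"users"`
}

// CheckPublicKey verifies that a line is structurally an OpenSSH public key ("<type> <base64-blob> [comment]")
// and that the blob's first length-prefixed string (RFC 4253 section 6.6 wire format) equals <type>.
func CheckPublicKey(line string) error {
	fields := strings.Fields(line)
	if len(fields) < 2 {
		return fmt.Errorf("expected \"<type> <base64>\", got %q", line)
	}
	blob, err := base64.StdEncoding.DecodeString(fields[1])
	if err != nil {
		return fmt.Errorf("key blob is not base64: %v", err)
	}
	if len(blob) < 4 || uint64(binary.BigEndian.Uint32(blob))+4 > uint64(len(blob)) {
		return fmt.Errorf("truncated key blob")
	}
	if got := string(blob[4 : 4+binary.BigEndian.Uint32(blob)]); got != fields[0] {
		return fmt.Errorf("key type %q does not match blob type %q", fields[0], got)
	}
	return nil
}

// Validate parses the secret and lists every problem that would surface at the
// next timer run: malformed keys, and group members that have no key entry.
func Validate(raw []byte) (*CentralConfig, []string) {
	var cfg CentralConfig
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return nil, []string{"invalid JSON: " + err.Error()}
	}
	var problems []string
	for name, key := range cfg.Users {
		if err := CheckPublicKey(key); err != nil {
			problems = append(problems, fmt.Sprintf("user %s: %v", name, err))
		}
	}
	for gname, g := range cfg.ServerGroups {
		for _, u := range append(append([]string{}, g.Users...), g.Sudoers...) {
			if _, ok := cfg.Users[u]; !ok {
				problems = append(problems, fmt.Sprintf("group %s references unknown user %s", gname, u))
			}
		}
	}
	sort.Strings(problems) // map iteration order is random; keep the report stable
	return &cfg, problems
}

// Resolve returns the login users and the sudoers for a server whose /root/ssh-manager.yml lists the given
// groups. Assumption (not documented by the project): membership is the union over groups, sudo likewise.
func Resolve(cfg *CentralConfig, groups []string) (users, sudoers map[string]bool, err error) {
	users, sudoers = map[string]bool{}, map[string]bool{}
	for _, g := range groups {
		sg, ok := cfg.ServerGroups[g]
		if !ok {
			return nil, nil, fmt.Errorf("unknown server group %q", g)
		}
		for _, u := range sg.Users {
			users[u] = true
		}
		for _, u := range sg.Sudoers {
			users[u], sudoers[u] = true, true // a sudoer can also log in
		}
	}
	return users, sudoers, nil
}

// ZeroKey is the well-known ssh-ed25519 prefix followed by an all-zero 32-byte key: constructed, not usable.
var ZeroKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI" + strings.Repeat("A", 43)

// SampleSecret is constructed with two deliberate defects: user.5's key is garbage, and devops lists user.3, who has no key.
var SampleSecret = []byte(`{
  "users": {"user.1": "` + ZeroKey + `", "user.2": "` + ZeroKey + ` user.2@laptop", "user.5": "ssh-rsa not-base64!"},
  "server_groups": {"devops": {"sudoers": ["user.2"], "users": ["user.3", "user.5"]},
                    "poc":    {"sudoers": ["user.1", "user.2"], "users": ["user.5"]}}
}`)

func main() {
	cfg, problems := Validate(SampleSecret)
	fmt.Println("problems:", problems)
	fmt.Println(Resolve(cfg, []string{"devops", "poc"}))
}
```

To run it against a live secret, replace `SampleSecret` with the output of `aws secretsmanager get-secret-value --secret-id ssh-manager --query SecretString --output text`; the same check works as a pre-commit gate wherever the secret's JSON is kept in source control, which catches a pasted key or a misspelled user name before it silently drops someone's access on the next hourly run.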