{"id":13819945,"url":"https://github.com/samber/sync-ssh-keys","last_synced_at":"2025-04-05T06:07:20.296Z","repository":{"id":52582716,"uuid":"221311663","full_name":"samber/sync-ssh-keys","owner":"samber","description":"🔐  Sync public ssh keys to ~/.ssh/authorized_keys, based on Github/Gitlab organization membership.","archived":false,"fork":false,"pushed_at":"2025-01-11T14:55:07.000Z","size":127,"stargazers_count":139,"open_issues_count":4,"forks_count":16,"subscribers_count":7,"default_branch":"master","last_synced_at":"2025-03-29T05:07:22.361Z","etag":null,"topics":["github","gitlab","organization-membership","ssh-keys","sync"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/samber.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-11-12T21:04:21.000Z","updated_at":"2025-01-11T14:55:05.000Z","dependencies_parsed_at":"2022-08-28T10:21:43.615Z","dependency_job_id":"2f0a1491-afd1-417b-999d-a3db2a40c72b","html_url":"https://github.com/samber/sync-ssh-keys","commit_stats":null,"previous_names":["samber/github-team-ssh-keys"],"tags_count":5,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/samber%2Fsync-ssh-keys","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/samber%2Fsync-ssh-keys/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/samber%2Fsync-ssh-keys/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/samber%2Fsync-ssh-keys/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/samber","download_url":"https://codeload.github.com/samber/sync-ssh-keys/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247294537,"owners_count":20915340,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["github","gitlab","organization-membership","ssh-keys","sync"],"created_at":"2024-08-04T08:00:55.257Z","updated_at":"2025-04-05T06:07:20.277Z","avatar_url":"https://github.com/samber.png","language":"Go","readme":"# Sync ssh keys\n\nSync public ssh keys to `~/.ssh/authorized_keys`, based on Github/Gitlab organization membership.\n\n![diagram](./diagram.png)\n\n## Install\n\n```bash\n$ export GO111MODULE=on\n$ go get github.com/samber/sync-ssh-keys\n```\n\nor\n\n```bash\n$ curl -L -o /usr/local/bin/sync-ssh-keys \\\n      https://github.com/samber/sync-ssh-keys/releases/download/v0.5.0/sync-ssh-keys_0.5.0_linux-amd64\n$ chmod +x /usr/local/bin/sync-ssh-keys\n```\n\nor \n\n```bash\n$ docker pull samber/sync-ssh-keys:0.5.0\n$ docker run --rm samber/sync-ssh-keys:0.5.0 --github-username samber\n```\n\n### Sync using a crontask\n\n```bash\n$ crontab -e\n```\n\nThen:\n\n```\n# sync once per hour\n0 * * * * sync-ssh-keys --github-token XXXXXXXXXXXXXXX --github-org epitech --github-team sysadmin --output /root/.ssh/authorized_keys\n```\n\n## Usage\n\n```bash\n$ sync-ssh-keys --help\nusage: sync-ssh-keys [\u003cflags\u003e]\n\nFlags:\n      --help                   Show context-sensitive help (also try --help-long and --help-man).\n\n\n  -o, --output=OUTPUT          Write output to \u003cfile\u003e. Default to stdout\n      --Werror=WERROR          Treat warning as errors. Fatal error if organization, team or user does not exist.\n\n\n      --local-path=LOCAL-PATH  Path to a local authorized_keys file. It can be useful in case of network failure ;)\n\n\n      --github-endpoint=GITHUB-ENDPOINT\n                               Github Enterprise endpoint.\n      --github-token=GITHUB-TOKEN\n                               Github personal token.\n      --github-org=GITHUB-ORG  Github organization name.\n      --github-team=GITHUB-TEAM ...\n                               Team(s) allowed to access server.\n      --github-username=GITHUB-USERNAME ...\n                               Username(s) allowed to access server.\n      --exclude-github-username=EXCLUDE-GITHUB-USERNAME ...\n                               Username(s) to explicitly exclude.\n\n\n      --gitlab-endpoint=GITLAB-ENDPOINT\n                               Gitlab endpoint.\n      --gitlab-token=GITLAB-TOKEN\n                               Gitlab personal token.\n      --gitlab-group=GITLAB-GROUP ...\n                               Group allowed to access server.\n      --gitlab-username=GITLAB-USERNAME ...\n                               Username(s) allowed to access server.\n      --exclude-gitlab-username=EXCLUDE-GITLAB-USERNAME ...\n                               Username(s) to explicitly exclude.\n\n\n      --version                Show application version.\n```\n\n### Simple user\n\n```bash\n$ sync-ssh-keys --github-username samber\n\n#\n# Github\n#\n\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDhDlAK8ewcwC............. samber@github\n\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCuLVeU6zqRrQ............. samber@github\n```\n\n### On Gitlab\n\n```bash\n$ sync-ssh-keys --gitlab-token XXXXXXXXXXXXXXXXXX \\\n                --gitlab-username samuelberthe\n```\n\n### More users\n\n```bash\n$ sync-ssh-keys --github-username samber \\\n                --github-username john \\\n                --github-username doe\n```\n\n### All members of an organizations\n\n```bash\n$ sync-ssh-keys --github-token XXXXXXXXXXXXXXX \\\n                --github-org epitech \\\n                        \u003e /root/.ssh/authorized_keys\n```\n\n### All members of teams \"root\" and \"sre\", of a Github organizations\n\n```bash\n$ sync-ssh-keys --github-token XXXXXXXXXXXXXXX \\\n                --github-org epitech \\\n                --github-team root \\\n                --github-team sre \\\n                        \u003e /root/.ssh/authorized_keys\n```\n\n### All members of an organizations excluding myself ;)\n\n```bash\n$ sync-ssh-keys --github-token XXXXXXXXXXXXXXX \\\n                --github-org epitech \\\n                --exclude-github-username samber \\\n                        \u003e /root/.ssh/authorized_keys\n```\n\n### In case of network failure, lets fallback to an hard-coded ssh key\n\n```bash\n$ sync-ssh-keys --github-username samber \\\n                --local-path /root/.ssh/instance_keys \\\n                        \u003e /root/.ssh/authorized_keys\n```\n\n### Pass destination file as parameter\n\n```bash\n$ sync-ssh-keys --github-username samber \\\n                -o /root/.ssh/authorized_keys\n```\n\n### Gitlab + Github + Local providers\n\n```bash\n$ sync-ssh-keys --github-username samber \\\n                --gitlab-username john-doe \\\n                --local-path /root/.ssh/instance_keys \\\n                -o /root/.ssh/authorized_keys\n```\n\n### Gitlab Subgroup\n\n```bash\n$ sync-ssh-keys --gitlab-token XXXXXXXXXXXXXXX \\\n                --gitlab-group \"gitlab-org/cluster-integration\" \\\n                --gitlab-group \"gitlab-org/monitor\" \\\n                -o /root/.ssh/authorized_keys\n```\n\n## About rate limiting\n\n⚠️ Request volume can grow very fast on large infrastructures. It will be multiplied by the number of servers.\n\nThis is highly recommanded to use a dedicated access token linked to dedicated Gitub/Gitlab account.\n\nGithub rate limits:\n- 5000 req/h authenticated\n- 60 req/h/IP unauthenticated\n\nGitlab rate limits:\n- 10 req/s/IP\n- 600 req/min\n\nWe send approximataly 1 request per organisation + 1 per group + 1 per user.\n\n### Example\n\n```bash\n$ sync-ssh-keys --github-token XXXXXXXXXXXXXXX \\\n                --github-org epitech \\\n                --github-team root \\\n                --github-team sre \\\n                --exclude-github-username samber \\\n```\n\n- \"Root\" team having 3 members.\n- \"SRE\" team having 10 members.\n- Executed at the same time on 50 servers\n\n50 servers * (1 org + 2 teams + 3 users + 10 users) = 800 requests\n\n### Trade-off\n\nIf you have too many servers and/or too many users:\n\n- Sync only twice a day.\n- At different time on each server.\n- Fetch once and scp everywhere.\n- Execute binary with `-Werror` and redirect to `.ssh/authorized_keys` using `-o` instead of `\u003e`. It will write ssh keys in a lazy way, if no error happened.\n\n## Contribute\n\n```bash\n$ make run\n```\n\n```bash\n$ make release\n$ make docker-release\n```\n\n## License\n\n[MIT license](./LICENSE)\n","funding_links":[],"categories":["Go"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsamber%2Fsync-ssh-keys","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsamber%2Fsync-ssh-keys","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsamber%2Fsync-ssh-keys/lists"}