Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/dalen/ssh-auth-github

OpenSSH AuthorizedKeysCommand to fetch keys from GitHub
https://github.com/dalen/ssh-auth-github

github ssh

Last synced: 1 day ago
JSON representation

OpenSSH AuthorizedKeysCommand to fetch keys from GitHub

Host: GitHub
URL: https://github.com/dalen/ssh-auth-github
Owner: dalen
License: mit
Created: 2018-04-25T18:56:46.000Z (over 6 years ago)
Default Branch: master
Last Pushed: 2021-08-02T04:17:33.000Z (about 3 years ago)
Last Synced: 2024-04-13T19:26:25.511Z (6 months ago)
Topics: github, ssh
Language: Rust
Size: 446 KB
Stars: 7
Watchers: 3
Forks: 1
Open Issues: 5
Metadata Files:
- Readme: README.md
- License: LICENSE

Awesome Lists containing this project

README

        ## About

This is a command that can be used as a `AuthorizedKeysCommand` for OpenSSH.

It fetches the public keys for all members of a specific GitHub team in a specific organization and allows them to login.

At the moment it is made for a single login user, so all members of the team are allowed to login as that user.

All keys are fetched in a single API call using the GitHub V4 API,

so the request latency should be a lot lower compared to solutions using the V3 API.

## Usage

* Build with `cargo build --release`, the binary will be in `target/release/ssh-auth-github`.

* Put a config file at `/etc/ssh-auth-github.ini`, and specify organization and team.

  The token should be a GitHub Oauth token with the `read:org` scope.

  You can create it under Settings -> Developer Settings -> Personal access tokens

* Add `AuthorizedKeysCommand /path/to/ssh-auth-github` in your `sshd_config` and reload sshd.

You can also create a `ssh-auth-github.ini` in this directory and build a container with it using

`docker build . -t sshtunnel`. That will create a container running SSH and only allow tunneling as the `tunnel` user.

## Limitations

It only fetches the first 100 users in the team and the first 100 keys for each user.

It does not yet attempt to do pagination to fetch more than that.

There is no caching, so you might run in to GitHub request limits.

At the point of writing the limit is roughly 500,000 public keys per hour.

So how many login attempts that translates into depends on the size of your team.

A simple way to do caching is to run this as a cron job and write out the results to the `authorized_keys` file,

instead of running it as a `AuthorizedKeysCommand`.

## Related work:

* https://github.com/cloudposse/github-authorized-keys

* https://github.com/trevoro/sshauth