initial abstract notes
This commit is contained in:
parent
462cfed50a
commit
0502d4e55c
1 changed files with 51 additions and 1 deletions
50
README.md
50
README.md
|
@ -1,3 +1,53 @@
|
|||
# TeamAuthorizedKeys
|
||||
|
||||
Manage the authorized keys for a host, based on group/role membership (i.e. Github Group).
|
||||
|
||||
## Abstract
|
||||
|
||||
In `sshd_config` there is a configuration `AuthorizedKeysCommand` with the following description:
|
||||
|
||||
Specifies a program to be used to look up the user's public keys. The program must be owned by root, not
|
||||
writable by group or others and specified by an absolute path. Arguments to `AuthorizedKeysCommand`
|
||||
accept the tokens described in the TOKENS section. If no arguments are specified then the username of
|
||||
the target user is used.
|
||||
|
||||
The program should produce on standard output zero or more lines of authorized_keys output (see
|
||||
AUTHORIZED_KEYS in sshd(8)). `AuthorizedKeysCommand` is tried after the usual `AuthorizedKeysFile`
|
||||
files and will not be executed if a matching key is found there. By default, no `AuthorizedKeysCommand`
|
||||
is run.
|
||||
|
||||
The workflow would be: When deploying a node, the command would be configured with it's auth token and the group/role/team. When a user `ssh`'s to the host, the command checks the members of the group, and the corresponding pubkeys for this user set.
|
||||
|
||||
Further improvements can be:
|
||||
|
||||
- periodic caching/purging of the available keys
|
||||
- mapping of the user name being ssh'ed to (i.e. `core` vs `build`, etc)
|
||||
|
||||
For github, the user's ssh keys are available by appending `.keys` to the user's URL.
|
||||
For example, my are https://github.com/vbatts.keys
|
||||
|
||||
As an example test, I've added to my `/etc/ssh/sshd_config`:
|
||||
|
||||
```
|
||||
AuthorizedKeysCommand /opt/bin/authorized_keys fgr="%f" home="%h" key="%k" ktype="%t" uid="%U" user="%u"
|
||||
AuthorizedKeysCommandUser nobody
|
||||
```
|
||||
|
||||
and created a shell script at `/opt/bin/authorized_keys`:
|
||||
|
||||
```shell
|
||||
#!/bin/bash
|
||||
|
||||
set -eu
|
||||
|
||||
echo "$@" >> /tmp/xx
|
||||
```
|
||||
|
||||
and `adduser test` a dummy user to `ssh test@localhost`.
|
||||
Now `/tmp/xx` has all the public keys in from my current user's ssh-agent:
|
||||
|
||||
```
|
||||
fgr="SHA256:jh7FlZkLnOxIVEoNYaJXjM+funB3kT1rkn/SOLIrDVw" home="/home/test" key="AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAABAIbmlzdHA1MjEAAACFBABNaiMzEtWCNDMsBd6fsUzYRhcifWXPCGyRnuAfuDSoP8Od/95xn6i1mQBgqt8S+gRPcO92nIn3OVXGx0IXXsuu8QEx3QuLiMBhTN+Boae+bs+Fo5Dg0CRrP9Qd7efeQNUZ83X5FY1rYsTpG7A6DL73EZxi/Er3HBAgtFV1iN1VGUzofg==" ktype="ecdsa-sha2-nistp521" uid="1001" user="test"
|
||||
fgr="SHA256:Fo0hGLTLki9TdbOX43CmfiqdkIgMEiF57W3AcovaK7E" home="/home/test" key="AAAAC3NzaC1lZDI1NTE5AAAAIJEuxEjjdx5+vMAHfYvqf9Fzx3cDNyAxi6jsjLL1q/uJ" ktype="ssh-ed25519" uid="1001" user="test"
|
||||
```
|
||||
|
||||
|
|
Loading…
Reference in a new issue