initial abstract notes

This commit is contained in:
Vincent Batts 2021-03-09 15:18:56 +00:00
parent 462cfed50a
commit 0502d4e55c

View file

@ -1,3 +1,53 @@
# TeamAuthorizedKeys
Manage the authorized keys for a host, based on group/role membership (i.e. Github Group).
## Abstract
In `sshd_config` there is a configuration `AuthorizedKeysCommand` with the following description:
Specifies a program to be used to look up the user's public keys. The program must be owned by root, not
writable by group or others and specified by an absolute path. Arguments to `AuthorizedKeysCommand`
accept the tokens described in the TOKENS section. If no arguments are specified then the username of
the target user is used.
The program should produce on standard output zero or more lines of authorized_keys output (see
AUTHORIZED_KEYS in sshd(8)). `AuthorizedKeysCommand` is tried after the usual `AuthorizedKeysFile`
files and will not be executed if a matching key is found there. By default, no `AuthorizedKeysCommand`
is run.
The workflow would be: When deploying a node, the command would be configured with it's auth token and the group/role/team. When a user `ssh`'s to the host, the command checks the members of the group, and the corresponding pubkeys for this user set.
Further improvements can be:
- periodic caching/purging of the available keys
- mapping of the user name being ssh'ed to (i.e. `core` vs `build`, etc)
For github, the user's ssh keys are available by appending `.keys` to the user's URL.
For example, my are https://github.com/vbatts.keys
As an example test, I've added to my `/etc/ssh/sshd_config`:
```
AuthorizedKeysCommand /opt/bin/authorized_keys fgr="%f" home="%h" key="%k" ktype="%t" uid="%U" user="%u"
AuthorizedKeysCommandUser nobody
```
and created a shell script at `/opt/bin/authorized_keys`:
```shell
#!/bin/bash
set -eu
echo "$@" >> /tmp/xx
```
and `adduser test` a dummy user to `ssh test@localhost`.
Now `/tmp/xx` has all the public keys in from my current user's ssh-agent:
```
fgr="SHA256:jh7FlZkLnOxIVEoNYaJXjM+funB3kT1rkn/SOLIrDVw" home="/home/test" key="AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAABAIbmlzdHA1MjEAAACFBABNaiMzEtWCNDMsBd6fsUzYRhcifWXPCGyRnuAfuDSoP8Od/95xn6i1mQBgqt8S+gRPcO92nIn3OVXGx0IXXsuu8QEx3QuLiMBhTN+Boae+bs+Fo5Dg0CRrP9Qd7efeQNUZ83X5FY1rYsTpG7A6DL73EZxi/Er3HBAgtFV1iN1VGUzofg==" ktype="ecdsa-sha2-nistp521" uid="1001" user="test"
fgr="SHA256:Fo0hGLTLki9TdbOX43CmfiqdkIgMEiF57W3AcovaK7E" home="/home/test" key="AAAAC3NzaC1lZDI1NTE5AAAAIJEuxEjjdx5+vMAHfYvqf9Fzx3cDNyAxi6jsjLL1q/uJ" ktype="ssh-ed25519" uid="1001" user="test"
```