Skip to content
/ authorized_users Public

A repo to store which github users are allowed to access @csivitu servers

1 star 1 fork Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

csivitu/authorized_users

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

40 Commits
breaker
breaker
 
 
csictf
csictf
 
 
csivit-2020
csivit-2020
 
 
csivit
csivit
 
 
gravitas
gravitas
 
 
README.md
README.md
 
 
get_keys.sh
get_keys.sh
 
 

Repository files navigation

authorized_users

This repo stores names of github users which are allowed to login into csi servers

The repo follows a simple directory structure. Each folder on the root level represents a server (for example csivit) Inside a server's folder, each file of filename name stores the usernames of github users allowed to access the user with username name on the server. (eg, csivit/root stores github usernames of people allowed to login as root on the csivit server)

Why?

OpenSSH keys are normally listed in the ~/.ssh/authorized_keys file, but this is terrible to manage, as you have to deal with issues like removing old keys, and its really difficult to read this file. What ends up happening is a big blob of random keys in a file added by completely random people. And then if you have multiple servers, the issue just becomes worse.

How does this repo work?

This repo is inspired by https://gist.github.com/sivel/c68f601137ef9063efd7 . In brief, it takes advantage of the AuthorizedKeysCommand configuration option that can be provided to OpenSSH.

Let's say a user tries to login on root@csivit.com. The sshd daemon on the server will first try to search if the user is given access through /root/.ssh/authorized_keys. If not, it will execute the get_keys.sh script.

This script obtains the github usernames of permitted users from the csivit/root file on this repo, and then obtain github public keys for every user in that file by obtaining them from https://github.com/<username>.keys. It finally tells OpenSSH to allow just these public keys to login!

Great! How do I use it?

Install the get_keys.sh script on /usr/local/bin on the server, and make it executable

cd /usr/local/bin
wget -O get_keys https://raw.githubusercontent.com/csivitu/authorized_users/master/get_keys.sh
chmod +x get_keys

Add the following lines in /etc/ssh/sshd_config , where server_name is same as the folder name for that server on this repo and user_name is name of usertype (ex: root).

AuthorizedKeysCommand /usr/local/bin/get_keys https://raw.githubusercontent.com/csivitu/authorized_users/master <server_name> <user_name>
AuthorizedKeysCommandUser nobody

Restart SSH service on the server

sudo systemctl restart ssh

Now if you want to give access, to say github user thebongy to root on the server, just make a file at server_name/root on this repo, and add thebongy inside the file. That's it!

About

A repo to store which github users are allowed to access @csivitu servers

Topics

ssh auth csivitu

Resources

Readme
Activity
Custom properties

Stars

1 star

Watchers

1 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published

Contributors 13

Languages