SSH Authentication with Github Teams
tl;dr: You can authenicate SSH access using Github Teams. Here’s the project on Github.
OpenSSH version 6.6 introduced this nifty config option that makes it possible
to run a command that will produce a users authorized_keys
file. This
means that instead of manually managing your authorized_keys
file on a
server you could just write a command that does it for you. You could collapse
a directory layout so that keys are kept per file, hit a remote endpoint or API,
or something else creative.
For a simple experiement I thought it would be neat to use the Github Teams API in order to create “groups” that are allowed to SSH into boxes.
The idea is simple enough: Create a team in your Github Organization called “ssh” or something, and then get all the SSH keys for the users in that team. This way, when you need to revoke access to a machine you can just remove someone from the “ssh” group and you’re done.
The AuthorizedKeysCommand
option in SSH is just a first pass. If the keys it
returns are not present for a user, it will continue to use the default
authorized_keys
file. That means you could have a backup or master key on all
the servers, but individual user keys could still be fetched from Github.
This has a few problems obviously. Github only allows 5000 requests / hour which means if someone is trying to brute-force your server and you don’t have something like denyhosts installed then you’ll burn through your request limit. It also essentially gives people at Github access to all your servers, so it’s not for the paranoid.
All the code is at github.com/trevoro/sshauth