github.com/utilitywarehouse/ssh-key-agent

Release v1.0.13

Client counterpart to ssh-key-manager

Homepage Go HCL Documentation

Keywords
infrastructure, ssh, system, uw-dep-alpine, uw-dep-go, uw-owner-system
License
MIT
Install
go get github.com/utilitywarehouse/ssh-key-agent

Documentation

ssh-key-agent

Companion service for https://github.com/utilitywarehouse/ssh-key-manager runs on the host and populates authorized_keys file based on the groups provided.

Required environment variables:

env var example desc
SKA_KEY_URI https://[app/bucket]/authmap URI location of the authmap file create by ssh-key-manager
SKA_GROUPS group@gsuite-domain.com,group2@gsuite-domain.com Comma seperated list of groups that are allowed access
SKA_AKF_LOC /home/user/.ssh/authorized_keys Location of the authorized_keys file which to write to
SKA_INTERVAL 60 Interval, how often the keys should be synced (seconds) AWS access key

systemd service file

Example systemd service: ./terraform/resources/ssh-key-agent.service

Terraform module

Repository includes a terraform module, for use instructions have a look at ./terraform/README.md

Releasing

Before creating a tag/release in Github, please update the verion in ./terraform/variables.tf

Docker instructions

If you prefer to run ssh-key-agent with docker, here's an example service:

[Unit]
Description=ssh-key-agent
After=docker.service
Requires=docker.service
[Service]
Restart=on-failure
ExecStartPre=-/usr/bin/mkdir -p /home/core/.ssh
ExecStartPre=-/usr/bin/touch /home/core/.ssh/authorized_keys
ExecStartPre=-/usr/bin/chown -R "core":"core" /home/core/.ssh
ExecStartPre=-/usr/bin/chmod 700 /home/core/.ssh
ExecStartPre=-/usr/bin/chmod 644 /home/core/.ssh/authorized_keys
ExecStart=/bin/sh -c 'docker run --name=%p_$(uuidgen) --rm \
 -v /home/core/.ssh/authorized_keys:/authorized_keys \
 -e SKA_KEY_URI=${uri} \
 -e SKA_GROUPS=${groups} \
 -e SKA_AKF_LOC=/authorized_keys \
 -e SKA_INTERVAL=60 \
 quay.io/utilitywarehouse/ssh-key-agent:${version}'
ExecStop=/bin/sh -c 'docker stop -t 3 "$(docker ps -q --filter=name=%p_)"'
[Install]
WantedBy=multi-user.target

Whatever file you are mounting into container needs to exist prior, otherwise docker will create it as directory:

If you use -v or --volume to bind-mount a file or directory that does not yet exist on the Docker host, -v will create the endpoint for you. It is always created as a directory.

Debugging boxes where SKA is not successful

Either ssh-key-agent could not start or node has no internet access, you will need to load a static key to log on. Example ignition file:

data "ignition_file" "authorized_keys" {
  filesystem = "root"
  path       = "/home/core/.ssh/authorized_keys"
  mode       = 493

  content {
    content = <<-EOF
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN5OOYqgvQMxnDnSQtMNNLl9JtIx1cdVXoiQ3+GXP0oZ gangel@uw.co.uk
EOF
  }
}

Stats

Dependencies
2
Dependent packages
0
Dependent repositories
0
Total releases
5
Latest release
First release
Stars
1
Forks
0
Watchers
10
Contributors
9
Repository size
139 KB
SourceRank
10

Development practices

Source repo 2FA enabled
TEXT!
Package manager 2FA enabled
TEXT!
Is security responsive
TEXT!
Dependencies are managed
TEXT!
Issue-free release available
TEXT!
Succession plan available
TEXT!

The Tidelift Subscription provides access to a continuously curated stream of human-researched and maintainer-verified data on open source packages and their licenses, releases, vulnerabilities, and development practices.

Learn more

Releases

v1.0.17
v1.0.16
v1.0.15
v1.0.14
v1.0.13

Contributors

George Angel dependabot[bot] Foivos Filippopoulos Hector Huertas Ashok Siyani Yann Vigara Rob Best sean


See all contributors

Login to resync this project