github.com/utilitywarehouse/ssh-key-agent

Client counterpart to ssh-key-manager


Keywords
infrastructure, ssh, system, uw-dep-alpine, uw-dep-go, uw-owner-system
License
MIT
Install
go get github.com/utilitywarehouse/ssh-key-agent

Documentation

ssh-key-agent

Companion service for https://github.com/utilitywarehouse/ssh-key-manager runs on the host and populates authorized_keys file based on the groups provided.

Required environment variables:

env var example desc
SKA_KEY_URI https://[app/bucket]/authmap URI location of the authmap file create by ssh-key-manager
SKA_GROUPS group@gsuite-domain.com,group2@gsuite-domain.com Comma seperated list of groups that are allowed access
SKA_AKF_LOC /home/user/.ssh/authorized_keys Location of the authorized_keys file which to write to
SKA_INTERVAL 60 Interval, how often the keys should be synced (seconds) AWS access key

systemd service file

Example systemd service: ./terraform/resources/ssh-key-agent.service

Terraform module

Repository includes a terraform module, for use instructions have a look at ./terraform/README.md

Releasing

Before creating a tag/release in Github, please update the verion in ./terraform/variables.tf

Docker instructions

If you prefer to run ssh-key-agent with docker, here's an example service:

[Unit]
Description=ssh-key-agent
After=docker.service
Requires=docker.service
[Service]
Restart=on-failure
ExecStartPre=-/usr/bin/mkdir -p /home/core/.ssh
ExecStartPre=-/usr/bin/touch /home/core/.ssh/authorized_keys
ExecStartPre=-/usr/bin/chown -R "core":"core" /home/core/.ssh
ExecStartPre=-/usr/bin/chmod 700 /home/core/.ssh
ExecStartPre=-/usr/bin/chmod 644 /home/core/.ssh/authorized_keys
ExecStart=/bin/sh -c 'docker run --name=%p_$(uuidgen) --rm \
 -v /home/core/.ssh/authorized_keys:/authorized_keys \
 -e SKA_KEY_URI=${uri} \
 -e SKA_GROUPS=${groups} \
 -e SKA_AKF_LOC=/authorized_keys \
 -e SKA_INTERVAL=60 \
 quay.io/utilitywarehouse/ssh-key-agent:${version}'
ExecStop=/bin/sh -c 'docker stop -t 3 "$(docker ps -q --filter=name=%p_)"'
[Install]
WantedBy=multi-user.target

Whatever file you are mounting into container needs to exist prior, otherwise docker will create it as directory:

If you use -v or --volume to bind-mount a file or directory that does not yet exist on the Docker host, -v will create the endpoint for you. It is always created as a directory.

Debugging boxes where SKA is not successful

Either ssh-key-agent could not start or node has no internet access, you will need to load a static key to log on. Example ignition file:

data "ignition_file" "authorized_keys" {
  filesystem = "root"
  path       = "/home/core/.ssh/authorized_keys"
  mode       = 493

  content {
    content = <<-EOF
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN5OOYqgvQMxnDnSQtMNNLl9JtIx1cdVXoiQ3+GXP0oZ gangel@uw.co.uk
EOF
  }
}