3 releases

0.1.2 Nov 30, 2022
0.1.1 Nov 30, 2022
0.1.0 Nov 28, 2022

#471 in Authentication

GPL-3.0 license

24KB
345 lines


klucznik

Manage your SSH access keys automatically, for example by synchronizing them from GitHub.

Installation

$ cargo install --locked klucznik

Usage

Install the binary (optional)

Install the binary to some globally accessible place:

$ sudo install ~/.cargo/bin/klucznik /usr/local/bin/klucznik

As authorized_keys updater

Warning: this will overwrite your authorized_keys file!

Set up a cron job similar to this:

* 12 * * * /usr/local/bin/klucznik --sources https://github.com/<your username>.keys --destination /home/<user>/.ssh/authorized_keys

You can add more sources via more flags.

Alternatively, use ssh-key-dir to not overwrite your authorized_keys:

* 12 * * * /usr/local/bin/klucznik --sources https://github.com/<your username>.keys --destination /home/<user>/.ssh/authorized_keys.d/klucznik

Then configure your AuthorizedKeysCommand in sshd_config to use ssh-key-dir so that sshd reads your overlays from that folder.

As AuthorizedKeysCommand (experimental!)

Change the following settings in your sshd_config:

AuthorizedKeysCommand /usr/local/bin/klucznik --sources https://github.com/<username>.keys
AuthorizedKeysCommandUser root

Roadmap

v0.1 'Not much more than overengineered curl replacement but works'

  • configurable via command-line arguments/flags
  • get authorized_keys from public URLs
  • validate if in fact keys are returned (basic)
  • save to file
  • automated cargo release

v0.1.1

  • fix writing multiple sources to one file
  • if destination is provided, and file-contents are the same, don't overwrite
  • if returned keys are empty, don't overwrite

v0.2 'curl with centralized config'

  • deduplicate keys
  • config file support (remote + local)
  • able to read/store host-specific configuration
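
The checks listed in the roadmap so far (validate that keys were actually returned, skip empty or unchanged results, deduplicate), sketched in Rust as an added example. This is not klucznik's own code; the key-type allowlist and the function names `is_key_line`, `merge_sources` and `plan_write` are assumptions.

```rust
use std::collections::HashSet;

// Assumed allowlist of key types; klucznik's own list may differ.
const KEY_TYPES: [&str; 6] = [
    "ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
    "ecdsa-sha2-nistp521", "sk-ssh-ed25519@openssh.com",
];

/// True if `line` has the shape `<key-type> <base64-blob> [comment]`.
fn is_key_line(line: &str) -> bool {
    let mut parts = line.split_whitespace();
    let (Some(kind), Some(blob)) = (parts.next(), parts.next()) else { return false };
    // A key blob begins with a 4-byte length < 256, so its base64 starts "AAAA".
    KEY_TYPES.contains(&kind)
        && blob.starts_with("AAAA") && blob.len() % 4 == 0
        && blob.trim_end_matches('=').bytes()
            .all(|b| b.is_ascii_alphanumeric() || b == b'+' || b == b'/')
}

/// Merge bodies, dropping duplicates; Err if any line is not a key.
fn merge_sources(bodies: &[&str]) -> Result<String, String> {
    let (mut seen, mut out) = (HashSet::new(), String::new());
    for line in bodies.iter().flat_map(|b| b.lines()).map(str::trim) {
        if line.is_empty() || line.starts_with('#') { continue; }
        if !is_key_line(line) {
            return Err(format!("not an SSH public key: {:.40}", line));
        }
        // Identity is type + blob; the trailing comment is ignored.
        let ident = line.split_whitespace().take(2).collect::<Vec<_>>().join(" ");
        if seen.insert(ident) {
            out.push_str(line);
            out.push('\n');
        }
    }
    Ok(out)
}

/// Some(contents) only when there is something new to write.
fn plan_write(bodies: &[&str], current: Option<&str>) -> Result<Option<String>, String> {
    let merged = merge_sources(bodies)?;
    Ok(if merged.is_empty() || current == Some(merged.as_str()) { None } else { Some(merged) })
}

fn main() {
    // Constructed sample bodies, not real keys.
    let a = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGNvbnN0cnVjdGVk laptop\n";
    println!("{:?}", plan_write(&[a, a], None));
    println!("{:?}", plan_write(&["<html>502 Bad Gateway</html>"], None));
}
```

Rejecting the whole fetch on the first non-key line means an error page or redirect body from a source leaves the existing authorized_keys untouched.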

v0.3

  • add authenticated (private) URLs support

v1

  • refine AuthorizedKeysCommand support (ability to use this instead of ssh-key-dir)
  • ability to authorize directly from URLs (use AuthorizedKeysCommand and no authorized_keys)
  • make sure to cache data properly so that it can still authenticate if GitHub/GitLab is currently down
  • ability to chain commands in AuthorizedKeysCommand

Dependencies

~4–5.5MB
~100K SLoC