Controlling ssh access with GitHub organizations


Ok, I’m coming clean. Controlling access to our various servers has been a mess. Sure, we’ve stored passwords in a safe way (1Password for teams ftw!) but what happens if someone leaves the company or that root password somehow were to get out… Well, we did not have a plan for such a thing.

Sure, setting up ssh keys is easy, but we never got around to it. We manage more than a handful of servers, and making sure the authorized_keys files on these boxes are up to date just felt unmanageable.

This changed today when I got the idea to make use of the GitHub feature that exposes users' public keys. I wrote a little script that fetches all users within our GitHub organization, pulls down the public keys and updates the ~/.ssh/authorized_keys file nightly with a cron job.


<?php
# import github keys

# Fetch the organisation's member list. The credentials must belong to an account
# that can see all members, and the API returns at most 30 members per page by
# default, so a larger organisation needs to follow the pagination links.
$ch = curl_init('https://api.github.com/orgs/EarthPeople/members');
curl_setopt($ch, CURLOPT_USERPWD, "XXX:XXX");
curl_setopt($ch, CURLOPT_TIMEOUT, 30);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
curl_setopt($ch, CURLOPT_USERAGENT, 'EpBot');
$users = json_decode(curl_exec($ch));
curl_close($ch);

$keys = array();
if(is_array($users)){
    echo "found ".count($users)." users in organisation\n";
    foreach($users as $params){
        echo "user: ".$params->login."\n";
        # https://github.com/<login>.keys returns the user's public keys, one per line
        $result = file_get_contents('https://github.com/'.$params->login.'.keys');
        # only count a user whose keys were actually fetched; a failed request
        # returns false and must not be written into the file
        if($result !== false){
            $keys[] = trim($result);
        }
    }
}
echo "fetched keys for ".count($keys)." users\n";

# replace the file only when every user's keys could be fetched
if(count($keys) > 0 && count($users) === count($keys)){
    file_put_contents('/root/.ssh/authorized_keys', implode("\n", $keys)."\n");
    echo "imported keys to ~/.ssh/authorized_keys\n";
}else{
    echo "error, could not fetch keys for all users\n";
}

Yes, this is PHP but when all you’ve got is a hammer – everything looks like a nail. This needs some error handling too, but I thought I’d share it anyway.
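As an added example (not the original script), here is the validate-and-write half of the same job in Python, with the fetching left to the script above so the merging logic can be exercised on constructed input: every key line is tagged with the login it came from, anything that is not a key line is rejected, the file is never emptied when a fetch fails, and the replacement is atomic. The github:<login> comment format and the SAMPLE_KEYS input are my own assumptions.

```python
import os
import re
import tempfile

# Key types OpenSSH accepts. Anything else in a github.com/<login>.keys response
# (an HTML error page, a blank line) is rejected instead of being copied into the file.
KEY_LINE = re.compile(
    r"^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521)|"
    r"sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com) [A-Za-z0-9+/]+=*$"
)

# Constructed stand-in for two fetched .keys responses (not real key material);
# bob has no keys on GitHub, which the endpoint reports as an empty body.
SAMPLE_KEYS = {
    "alice": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeKeyMaterialForTheExampleOnly0000000000\n"
             "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQFakeRsaKeyMaterialForTheExampleOnly==\n",
    "bob": "",
}

def build_authorized_keys(keys_by_login):
    """Turn {login: raw .keys text, or None if the fetch failed} into file content.

    Each key line gets the GitHub login as its comment, so an "Accepted publickey"
    entry in sshd's log can be traced to a person. Returns None ("write nothing")
    when any fetch failed or returned non-key content, so an outage never empties
    the file and locks everyone out.
    """
    lines = []
    for login, raw in sorted(keys_by_login.items()):
        if raw is None:
            return None
        found = [ln.strip() for ln in raw.splitlines() if KEY_LINE.match(ln.strip())]
        if raw.strip() and not found:  # non-empty but no keys: probably an error page
            return None
        lines.extend(f"{key} github:{login}" for key in found)
    return "\n".join(lines) + "\n" if lines else None

def write_atomically(path, content):
    """Write to a temp file beside the target, chmod 600, then rename over it,
    so sshd never reads a half-written authorized_keys."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".authorized_keys.")
    try:
        with os.fdopen(fd, "w") as f:
            f.write(content)
        os.chmod(tmp, 0o600)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise
```

The cron job would feed the per-user .keys text into build_authorized_keys and call write_atomically('/root/.ssh/authorized_keys', content) only when the result is not None.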


/Peder