Ok, I’m coming clean. Controlling access to our various servers has been a mess. Sure, we’ve stored passwords in a safe way (1Password for teams ftw!) but what happens if someone leaves the company or that root password somehow were to get out… Well, we did not have a plan for such a thing.
Sure, setting up ssh keys is easy, but we never got around to it. We manage more than a handful servers, and making sure the authorized_keys on these boxes is up to date just felt unmanageable.
This changed today when i got the idea to make use of this GitHub’s feature which exposes the public keys. I wrote a little script that fetches all users within our GitHub organization, pulls down the public keys and updates the ~.ssh/authorized_keys-file nightly with a cron job.
| <?php | |
| # import github keys | |
| $ch = curl_init('https://api.github.com/orgs/EarthPeople/members'); | |
| curl_setopt($ch, CURLOPT_USERPWD, "XXX:XXX"); | |
| curl_setopt($ch, CURLOPT_TIMEOUT, 30); | |
| curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE); | |
| curl_setopt($ch, CURLOPT_USERAGENT,'EpBot'); | |
| $users = @json_decode(curl_exec($ch)); | |
| curl_close($ch); | |
| echo "found ".count($users)." users in organisation\n"; | |
| if($users){ | |
| foreach($users as $user => $params){ | |
| echo "user: ".$params->login."\n"; | |
| $keys[] = file_get_contents('https://github.com/'.$params->login.'.keys'); | |
| } | |
| } | |
| echo "found ".count($keys)." keys\n"; | |
| if(count($users) === count($keys)){ | |
| file_put_contents('/root/.ssh/authorized_keys', implode($keys, "\n")); | |
| echo "imported to keys to ~/.ssh/authorized_keys\n"; | |
| }else{ | |
| echo "error, could not fetch keys for all users\n"; | |
| } |
Yes, this is PHP but when all you’ve got is a hammer – everything looks like a nail. This needs some error handling too, but I thought I’d share it anyway.
/Peder