Skip to content

konradmalik/klucznik

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

54 Commits

.github/workflows

.github/workflows

 
 

src

src

 
 

.envrc

.envrc

 
 

.gitignore

.gitignore

 
 

Cargo.lock

Cargo.lock

 
 

Cargo.toml

Cargo.toml

 
 

LICENSE

LICENSE

 
 

README.md

README.md

 
 

default.nix

default.nix

 
 

flake.lock

flake.lock

 
 

flake.nix

flake.nix

 
 

shell.nix

shell.nix

 
 

Repository files navigation

crates.io Actions Status Actions Status

klucznik

⚠️ Disclaimer: I use this program to learn Rust, Nix and to automate stuff for personal use.

Manage your ssh access keys automatically by for ex. synchronizing them from github.

Installation

$ cargo install --locked klucznik

Usage

⚠️ Using a program to get authorized keys or allow SSH access based on data got from a remote server could be risky and insecure. If someone has control over the server you get the data from, or control over the network you're on then the attacker could easily inject their own keys and get full access to your machines. TL;DR use common sense!

Install the binary (optional)

Install the binary to some globally accessible place:

$ sudo install --mode 755 --owner root --group root ~/.cargo/bin/klucznik /usr/local/bin/klucznik

As authorized_keys updater

⚠️ this will overwrite your authorized_keys file!

Set-up a cron job similar to this:

* 12 * * * /usr/local/bin/klucznik --sources https://github.com/<your username>.keys --destination /home/<user>/.ssh/authorized_keys

You can add more sources via more flags.

Alternatively, use ssh-key-dir to not overwrite your authorized_keys:

* 12 * * * /usr/local/bin/klucznik --sources https://github.com/<your username>.keys --destination /home/<user>/.ssh/authorized_keys.d/klucznik

Then configure your AuthorizedKeysCommand in sshd_config to use ssh-key-dir to that ssh reads your overlays from that folder.

As AuthorizedKeysCommand (experimental!)

Change the following settings in your sshd_config:

AuthorizedKeysCommand /usr/local/bin/klucznik --sources https://github.com/<username>.keys
AuthorizedKeysCommandUser root

AuthorizedKeysCommand is pretty picky about permissions, ownership etc. of that binary file. Make sure to read the proper man entry.

Roadmap

v0.1 'Not much more than overengineered curl replacement but works'

  • configurable via command-line arguments/flags
  • get authorized_keys from public URLs
  • validate if in fact keys are returned (basic)
  • save to file
  • automated cargo release

v0.1.1

  • fix writing multiple sources to one file
  • if destination is provided, and file-contents are the same, don't overwrite
  • if returned keys are empty, don't overwrite

v0.1.2

  • fix created file permissions to 600

v0.2 'curl with centralized config'

  • deduplicate keys
  • config file support (remote + local)
  • able to read/store host-specific configuration

v0.3

  • add authenticated (private) URLs support

v1

  • refine AuthorizedKeysCommand support (ability to use this instead of ssh-key-dir.
  • ability to authorize directly from URLs (use AuthorizedKeysCommand and no authorized_keys
  • make sure cache data properly so that it can still authenticate if Github/Gitlab is currently down.
  • ability to chain commands in AuthorizedKeysCommand

About

Manage your ssh access keys automatically.

Topics

rust ssh devops automation authorized-keys sysadmin rust-lang devops-tools sysadmin-tool

Resources

Readme

License

GPL-3.0 license
Activity

Stars

0 stars

Watchers

3 watching

Forks

0 forks
Report repository

Releases 3

v0.1.2 Not much more than overengineered `curl` replacement but works Latest
Nov 30, 2022
+ 2 releases

Languages