OpenSSH AuthorizedKeysCommand to fetch keys from GitHub
MIT License
This is a command that can be used as an AuthorizedKeysCommand for OpenSSH.
It fetches the public keys for all members of a specific GitHub team in a specific organization and allows them to log in.
At the moment it is made for a single login user, so all members of the team are allowed to log in as that user.
All keys are fetched in a single API call using the GitHub V4 API, so the request latency should be a lot lower compared to solutions using the V3 API.
Build it with `cargo build --release`; the binary will be in `target/release/ssh-auth-github`.

Edit `./etc/ssh-auth-github.ini` and specify the organization and team, using a GitHub token with the `read:org` scope.

Add `AuthorizedKeysCommand /path/to/ssh-auth-github` to your `sshd_config` and reload sshd.

You can also create a `ssh-auth-github.ini` in this directory and build a container with it using `docker build . -t sshtunnel`. That will create a container running SSH that only allows tunneling as the `tunnel` user.
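Added example, not part of the ssh-auth-github project: a POSIX shell pre-flight script for the sshd side of the setup above. It checks the constraints sshd itself enforces on an AuthorizedKeysCommand (the binary must be root-owned and not writable by group or others, and an AuthorizedKeysCommandUser must be set), checks that the `.ini` holding the GitHub token is not readable by other users, and renders the `sshd_config` lines scoped with `Match User` to the single login user so the team's keys can never be used to log in as root or any other account on the host. The binary and ini paths, the `sshauth` service account and the `systemctl reload sshd` call are placeholders and assumptions; GNU `stat` (Linux) is assumed.

```shell
#!/bin/sh
# Added example (not part of ssh-auth-github): pre-flight checks before
# pointing sshd at the binary.  sshd will not run an AuthorizedKeysCommand
# unless the file is owned by root and not writable by group or others, and
# it refuses to start the command without an AuthorizedKeysCommandUser.
# POSIX sh plus GNU stat (Linux) assumed.

# Return 0 if FILE has the group or other write bit set.
writable_by_group_or_other() {
    perm=$(stat -c '%A' "$1") || return 1
    case "$perm" in
        ?????w*|????????w*) return 0 ;;   # position 6 = group w, position 9 = other w
    esac
    return 1
}

# Return 0 if FILE is owned by uid 0.
owned_by_root() {
    [ "$(stat -c '%u' "$1")" = 0 ]
}

# Return 0 if FILE grants nothing at all to "other" (the .ini holds a GitHub token).
secret_is_private() {
    perm=$(stat -c '%A' "$1") || return 1
    case "$perm" in
        ???????[rwx]*|????????[rwx]*|?????????[rwx]*) return 1 ;;   # positions 8-10 = other rwx
    esac
    return 0
}

# Print the sshd_config lines for this deployment.  Scoping the command in a
# Match block means the team's keys only ever grant login as LOGIN_USER.
# Match blocks extend to the next Match, so append this at the end of the file.
render_sshd_config() {
    bin=$1 run_as=$2 login_user=$3
    printf 'Match User %s\n' "$login_user"
    printf '    AuthorizedKeysCommand %s\n' "$bin"
    printf '    AuthorizedKeysCommandUser %s\n' "$run_as"
}

main() {
    bin=${SSH_AUTH_GITHUB_BIN:-/usr/local/sbin/ssh-auth-github}   # placeholder path
    ini=${SSH_AUTH_GITHUB_INI:-/etc/ssh-auth-github.ini}          # placeholder path
    run_as=${SSH_AUTH_GITHUB_USER:-sshauth}   # unprivileged account, assumed to exist
    owned_by_root "$bin" && ! writable_by_group_or_other "$bin" \
        || { echo "refusing: $bin must be root-owned and not group/other writable" >&2; return 1; }
    secret_is_private "$ini" \
        || { echo "refusing: $ini holds the GitHub token; chown root:$run_as and chmod 640 it" >&2; return 1; }
    render_sshd_config "$bin" "$run_as" tunnel >> /etc/ssh/sshd_config
    # Validate the config before reloading so a typo cannot lock you out.
    sshd -t && systemctl reload sshd   # service name is an assumption (ssh on Debian)
}

case "${1:-}" in deploy) main ;; esac
```

Run it as `sh preflight.sh deploy` on the host; without the `deploy` argument it only defines the functions, which is convenient for sourcing them elsewhere.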
It only fetches the first 100 users in the team and the first 100 keys for each user. It does not yet attempt to do pagination to fetch more than that.
There is no caching, so you might run into GitHub request limits. At the time of writing the limit is roughly 500,000 public keys per hour, so how many login attempts that translates into depends on the size of your team.
A simple way to do caching is to run this as a cron job and write out the results to the `authorized_keys` file, instead of running it as an AuthorizedKeysCommand.
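The cron-based caching suggested above, as an added shell example that is not part of the project: it runs the fetch, validates that the output consists of OpenSSH public key lines, and only then atomically replaces `authorized_keys`. On a fetch failure, a rate-limit or error body, or an empty response the existing file is left untouched, so an API problem never locks out the team or corrupts the key set sshd reads. The `ssh-auth-github` invocation, the cron line and the `tunnel` home path are assumptions, and the sample key in the usage comment is constructed.

```shell
#!/bin/sh
# Added example (not part of ssh-auth-github): refresh a cached
# authorized_keys file from a cron job instead of calling the command on
# every login.  POSIX sh plus GNU mktemp/stat assumed.

# One line per key: key type, base64 blob, optional comment.  Anything else
# (an API error body, HTML from a proxy, an empty response) must not reach sshd.
KEY_RE='^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp(256|384|521)|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com) [A-Za-z0-9+/]+=*( .*)?$'

# Return 0 if FILE holds at least one key line and nothing but key lines
# (blank lines tolerated).
keys_look_valid() {
    n=$(grep -Ec "$KEY_RE" "$1") || true
    [ "${n:-0}" -ge 1 ] || return 1
    ! grep -Ev "^$|$KEY_RE" "$1" >/dev/null
}

# Usage: refresh_authorized_keys DEST FETCH_CMD [ARGS...]
# Runs FETCH_CMD, validates its output, and atomically replaces DEST.
# On any failure DEST is left exactly as it was.
refresh_authorized_keys() {
    dest=$1; shift
    dir=$(dirname "$dest")
    # Temp file in the same directory so the final rename is atomic.
    tmp=$(mktemp "$dir/.authorized_keys.XXXXXX") || return 1
    if ! "$@" >"$tmp"; then            # fetch failed: network, rate limit, bad token
        rm -f "$tmp"; return 1
    fi
    if ! keys_look_valid "$tmp"; then  # exit 0 but the output is not a key list
        rm -f "$tmp"; return 1
    fi
    # sshd's StrictModes accepts a root-owned authorized_keys as long as it is
    # not group/other writable, so a root cron job needs no chown.
    chmod 600 "$tmp" && mv -f "$tmp" "$dest"
}

# Cron wiring (paths assumed), e.g. in /etc/cron.d/refresh-keys:
#   */5 * * * * root /usr/local/sbin/refresh-keys.sh /home/tunnel/.ssh/authorized_keys /usr/local/sbin/ssh-auth-github
# A successful run writes lines such as (constructed sample):
#   ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGVjb25zdHJ1Y3RlZHNhbXBsZWtleQ== alice@github
if [ $# -ge 2 ]; then
    refresh_authorized_keys "$@" \
        || { logger -t refresh-keys "key refresh failed; keeping previous authorized_keys"; exit 1; }
fi
```

Because the validation runs before the rename, a transient GitHub error is logged and the previous key set stays in place until the next successful run; lengthen the cron interval if the team is large enough that five-minute refreshes approach the request limit.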