by withinboredom 1037 days ago
There is an amazingly simple directive missing here:

    # in sshd_config:

    AuthorizedKeysCommand /usr/bin/php /etc/ssh/auth.php %u
    # sshd refuses to start if AuthorizedKeysCommand is set without this:
    AuthorizedKeysCommandUser nobody

    # in /etc/ssh/auth.php

    <?php
    // %u arrives as argv[1]; encode it before it is placed in the URL
    $user = $argv[1] ?? '';
    $user = rawurlencode($user);
    echo file_get_contents("https://gihub.com/{$user}.keys");
This is obviously not production quality code, but just demonstrates the gist of the configuration. Basically, you can do a number of things, like verify the user is part of your org and in a certain group on Github. Then, if the user exists (and is rewritten via nss-ato or something), they can login to the server.

This saves a lot of trouble when off/on-boarding folks, since you can simply add/remove them from a github group to revoke or grant access to your machines.


Amazon Linux does something sort of like this, which I guess is 'production quality', meaning much more complex. It annoys me on older versions of Amazon Linux (2 and earlier) because it involves (among other things) an invocation of the openssl CLI to verify the format of individual keys in the authorized keys file that is hardcoded to use RSA, so you can't authenticate to Amazon Linux 2 hosts using ed25519 even though the version of OpenSSH on them supports it.

In theory it's kinda nice because it can let you do fancy things¹, but my actual experiences with it breaking basic functionality even for people who don't use those fancy things has ultimately made me trust Amazon Linux less.

It was especially frustrating because when I first encountered this, I was trying to SSH into a box owned by one of our cloud-first DevOps guys. I couldn't diagnose the box because I didn't have hands on it. He couldn't diagnose the issue because he knows AWS better than he knows Linux and didn't know where to look. He'd chosen Amazon Linux because it's by the owner of the cloud platform, so it must be 'more compatible', right? But here, 'more compatible' actually meant 'more full of stupid surprises'.

Bleh.

--

1: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/connect-...

Use AWS SSM with something like Leapp.
Thanks for the tip! I will probably learn and play with SSM at some point.

As it is, I'm much the opposite of our cloud-first DevOps guys: I know how to operate Linux a lot better than I know how to operate AWS. That makes yours a more intimidating proposition to me.

At the same time, this particular box was a shortlived VM that was already behind a VPN, my organization already has tentative plans to implement a different network access system than SSM, it won't be my project to execute, and I don't get to be in the room for architecture decisions related to it.

Things like this make me wish I wasn't in the network side (where we miss out on awesome shit like this because "the network isn't working right" is part of our job).
The real life script runs a cron job and caches the keys for all users in a group. It always does a sanity check on the user, but if that fails it still allows that user to login (because we all know GitHub goes down) if they have cached keys.
Can the real life script be shared?
little typo there: "gihub"
brb buying gihub.com
Registered 2010, I think you’re late
Nice catch! Too late to edit it though.
Really handy for NixOS users!
You really should use ssh certificates for this instead.
Yeah, if you have PKI infra, that’s the way to go.
why php?
It’s the only language I could think of that could express a whole working example in only a couple of lines of code in a highly readable way.

Other languages I know would require imports/boilerplate that would distract (Go/C#/C/Python/Scala/JS) from the example. Bash might be more familiar with devops but less familiar to regular programmers — part of the illustration I wanted to make was that it didn’t need to be a devops thing. Also PHP (along with JS) is a language most devs know a little bit about, whether they want to or not.

Worked out beautifully imo. That PHP script is super concise and readable, so it's a great little illustration.
Can curl do the url encoding? Isn't there some new "variables" thing in the newest release?

Can valid Unix usernames have special characters that need escaping? I should know that by now.
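Pulling the thread together: the sketch in the top post, the cron-plus-cache fallback described by its author, and the question about which usernames are safe to pass along. The following is an added example written for this page, not the commenter's real script and not GitHub's or OpenSSH's code; it is in Python rather than the PHP of the post. It assumes a hypothetical install path `/usr/local/bin/gh_keys.py` and cache directory `/var/cache/gh-keys`, and the GitHub fetch and the group check are injected callables so the decision logic can be exercised offline; the org/team lookup itself is left as a placeholder.

```python
#!/usr/bin/env python3
"""AuthorizedKeysCommand helper mirroring the thread's design (added example).

Assumed sshd_config lines (hypothetical path):
    AuthorizedKeysCommand /usr/local/bin/gh_keys.py %u
    AuthorizedKeysCommandUser nobody
"""
import re
import sys
import time
import urllib.error
import urllib.request
from pathlib import Path

# POSIX portable username rule (the pattern useradd has historically enforced).
# Rejecting anything else keeps '/', '..' and '%' out of the URL and cache path.
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}\$?")
KEY_TYPES = ("ssh-", "ecdsa-sha2-", "sk-")


class UpstreamUnavailable(Exception):
    """Raised by fetch/in_group when GitHub cannot be reached."""


def valid_username(user):
    return USERNAME_RE.fullmatch(user) is not None


def valid_pubkey_line(line):
    """Keep only lines shaped like '<keytype> <base64> [comment]'."""
    parts = line.split()
    return (len(parts) >= 2 and parts[0].startswith(KEY_TYPES)
            and re.fullmatch(r"[A-Za-z0-9+/=]+", parts[1]) is not None)


def refresh_cache(users, fetch, cache_dir):
    """Cron side: store each user's current keys in cache_dir.
    Returns the users whose cache file was rewritten."""
    cache_dir = Path(cache_dir)
    cache_dir.mkdir(parents=True, exist_ok=True)
    updated = []
    for user in users:
        if not valid_username(user):
            continue
        try:
            raw = fetch(user)
        except UpstreamUnavailable:
            continue  # GitHub down: keep the previous copy untouched
        keys = [l.strip() for l in raw.splitlines() if valid_pubkey_line(l.strip())]
        (cache_dir / f"{user}.keys").write_text("".join(k + "\n" for k in keys))
        updated.append(user)
    return updated


def authorized_keys(user, fetch, in_group, cache_dir, max_stale=86400, now=None):
    """sshd side: the authorized_keys text for `user`; '' denies the login.

    in_group(user) is the sanity check. If it or fetch raises
    UpstreamUnavailable, fall back to the cache, but not to a copy older
    than max_stale seconds: an outage must not honour long-revoked keys."""
    if not valid_username(user):
        return ""
    now = time.time() if now is None else now
    cache_file = Path(cache_dir) / f"{user}.keys"
    try:
        allowed, upstream_ok = in_group(user), True
    except UpstreamUnavailable:
        allowed, upstream_ok = True, False  # cannot tell; rely on the cache
    if not allowed:
        if cache_file.exists():
            cache_file.unlink()  # a definite "no" revokes immediately
        return ""
    if upstream_ok and not refresh_cache([user], fetch, cache_dir):
        upstream_ok = False  # group check passed but the key fetch failed
    if not cache_file.exists():
        return ""
    if not upstream_ok and now - cache_file.stat().st_mtime > max_stale:
        print(f"cached keys for {user} too old to trust during outage", file=sys.stderr)
        return ""
    return cache_file.read_text()


def github_fetch(user):
    """Live fetcher for the sshd invocation; 404 means 'no such user, no keys'."""
    try:
        with urllib.request.urlopen(f"https://github.com/{user}.keys", timeout=5) as r:
            return r.read().decode()
    except urllib.error.HTTPError as e:
        if e.code == 404:
            return ""
        raise UpstreamUnavailable(str(e))
    except OSError as e:
        raise UpstreamUnavailable(str(e))


if __name__ == "__main__":
    # Placeholder group check: replace with the org/team lookup the thread describes.
    user = sys.argv[1] if len(sys.argv) > 1 else ""
    sys.stdout.write(authorized_keys(user, github_fetch, lambda u: True, "/var/cache/gh-keys"))
```

Two design points worth noting. The username check answers the question above from the other direction: rather than escaping whatever sshd hands over, the script only accepts names in the portable character set, so nothing reaches the URL or the cache path that could change their shape. And the outage fallback is bounded by `max_stale`, so a cached key that would have been revoked by a group removal is not honoured indefinitely just because GitHub is unreachable.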