guzmanbraso

Better SSH Authorized Keys Management

A seemingly common problem that people encounter is how to handle all of your users authorized_keys file.

People struggle over management, ensuring that users only have specific keys in the authorized_keys file or even a method for expiring keys. A centralized key management system could help provide all of this functionality with a little scripting.

One piece of functionality overlooked in OpenSSH is the AuthorizedKeysCommand configuration keyword. This configuration allows you to specify a command that will run during login to retrieve a users public key file from a remote source and perform validation just as if the authorized_keys file was local.

Here is an example directory structure for a set of users with SSH public keys that can be shared out via a web server:

guzmanbraso

#!/bin/bash
# This script will clean executions older than a given amount of days ($DAYS) but will keep at least $KEEP executions.
# Based on @unicolet gist that keeps last 30 exec of each job ( https://gist.github.com/unicolet/af648a97163ce6b44645 )
# Taken from @lucabusin the workflow tables cleaning code ( https://gist.github.com/lucabusin/cad36a45764f2fc2e2daa81e2db4186d )
# setup ~/.mycnf or ~/.pgpass to allow passwordless connection to mysql/postgres
# Comment / Uncomment below to use postgres or mysql.

# Days to keep executions.
DAYS=90
# Minimum Amount to Keep

guzmanbraso

#!/bin/bash
#
# Report time to first byte for the provided URL using a cache buster to ensure
# that we're measuring full cold-cache performance

while (($#)); do
    echo $1
    curl -so /dev/null -H "Pragma: no-cache" -H "Cache-Control: no-cache" \
        -w "%{http_code}\tPre-Transfer: %{time_pretransfer}\tStart Transfer: %{time_starttransfer}\tTotal: %{time_total}\tSize: %{size_download}\n" \
        "$1?`date +%s`"