guzmanbraso

Better SSH Authorized Keys Management

A seemingly common problem that people encounter is how to handle all of your users authorized_keys file.

People struggle over management, ensuring that users only have specific keys in the authorized_keys file or even a method for expiring keys. A centralized key management system could help provide all of this functionality with a little scripting.

One piece of functionality overlooked in OpenSSH is the AuthorizedKeysCommand configuration keyword. This configuration allows you to specify a command that will run during login to retrieve a users public key file from a remote source and perform validation just as if the authorized_keys file was local.

Here is an example directory structure for a set of users with SSH public keys that can be shared out via a web server:

guzmanbraso

#!/bin/bash
#
# Report time to first byte for the provided URL using a cache buster to ensure
# that we're measuring full cold-cache performance

while (($#)); do
    echo $1
    curl -so /dev/null -H "Pragma: no-cache" -H "Cache-Control: no-cache" \
        -w "%{http_code}\tPre-Transfer: %{time_pretransfer}\tStart Transfer: %{time_starttransfer}\tTotal: %{time_total}\tSize: %{size_download}\n" \
        "$1?`date +%s`"