Allowing SSH access to the members of a GitHub team.
This script uses GitHub's public key management as the source of truth for SSH public keys.
This makes the following assumptions:
- You trust the developers/individuals that have access to your code in GitHub to also have access to the servers running said code. You have much deeper problems if you don't...
- You trust that managing verified public keys on GitHub is properly secure.
- The keys hosted on GitHub represent the identity of your developers and operations team.
lockpick is meant to be run as a script. You can either install it via Rubygems:
$ gem install lockpick
You may need to use sudo if you are installing against the system Ruby...
Or clone this repo:
$ git clone https://github.com/fredjean/lockpick.git
You will probably need to run bundle install if you choose that path...
lockpick is a simple script that uses the GitHub APIs to retrieve the list of verified, public SSH keys for the members of one or more teams.
To run the lockpick script:
$ lockpick
You can also use cron to run it periodically by adding the following line to your crontab:
5 * * * * /usr/local/rbenv/shims/lockpick
The script uses Ara's Main gem to run. It will open up an editor with a template configuration:
github:
  token: "github oauth token"
  org: myorg
  team_ids:
  - 123456
default_keys:
- ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAyflVzdA6S6DUFs4FVID+AJ6xf6125crlB1BlacmPe+Zq25PgaVGPC9L4SlZqEkkK5NOZjhTGnoH6r33Bdb+vECh5rRxn0s37hZI1ayVtjUudaKTZD09JQSKq1q1NOno5NhOAivh1SSqwmFBpPzlo1N1YfW+HphPSkAfHgxP2bZUdvQJTK9l1WlQy2UaMEREL3G/0yfFUnOew3GfHU/B4oHYxjGN41Q/WBQ4pxSGMo5zYufKyrQqKFR+Zsdq6GN4QgwAJzS09EPZXADHyJoZ2wwJuQozQtlLxp2z5YhNTJqQVAJnswLWf/I5oKQV9wgqcQ9OfywUKynweHdPsDyXGpQ== dojo4@dojo4.com
It will then proceed to pull the keys from GitHub. The configuration is stored under ~/.lockpick/config.yml.
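Keys pulled from a remote API and the default_keys from the config end up authorising logins, so each line is worth validating before it is written. The following is an added example, not lockpick's own code: it assumes the team keys arrive as hashes with hypothetical `:login` and `:key` fields, and all method and constant names are illustrative.

```ruby
# Key types accepted here are a local policy assumption; adjust as needed.
ALLOWED_TYPES = %w[ssh-ed25519 ssh-rsa ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521].freeze

# Returns "type blob comment" for a bare public key whose base64 blob really
# encodes the declared type; returns nil for anything else.
def normalize_key(line, comment)
  line = line.to_s.strip
  return nil if line =~ /[\r\n]/                          # embedded newline would add a second entry
  type, blob, = line.split(/\s+/, 3)
  return nil unless ALLOWED_TYPES.include?(type) && blob  # also rejects leading options (command=...)
  raw = (blob.unpack1("m0") rescue nil)                   # strict base64 decode
  return nil unless raw && raw.bytesize > 4
  len = raw.unpack1("N")                                  # SSH wire format: uint32 length + algorithm name
  return nil unless len == type.bytesize && raw.byteslice(4, len) == type
  "#{type} #{blob} #{comment.gsub(/[^\w@.:-]/, '_')}"
end

# Merges default and team keys, de-duplicating on the blob. Returns [file_content, rejected_labels].
def build_authorized_keys(default_keys, team_keys)
  entries = default_keys.map { |k| [k, k.to_s.split(/\s+/, 3)[2] || "default"] } +
            team_keys.map { |m| [m[:key], "github:#{m[:login]}"] }
  accepted, rejected = {}, []
  entries.each do |line, comment|
    norm = normalize_key(line, comment)
    if norm then accepted[norm.split[1]] ||= norm else rejected << comment end
  end
  [accepted.values.map { |l| l + "\n" }.join, rejected]
end

# Writes via a 0600 temp file and rename, so sshd never sees a partial file.
def write_authorized_keys(path, content)
  tmp = "#{path}.#{Process.pid}.tmp"
  File.open(tmp, File::WRONLY | File::CREAT | File::EXCL, 0o600) { |f| f.write(content) }
  File.rename(tmp, path)
end

# Constructed sample data: blobs hold a valid type header plus filler, not real keys.
def sample_blob(type, filler)
  [[type.bytesize].pack("N") + type + filler].pack("m0")
end
SAMPLE_DEFAULT = ["ssh-ed25519 #{sample_blob('ssh-ed25519', 'ops')} ops@example.com"].freeze
SAMPLE_TEAM = [
  { login: "alice", key: "ssh-ed25519 #{sample_blob('ssh-ed25519', 'alice')}" },
  { login: "bob",   key: "command=\"echo hi\" ssh-ed25519 #{sample_blob('ssh-ed25519', 'bob')}" },
  { login: "carol", key: "ssh-rsa #{sample_blob('ssh-ed25519', 'carol')}" },  # declared type != blob type
  { login: "dave",  key: "ssh-ed25519 #{sample_blob('ssh-ed25519', 'ops')}" }, # duplicate of the default key
].freeze
```

The rejected labels are worth logging on every cron run, since a key that suddenly fails validation is a signal to investigate rather than something to drop silently.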
- Fork it
- Create your feature branch (git checkout -b my-new-feature)
- Commit your changes (git commit -am 'Add some feature')
- Push to the branch (git push origin my-new-feature)
- Create new Pull Request