Command ssh-key-sync
is a tool for managing authorized_key
files, by synchronizing
the contents with public keys managed by accounts on GitHub.
Module github.com/shoenig/ssh-key-sync
provides the command ssh-key-sync
.
The ssh-key-sync
command can be downloaded from the releases page.
Alternatively, you can use Go directly.
go install github.com/shoenig/ssh-key-sync@latest
There are a few arguments, but typically you should only need to specify --github-user
.
The Linux user and authorized_key
file are by default assumed to be of the user
running the command.
ssh-key-sync --github-user <user>
ssh-key-sync -help
Usage of ./ssh-key-sync:
-authorized-keys string
override the output authorized_keys file (default "/home/$USER/.ssh/authorized_keys")
-github-api string
specify the GitHub API endpoint (default "https://api.github.com")
-github-user string
specify the github user
-system-user string
specify the unix system user (default "$USER")
-prune
delete all keys not found in github
-verbose
print verbose logging
The following steps should get ssh-key-sync
running as a systemd-timer on any system with systemd.
You could also use cron or some other periodic task runner, but these instructions work with most major Linux distrobutions.
These examples use linux
and amd64
- be sure to use the correct version for your operating system and architecture.
$ wget https://github.com/shoenig/ssh-key-sync/releases/download/v1.7.2/ssh-key-sync_1.7.2_linux_amd64.tar.gz
$ sudo tar -C /usr/local/bin -xf ssh-key-sync_1.7.2_linux_amd64.tar.gz
$ mkdir ~/.ssh && chmod 700 ~/.ssh
$ touch ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys
A great way to keep your authorized_key
file up-to-date is to run ssh-key-sync
periodically via a systemd timer.
To set this up, we will need two files - one service file which represents execution of ssh-key-sync
,
and a timer file which represents the schedule on which the service should be executed. Use the example below,
modifying paths to suite your needs.
[Unit]
Description=Synchronize ssh authorized keys with public keys from github.
[Service]
ExecStart=/usr/local/bin/ssh-key-sync -verbose -system-user <user> -github-user <user>
[Unit]
Description=Run ssk-key-sync every 6 hours
[Timer]
OnBootSec=5min
OnUnitActiveSec=6h
Unit=ssh-key-sync.service
[Install]
WantedBy=timers.target
$ sudo systemctl daemon-reload
$ sudo systemctl enable ssh-key-sync.timer
The timer will run in the background on its schedule, but it's nice to run the service immediately so we can see that it is working correctly. To do that, just start the service.
$ sudo systemctl start ssh-key-sync.service
And now we can view the status to make sure it ran correctly.
$ sudo systemctl status ssh-key-sync
You should see some output like,
○ ssh-key-sync.service - Synchronize ssh authorized keys with public keys from github.
Loaded: loaded (/etc/systemd/system/ssh-key-sync.service; static)
Active: inactive (dead) since Tue 2023-04-11 15:29:32 CDT; 2s ago
Duration: 236ms
TriggeredBy: ○ ssh-key-sync.timer
Process: 2104 ExecStart=/usr/local/bin/ssh-key-sync -verbose -system-user shoenig -github-user shoenig (code=exited>
Main PID: 2104 (code=exited, status=0/SUCCESS)
CPU: 22ms
Apr 11 15:29:32 localhost.localdomain systemd[1]: Started Synchronize ssh authorized keys with public keys from github..
Apr 11 15:29:32 localhost.localdomain ssh-key-sync[2104]: 2023/04/11 15:29:32 using default output authorized_keys file>
Apr 11 15:29:32 localhost.localdomain ssh-key-sync[2104]: 2023/04/11 15:29:32 process local user shoenig from shoenig@g>
Apr 11 15:29:32 localhost.localdomain ssh-key-sync[2104]: 2023/04/11 15:29:32 loaded 0 existing keys for user "shoenig"
Apr 11 15:29:32 localhost.localdomain ssh-key-sync[2104]: 2023/04/11 15:29:32 acquire github keys from "https://api.git>
Apr 11 15:29:32 localhost.localdomain ssh-key-sync[2104]: 2023/04/11 15:29:32 retrieved 10 keys for github user: shoenig
Apr 11 15:29:32 localhost.localdomain systemd[1]: ssh-key-sync.service: Deactivated successfully.
It works! And inspecting the ~/.ssh/authorized_keys
file should reveal it contains your public keys from GitHub.
The github.com/shoenig/ssh-key-sync
tool is always improving with new features
and error corrections. For contributing bug fixes and new features please file an issue.