Better SSH Authorized Keys Management

A seemingly common problem is how to manage all of your users' authorized_keys files.

People struggle with management: ensuring that users only have specific keys in their authorized_keys file, or even finding a method for expiring keys. A centralized key management system could provide all of this functionality with a little scripting.

One overlooked piece of functionality in OpenSSH is the AuthorizedKeysCommand configuration keyword. It lets you specify a command that runs during login to retrieve a user's public key file from a remote source; validation is then performed just as if the authorized_keys file were local.

Here is an example directory structure for a set of users with SSH public keys that can be shared out via a web server:

@nisanthchunduru
nisanthchunduru / strip_photo_metadata.rb
Created October 1, 2017 13:50
Strip location information and additional metadata from your photos using ruby
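# Install imagemagick first
# brew install imagemagick
require "shellwords"
# Interpolate the HOME environment variable (the original string was a literal)
photos_dir = "#{ENV['HOME']}/Downloads/Photos to Upload"
Dir["#{photos_dir}/**/*"].each do |file_path|
  # Skip directories matched by the recursive glob
  next unless File.file?(file_path)
  # Escape the path so spaces and shell metacharacters are not interpreted
  system("mogrify -strip #{Shellwords.shellescape(file_path)}")
end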
@nisanthchunduru
nisanthchunduru / clone_and_restore_server_harddisk.md
Last active August 1, 2023 07:52
Clone and restore a physical server's hard disk

Clone a server's hard disk

Log in to Hetzner's web interface https://robot.your-server.de/ and activate the Rescue System for the server whose disk you wish to clone.

SSH into the Rescue System (replace 1.2.3.4 in the command below with the actual IP address of the server)

ssh -o HostKeyAlias=hetzner-rescue.1.2.3.4 root@1.2.3.4
@nisanthchunduru
nisanthchunduru / decode_session_cookie.rb
Created August 30, 2017 13:18
Decode Session Cookie in Rails 3
@nisanthchunduru
nisanthchunduru / 176_9_149_227_interfaces
Created August 22, 2017 18:19
Missing IPv6 Configuration
root@Ubuntu-1604-xenial-64-minimal ~ # cat /etc/network/interfaces
### Hetzner Online GmbH installimage
source /etc/network/interfaces.d/*
auto lo
iface lo inet loopback
iface lo inet6 loopback
auto eth0
@nisanthchunduru
nisanthchunduru / edid-decode source URL
Created July 27, 2017 19:35 — forked from OneSadCookie/edid-decode source URL
EDID decoding on the Mac, to find out what resolutions and rates the Mac is seeing reported.
http://cgit.freedesktop.org/xorg/app/edid-decode/plain/edid-decode.c
compile with:
gcc edid-decode.c -o edid-decode
get EDID from IORegistryExplorer (mine, an old 24" Apple Cinema Display, is attached).
Convert to binary with this command:
ruby -e 'File.binwrite("edid", File.read("edid.txt").split.map { |s| s.to_i(16) }.pack("C*"))'
@nisanthchunduru
nisanthchunduru / README.md
Last active July 26, 2017 14:47
zsh function to quickly convert an issue to a pull request

Run

issuetopr 1256

to convert issue 1256 to a pull request.

Copy the function issuetopr to your .bashrc or .zshrc to start using it.

@nisanthchunduru
nisanthchunduru / magicbell.io
Last active July 7, 2017 10:30
Example nginx configuration file for phusion passenger open source
server {
  listen 443;
  root /home/rails/apps/magicbell_site/current/public;
  server_name magicbell.io;
  # Use certificates we purchased from https://www.ssl2buy.com
  ssl on;
  ssl_certificate /etc/nginx/certs/magicbell.io/magicbell.io.crt;
  ssl_certificate_key /etc/nginx/certs/magicbell.io/magicbell.io.key;
@nisanthchunduru
nisanthchunduru / backup_dotfiles.rb
Created June 12, 2017 10:36
Backup dotfiles that RCM already tracks
require "fileutils"
class DotfileInfo
  def initialize(dotfile_info_string)
    @dotfile_info_string = dotfile_info_string
  end
  def path
    @dotfile_info_string.split(":")[0]
  end
<?PHP
/**
* pingdom.php
*
* This application will check your server swap, hard drive, cpu, and MySQL conditions.
* It will then generate an appropriate XML file for a Pingdom HTTP Custom check.
*
* If any usage is above your preset thresholds, then a down message will be returned,
* indicating that your server may be under more load than usual, hopefully providing
* a bit of advance notice before a true failure due to lack of resources