
SSH Key distribution

Workflow

  • Update your files and create a PR.
  • The PR needs to be merged by an SSH signed commit.
  • The key of the signer has to be in ./allowed_signers, added, of course, in an earlier commit.
  • The cronjob on the server fetches the repo every hour and updates to the newest commit signed by a key that is in the ./allowed_signers checked out on the server at that time.
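
The hourly job described in the last step, written out as an added example (this is not the repository's own update.sh; the repo path, the `update.sh /root/sshkeys master` invocation and the `VERIFIER` override are assumptions). It only considers the first-parent chain of master, since only the merge commits are signed, verifies each candidate against the allowed_signers currently checked out, and refuses to move HEAD backwards.

```shell
#!/bin/sh
# Added example, not the repository's own update.sh: fetch the repo and
# fast-forward to the newest mainline commit whose SSH signature verifies
# against the allowed_signers file that is checked out right now.
set -eu

# verify_commit <repo> <sha>: default verifier. The allowed_signers used is
# the one in the working tree (current HEAD), so a PR cannot add its own
# signer and have that same merge commit accept itself.
verify_commit() {
    git -C "$1" -c gpg.format=ssh \
        -c gpg.ssh.allowedSignersFile="$1/allowed_signers" \
        verify-commit "$2" >/dev/null 2>&1
}

# newest_verified_commit <repo> <ref> <verifier>: walk the first-parent
# chain of <ref> from newest to oldest (merge commits on master are signed,
# the PR commits behind them are not) and print the first sha accepted.
newest_verified_commit() {
    for sha in $(git -C "$1" rev-list --first-parent "$2"); do
        if "$3" "$1" "$sha"; then
            printf '%s\n' "$sha"
            return 0
        fi
    done
    return 1
}

# update_to_verified <repo> <branch>: the hourly job. VERIFIER may be
# overridden (assumed hook, e.g. for tests); defaults to verify_commit.
update_to_verified() {
    repo=$1; branch=$2; verifier=${VERIFIER:-verify_commit}
    git -C "$repo" fetch -q origin "$branch"
    target=$(newest_verified_commit "$repo" "origin/$branch" "$verifier") || {
        echo "update_sshkeys: no verifiable commit on origin/$branch, keeping HEAD" >&2
        return 1
    }
    # Never move backwards: a verified commit that is not a descendant of
    # HEAD means the branch was rewritten or rolled back, so refuse it.
    if ! git -C "$repo" merge-base --is-ancestor HEAD "$target"; then
        echo "update_sshkeys: $target is not a descendant of HEAD, refusing" >&2
        return 1
    fi
    git -C "$repo" merge -q --ff-only "$target"
}

# Entry point: `update.sh /root/sshkeys master` (assumed cron invocation).
# Run with no arguments the file only defines the functions above.
[ $# -eq 0 ] || update_to_verified "$1" "${2:-master}"
```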

Setup on server

This is what you do on the server in order for it to pull the updated authorized_keys from this repo:

cd /root
git clone https://git.nerdberg.de/Nerdberg/sshkeys
mkdir -p ~/.ssh
ln -s /root/sshkeys/authorized_keys/INSERT_SERVERNAME_HERE ~/.ssh/authorized_keys
ln -s /root/sshkeys/update.sh /etc/cron.hourly/update_sshkeys.sh

If the server can't run git or openssh, the last-resort workaround (losing the signing check) is something like this:

cat <<EOF > /etc/cron.daily/update_sshkeys.sh
#!/bin/sh

curl -sfo /root/.ssh/authorized_keys https://git.nerdberg.de/Nerdberg/sshkeys/raw/branch/master/authorized_keys/INSERT_SERVERNAME_HERE
EOF
chmod +x /etc/cron.daily/update_sshkeys.sh
Obviously the commit signature is not checked here, so only use this if there is no other alternative.

Gaining access to a server

Simply add your public SSH key to authorized_keys/INSERT_SERVERNAME_HERE and open a PR.
Then annoy a person that is listed in ./allowed_signers until they merge your change using a signed commit.

Repo preparation

Before working on this repo, mostly when you want to sign commits, run:

git config gpg.format ssh
git config gpg.ssh.allowedSignersFile ./allowed_signers

# Only needed to sign commits
#git config user.signingkey ~/.ssh/id_ed25519.pub

Merging changes

Caution

Merging has to be done manually and not by clicking [Merge] on the WebUI in order to create a signed merge commit.

# on the Forgejo WebUI, expand the options for manual PR merging and run the first command to fetch the branch
git fetch -u https://git.nerdberg.de/someuser/sshkeys foobranch:someuser-foobranch

# examine the changes - e.g. by running…
git log someuser-foobranch
git show someuser-foobranch

# merge the changes - note the -S for creating a signed merge commit
git merge --no-ff -S someuser-foobranch
git push origin master

Adding a user allowed to sign commits

Add a line with the committer's e-mail address, a space and that user's SSH public key entry to allowed_signers:

echo "$(git config --get user.email) $(cat ~/.ssh/id_ed25519.pub)" >> allowed_signers

It should look something like this:

dheidler@suse.de ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJUE5rMLdNwDppCBdsHcMfOgO9qUMlaW7rTTCcq11lro dheidler@midas