SSH Manager – manage authorized_keys files on remote servers

This is a simple tool that I came up with after having to on-board and off-board developers on a very colourful palette of environments, from AWS to 3rd party hosting providers.

As with every one of my creations, this tool solves my problem. It does not warrant that your problem will be solved, but in that highly unlikely event please let me know. Fixes, pull requests and issues are all very welcome, again without the promise that I’ll do anything; I’m normally really busy, apologies.


$ go get

How does it work?

First of all, the machine you run this tool from needs to be able to reach each server on a port, with a working ssh key (one that you don’t want to share with anybody else).

Next, think about your groups (if you need this feature): they limit users to groups of servers, like live-servers, staging-servers, production etc. This is optional, and at any time you can re-register a user with new groups (as long as you have their public key file; note to myself: I have that info in the system, small todo).

You register each server in the registry with an alias (and the groups the server belongs to). If you have the users’ ssh .pub keys (this is optional), register the users with their key file and email address (optionally with the user’s groups). After having a few servers defined (and optionally users), you can run auto discovery.

The configuration is saved into ~/.ssh/.ssmman; if you need to move the tool to another server, copy this file and the binary and you are set up. The configuration does not contain any sensitive information.


Registering Servers

First, you need servers that you can already access with a key, with ~/.ssh/authorized_keys files on them. Password auth doesn’t count.

To register a server, the syntax is

sshman register server {alias} {server_address:port} {user} {~/.ssh/} [group1 group2 ...]

Groups are optional; they help when you have several user roles or you want to limit users to certain servers.

Registering a server for example:

$ sshman register server google myuser ~/.ssh/ deploy hosting google

google will be my alias; the server will be accessed on port 22 as the user myuser, using ~/.ssh/ from the current user.

Registering Users

This is optional if you already have all the users on the servers and you just want to be able to move them around or delete them: auto discovery will register the users for you. Adding new users requires this step.

Syntax is

sshman register user {email} {} [group1 group2 ...]

For example:

$ sshman register user [email protected] ~/.ssh/ production-team staging-servers

Auto discovery of users on registered servers

To run auto discovery of users on registered servers, or to refresh the configuration if any 3rd party has changed ~/.ssh/authorized_keys files, run:

$ sshman update

Adding user to server

After registering a user with email, key file and groups, upload the user’s key to the servers that the user can access:

$ sshman add [email protected]

This command adds the user’s key to the ~/.ssh/authorized_keys files on all servers that the user’s groups allow.

If there is no group information for the user, the user is given access to all servers.
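The group rule above, sketched as an added example (not sshman's own code): it assumes a server is allowed when it shares at least one group with the user, and the Registry type, ServersFor and the sample addresses are hypothetical. It shows which users would end up on every server before an add is run.

```go
package main

import (
	"fmt"
	"sort"
)

// Registry is a hypothetical stand-in for the saved configuration.
type Registry struct{ Servers, Users map[string][]string } // name -> groups

// ServersFor lists aliases that share a group with the user (assumed matching rule).
func (r Registry) ServersFor(email string) []string {
	groups, ok := r.Users[email]
	if !ok {
		return nil // unregistered user: nothing to upload
	}
	want := map[string]bool{}
	for _, g := range groups {
		want[g] = true
	}
	var out []string
	for alias, sg := range r.Servers {
		allowed := len(want) == 0 // no group information: every server
		for _, g := range sg {
			allowed = allowed || want[g]
		}
		if allowed {
			out = append(out, alias)
		}
	}
	sort.Strings(out)
	return out
}

// Sample is constructed data modelled on the group listing on this page.
func Sample() Registry {
	return Registry{
		Servers: map[string][]string{"live2": {"production-team"}, "server3": {"production-team"},
			"client1.uat": {"production-team"}, "client1.staging": {"dev-team"}},
		Users: map[string][]string{"alice@example.com": {"production-team"},
			"bob@example.com": {"dev-team"}, "carol@example.com": {}},
	}
}

func main() {
	r := Sample()
	for _, email := range []string{"alice@example.com", "bob@example.com", "carol@example.com"} {
		fmt.Println(email, "->", r.ServersFor(email)) // carol has no groups: all four servers
	}
}
```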

Deleting user from servers

Any existing user can be deleted from the ~/.ssh/authorized_keys files on all servers by running

$ sshman add [email protected]

This will remove the entries from the servers but keep the user information in the configuration for further modification.

Listing who’s on what server

$ sshman list auth

This will display a server alias -> email list mapping that is easy to grep or add to reports.

Listing what user and server is in what group

Easier to explain this with an example scenario:

$ sshman list groups
production-team servers: [ live2 server3 client1.uat]
production-team users: [[email protected] [email protected]]
dev-team servers: [ client1.staging]
dev-team users: [[email protected] [email protected] [email protected]]

Notice that the group alias is on every line, together with “servers” or “users”, so that you can use grep on the list.

Listing registered servers

Lists server aliases with their server/port and the groups each server is in.

$ sshman list servers
client1.staging              [production-team dev-team]
client1.uat                  	[production-team dev-team]               	[production-team]

Listing registered users with groups

$ sshman list users

Will return a mapping of email to groups.

(Possible) Future Plans

  • Reuse stored ssh key for modifying user
  • Registering server to download information without the need of running update
  • Testing connection after creating authorized_keys entry
  • Tests, refactor for testability
  • Group management commands like addgroup (will reupload all group users to group servers)
  • Complete CRUD for missing use cases
  • More backend
  • Registering using password auth
  • Text UI
  • Web interface