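--- a/authorized_keys
+++ b/authorized_keys
@@ -0,0 +1,14 @@
+# Yubikey
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCoRxIS1Dr33Jhybd/ck7UCLQ1Df5msSpvw03w/ljgB+1sx/U+965+q597XRHHnzPey8NFrOdID4I1l0tfco1XG5DJG2yJ/zY+tbyK+0b0Yi4qbRFnH2kxKYcdHq29CiVk64o1VHJxxj78IO2wTUcgK4sXijm05LWqCik4LSfcOBEyOwK6f37Mew19KDq7UAojHLTEbVB6xiv2ufh9evn3PggirE1VtvQlTBnt3NdBDumxD1RzRoVgwMuU1FNvQeMwLnlMlvLX76vjPkRRrgBGEJ2k0BUm7slrAtRnBzIvIbouk55MIBzpPjCIi53L91KxwNkHNPldYG81C+BczN/R5 cardno:000604717732
+
+# Chromebook (GalliumOS)
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDxUNqjpukVhDXJnicD0dOhMMaQPOqYgPR14NSUd9rLp lobo@gallium
+
+# Home server
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO4qu/tmKfeTtFDFimpcKH+1HRiiug7eNzNvORoH1ngh lobo@nas2
+
+# Corp workspaces
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBqdB5I6TIaXo0vMTjQ59SA4OL9TWWVXt+afbKRgU2u3 lobo@DESKTOP-VT5VL1V
+
+# Phone
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPb49syadEvvwlBpRs6DaZxJGV1HgOC/bYZR1WIYvNus u0_a276@localhost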
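Review bot: None of the five entries carries an options field, so every key is accepted with full shell, forwarding and PTY rights on each host that serves this file through AuthorizedKeysCommand. The authorized_keys format documented in sshd(8) allows a leading options list; entries used only for interactive login could be written as `restrict,pty ssh-ed25519 …`, and a `from="…"` pattern can pin a key to the networks it is actually used from where those are stable. The ssh-rsa entry is a 2048-bit key (the `AAABAQ` modulus-length prefix) while the other four are ed25519; that is acceptable, but worth knowing when this file is published to every host by the Lambda.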
12
makeitso
12
makeitso
@ -5,12 +5,9 @@ if [ $# -ne 1 ]; then
exit 1
exit 1
fi
fi
if [ ! -d /home/authorizedkeysuser ]; then
#sudo adduser --disabled-login --gecos 'User for AuthorizedKeysCommand' authorizedkeysuser ||
#sudo adduser --disabled-login --gecos 'User for AuthorizedKeysCommand' authorizedkeysuser ||
sudo useradd -c 'User for AuthorizedKeysCommand' -d /home/authorizedkeysuser -m -s/usr/sbin/nologin authorizedkeysuser
sudo useradd -c 'User for AuthorizedKeysCommand' -d /home/authorizedkeysuser -m -s/usr/sbin/nologin authorizedkeysuser
fi
grep -qF 'AuthorizedKeysCommand /etc/ssh/get_authorized_keys' /etc/ssh/sshd_config || \
sudo sh -c "echo 'Match User $1
sudo sh -c "echo 'Match User $1
AuthorizedKeysCommand /etc/ssh/get_authorized_keys
AuthorizedKeysCommand /etc/ssh/get_authorized_keys
AuthorizedKeysCommandUser authorizedkeysuser' >> /etc/ssh/sshd_config"
AuthorizedKeysCommandUser authorizedkeysuser' >> /etc/ssh/sshd_config"
@ -19,4 +16,9 @@ sudo cp get_authorized_keys /etc/ssh
sudo chmod 755 /etc/ssh/get_authorized_keys
sudo chmod 755 /etc/ssh/get_authorized_keys
sudo -u authorizedkeysuser mkdir ~authorizedkeysuser/.aws
sudo -u authorizedkeysuser cp config ~authorizedkeysuser/.aws
sudo -u authorizedkeysuser cp .credentials ~authorizedkeysuser/.aws/credentials
sudo -u authorizedkeysuser chmod 600 ~authorizedkeysuser/.aws/*
sudo -H -u authorizedkeysuser sh -c 'command -v aws > /dev/null 2>&1 || pip install --user awscli'
sudo systemctl restart sshd
sudo systemctl restart sshd
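Review bot: `sudo -u authorizedkeysuser cp .credentials ~authorizedkeysuser/.aws/credentials` creates the file under the default umask and only the later `chmod 600 ~authorizedkeysuser/.aws/*` closes it, so the AWS credentials are briefly readable by every local user; `sudo -u authorizedkeysuser install -m 600 .credentials ~authorizedkeysuser/.aws/credentials` (with `install -d -m 700 ~authorizedkeysuser/.aws` in place of the bare mkdir) avoids the window. The file also puts long-lived static credentials on every host this runs on; if these are EC2 instances, an instance profile would remove the stored secret entirely. `pip install --user awscli` pulls an unpinned package from PyPI into a directory that get_authorized_keys presumably executes from during sshd authentication, so pin a version or use the distribution package. Separately, the first hunk drops the `grep -qF` guard, so re-running the script appends a second `Match User` block to sshd_config.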
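--- a/trigger/authorized_keys.py
+++ b/trigger/authorized_keys.py
@@ -0,0 +1,74 @@
+import json
+import boto3
+
+ddb = boto3.client('dynamodb')
+codecommit = boto3.client('codecommit')
+targetarn = 'arn:aws:codecommit:us-west-2:932028523435:authorized_keys'
+
+
+def lambda_handler(event, context):
+    # {
+    # "Records": [
+    # {
+    # "awsRegion": "us-west-2",
+    # "codecommit": {
+    # "references": [
+    # {
+    # "commit": "5c4ef1049f1d27deadbeeff313e0730018be182b",
+    # "ref": "refs/heads/master"
+    # }
+    # ]
+    # },
+    # "customData": "this is custom data",
+    # "eventId": "5a824061-17ca-46a9-bbf9-114edeadbeef",
+    # "eventName": "TriggerEventTest",
+    # "eventPartNumber": 1,
+    # "eventSource": "aws:codecommit",
+    # "eventSourceARN": "arn:aws:codecommit:us-west-2:123456789012:repo",
+    # "eventTime": "2016-01-01T23:59:59.000+0000",
+    # "eventTotalParts": 1,
+    # "eventTriggerConfigId": "5a824061-17ca-46a9-bbf9-114edeadbeef",
+    # "eventTriggerName": "my-trigger",
+    # "eventVersion": "1.0",
+    # "userIdentityARN": "arn:aws:iam::123456789012:root"
+    # }
+    # ]
+    # }
+    print(json.dumps(event))
+    records = event["Records"]
+    if records is None or len(records) == 0:
+        raise RuntimeError('No records property in event')
+    print(records)
+    for record in records:
+        repoArn = record['eventSourceARN']
+        if repoArn is None:
+            print('no eventSourceARN on record')
+            continue
+        print('Record from ARN' + repoArn)
+        if repoArn != targetarn:
+            print('Not target ARN. Continuting')
+            continue
+        resp = codecommit.get_file(repositoryName='authorized_keys',
+                                   filePath='authorized_keys')
+        data = resp['fileContent'].decode("utf-8")
+        ddbitem = ddb.scan(TableName='key') # ddbitem['Items']...
+        found = False
+        for item in ddbitem['Items']: # should be only one anyway - whatever
+            if item['key']['S'] == data:
+                found = True
+                break
+        if found:
+            print('no change to keys. continuing')
+            continue
+        # Something's changed - let's make the update in DDB
+        ddb.put_item(TableName='key', Item={'key': {'S': data}})
+        for item in ddbitem['Items']: # should be only one anyway - whatever
+            print('deleting old item')
+            ddb.delete_item(TableName='key', Key=item)
+
+    print('All records processed')
+
+    return {
+        'statusCode': 200,
+        'body': json.dumps('Processing complete')
+    }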
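Review bot: The `is None` guards after `records = event["Records"]` and `repoArn = record['eventSourceARN']` are dead, because a missing key raises KeyError on the subscript before the check runs; use `records = event.get("Records")` and `repoArn = record.get('eventSourceARN')` so the intended RuntimeError and `continue` paths actually fire. `codecommit.get_file` is called without `commitSpecifier`, so it reads the head of the default branch whatever ref the trigger fired for; passing the commit from `record['codecommit']['references']`, or skipping records whose ref is not `refs/heads/master`, keeps the published keys tied to the event that caused the update. Because `data` becomes the authorized_keys content for every host served by the AuthorizedKeysCommand, it is worth rejecting content in which any non-blank, non-comment line does not have the `<keytype> <base64> [comment]` shape before `put_item`, so a malformed push cannot propagate. Two nits on the same lines: `'Record from ARN' + repoArn` lacks a separating space and `'Continuting'` is misspelled.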