Compare commits
No commits in common. "master" and "6c25bb5edd549327a23d44e89efe2621df687c11" have entirely different histories.
master
...
6c25bb5edd
14
authorized_keys
Normal file
14
authorized_keys
Normal file
|
@ -0,0 +1,14 @@
|
|||
# Yubikey
|
||||
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCoRxIS1Dr33Jhybd/ck7UCLQ1Df5msSpvw03w/ljgB+1sx/U+965+q597XRHHnzPey8NFrOdID4I1l0tfco1XG5DJG2yJ/zY+tbyK+0b0Yi4qbRFnH2kxKYcdHq29CiVk64o1VHJxxj78IO2wTUcgK4sXijm05LWqCik4LSfcOBEyOwK6f37Mew19KDq7UAojHLTEbVB6xiv2ufh9evn3PggirE1VtvQlTBnt3NdBDumxD1RzRoVgwMuU1FNvQeMwLnlMlvLX76vjPkRRrgBGEJ2k0BUm7slrAtRnBzIvIbouk55MIBzpPjCIi53L91KxwNkHNPldYG81C+BczN/R5 cardno:000604717732
|
||||
|
||||
# Chromebook (GalliumOS)
|
||||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDxUNqjpukVhDXJnicD0dOhMMaQPOqYgPR14NSUd9rLp lobo@gallium
|
||||
|
||||
# Home server
|
||||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO4qu/tmKfeTtFDFimpcKH+1HRiiug7eNzNvORoH1ngh lobo@nas2
|
||||
|
||||
# Corp workspaces
|
||||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBqdB5I6TIaXo0vMTjQ59SA4OL9TWWVXt+afbKRgU2u3 lobo@DESKTOP-VT5VL1V
|
||||
|
||||
# Phone
|
||||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPb49syadEvvwlBpRs6DaZxJGV1HgOC/bYZR1WIYvNus u0_a276@localhost
|
8
makeitso
8
makeitso
|
@ -5,12 +5,9 @@ if [ $# -ne 1 ]; then
|
|||
exit 1
|
||||
fi
|
||||
|
||||
if [ ! -d /home/authorizedkeysuser ]; then
|
||||
#sudo adduser --disabled-login --gecos 'User for AuthorizedKeysCommand' authorizedkeysuser ||
|
||||
sudo useradd -c 'User for AuthorizedKeysCommand' -d /home/authorizedkeysuser -m -s/usr/sbin/nologin authorizedkeysuser
|
||||
fi
|
||||
|
||||
grep -qF 'AuthorizedKeysCommand /etc/ssh/get_authorized_keys' /etc/ssh/sshd_config || \
|
||||
sudo sh -c "echo 'Match User $1
|
||||
AuthorizedKeysCommand /etc/ssh/get_authorized_keys
|
||||
AuthorizedKeysCommandUser authorizedkeysuser' >> /etc/ssh/sshd_config"
|
||||
|
@ -19,4 +16,9 @@ sudo cp get_authorized_keys /etc/ssh
|
|||
|
||||
sudo chmod 755 /etc/ssh/get_authorized_keys
|
||||
|
||||
sudo -u authorizedkeysuser mkdir ~authorizedkeysuser/.aws
|
||||
sudo -u authorizedkeysuser cp config ~authorizedkeysuser/.aws
|
||||
sudo -u authorizedkeysuser cp .credentials ~authorizedkeysuser/.aws/credentials
|
||||
sudo -u authorizedkeysuser chmod 600 ~authorizedkeysuser/.aws/*
|
||||
sudo -H -u authorizedkeysuser sh -c 'command -v aws > /dev/null 2>&1 || pip install --user awscli'
|
||||
sudo systemctl restart sshd
|
||||
|
|
74
trigger/authorized_keys.py
Normal file
74
trigger/authorized_keys.py
Normal file
|
@ -0,0 +1,74 @@
|
|||
import json
|
||||
import boto3
|
||||
|
||||
ddb = boto3.client('dynamodb')
|
||||
codecommit = boto3.client('codecommit')
|
||||
targetarn = 'arn:aws:codecommit:us-west-2:932028523435:authorized_keys'
|
||||
|
||||
|
||||
def lambda_handler(event, context):
|
||||
# {
|
||||
# "Records": [
|
||||
# {
|
||||
# "awsRegion": "us-west-2",
|
||||
# "codecommit": {
|
||||
# "references": [
|
||||
# {
|
||||
# "commit": "5c4ef1049f1d27deadbeeff313e0730018be182b",
|
||||
# "ref": "refs/heads/master"
|
||||
# }
|
||||
# ]
|
||||
# },
|
||||
# "customData": "this is custom data",
|
||||
# "eventId": "5a824061-17ca-46a9-bbf9-114edeadbeef",
|
||||
# "eventName": "TriggerEventTest",
|
||||
# "eventPartNumber": 1,
|
||||
# "eventSource": "aws:codecommit",
|
||||
# "eventSourceARN": "arn:aws:codecommit:us-west-2:123456789012:repo",
|
||||
# "eventTime": "2016-01-01T23:59:59.000+0000",
|
||||
# "eventTotalParts": 1,
|
||||
# "eventTriggerConfigId": "5a824061-17ca-46a9-bbf9-114edeadbeef",
|
||||
# "eventTriggerName": "my-trigger",
|
||||
# "eventVersion": "1.0",
|
||||
# "userIdentityARN": "arn:aws:iam::123456789012:root"
|
||||
# }
|
||||
# ]
|
||||
# }
|
||||
print(json.dumps(event))
|
||||
records = event["Records"]
|
||||
if records is None or len(records) == 0:
|
||||
raise RuntimeError('No records property in event')
|
||||
print(records)
|
||||
for record in records:
|
||||
repoArn = record['eventSourceARN']
|
||||
if repoArn is None:
|
||||
print('no eventSourceARN on record')
|
||||
continue
|
||||
print('Record from ARN' + repoArn)
|
||||
if repoArn != targetarn:
|
||||
print('Not target ARN. Continuting')
|
||||
continue
|
||||
resp = codecommit.get_file(repositoryName='authorized_keys',
|
||||
filePath='authorized_keys')
|
||||
data = resp['fileContent'].decode("utf-8")
|
||||
ddbitem = ddb.scan(TableName='key') # ddbitem['Items']...
|
||||
found = False
|
||||
for item in ddbitem['Items']: # should be only one anyway - whatever
|
||||
if item['key']['S'] == data:
|
||||
found = True
|
||||
break
|
||||
if found:
|
||||
print('no change to keys. continuing')
|
||||
continue
|
||||
# Something's changed - let's make the update in DDB
|
||||
ddb.put_item(TableName='key', Item={'key': {'S': data}})
|
||||
for item in ddbitem['Items']: # should be only one anyway - whatever
|
||||
print('deleting old item')
|
||||
ddb.delete_item(TableName='key', Key=item)
|
||||
|
||||
print('All records processed')
|
||||
|
||||
return {
|
||||
'statusCode': 200,
|
||||
'body': json.dumps('Processing complete')
|
||||
}
|
Loading…
Reference in New Issue
Block a user