How can you do dynamic, key-based SSH similar to GitHub?

Question

I wan't to provide SSH/RSYNC like features to users of my app. I'd like them to just be able to paste/save an SSH key into my app similar to how GitHub does:

So, my question is, once I let users save their key (preferably in the database):

Is there a way I can provide/mimic SSH/RSYNC features without actually creating Linux user accounts? I'd love to be able to authorize based on their database-stored public key and let them RSYNC in/out of a specific folder (say, based on their username in the app, for example).

(if it matters, it will be a Rails app deployed to an Ubuntu server)

Answer 1

Take a look at the command-option for SSH's authorized_keys-file. This way, you can force a command on specific users accessing your machine depending on their SSH key.

Imagine a user named "git" on your server. This user has the following authorized_keys-file as an example:

command="/path/to/script user1",no-port-forwarding,no-X11-forwarding,no-pty ssh-rsa [public key of user1]
command="/path/to/script user2",no-port-forwarding,no-X11-forwarding,no-pty ssh-rsa [public key of user2]

So when user1 runs ssh git@yourserver.com "/execute/command --with --parameter", /path/to/script is called (as git user). This script can access the original command (/execute/command --with --parameter) in the environment variable $SSH_ORIGINAL_COMMAND (dive into the SSH documentation for more details).

This way, it is only a matter of getting the right lines into the authorized_keys-file (you could dynamically build the file from the keys stored in your database).

From there you could write your own shell or do whatever you want with the original command.

This is basically how gitolite and gitosis manage git repository permissions (Github uses one of these I think).

Hope this helps a bit - kind regards!

Answer 2

The OP specifically says that he want to assign keys to multiple users, and that he wants the users to be stored in a database, not as actual linux users. In the Github style setup mentioned above, there is a single git user.

For the answer to be complete, the OP would also need to use the AuthorizedKeyCommand directive, which is explained very well here - OpenSSH with public keys from database

So, you use a combination of both. Authentication to the server for x number of users, stored in a database, is done by . based on a custom authentication script (a bash script that you call some script in your web application from)

When your custom script is returning a public key to OpenSSH for authentication (in place of an authorized_keys file), you provide it in the format described in Michael Trojanek's answer. This way, you provide Authorization over specific functionality that your dynamic user can access.

Answer 3

Linux user might come not only from /etc/passwd and shadow, but also from other NSS modules. Say, there are MySQL NSS module and LDAP NSS modules, besides others. But, configure their home directories to descend from different place than /home, for a reason that soon become apparent.

You can synthesize their home directories with handwritten FUSE module Such a module is quite easy to write; as an example, I suggest to look at the MySQL FUSE file system sources (what you are going to do must be easier). You should synthesize a ~/.ssh/authorized_keys file from the database key record, for key-based authentication to take effect, where you also restrict what user could do when connecting with that key. Your FUSE module might proxy some requests to actual file system, to not to store files in the database; for the sample implementation see encfs sources, you'll essetinally do the same but without encryption.

So you mount such filesystem somewhere, and that would all of your synthesized user homes.

And voila, everything uses data from database and details are synthesized. Note, what you creating here is still actual user accounts, but all their details are stored in the database, and these users are made arbitrary restricted.