Associates multiple SSH public keys with Django user accounts.
Project description
django-sshkey allows you to associate multiple SSH public keys with Django user accounts. It provides views to list, add, edit, and delete keys, each of which is intended for end-user consumption. It also provides a lookup view and corresponding lookup commands that are suitable for use with the AuthorizedKeysCommand feature in OpenSSH 6.2 and above.
The Django app
To use django-sshkey in your Django project, simply add django_sshkey to INSTALLED_APPS in settings.py, map the URLs into your project, and provide templates for the views (example templates are provided in the source).
In order to associate an incoming public key with a user you must define SSHKEY_AUTHORIZED_KEYS_OPTIONS in your project’s settings.py. This should be a string containing options accepted by sshd, with {username} being replaced with the username of the user associated with the incoming public key.
For instance:
SSHKEY_AUTHORIZED_KEYS_OPTIONS = 'command="my-command {username}",no-pty'
in settings.py will cause keys produced by the below commands to look similar to:
command="my-command fred",no-pty ssh-rsa AAAAB3NzaC1yc2E...
assuming the key AAAAB3NzaC1yc2E... is owned by fred.
URL Configuration
This text assumes that your project’s urls.py maps django_sshkey.urls into the URL namespace as follows:
import django_sshkey.urls
urlpatterns = patterns('',
...
url('^sshkey/', include(django_sshkey.urls)),
...
)
You will need to adjust your URLs in the examples below if you use a different mapping.
Tying OpenSSH to django-sshkey
There are multiple methods of connecting OpenSSH to django-sshkey. All of the methods listed here require the use of the AuthorizedKeysCommand directive in sshd_config present in OpenSSH 6.2 and above. Please note that the command that is referenced by this directive and its ancestor directories must be owned by root and writable only by owner.
Unless otherwise stated, all of the methods below use the SSHKEY_LOOKUP_URL environment variable to determine the URL of the /sshkey/lookup URL. If this environment variable is not defined then it will default to http://localhost:8000/sshkey/lookup. If this environment variable is defined in the sshd process then it will be inherited by the AuthorizedKeysCommand.
Additionally, all of the methods below use either curl (preferred) or wget. Some commands also use ssh-keygen. These commands must be present in PATH.
If you would prefer not to use these external commands then there are variants of the lookup commands implemented purely in Python. However, they are much slower. To use the variants, replace lookup with pylookup. For example, use django-sshkey-pylookup-all instead of django-sshkey-lookup-all.
Using django-sshkey-lookup-all
Usage: django-sshkey-lookup-all
This program prints all SSH public keys that are defined on your site. sshd will have to scan through all of them to find the first match, so with many keys this method will be slow. However, it does not require a patched OpenSSH server.
This program:
can be used directly with AuthorizedKeysCommand (the username parameter is ignored).
does not require a patched OpenSSH server.
does not scale well to a large number of user keys.
Using django-sshkey-lookup-by-username
Usage: django-sshkey-lookup-by-username USERNAME
This program prints all SSH public keys that are associated with the specified user.
This program:
can be used directly with AuthorizedKeysCommand.
does not require a patched OpenSSH server.
is ideal if each Django user corresponds to a system user account.
Using django-sshkey-lookup-by-fingerprint
Usage: django-sshkey-lookup-by-fingerprint
This program prints all SSH public keys that match the given fingerprint. The fingerprint is determined by the first of the following that is found:
The SSH_KEY_FINGERPRINT environment variable, which should contain the MD5 fingerprint of the key (this is the second field generated by ssh-keygen -l).
The SSH_KEY environment variable, which should contain the key in standard openssh format (the same format as ~/.ssh/id_rsa.pub), is sent to ssh-keygen -l to determine the fingerprint.
The key in standard openssh format is read from standard input and is sent to ssh-keygen -l to determine the fingerprint.
This program:
can be used directly with AuthorizedKeysCommand (the username parameter is ignored).
requires a patched OpenSSH server; compatible patches can be found at one of the following locations:
openssh-akcenv (this is the preferred patch)
is ideal if you want all Django users to access SSH via a shared system user account and be identified by their SSH public key.
Using django-sshkey-lookup
Usage: django-sshkey-lookup URL [USERNAME]
This program is a wrapper around the previous two commands. The first parameter is placed in the SSHKEY_LOOKUP_URL environment variable. If the second parameter is present then django-sshkey-lookup-by-username is executed; otherwise django-sshkey-lookup-by-fingerprint is executed.
This command is compatible with the old script lookup.sh but was renamed to have a less ambiguous name when installed system-wide. A symlink is left in its place for backwards compatibility.
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
