moranis 0.5

data/.gitignore

@@ -0,0 +1,8 @@
+*.gem
+.bundle
+Gemfile.lock
+pkg/*
+.rvmrc
+config/*
+config
+Capify

data/Gemfile

@@ -0,0 +1,4 @@
+source "http://rubygems.org"
+
+# Specify your gem's dependencies in moranis.gemspec
+gemspec

data/README.md

@@ -0,0 +1,88 @@
+#Moranis
+
+Centralized Public Key management for small teams with lots of servers 
+
+##Why?
+ 
+Because my team has many servers, many developers and few system administrators and LDAP is great but it adds more overhead.
+This project currently only support SSH1/openSSH1 because in practice I have yet to need support for the second generation variants
+and did not want to have to write out two different key file formats but adding support should not be difficult
+
+##How?
+
+The basic idea is that anyone on the team who already has key based access as a specific user can be trusted to grant that same access
+to others. You or your system administrator may disagree but in practice this makes sense for small to medium sized teams.
+
+The idea is pretty simple:
+  Keep a local list of users and public keys that can be sync'd to many hosts that contain those users.
+
+I recommend not using this for root accounts. Basically always make sure there is an account that you can access to revert any
+rogue changes that render an account non accessible. The revert feature will fall back to root if the original user is not accessible.
+This means that a team member with root access may need to perform the revert for a user that does not have that access
+ 
+* Connect to each host in the host list for a given user
+* Write out the new authorized_keys.tmp file based on the locally enabled keys
+* Test the new key file
+* If any errors were encountered the old key file remains in place
+
+##Usage
+
+###Standalone
+A binary called key_master is installed with the gem. The binary accepts two required and one optional paramters
+The action you want to take for the group, The group you want to sync the keys for, and a config file that contains the users
+hosts and keys.  
+
+The config file portion can be removed if you set MORANIS_CONFIG_PATH in your environment to the path to your config file or if your
+present working directory is relative to the config file as ./config/moranis.yml
+
+The config file format is as follows
+
+```bash
+key_master sync group_name_1 ./config/config.yml
+
+key_master sync group_name_1
+````
+
+```haml
+
+group_name_1:
+  hosts:
+    - host1.com
+    - host2.com
+  users: 
+    - user1
+    - user2
+  keys:
+    - ssh-dss key1abcdeif....
+    - ssh-rsa key2abcdeif....
+
+
+group_name_2:
+  hosts:
+    - host1a.com
+    - host2a.com
+  users:
+    - user1a
+    - user2a
+  keys:
+    - ...
+ 
+````
+###Use From your code
+```ruby
+require 'moranis'
+
+key_master = Moranis::KeyMaster.new(config_path)
+
+#sync the keys with the local configuration on the specified group
+key_master.run_for_group(group)
+
+#revert the keys fro the specified group to the most recent backup
+key_master.revert_for_group(group)
+````
+##TODO
+* Add support for a key database as well as the current yml file
+* Add more fault tolerance and error handling, add checking to see if the root account is being synced and provide a warning
+* Tests
+* Support for ssh2/openssh2
+ 

data/Rakefile

@@ -0,0 +1 @@
+require "bundler/gem_tasks"

data/bin/key_master

@@ -0,0 +1,23 @@
+#!/usr/bin/env ruby
+require "moranis"
+
+action = ARGV[0] || ""
+group  = ARGV[1] || ""
+
+config_path = ARGV[2] || ENV["MORANIS_CONFIG_PATH"] || "#{Dir.pwd}/config/moranis.yml"
+
+key_master = Moranis::KeyMaster.new(config_path) if config_path
+
+case action
+when "sync"  ; key_master.run_for_group(group)
+when "revert"; key_master.revert_for_group(group)
+else
+  puts <<-HELP
+     ====================================================================
+     Moranis: Clortho the key master
+     
+     USAGE: key_master <sync|revert> <group> <optional config name>
+     
+     ====================================================================
+  HELP
+end

data/lib/moranis.rb

@@ -0,0 +1,6 @@
+require_relative 'moranis/key_master'
+require_relative 'moranis/remote_run'
+
+module Moranis
+  
+end

data/lib/moranis/key_master.rb

@@ -0,0 +1,81 @@
+module Moranis
+  class KeyMaster
+    
+    #TODO: move this in to a configuration object
+    #typical file is either authorized_keys, #authorized_keys2 or authorized depending on ssh version
+    #I only needed ssh1 support for my situation but this is here for convenience and can be changed 
+    #by setting Moranis::Keymaster::KEY_FILE = "authorized_keys2"
+    #given that we have not yet added support for ssh2 in the output file format this is probably not particularly useful yet
+    KEY_FILE = "authorized_keys"
+    
+    def initialize(config_path)
+      @config = YAML::load(File.open(config_path))
+    end
+    
+    def groups
+      @config.keys
+    end
+  
+    def run_for_group(group)
+      hosts = @config[group]["hosts"]
+      keys  = @config[group]["keys"]
+      users = @config[group]["users"]
+      
+      hosts.each do |host|
+        users.each do |user|
+          puts "Generating keys on #{host} for #{user}"
+          remote_run = Moranis::RemoteRun.new(host,user)
+          
+          #make sure the temporary auth file exists
+          remote_run.commands << "touch ~/.ssh/#{KEY_FILE}.tmp"
+          
+          #make sure the permissions are set up properly
+          remote_run.commands << "chmod 600 ~/.ssh/#{KEY_FILE}.tmp"
+          
+          #clear the temporary key file
+          remote_run.commands << "cat /dev/null > ~/.ssh/#{KEY_FILE}.tmp"
+          
+          #append the keys to the file
+          keys.each do |key|
+            remote_run.commands << "echo \"#{key}\" >> ~/.ssh/#{KEY_FILE}.tmp"
+          end
+          
+          #swap the key files
+          remote_run.commands << "mv ~/.ssh/#{KEY_FILE} ~/.ssh/#{KEY_FILE}.bak"
+          remote_run.commands << "mv ~/.ssh/#{KEY_FILE}.tmp ~/.ssh/#{KEY_FILE}"
+          
+          begin
+            remote_run.execute 
+          rescue Net::SSH::AuthenticationFailed 
+            puts "You do not have access to #{user} on #{host}"
+          end
+        end
+      end
+    end
+    
+    def revert_for_group(group)
+      hosts = @config[group]["hosts"]
+      keys  = @config[group]["keys"]
+      users = @config[group]["users"]
+      
+      hosts.each do |host|
+        users.each do |user|
+          remote_run = Moranis::RemoteRun.new(host,user)
+          begin
+            remote_run.commands << "if [ -f ~/.ssh/#{KEY_FILE}.bak  ] then mv ~/.ssh/#{KEY_FILE}.bak ~/.ssh/#{KEY_FILE} fi"
+            remote_run.execute
+          rescue
+            #we tried as the user, the keys file may be messed up or our key does not exist in the list any longer
+            # lets try as root
+            root_remote_run = Moranis::RemoteRun.new(host,"root")
+            root_remote_run.commands << "su - #{user}"
+            root_remote_run.commands << "if [ -f ~/.ssh/#{KEY_FILE}.bak  ] then mv ~/.ssh/#{KEY_FILE}.bak ~/.ssh/#{KEY_FILE} fi"
+            root_remote_run.execute rescue Net::SSH::AuthenticationFailed (puts "You may not have access to root on #{host}")
+          end
+        end
+      end
+      
+    end
+    
+  end
+end

data/lib/moranis/remote_run.rb

@@ -0,0 +1,84 @@
+# Execute commands on a remote server
+# 
+# Usage:
+#
+#   r = RemoteRun.new("qa-d0","webadmit_etl")
+#   r.commands << "source /etc/profile"
+#   r.commands << "cd ~/current"
+#   r.commands << "rake extractor:run cas=3 users=12550"
+# 
+#   r.execute
+#
+require 'net/ssh'
+require 'net/ssh/gateway'
+require 'yaml'
+module Moranis
+  
+  class RemoteRun  
+  
+    attr_accessor :hosts, :gateway_address, :gateway_user, :commands
+    
+    def initialize(hosts,user, options={})
+      @hosts        = [hosts].flatten #accept a single host or an array of hosts 
+      @gateway_address = options[:gateway_address]
+      @gateway_user = options[:gateway_user] 
+      @user         = user
+      @commands     = []
+    end
+    
+    #expects the config file to be formatted as yaml as follows
+    #environment:
+    #  group:
+    #    user: username
+    #    host: hostname
+    def self.initialize_from_config(config_file,environment,group,options={})
+      config_file = YAML.load_file(config_file)
+      env_config = config_file[environment][group]
+      options[:gateway_address] ||= env_config["gateway"]["host"] unless env_config["gateway"].nil?
+      options[:gateway_user]    ||= env_config["gateway"]["user"] unless env_config["gateway"].nil?
+      new(env_config["host"],env_config["user"],options)
+    end 
+    
+    #gateway wrapper
+    def gateway_wrapper
+      @gateway_host ||= if(@gateway_addr && @gateway_user)
+        Net::SSH::Gateway.new(@gateway_addr, @gateway_user, {:forward_agent => true})
+      else
+        nil
+      end
+    end
+    
+    def ssh_wrapper(host,command)
+       output = ""
+       Net::SSH.start(host, @user) do |ssh|
+         ssh.exec(command) do |channel,stream,data|
+           output = data
+         end
+       end
+       output 
+    end
+    
+    
+    def execute
+      run_me = @commands.join(" && ")
+      output = []
+      
+      if @gateway_host
+        gateway_wrapper.ssh(host, @user, {:forward_agent => true}) do |gateway|
+          @hosts.uniq.each do |h|
+            gateway.ssh(host, options[:gateway_user], {:forward_agent => true}) do |ssh|
+              ssh.exec(run_me) do |channel,stream,data|
+                output << data
+                puts data
+              end
+            end
+          end
+        end
+      else
+         @hosts.each{ |h| output << ssh_wrapper(h,run_me) }
+      end
+      
+      output.flatten
+    end
+  end
+end

data/lib/moranis/version.rb

@@ -0,0 +1,3 @@
+module Moranis
+  VERSION = "0.5"
+end

data/moranis.gemspec

@@ -0,0 +1,24 @@
+# -*- encoding: utf-8 -*-
+$:.push File.expand_path("../lib", __FILE__)
+require "moranis/version"
+
+Gem::Specification.new do |s|
+  s.name        = "moranis"
+  s.version     = Moranis::VERSION
+  s.authors     = ["Bill Chapman"]
+  s.email       = ["byllc@overnothing.com"]
+  s.homepage    = ""
+  s.summary     = %q{ SSH Key management for teams}
+  s.description = %q{ Standalone centralized ssh key management for teams }
+
+  s.rubyforge_project = "moranis"
+
+  s.files         = `git ls-files`.split("\n")
+  s.test_files    = `git ls-files -- {test,spec,features}/*`.split("\n")
+  s.executables   = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
+  s.require_paths = ["lib"]
+
+  # specify any dependencies here; for example:
+  # s.add_development_dependency "rspec"
+end
+

metadata

@@ -0,0 +1,56 @@
+--- !ruby/object:Gem::Specification
+name: moranis
+version: !ruby/object:Gem::Version
+  version: '0.5'
+  prerelease: 
+platform: ruby
+authors:
+- Bill Chapman
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2012-04-29 00:00:00.000000000Z
+dependencies: []
+description: ! ' Standalone centralized ssh key management for teams '
+email:
+- byllc@overnothing.com
+executables:
+- key_master
+extensions: []
+extra_rdoc_files: []
+files:
+- .gitignore
+- Gemfile
+- README.md
+- Rakefile
+- bin/key_master
+- lib/moranis.rb
+- lib/moranis/key_master.rb
+- lib/moranis/remote_run.rb
+- lib/moranis/version.rb
+- moranis.gemspec
+homepage: ''
+licenses: []
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: moranis
+rubygems_version: 1.8.10
+signing_key: 
+specification_version: 3
+summary: SSH Key management for teams
+test_files: []