Closed peay closed 3 years ago
@peay What about creating a PR and perhaps @michaelwittig would merge it or make some changes to it :-)
I think this could better be a separate project? Feel free to create a link in the README to point to the "cached" solution.
I have been testing a modification to import_users.sh that will provision that user's .ssh/authorized_keys file during the regular users update from IAM.
My motivation is as follows:
Using AuthorizedKeysCommand is slow, as we are invoking aws iam multiple times, which has a startup cost and roundtrip cost. In my testing, I've observed that 3-5s login times are common, which is rather slow compared to vanilla ssh with public keys stored locally where I average below 0.5s.
New users need the script to be available locally, so checking their key at ssh login doesn't help make them available sooner anyway.
Existing users can add their key to .ssh/authorized_keys and retain access for up to 10min even if their key is removed from IAM, so checking their key at ssh login doesn't help make them become blocked sooner either.
This change would be optional in import_users.sh, and AuthorizedKeysCommand can still be used if an almost-immediate update to keys of existing users is required and the up-to-10m delay is not acceptable for key updates.
Would this be a welcome contribution to the project?
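A sketch of the provisioning step proposed above, as an added example that is not code from this issue or from import_users.sh. The function names are hypothetical, and it assumes the IAM user name is also the local account name and that the caller supplies the home directory.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from import_users.sh.

# Print the user's active IAM SSH public keys, one per line.
# Returns non-zero if any aws call fails, so the caller can tell
# "no keys" (revoke access) apart from "IAM unreachable" (keep old file).
fetch_iam_keys() {
  _ids=$(aws iam list-ssh-public-keys --user-name "$1" \
    --query "SSHPublicKeys[?Status=='Active'].[SSHPublicKeyId]" \
    --output text) || return 1
  for _id in $_ids; do
    aws iam get-ssh-public-key --user-name "$1" --ssh-public-key-id "$_id" \
      --encoding SSH --query "SSHPublicKey.SSHPublicKeyBody" \
      --output text || return 1
  done
}

# Replace <home>/.ssh/authorized_keys with the keys read from stdin.
# The file is overwritten, never appended to, so a key removed from IAM
# or added by hand on the host is gone after the next sync.
sync_authorized_keys() {
  _dir="$1/.ssh"
  mkdir -p "$_dir" && chmod 700 "$_dir" || return 1
  _tmp=$(mktemp "$_dir/.authorized_keys.XXXXXX") || return 1
  # Keep only lines shaped like "<type> <base64> [comment]".
  grep -E '^(ssh|ecdsa)-[a-z0-9-]+ [A-Za-z0-9+/]+=*' > "$_tmp" || true
  chmod 600 "$_tmp"
  # Ownership can only be set when the sync runs as root.
  if [ -n "${2:-}" ] && [ "$(id -u)" -eq 0 ]; then
    chown "$2" "$_dir" "$_tmp" || { rm -f "$_tmp"; return 1; }
  fi
  mv -f "$_tmp" "$_dir/authorized_keys"   # rename is atomic within one directory
}

# One user of the periodic sync: sync_user <iam-user> <home-dir>
sync_user() {
  _keys=$(fetch_iam_keys "$1") || return 1   # on failure the old file stays
  printf '%s\n' "$_keys" | sync_authorized_keys "$2" "$1"
}
```

With the file rewritten on every run, the revocation delay is bounded by the sync interval, and a failed IAM call leaves the previous file in place instead of locking everyone out.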