Robert D. French

blog(8) System Manager's Manual blog(8)

Managing authentication for out-of-band infrastructure can be tricky. If you are operating below the level of a directory server or an identity provider, your options for “federated” login can be limited. Do you generate new passwords for each user, on each host? Or do you maintain a list of password hashes that get manually copied onto core infrastructure? (On a USB stick labelled "/etc/shadow")

One strategy I like for non-airgapped systems is to rely on SSH public keys provided by GitHub. Every GitHub user's public keys are available at the following URL:

https://github.com/USERNAME.keys

All you need to do is append those keys to each user's authorized_keys file. Then they will be able to log in with whatever private keys they've associated with their GitHub profile. Even better, if you force everyone to use their GitHub username on the out-of-band hosts, you can create new accounts fairly easily. For example, you can run the following to grant me access to the most important hosts on your network:

# adduser -batch robertdfrench
# ftp -o- https://github.com/robertdfrench.keys \
	>> /home/robertdfrench/.ssh/authorized_keys
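As an added example (not the original post's code), a small POSIX sh helper that does what the two commands above do, but only accepts lines that are bare public keys of a known type (no `command=`/`environment=` option prefixes) and skips keys already present in the file. It assumes curl is installed; on OpenBSD substitute the `ftp -o-` call shown above, and chown the result to the user if your sshd's StrictModes requires it.

```shell
#!/bin/sh
# Added example, not from the original post. Import a GitHub user's
# public keys into an authorized_keys file, accepting only well-formed
# key lines and skipping keys that are already there.

# Print the raw key list for a GitHub username (needs network access).
fetch_github_keys() {
    curl -fsS "https://github.com/$1.keys"
}

# Return 0 if the line is a plain "<type> <base64> [comment]" public key
# with no leading options, which a GitHub key file should never contain.
is_plain_pubkey() {
    printf '%s\n' "$1" | grep -Eq \
        '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)|sk-ssh-ed25519@openssh\.com|sk-ecdsa-sha2-nistp256@openssh\.com) [A-Za-z0-9+/]+=*( .*)?$'
}

# Read key lines on stdin, append valid and not-yet-present ones to $1,
# and print the number of keys added.
import_keys() {
    target="$1"; added=0
    mkdir -p "$(dirname "$target")"
    touch "$target"
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        if ! is_plain_pubkey "$line"; then
            printf 'skipping malformed line: %.40s\n' "$line" >&2
            continue
        fi
        # Compare on type + key blob only, so a changed comment is not "new".
        blob=$(printf '%s\n' "$line" | cut -d' ' -f1,2)
        if grep -Fq -- "$blob" "$target"; then
            continue
        fi
        printf '%s\n' "$line" >> "$target"
        added=$((added + 1))
    done
    chmod 700 "$(dirname "$target")"
    chmod 600 "$target"
    echo "$added"
}

# On a host you would run, as root:
#   fetch_github_keys robertdfrench | import_keys /home/robertdfrench/.ssh/authorized_keys
```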

Despite the potential convenience, there are some pretty obvious downsides to this. Specifically, this approach will not work if:

  • Your out-of-band systems can't reach the internet
  • You can't (by choice or by policy) trust GitHub
  • You don't (or can't) trust your admins to use 2FA on their GitHub accounts
  • You don't (or can't) trust your admins to keep their personal SSH keys secure

2025-04-04 Robert D. French