This Bash script pulls `authorized_keys` files from remote URLs and updates SSH access for multiple local users.
- Pull-based (ideal for cron or systemd timer)
- Supports multiple users
- Works with:
  - ✅ Public URLs (method: `raw`)
  - ✅ Private GitHub repositories via GitHub API (method: `api`, requires token)
  - ✅ GitHub user public keys (method: `ghuser`)
- Safe: Only updates keys if they’ve changed
- Logs activity per user
User configuration is stored in a separate `users.conf` file in the same directory as the script.
Edit `users.conf` to define users and their key sources.
Each entry uses the format:
`["username"]="method:url"`
- `raw`: Fetches directly from a public URL.
- `api`: Fetches from a private GitHub repo using the GitHub API (requires `GITHUB_TOKEN` environment variable).
- `ghuser`: Fetches public keys from a GitHub user's profile (provide the GitHub username after the colon).
You can also set your GitHub token in the config file using `CONF_GITHUB_TOKEN`.
If `GITHUB_TOKEN` is not set in the environment, the script will use `CONF_GITHUB_TOKEN` from `users.conf`.
Example `users.conf`:
```bash
CONF_GITHUB_TOKEN="your_github_token_here"
declare -A USER_KEYS=(
  ["ubuntu"]="raw:https://example.com/ssh-keys/ubuntu.authorized_keys"
  ["devuser"]="api:https://api.github.com/repos/yourorg/ssh-keys/contents/keys/devuser.authorized_keys?ref=main"
  ["alice"]="ghuser:alice-github-username"
)
```
- Edit the `users.conf` file to define users and their key URLs or GitHub usernames.
- If using the `api` method, either export your GitHub token or set `CONF_GITHUB_TOKEN` in `users.conf`:
  ```bash
  export GITHUB_TOKEN=your_token_here
  ```
- Make sure the script is executable:
  ```bash
  chmod +x sync-ssh-keys.sh
  ```
- Add to root's crontab:
  ```
  */15 * * * * /usr/local/bin/sync-ssh-keys.sh >> /var/log/ssh-key-sync.log 2>&1
  ```
- The script sources `users.conf` for configuration.
- Uses a helper function `fetch_key_file` to fetch keys using the appropriate method.
- Only updates a user's `authorized_keys` if the remote file has changed.
- Logs all actions with timestamps.
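
The change check described above, extended with a validation step and an atomic replace, as an added example that is not the script's own code. The names `validate_keys`, `install_if_changed` and `demo`, the key pattern, and the sample key are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example; names are hypothetical and not taken from sync-ssh-keys.sh.
# Strict on purpose: at most one options token without spaces, then a key
# type, then base64. HTML error pages and JSON API errors do not match.
KEY_RE='^([^ ]+ )?(ssh-(rsa|ed25519)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$'

# Succeeds only if every non-blank, non-comment line is a key and at least one key exists.
validate_keys() {
    local file=$1 keys
    if grep -Ev '^[[:space:]]*(#.*)?$' "$file" | grep -Evq "$KEY_RE"; then
        return 1
    fi
    keys=$(grep -Ec "$KEY_RE" "$file" || true)
    [ "$keys" -gt 0 ]    # an empty result would lock the user out
}

# Returns 0 = updated, 1 = unchanged, 2 = rejected or write failure.
install_if_changed() {
    local fetched=$1 target=$2 tmp
    if ! validate_keys "$fetched"; then
        echo "$(date '+%F %T') rejected $fetched: not an authorized_keys file" >&2
        return 2
    fi
    if [ -f "$target" ] && cmp -s "$fetched" "$target"; then
        return 1
    fi
    # Temp file beside the target so mv is an atomic rename; sshd never
    # sees a half-written file. mktemp creates it with mode 0600.
    tmp=$(mktemp "${target}.XXXXXX") || return 2
    if cat "$fetched" > "$tmp" && mv -f "$tmp" "$target"; then
        return 0
    fi
    rm -f "$tmp"
    return 2
}

# Constructed sample data: one placeholder key line and one API error body.
demo() {
    local dir rc src
    dir=$(mktemp -d) || return 1
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYDATA alice@example\n' > "$dir/good"
    printf '{"message":"Bad credentials"}\n' > "$dir/bad"
    for src in good good bad; do
        rc=0; install_if_changed "$dir/$src" "$dir/authorized_keys" 2>/dev/null || rc=$?
        printf '%s ' "$rc"
    done
    rm -rf "$dir"
}
demo; echo    # prints: 0 1 2
```

Ownership of the installed file is left to the caller here; a root-run sync would normally set it to the target user after the rename.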