
I have ssh access to almost a dozen machines, and tend to work from multiple devices myself (one main laptop, one home laptop, a smartphone via termux, a tablet via termux, one backup macbook, a cygwin install in the office). Additionally, some of those machines need access to each other (e.g. rsync over ssh for remote backup).

When I had fewer devices I was quite strict on a unique key for each pair of connections, but that became way too cumbersome, so what I currently do is maintain two keys (called 'personal' and 'work') for each device, and have two different 'authorized_keys' files which list the public key for all my devices' keys. I have a simple bash script which pushes these authorized_keys files to the right machines.

This is also breaking down in terms of complexity because, for example, there are some devices which should have additional inter-device keys which I don't want to grant access to all my machines (e.g. a key just for backup shouldn't be allowed to access my home laptop).

What's a convenient way to manage the keys (and particularly authorized_keys) on each of those machines? I'm aware of ansible and puppet, and have taken a look at both, but they seem pretty overcomplicated for what I'm trying to do.

I suppose the ideal situation for me would be to have some type of matrix mapping between keys and machines, which would then generate the right authorized_keys file for all machines and push it, but openssh doesn't seem to have such a tool.

1 Answer


There is no single correct answer. On a mid-size system I've created a central server and scripts to push out and maintain ssh infrastructure. There are, however, scaling limits to this - push architectures don't scale as well as pull ones.

The next step up is to use something like puppet, chef or cfengine to deploy a pull based architecture.

You can also move towards an LDAP based system (even storing ssh keys in LDAP) - e.g. https://shellpower.wordpress.com/2015/05/26/ssh-public-key-authentication-with-ldap-on-ubuntu/ - or move to a different auth mechanism - SSH supports quite a few.

  • Agree that homebrew scripts don't scale very well, which is what prompts this question for me. Puppet etc. do seem overkill for this scale though (a dozen or so machines), so I wonder what's in between.
    – Ng Oon-Ee
    Commented Feb 20, 2018 at 8:28
  • I have no problem managing a lot more than a dozen systems using a couple of homebrew scripts. Reading your answer, the solution may be to rethink your script architecture. In my case (because I'm a PHP/Bash guy) I wrote a config file (as an array/structure) in PHP and a few basic functions which I could then output and incorporate into my bash scripts. By doing this all on a single system which all the others trust I can push out SSH keys and even run arbitrary commands on classes/groups of systems.
    – davidgo
    Commented Feb 20, 2018 at 8:41
  • Nothing to stop you having a script to combine sets of keys before pushing them to authorized_keys as appropriate to your config - or, alternatively, if different hosts have different users or IP relationships, using an AllowUsers directive in the sshd config files.
    – davidgo
    Commented Feb 20, 2018 at 8:42
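The key/host matrix the question asks for, generating one authorized_keys file per host the way davidgo's comment suggests (combine the key sets per host, then push), as an added example that is not code from the question or the answer. The host names, key names, placeholder public keys, the 192.0.2.10 address and the /usr/bin/rrsync path are all constructed assumptions. It also shows how the single-purpose backup key can carry authorized_keys options (restrict, from=, command=) so that even on the hosts that do accept it, it can only do its backup job.

```python
#!/usr/bin/env python3
"""Generate per-host authorized_keys files from a key/host matrix."""

# Constructed sample: each device key is tagged with the groups it belongs to.
# Optional "options" become authorized_keys options on that key's line, which is
# how a single-purpose key is confined on the hosts that do accept it.
KEYS = {
    "laptop-personal": {"groups": {"personal"}, "pub": "ssh-ed25519 AAAAC3...laptop laptop"},
    "phone-personal":  {"groups": {"personal"}, "pub": "ssh-ed25519 AAAAC3...phone phone"},
    "office-work":     {"groups": {"work"},     "pub": "ssh-ed25519 AAAAC3...office office"},
    "backup-rsync":    {"groups": {"backup"},   "pub": "ssh-ed25519 AAAAC3...backup backup",
                        # assumed source address and rrsync path; adjust per host
                        "options": 'restrict,from="192.0.2.10",command="/usr/bin/rrsync /srv/backup"'},
}

# Constructed sample: which key groups each host accepts. The home laptop
# deliberately does not list "backup", so the backup key never lands there.
HOSTS = {
    "home-laptop":   {"personal"},
    "work-server":   {"work", "personal"},
    "backup-target": {"personal", "backup"},
}


def authorized_keys_for(host, keys=KEYS, hosts=HOSTS):
    """Return the authorized_keys content for one host, one key per line."""
    wanted = hosts[host]
    lines = []
    for name in sorted(keys):            # stable order keeps diffs readable
        key = keys[name]
        if not key["groups"] & wanted:   # key shares no group with this host
            continue
        opts = key.get("options")
        lines.append(f"{opts} {key['pub']}" if opts else key["pub"])
    return "\n".join(lines) + "\n"


def build_all(keys=KEYS, hosts=HOSTS):
    """Map each host to its generated file, ready to be copied into place."""
    return {h: authorized_keys_for(h, keys, hosts) for h in hosts}


if __name__ == "__main__":
    for host, content in build_all().items():
        print(f"### {host}\n{content}")
```

Pushing the generated files (scp to ~/.ssh/authorized_keys, then sshd re-reads it on the next login) is the part the existing bash script already does; the matrix only replaces the hand-maintained file per group.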
