At my last place we had a Chef cookbook set up that pulled public keys
out of a Chef data bag. Every server, virtual or physical, included a
core cookbook that enforced certain standards across the fleet, which in
turn ingested the public key cookbook. Within an hour of checking the
new key in, every server would have picked it up, and the old key would
have been expired. Having it automated in such a simple way allowed us
to easily expand it to handle other conditions, e.g. if the server was a
virtual one in a public cloud, require our cloud-specific ssh keys. The
additional workload on the server and client was pretty negligible.
Paul
On 4/15/2014 9:29 AM, Yves Dorfsman wrote:
We've been pushing ssh public keys with Ansible, but this is becoming
cumbersome:
- it takes a significant amount of time to do so, and this is growing as
the list of keys is growing (O(n) type of thing)
- keys only get pushed when somebody does a push, which means
that it becomes somebody's job, and we still easily miss new/temporary
servers
We looked at LDAP with sshd AuthorizedKeysCommand, but besides the pain
of having to extend an LDAP schema, it means maintaining our own LDAP
server, make that two to be redundant, etc. The sort of thing we
were trying to avoid by going to a cloud infrastructure.
Played with sshd AuthorizedKeysCommand and S3, pulling the keys via
http, but that has its own set of safety issues, although mitigated by
the fact that our AWS instances use Amazon DNS servers....
What have you found that works well?
Thanks.
_______________________________________________
Tech mailing list
Tech@lists.lopsa.org
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
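Both replies touch the same mechanism: sshd's AuthorizedKeysCommand hands the login name to an external program and trusts whatever lines it prints back, so the program should validate keys and apply expiry before sshd ever sees them. The script below is an added example written for this page, not code from either poster or from Chef; it reads a JSON inventory shaped like a data bag item (the "users", "keys" and epoch-seconds "expires" fields are hypothetical, as is the /usr/local/sbin/fetch-keys path), rejects malformed lines and lines whose declared key type does not match the type encoded inside the base64 blob, drops expired keys, and prints the rest in authorized_keys format. The sample inventory is constructed in the code so it runs offline.

```python
#!/usr/bin/env python3
"""AuthorizedKeysCommand helper (added example, not from the thread).

Assumed sshd_config (hypothetical path; the script must be owned by root and
not group/world-writable, and AuthorizedKeysCommandUser must be set):
    AuthorizedKeysCommand /usr/local/sbin/fetch-keys %u
    AuthorizedKeysCommandUser nobody

Usage: fetch-keys USERNAME /path/to/inventory.json
"""
import base64
import json
import struct
import sys
import time

ALLOWED_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256"}


def read_ssh_string(blob, off):
    """Read one length-prefixed SSH wire-format string; return (bytes, new offset)."""
    if off + 4 > len(blob):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", blob[off:off + 4])
    if off + 4 + n > len(blob):
        raise ValueError("truncated string body")
    return blob[off + 4:off + 4 + n], off + 4 + n


def valid_pubkey_line(line):
    """True only for 'type base64 [comment]' lines whose base64 blob starts with
    the same key type that the line declares (catches pasted or mislabelled keys)."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        return False
    ktype, b64 = parts[0], parts[1]
    if ktype not in ALLOWED_TYPES:
        return False
    try:
        blob = base64.b64decode(b64, validate=True)   # binascii.Error is a ValueError
        inner, _ = read_ssh_string(blob, 0)
    except (ValueError, struct.error):
        return False
    return inner == ktype.encode()


def keys_for_user(inventory, user, now=None):
    """Return the authorized_keys lines sshd should accept for `user`."""
    now = time.time() if now is None else now
    out = []
    for entry in inventory.get("users", {}).get(user, {}).get("keys", []):
        expires = entry.get("expires")          # hypothetical field, epoch seconds
        if expires is not None and expires <= now:
            continue                            # the "old key" Paul describes
        line = entry.get("key", "")
        if valid_pubkey_line(line):
            out.append(line.strip())
    return out


def make_key_line(ktype, payload, comment):
    """Build a syntactically valid public-key line for the constructed sample
    (the payload is dummy bytes, not a real key)."""
    blob = (struct.pack(">I", len(ktype)) + ktype.encode()
            + struct.pack(">I", len(payload)) + payload)
    return "%s %s %s" % (ktype, base64.b64encode(blob).decode(), comment)


# Constructed sample inventory: one good key, one expired key, one whose blob
# says ssh-rsa while the line claims ssh-ed25519, and one that is not base64.
SAMPLE_INVENTORY = {
    "users": {
        "yves": {"keys": [
            {"key": make_key_line("ssh-ed25519", b"\x11" * 32, "yves@laptop")},
            {"key": make_key_line("ssh-ed25519", b"\x22" * 32, "yves@old"),
             "expires": 1400000000},
            {"key": "ssh-ed25519 "
                    + make_key_line("ssh-rsa", b"\x33" * 32, "x").split()[1]
                    + " mismatched"},
            {"key": "ssh-ed25519 not*base64 broken"},
        ]},
    }
}


def main(argv):
    if len(argv) != 3:
        sys.stderr.write("usage: fetch-keys USERNAME INVENTORY.json\n")
        return 2
    with open(argv[2]) as f:
        inventory = json.load(f)
    for line in keys_for_user(inventory, argv[1]):
        print(line)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Printing nothing for an unknown user or an all-invalid key set makes sshd fall back to the AuthorizedKeysFile it already consults, so a broken inventory cannot grant access it would not otherwise grant; fetching the inventory over HTTP as Yves describes still needs transport authentication (or a signed inventory), which this script deliberately does not attempt.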