On Tue, Apr 15, 2014 at 10:29:11AM -0600, Yves Dorfsman wrote:
>
> We've been pushing ssh public keys with Ansible, but this is becoming
> cumbersome:
>
> - it takes a significant amount of time to do so, this is growing as
>   the list of keys is growing (O(n) type of thing)
> - keys only get pushed where somebody does a push, which
>   means that it becomes somebody's job, and we still easily miss
>   new/temporary servers
If it is taking a long time to push pubkeys out, is this possibly due to
the number of forks? Before 1.3 I believe the default was 5.

Are keys pushed out as part of a master 'Do all the things' update, or
are they tagged so that something like 'ansible-playbook site.yml -t
pubkeys' pushes everything out? If so, a cron job and/or onboarding
checklist should be able to take care of it.

If new/temporary servers are not getting added to your ansible (or any
config management) configuration... how are they being configured?

>
> We looked at LDAP with sshd AuthorizedKeysCommand, but besides the
> pain of having to extend an ldap schema, it means maintaining our
> own LDAP server, make that two to be redundant etc... The sort of
> things we were trying to avoid by going to a cloud infrastructure.
>
> Played with sshd AuthorizedKeysCommand and S3, pulling the keys via
> http, but that has its own set of safety issues, although mitigated
> by the fact that our AWS instances use Amazon DNS servers....
>
> What have you found that works well?
>
> Thanks.
>
> --
> Yves.
> _______________________________________________
> Tech mailing list
> Tech@lists.lopsa.org
> https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
> This list provided by the League of Professional System Administrators
> http://lopsa.org/

--
Matt Okeson-Harlow
http://technomage.net
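The "safety issues" Yves mentions with an AuthorizedKeysCommand that pulls keys over plain http come down to trusting whatever the endpoint (or anyone who can answer for it on the network) returns. The wrapper below is an added example, written for this page and not code from either poster or from Ansible or OpenSSH. It assumes a key service at https://keys.example.internal/keys/<user> and a cache directory /var/cache/sshkeys writable by the AuthorizedKeysCommandUser; both names are hypothetical. It forces HTTPS with no protocol downgrade, bounds the fetch time so a slow key service cannot stall logins, refuses any response that is not a well-formed authorized_keys bundle (so an HTML error page or truncated download never reaches sshd), and keeps a last-good copy so an outage of the key service does not lock everyone out.

```shell
#!/bin/sh
# Hypothetical AuthorizedKeysCommand wrapper (example, not from the thread).
# Assumed sshd_config:
#   AuthorizedKeysCommand /usr/local/sbin/fetch-authorized-keys %u
#   AuthorizedKeysCommandUser sshkeys
set -eu

KEY_BASE_URL=${KEY_BASE_URL:-https://keys.example.internal/keys}  # assumed endpoint
CACHE_DIR=${CACHE_DIR:-/var/cache/sshkeys}   # assumed; must be writable by AuthorizedKeysCommandUser

# One well-formed authorized_keys entry: key type, base64 blob, optional comment.
KEY_RE='^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+={0,2}( [^[:cntrl:]]*)?$'

fetch_keys() {
    # --fail: HTTP 4xx/5xx becomes a non-zero exit instead of an HTML body
    # --proto '=https': refuse a redirect back to plain http
    # --max-time: a slow key service must not stall every login
    # Add --pinnedpubkey sha256//... to pin the endpoint if the CA set is broad.
    curl --fail --silent --show-error --proto '=https' --tlsv1.2 --max-time 5 \
        "$KEY_BASE_URL/$1"
}

validate_keys() {
    # Reads a candidate bundle on stdin. Drops comments and blank lines, then
    # accepts the bundle only if every remaining line matches KEY_RE. On any
    # stray line (truncated download, error page) it prints nothing and
    # returns 1, so sshd never sees it.
    bundle=$(cat)
    body=$(printf '%s\n' "$bundle" | grep -Ev '^[[:space:]]*(#|$)' || true)
    if [ -z "$body" ]; then
        return 0                      # a user with no keys is a valid answer
    fi
    if printf '%s\n' "$body" | grep -Evq "$KEY_RE"; then
        return 1
    fi
    printf '%s\n' "$body"
}

main() {
    user=$1
    case "$user" in
        ''|*[!A-Za-z0-9._-]*) exit 1 ;;   # never interpolate an odd %u into the URL
    esac
    cache="$CACHE_DIR/$user"
    tmp=$(mktemp) || exit 1
    trap 'rm -f "$tmp"' EXIT
    if fetch_keys "$user" > "$tmp" && keys=$(validate_keys < "$tmp"); then
        umask 077
        mkdir -p "$CACHE_DIR"
        printf '%s\n' "$keys" > "$cache.tmp" && mv "$cache.tmp" "$cache"
        printf '%s\n' "$keys"
    elif [ -r "$cache" ]; then
        cat "$cache"                  # key service down: serve the last good copy
    else
        exit 1                        # no fresh keys and no cache: deny
    fi
}

# sshd invokes the script with the user name as its only argument.
if [ "$#" -eq 1 ]; then
    main "$1"
fi
```

The cache fallback trades immediacy of revocation for availability: a removed key stays valid on a host until that host next reaches the key service. If revocation must take effect the moment the central list changes, drop the `elif` branch and accept that an unreachable key service means no logins.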