I have too many machines floating around, some virtual, some physical, and they’re getting added and removed semi-frequently as I play around with different tools/try out ideas. One recurring pain point is I have no easy way to manage SSH keys around them, and it’s a pain to deal with adding/removing/cycling keys. I know I can use AuthorizedKeysCommand on sshd_config to make the system fetch a remote key for validation, I know I could theoretically publish my pub key to github or alike, but I’m wondering if there’s something more flexible/powerful where I can manage multiple users (essentially roles) such that each machine can be assigned a role and automatically allow access accordingly?

I’ve seen Keyper before, but the container haven’t been updated for years, and the support discord owner actively kicks everyone from the server, even after asking questions.

Is there any other solution out there that would streamline this process a bit?

  • Max-P@lemmy.max-p.me
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    I would switch to certificate based SSH authentication.

    All the server keys gets signed by your CA, all clients also gets signed by your CA. Everyone implicitly trust eachother though the CA and it’s as safe as regular SSH keys.

    You can also sign short lived client keys if you want to make revocations easier, the servers don’t care because now all it cares is that it’s a valid cert issues by the CA, which can be done entirely offline!

    HashiCorp Vault can also help managing the above, but it’s also pretty easy to do manually.

  • RegalPotoo@lemmy.world
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    You could try SSH certificates using something like https://smallstep.com/sso-ssh/ - essentially you delegate validation of your public key to a IDP, which your servers are configured to trust.

    The other approach would be something like ansible or puppet to deploy trusted keys to all servers

  • kool_newt@lemm.ee
    link
    fedilink
    English
    arrow-up
    0
    ·
    edit-2
    1 year ago

    Are you initiating SSH connections from all these hosts?

    If you just need to SSH to these hosts, use a single key and copy the public key only to the hosts you need to connect to. If you don’t want to copy the pubkeys to target hosts, use LDAP + SSSD or certificates.

    Then, if you do need to initiate connections from these hosts and use an SSH agent you can forward your agent and SSH to another host

    client> ssh -A host1
    host1> ssh host2
    host2>
    
    client> ssh -A host1
    host1> ssh -A host2
    host2> ssh -A host3
    host3> 
    
    • InverseParallax@lemmy.world
      link
      fedilink
      English
      arrow-up
      0
      ·
      edit-2
      1 year ago

      Have an alias so trusted hosts can bounce through my authorization host and end up on a tmux session on the targetted host. It has logging and such but mostly it’s for simplicity.

      If I plan to use that connection a lot there’s a script to cat my priv key through the relay.

      Have an scp alias too, but that gets more complicated.

      For more sensitive systems I have 2fa from gauth set up, works great.

      • kool_newt@lemm.ee
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        This is a common pattern, typically called a “jump host” or “bastion host”.

        a script to cat my priv key through the relay

        When it comes to security, I typically recommend against rolling your own. SSH already has agent forwarding option to do this securely and the -J option to accomplish the same without even needing to forward the key. The agent can seem complex at first, it’s actually pretty simple and worth learning.

        Feel free to message me if you have more questions, I’ve got lots of experience w/ SSH.