Ask HN: How does your company handle SSH keys
10 points by tosbourn on Jan 7, 2016 | 9 comments
Our team is reaching a size when we probably need to get serious about SSH key management.

I was wondering how different places handle how devs get access to servers. A shared key? A gatekeeper? Public keys added to all servers?

What practices and tools do you use in order to manage this?
We use puppet and add our public keys to all servers. IMHO a nice solution, but clearly a lot of work without something like puppet.


This.

We have a simple Puppet recipe that creates a user, group and home, sets the correct permissions/groups and installs the public key. It will also remove users if they leave the company.

The script reads all users' details from YAML so if there are any changes, we push the YAML to all servers and run the script. It's not as automated as Puppet-Agent, but it's fine for a small number of servers.


+1, we do this too.


Ansible pushes authorized_keys to all the boxes -- there's a different keys file for different "clusters" -- dev/prod/staging. Most of the users' keys are the same between these files, but it gives you the ability to have users who have access to dev/staging but not prod pretty easily. All of this config lives in the main git repo.

Even if your initial solution is just to copy an authorized_keys file to each box, check that into git. You can just have a small shell script checked in as well that copies the relevant file to the relevant boxes...

Also, always have a backdoor account that uses a key you have and isn't updated this way so if someone biffs the key file you push, you don't lock yourself out.
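The per-cluster key-file approach above, as an added example that is not from the thread or any commenter: a small generator that builds one authorized_keys file per cluster from a single users list, validates every key line against the OpenSSH public-key wire format before it is accepted, and refuses to produce an empty file so a typo in the config cannot lock everyone out. The users dict, cluster names and key bytes are constructed for the example (real setups would read them from YAML); the break-glass account is deliberately absent from the list so this script can never overwrite it.

```python
"""Build one authorized_keys file per cluster from a single users list
(constructed example; assumes an inline dict and dev/staging/prod clusters)."""
import base64
import struct

ALLOWED_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256"}


def encode_key_line(keytype: str, raw: bytes, comment: str) -> str:
    """Constructed helper: build an OpenSSH public key line (ed25519 layout)."""
    blob = struct.pack(">I", len(keytype)) + keytype.encode()
    blob += struct.pack(">I", len(raw)) + raw
    return f"{keytype} {base64.b64encode(blob).decode()} {comment}"


def parse_key_line(line: str) -> tuple:
    """Validate a key line; return (type, comment) or raise ValueError."""
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    keytype = parts[0]
    if keytype not in ALLOWED_TYPES:
        raise ValueError(f"key type {keytype!r} not allowed")
    blob = base64.b64decode(parts[1], validate=True)  # ValueError on junk
    # The blob starts with its own length-prefixed type string; it must
    # match the declared type, otherwise sshd would silently skip the line.
    if len(blob) < 4 or blob[4:4 + struct.unpack(">I", blob[:4])[0]] != keytype.encode():
        raise ValueError("declared key type does not match key blob")
    return keytype, parts[2] if len(parts) == 3 else ""


def build_authorized_keys(users: dict, cluster: str) -> str:
    """Return the file content for one cluster; fail loudly rather than push
    a broken file, since an empty or unparsable file locks everyone out."""
    lines = []
    for _name, (key_line, clusters) in sorted(users.items()):
        if cluster in clusters:
            parse_key_line(key_line)  # any bad key aborts the whole build
            lines.append(key_line.strip())
    if not lines:
        raise RuntimeError(f"refusing to write empty authorized_keys for {cluster!r}")
    return "\n".join(lines) + "\n"


# Constructed sample users (fake key bytes, not real keys); bob has no prod access.
USERS = {
    "alice": (encode_key_line("ssh-ed25519", bytes(range(32)), "alice@laptop"),
              {"dev", "staging", "prod"}),
    "bob": (encode_key_line("ssh-ed25519", bytes(32), "bob@laptop"), {"dev", "staging"}),
}
```

Run `build_authorized_keys(USERS, cluster)` for each cluster and ship the result with your existing push script; a RuntimeError or ValueError means the push must not happen.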


Recently learned of OpenSSH's AuthorizedKeysCommand option, and I've been wondering if it could be used to set up a central "authorised keys" server.


There is pretty much a working solution for this using LDAP.

Red Hat distros have a Perl (I think?) script that can be used to do the key lookup, and you just need a small schema extension to allow the storage of the public keys in the directory.


My current company is small. Our servers are in AWS. You can ask AWS to pre-populate authorized_keys when launching servers.

In my old company my team maintained a bunch of microservices running on AWS. We used basically the same strategy, except there was one key for each service. Our application server ran in our own datacenter. Access to that was granted through LDAP, not SSH keys.


Is there an open source framework which could be used for SSH key management?


Did you check out Hashicorp Vault for this? More here: https://www.vaultproject.io/docs/secrets/ssh/index.html
