8

I'm looking to switch from a password-based system (which I'm starting to become overwhelmed with) to an SSH key-based system.

I'd like to know if there is any SSH key management system or server solution which would allow me to distribute and revoke keys over machines?

Or is the best approach to use Puppet for this task? If yes, then would the approach of a single key pair per client machine (described here: Best system for managing ssh keys?) be the best?

SyRenity

2 Answers

3

Yes, Puppet is the right way to do this, and from that other question, Option 3 seems to be the most sensible (as well as being the accepted answer [always a good sign!]).

There's an ssh_key module for Puppet which makes the whole thing trivially easy.

Tom O'Connor
  • Can you point me to this module? Also, in case one client becomes compromised (laptop stolen for example), I can easily disable this public key? And I can easily add new keys? – SyRenity Jan 03 '10 at 00:19
  • 1
    Yes it's easy to add and remove keys centrally, although practically speaking every publicly available SSH key management module for Puppet is arse; it's easier just to use a fragmented file directly. – womble Jan 03 '10 at 03:09
  • Can you explain what you mean by fragmented file? Is it a centrally stored file or something? – SyRenity Jan 03 '10 at 16:12
  • 1
    I seem to recall it being a combination of http://reductivelabs.com/trac/puppet/wiki/TypeReference#ssh-authorized-key and http://reductivelabs.com/trac/puppet/wiki/Recipes/Authorized_keys I'll check later which it was exactly. – Tom O'Connor Jan 03 '10 at 19:18
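The central add/revoke workflow discussed in this answer and its comments, written out as an added example using Puppet's built-in ssh_authorized_key type (this is not code from the answer or from any of the linked modules). The key registry hash, the `deploy` account, the client names and the key bodies are constructed placeholders; in practice the hash would come from Hiera or another data source.

```puppet
# Added example: one public key per client machine (Option 3 from the linked
# question), managed centrally. Each resource title is the key comment, so a
# stolen laptop maps to exactly one entry that can be revoked.
class site::ssh_keys (
  String $account = 'deploy',   # placeholder: the account clients log in as
) {
  # Constructed registry of client keys. 'present' distributes a key,
  # 'absent' revokes it on every node at the next Puppet run.
  $client_keys = {
    'alice@laptop-01' => {
      'ensure'  => 'present',
      'type'    => 'ssh-ed25519',
      'key'     => 'AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYBODY01',
      'options' => ['from="10.0.0.0/8"', 'no-agent-forwarding', 'no-X11-forwarding'],
    },
    'bob@laptop-02' => {
      'ensure'  => 'present',
      'type'    => 'ssh-ed25519',
      'key'     => 'AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYBODY02',
      'options' => ['from="10.0.0.0/8"', 'no-agent-forwarding', 'no-X11-forwarding'],
    },
    # Laptop reported stolen: flip ensure to absent instead of deleting the
    # entry, so the revocation is still enforced on nodes that applied the
    # key earlier. The key body must stay so Puppet can match the line.
    'carol@laptop-03' => {
      'ensure'  => 'absent',
      'type'    => 'ssh-ed25519',
      'key'     => 'AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYBODY03',
    },
  }

  # One ssh_authorized_key resource per registry entry. Puppet edits the
  # matching line in ~deploy/.ssh/authorized_keys and leaves other lines alone,
  # which is what makes adding and removing a single client safe.
  $client_keys.each |String $title, Hash $attrs| {
    ssh_authorized_key { $title:
      user => $account,
      *    => $attrs,
    }
  }
}
```

Nodes that should receive the keys include `site::ssh_keys` in their catalog; a revocation takes effect on each node at its next agent run, so the agent run interval bounds how long a stolen key stays usable.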
3

SSH is nice, but when you start to scale to large numbers of keys and ACLs, it gets ugly fast.

Kerberos was designed to operate in this sort of environment (lots of ACLs, key revocation, etc.) User management with kerberos is a pain, but if you've got a very small number of users, it is pretty easy.

chris