
Ask HN: How does your company handle SSH keys - tosbourn
Our team is reaching a size when we probably need to get serious about SSH key management.

I was wondering how different places handle how devs get access to servers. A shared key? A gatekeeper? Public keys added to all servers?

What practices and tools do you use in order to manage this?
======
herbst
We use puppet and add our public keys to all servers. IMHO a nice solution,
but clearly a lot of work without something like puppet.

~~~
andymurd
This.

We have a simple Puppet recipe that creates a user, group and home, sets the
correct permissions/groups and installs the public key. It will also remove
users if they leave the company.

The script reads all users' details from YAML so if there are any changes, we
push the YAML to all servers and run the script. It's not as automated as
Puppet-Agent, but it's fine for a small number of servers.

------
mattbillenstein
ansible pushes authorized_keys to all the boxes -- there's a different keys
file for different "clusters" -- dev/prod/staging. Most of the users' keys
are the same between these files, but it gives you the ability to have users
who have access to dev/staging but not prod pretty easily. All of this config
lives in the main git repo.

Even if your initial solution is just to copy an authorized_keys file to each
box, check that into git. You can just have a small shell script checked in as
well that copies the relevant file to the relevant boxes...

Also, always have a backdoor account that uses a key you have and isn't
updated this way so if someone biffs the key file you push, you don't lock
yourself out.
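
An added example, not code from either comment above: a small Python helper in the spirit of the two schemes described (one user inventory file as in the Puppet/YAML comment, one authorized_keys per cluster as in the Ansible comment, leavers listed for removal). The inventory is a constructed sample inlined as Python so it runs without PyYAML; names and key material are placeholders.

```python
"""Build per-cluster authorized_keys files from one user inventory.

Hypothetical helper: INVENTORY stands in for the YAML file, inlined here.
"""
import re

# Constructed sample inventory. 'clusters' lists where the user may log in;
# active=False marks a leaver whose account must be removed everywhere.
INVENTORY = [
    {"name": "alice", "active": True, "clusters": ["dev", "staging", "prod"],
     "keys": ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEYALICE alice@laptop"]},
    {"name": "bob", "active": True, "clusters": ["dev", "staging"],
     "keys": ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEYBOB bob@laptop"]},
    {"name": "carol", "active": False, "clusters": ["dev", "staging", "prod"],
     "keys": ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEYCAROL carol@laptop"]},
]

# A key line must be exactly "<type> <base64> [comment]" on one line. Anything
# else (options such as command=, embedded newlines) is rejected so that a typo
# or a bad inventory entry cannot smuggle extra entries into the pushed file.
KEY_RE = re.compile(
    r"^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)|sk-ssh-ed25519@openssh\.com)"
    r" [A-Za-z0-9+/]+=*( [^\r\n]*)?$"
)

def validate_key(line):
    """Return the key line if it is a plain public key, else raise ValueError."""
    if "\n" in line or "\r" in line or not KEY_RE.match(line):
        raise ValueError("refusing malformed key line: %r" % line)
    return line

def build_authorized_keys(inventory, cluster):
    """Render the authorized_keys text for one cluster (dev/staging/prod).

    Output is sorted by user name so the committed file diffs cleanly in git.
    """
    lines = []
    for user in sorted(inventory, key=lambda u: u["name"]):
        if not user["active"] or cluster not in user["clusters"]:
            continue
        for key in user["keys"]:
            lines.append(validate_key(key))
    return "\n".join(lines) + "\n"

def users_to_remove(inventory):
    """Names of accounts that should be deleted on every server."""
    return [u["name"] for u in inventory if not u["active"]]
```

The break-glass account the comment recommends is deliberately absent from the inventory, so a bad push never touches it.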

------
therealidiot
Recently learned of openssh's AuthorizedKeysCommand option, and I've been
wondering if it could be used to set up a central "authorised keys" server.

~~~
stephenr
There is pretty much a working solution for this using LDAP.

RedHat distros have a Perl (I think?) script that can be used to do the key
lookup, and you just need a small schema extension to allow the storage of the
public keys in the directory.

------
shakkhar
My current company is small. Our servers are in AWS. You can ask AWS to
pre-populate authorized_keys when launching servers.

In my old company my team maintained a bunch of microservices running on AWS.
We used basically the same strategy, except there was one key for each
service. Our application server ran on our own datacenter. Access to that was
granted through LDAP, not SSH keys.

------
mehta_april
Is there an open source framework which could be used for SSH key management?

~~~
neduma
Did you check out Hashicorp Vault for this? More here:
[https://www.vaultproject.io/docs/secrets/ssh/index.html](https://www.vaultproject.io/docs/secrets/ssh/index.html)

