I have too many machines floating around, some virtual, some physical, and they’re getting added and removed semi-frequently as I play around with different tools/try out ideas. One recurring pain point is I have no easy way to manage SSH keys around them, and it’s a pain to deal with adding/removing/cycling keys. I know I can use AuthorizedKeysCommand on sshd_config to make the system fetch a remote key for validation, I know I could theoretically publish my pub key to github or alike, but I’m wondering if there’s something more flexible/powerful where I can manage multiple users (essentially roles) such that each machine can be assigned a role and automatically allow access accordingly?
I’ve seen Keyper before, but the container haven’t been updated for years, and the support discord owner actively kicks everyone from the server, even after asking questions.
Is there any other solution out there that would streamline this process a bit?
I would switch to certificate based SSH authentication.
All the server keys gets signed by your CA, all clients also gets signed by your CA. Everyone implicitly trust eachother though the CA and it’s as safe as regular SSH keys.
You can also sign short lived client keys if you want to make revocations easier, the servers don’t care because now all it cares is that it’s a valid cert issues by the CA, which can be done entirely offline!
HashiCorp Vault can also help managing the above, but it’s also pretty easy to do manually.
It’s such an underrated feature. It baffles me how people immediately turn to overly complicated solutions solving a problem they don’t really have to solve, just because everyone assumes the only way is the default commonly known way. Like OP, people immediately jump to the conclusion you need extra software to manage the keys, rather than using another authentication method natively supported, and keep filling their known_hosts file with junk, making the whole validation process useless because everyone just accepts whatever key the host presents.
It’s amazing how simple it is. Developer needs temporary access to debug a web server? Sure, here’s your 2h valid cert to log in as the web user on the server, don’t even need to actually log into the server to put their key in and then remove it. I mint a cert and it’s ready to go on whichever users and servers I specified in the cert. Can’t even gain persistence because regular authorized_keys is disabled and we have limited session durations.
I regularly leave people baffled at work because I come up with a clever and built-in super simple solution to something they expected to just slap more scripts and software to work around the only way they know to use the software. Read your manpages in full folks, it’ll save you so much work. Know what your software is capable of.
That’s a long rant, but your on point with it. I have a colleague who refuses to try new things cuz they don’t understand that it makes life easier, I do tend to find the solutions that are simpler and easier to work
You are not logged in. However you can subscribe from another Fediverse account, for example Lemmy or Mastodon. To do this, paste the following into the search field of your instance: !selfhosted@lemmy.world
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don’t control.
Rules:
Be civil: we’re here to support and learn from one another. Insults won’t be tolerated. Flame wars are frowned upon.
No spam posting.
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it’s not obvious why your post topic revolves around selfhosting, please include details to make it clear.
Don’t duplicate the full text of your blog or github here. Just post the link for folks to click.
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
I would switch to certificate based SSH authentication.
All the server keys gets signed by your CA, all clients also gets signed by your CA. Everyone implicitly trust eachother though the CA and it’s as safe as regular SSH keys.
You can also sign short lived client keys if you want to make revocations easier, the servers don’t care because now all it cares is that it’s a valid cert issues by the CA, which can be done entirely offline!
HashiCorp Vault can also help managing the above, but it’s also pretty easy to do manually.
I do this, use the small step ca/Cli to manage the lot. It’s amazing
It’s such an underrated feature. It baffles me how people immediately turn to overly complicated solutions solving a problem they don’t really have to solve, just because everyone assumes the only way is the default commonly known way. Like OP, people immediately jump to the conclusion you need extra software to manage the keys, rather than using another authentication method natively supported, and keep filling their known_hosts file with junk, making the whole validation process useless because everyone just accepts whatever key the host presents.
It’s amazing how simple it is. Developer needs temporary access to debug a web server? Sure, here’s your 2h valid cert to log in as the web user on the server, don’t even need to actually log into the server to put their key in and then remove it. I mint a cert and it’s ready to go on whichever users and servers I specified in the cert. Can’t even gain persistence because regular authorized_keys is disabled and we have limited session durations.
I regularly leave people baffled at work because I come up with a clever and built-in super simple solution to something they expected to just slap more scripts and software to work around the only way they know to use the software. Read your manpages in full folks, it’ll save you so much work. Know what your software is capable of.
That’s a long rant, but your on point with it. I have a colleague who refuses to try new things cuz they don’t understand that it makes life easier, I do tend to find the solutions that are simpler and easier to work
Is smallstep free to self host? Looking at their pricing page it’s kind of unclear, and their saas is pretty pricey.
It sure is, give this a read DIY-Single-Sign-On-for-SSH