SSH keys


It’s just occurred to me, whilst reading about Monkey Sphere, that I don’t populate servers with known user SSH keys, except for admins. This is a bit of a pain, as you have to run ssh-copy-id against all of our servers over and over… but it is also in itself a bit of a security issue, as:

  1. We don’t know that the key on the server is from someone we expect it to be.
  2. We have no way to revoke keys easily if one is compromised or someone leaves the UoB.

To ensure that we accomplish the above it would be good to remove unknown keys from servers. That would be quite disruptive, so to start with I could just populate a user’s key where one is known. I could mine existing keys from the servers, but I imagine they could be out of date.
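As an added illustration of the "remove unknown keys" step (example code written for this post, not from the original or from bcfg2): a small audit that parses an authorized_keys file, derives OpenSSH-style SHA256 fingerprints, and reports any key absent from a central inventory. The key blobs, the inventory and the authorized_keys content are all constructed inline; the stand-in ed25519 blobs have the right wire layout but are not real keys.

```python
import base64
import hashlib
import struct
from collections import namedtuple

KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521", "ssh-dss"}
# fingerprint is OpenSSH-style "SHA256:..."; options are the leading authorized_keys options, if any.
KeyEntry = namedtuple("KeyEntry", "key_type fingerprint options comment")

def fake_ed25519_blob(seed: bytes) -> str:
    # Constructed blob in ssh-ed25519 wire layout (length-prefixed strings); NOT a usable key.
    pub = hashlib.sha256(seed).digest()  # 32 stand-in bytes where the public key would be
    parts = [b"ssh-ed25519", pub]
    return base64.b64encode(b"".join(struct.pack(">I", len(p)) + p for p in parts)).decode()

def fingerprint(blob_b64: str) -> str:
    # Same derivation `ssh-keygen -lf` prints: SHA-256 of the decoded blob, base64, no '=' padding.
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_keys(text: str) -> list:
    entries = []
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        # Options (e.g. from="...") precede the key type; quoted options with spaces are re-joined.
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(tokens):
            continue  # unparseable line: not a key we can account for
        entries.append(KeyEntry(tokens[idx], fingerprint(tokens[idx + 1]),
                                " ".join(tokens[:idx]), " ".join(tokens[idx + 2:])))
    return entries

# Constructed inventory standing in for what bcfg2 would push: fingerprint -> owner.
ALICE_BLOB, BOB_BLOB, STALE_BLOB = (fake_ed25519_blob(s) for s in (b"alice", b"bob", b"left"))
KNOWN_KEYS = {fingerprint(ALICE_BLOB): "alice", fingerprint(BOB_BLOB): "bob"}

SAMPLE_AUTHORIZED_KEYS = f"""# constructed ~/.ssh/authorized_keys as found on a server
ssh-ed25519 {ALICE_BLOB} alice@laptop
from="10.0.0.0/8",no-pty ssh-ed25519 {BOB_BLOB} bob@desktop
ssh-ed25519 {STALE_BLOB} olduser@gone
"""

def unknown_keys(text: str = SAMPLE_AUTHORIZED_KEYS, known: dict = KNOWN_KEYS) -> list:
    # Keys present on the server but absent from the central inventory: candidates for removal.
    return [e for e in parse_authorized_keys(text) if e.fingerprint not in known]
```

Run `unknown_keys()` against a real file's contents and the fingerprints it returns can be checked against `ssh-keygen -lf` before anything is removed.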

So, saving some time (in the long run) and so that initial login to a server just works, staff could send their SSH public key in to add it to bcfg2 to populate servers automatically.

I have in the past cogitated on the possibility of managing ssh keys centrally, that might be a bit of overkill for now. Maybe we could take a look at Monkey Sphere for SSH…