[OOTB-infra] Fwd: ssh pubkeys
Heiko Robert
heiko.orderofthebee.info at ecm4u.de
Wed Feb 18 18:33:04 GMT 2015
Hi Martin,
the keys of the infra team are stored on the wiki:
https://support.orderofthebee.org/projects/infra/wiki (see Admins/Developers)
We could store the pub keys on GitHub or, more securely, on
support.orderofthebee.org's SVN (which uses the same auth component).
Mid-term I'd vote to run a Samba4 server as an Active Directory and Kerberos
server. This would reduce all user management and authentication to one
place and would enable us to have all required users prepopulated on any
system (pfSense, VPN, VMware, Redmine, Alfresco, SSH, test systems),
because they all support LDAP and/or Kerberos. To close the loop we can
store the public keys in the Active Directory, which can be accessed via
LDAP.
But to start, KISS: we should define a store (git/svn) where everyone can
upload their keys. I'm a fan of naming conventions to avoid complex
code. So if people take care with naming their public key files and
additionally set their key comment to their unique bee account name,
everything can be automated at a later time.
Heiko
-------- Forwarded Message --------
Subject: [OOTB-infra] ssh pubkeys
Date: Wed, 18 Feb 2015 14:17:10 +0100
From: Martin Cosgrave <martin at ocretail.com>
To: ootb-infra at xtreamlab.net
Foreman/puppet can manage the ssh keys and users for each machine in its
control, so what I can do is create a puppet manifest with authorised
users' usernames and keys in, and apply that to the configuration of
every machine. This means that puppet will constantly keep the
authorized_keys updated and if we want to remove a key from all servers
we can do so very easily from a single configuration.
Therefore, if you would like to send me your public ssh keys, please do
so. I will add you as a user to the manifest along with your keys, so
you should be able to log on to all puppet-managed machines.
We can selectively apply the keys on a per-machine basis, for example we
may define flags such as 'allow_devs' 'allow_testers' etc. and apply
them differently to each machine.
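As an added example (not code from either mail, nor the OOTB infra team's tooling), the following Python script sketches the pipeline both messages describe: Heiko's convention that each upload is named `<bee-account>.pub` and carries that account name as its key comment, and Martin's per-machine flags such as `allow_devs` / `allow_testers` deciding which keys land in a given machine's `authorized_keys`. Before a key is accepted it is parsed, its base64 blob is decoded, and the key type embedded in the blob's SSH wire header is checked against the declared type, which catches a pasted or truncated key early. The sample uploads, the key blobs (real wire-format prefix, placeholder body, so they are not usable keys) and the flag assignments are all constructed for the demo; the Puppet side that would ship the rendered file is not shown.

```python
import base64
import binascii
import re
import struct
from typing import Dict, List, Set, Tuple

ALLOWED_TYPES = {"ssh-ed25519", "ecdsa-sha2-nistp256", "ssh-rsa"}
# Hypothetical account-name policy: lowercase, starts with a letter, 2-32 chars.
ACCOUNT_RE = re.compile(r"^[a-z][a-z0-9._-]{1,31}$")


def _fake_blob(key_type: str, filler: bytes) -> str:
    """Build a base64 blob with the real SSH wire prefix (uint32 length + key type).
    The remainder is filler, so this is NOT a usable key; constructed for the demo."""
    raw = struct.pack(">I", len(key_type)) + key_type.encode() + filler
    return base64.b64encode(raw).decode()


# Constructed uploads: <bee-account>.pub -> file content. Placeholder keys, nobody's real ones.
SAMPLE_UPLOADS: Dict[str, str] = {
    "heiko.pub": f"ssh-ed25519 {_fake_blob('ssh-ed25519', b'h' * 32)} heiko\n",
    "martin.pub": f"ssh-rsa {_fake_blob('ssh-rsa', b'm' * 64)} martin\n",
    # comment does not equal the account in the file name -> rejected by the convention check
    "alice.pub": f"ssh-ed25519 {_fake_blob('ssh-ed25519', b'a' * 32)} alice@laptop\n",
    # declared as ed25519 but the blob header says ssh-rsa -> rejected as corrupt/mispasted
    "bob.pub": f"ssh-ed25519 {_fake_blob('ssh-rsa', b'b' * 32)} bob\n",
}

# Per-account flags in the spirit of 'allow_devs' / 'allow_testers' (hypothetical values).
ACCOUNT_FLAGS: Dict[str, Set[str]] = {
    "heiko": {"allow_devs", "allow_admins"},
    "martin": {"allow_admins"},
    "alice": {"allow_testers"},
    "bob": {"allow_devs"},
}


def parse_pubkey(line: str) -> Tuple[str, str, str]:
    """Split 'type blob comment', check the type, and verify the blob's embedded type matches."""
    parts = line.strip().split(None, 2)
    if len(parts) != 3:
        raise ValueError("expected 'type base64 comment'")
    key_type, b64, comment = parts
    if key_type not in ALLOWED_TYPES:
        raise ValueError(f"key type {key_type} not allowed")
    try:
        raw = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise ValueError("blob is not valid base64") from exc
    if len(raw) < 4:
        raise ValueError("blob too short")
    (n,) = struct.unpack(">I", raw[:4])
    if raw[4:4 + n].decode("ascii", "replace") != key_type:
        raise ValueError("blob header does not match declared key type")
    return key_type, b64, comment


def validate_upload(filename: str, content: str) -> Tuple[str, str]:
    """Enforce the naming convention: '<account>.pub' whose key comment is exactly <account>.
    Returns (account, normalised key line)."""
    if not filename.endswith(".pub"):
        raise ValueError(f"{filename}: must end in .pub")
    account = filename[:-4]
    if not ACCOUNT_RE.match(account):
        raise ValueError(f"{filename}: bad account name")
    try:
        key_type, b64, comment = parse_pubkey(content)
    except ValueError as exc:
        raise ValueError(f"{filename}: {exc}") from exc
    if comment != account:
        raise ValueError(f"{filename}: comment {comment!r} must equal account {account!r}")
    return account, f"{key_type} {b64} {account}"


def collect_keys(uploads: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Return accepted {account: key line} plus a list of rejection messages."""
    accepted: Dict[str, str] = {}
    rejected: List[str] = []
    for name in sorted(uploads):
        try:
            account, key_line = validate_upload(name, uploads[name])
            accepted[account] = key_line
        except ValueError as exc:
            rejected.append(str(exc))
    return accepted, rejected


def authorized_keys_for(machine_flags: Set[str], keys: Dict[str, str],
                        flags: Dict[str, Set[str]]) -> str:
    """Render authorized_keys for one machine: an account gets in when it holds any flag the machine allows."""
    lines = [keys[a] for a in sorted(keys) if flags.get(a, set()) & machine_flags]
    return "\n".join(lines) + ("\n" if lines else "")


if __name__ == "__main__":
    keys, problems = collect_keys(SAMPLE_UPLOADS)
    for p in problems:
        print("REJECTED:", p)
    print("--- authorized_keys for a test system (allow_devs, allow_testers) ---")
    print(authorized_keys_for({"allow_devs", "allow_testers"}, keys, ACCOUNT_FLAGS), end="")
```

Rejections are collected rather than aborting the run, so one bad upload does not block the rollout of everyone else's keys; removing an account from `ACCOUNT_FLAGS` (or the store) drops it from every rendered file on the next run, which is the single-place revocation the Puppet approach is after.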