[OOTB-infra] Fwd: ssh pubkeys

Heiko Robert heiko.orderofthebee.info at ecm4u.de
Wed Feb 18 18:33:04 GMT 2015


Hi Martin,

the keys of the infra team are stored on the wiki: 
https://support.orderofthebee.org/projects/infra/wiki (see Admins/Developers)
We could store the pub keys on GitHub, or, more securely, in 
support.orderofthebee.org's svn (which uses the same auth component).

Mid-term I'd vote to run a samba4 server as Active Directory and Kerberos 
server. This would reduce all user management and authentication to one 
place and would enable us to have all required users prepopulated on any 
system (pfsense, vpn, vmware, redmine, alfresco, ssh, test systems) 
because they all support LDAP and/or Kerberos. To close the loop we can 
store the public keys in the Active Directory, which can be accessed via 
LDAP.

But to start, KISS: we should define a store/git/svn where everyone can 
upload their keys. I'm a fan of naming conventions to avoid complex 
code. So if people take care when naming their public key files and 
additionally set their key comment to their unique bee account name, 
everything can be automated at a later time.

Heiko

-------- Forwarded Message --------
Subject: 	[OOTB-infra] ssh pubkeys
Date: 	Wed, 18 Feb 2015 14:17:10 +0100
From: 	Martin Cosgrave <martin at ocretail.com>
To: 	ootb-infra at xtreamlab.net



Foreman/puppet can manage the ssh keys and users for each machine in its
control, so what I can do is create a puppet manifest with authorised
users' usernames and keys in, and apply that to the configuration of
every machine. This means that puppet will constantly keep the
authorized_keys updated and if we want to remove a key from all servers
we can do so very easily from a single configuration.

Therefore, if you would like to send me your public ssh keys, please do
so. I will add you as a user to the manifest along with your keys, so
you should be able to log on to all puppet-managed machines.

We can selectively apply the keys on a per-machine basis, for example we
may define flags such as 'allow_devs' 'allow_testers' etc. and apply
them differently to each machine.


_______________________________________________
OOTB-infra mailing list
OOTB-infra at xtreamlab.net
http://www.xtreamlab.net/mailman/listinfo/ootb-infra
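As an added illustration of the two ideas in this thread (Heiko's "file name and key comment equal the bee account name" convention, and Martin's per-machine `allow_devs` / `allow_testers` flags), here is a small script that validates a key store against that convention and renders an `authorized_keys` file per machine. It is example code written for this page, not the OOTB puppet manifest or any code from the list; the account names, key blobs, flag names and machine names are constructed placeholders.

```python
import re

# Constructed sample key store: files named <account>.pub whose key comment
# must equal the account name.  The base64 blobs are made-up placeholders.
KEY_FILES = {
    "alice.pub": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEBLOBalice alice",
    "bob.pub": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQFAKEBLOBbob bob",
    "carol.pub": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEBLOBcarol carol-laptop",
}

# Access flags carried by each account, and the flags each machine honours
# (hypothetical names modelled on the allow_devs / allow_testers idea).
ACCOUNT_FLAGS = {"alice": {"allow_devs"}, "bob": {"allow_testers"}, "carol": {"allow_devs"}}
MACHINE_FLAGS = {"alfresco-test": {"allow_devs", "allow_testers"}, "redmine": {"allow_devs"}}

# One OpenSSH public key line: <type> <base64 blob> [comment]
KEY_RE = re.compile(r"^(ssh-(?:rsa|ed25519)|ecdsa-sha2-nistp\d+)\s+(\S+)\s*(.*)$")
ACCOUNT_RE = re.compile(r"[a-z][a-z0-9_-]*")

def parse_key(filename, line):
    """Return (account, keytype, blob); raise ValueError on a convention violation."""
    account = filename[:-4] if filename.endswith(".pub") else ""
    if not ACCOUNT_RE.fullmatch(account):
        raise ValueError(f"{filename}: file name must be <account>.pub")
    m = KEY_RE.match(line.strip())
    if not m:
        raise ValueError(f"{filename}: not an OpenSSH public key line")
    keytype, blob, comment = m.groups()
    if comment != account:
        raise ValueError(f"{filename}: key comment {comment!r} must equal account {account!r}")
    return account, keytype, blob

def validate_keys(key_files):
    """Split a key store into accepted keys (by account) and a list of violations."""
    accepted, errors = {}, []
    for fname, line in sorted(key_files.items()):
        try:
            account, keytype, blob = parse_key(fname, line)
            accepted[account] = (keytype, blob)
        except ValueError as exc:
            errors.append(str(exc))
    return accepted, errors

def authorized_keys_for(machine, accepted, account_flags, machine_flags):
    """Render authorized_keys for one machine: only accounts sharing a flag with it."""
    lines = [f"{keytype} {blob} {account}"
             for account, (keytype, blob) in accepted.items()
             if account_flags.get(account, set()) & machine_flags[machine]]
    return "".join(line + "\n" for line in lines)
```

Rejected keys are reported rather than silently dropped, so a mismatched comment (here `carol.pub`) never reaches any server until the owner fixes it.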


