[OOTB-infra] Fwd: ssh pubkeys
Martin Cosgrave
martin at ocretail.com
Wed Feb 18 20:41:43 GMT 2015
On 18/02/15 19:33, Heiko Robert wrote:
> Hi Martin,
>
> the keys of the infra team are stored on the wiki:
> https://support.orderofthebee.org/projects/infra/wiki (see
> Admins/Developers)
> We could store the pub keys on github or more secure stuff on
> support.orderofthebee.org's svn (which uses the same auth component).
OK I can add those users to the list
BTW I'm not sure that redmine is going to be a popular choice for
documentation, we may not want to get too attached to it.
>
> Midterm I'd vote to run a samba4 server as active directory and
> kerberos server. This would reduce any user management and
> authentication to one place and would enable us to have all required
> users prepopulated on any system (pfsense, vpn, vmware, redmine,
> alfresco, ssh, testsystems) because they all support ldap and/or
> kerberos. To close the loop we can store the public keys in the active
> directory which can be accessed by ldap.
>
> But to start kiss we should define a store/git/svn where everyone can
> upload their keys. I'm a fan of naming conventions to avoid complex
> code. So if people take care about naming their public key files and
> additionally set their key comment with their unique bee account name
> everything can be automated at a later time.
>
> Heiko
>
> -------- Forwarded Message --------
> Subject: [OOTB-infra] ssh pubkeys
> Date: Wed, 18 Feb 2015 14:17:10 +0100
> From: Martin Cosgrave <martin at ocretail.com>
> To: ootb-infra at xtreamlab.net
>
> Foreman/puppet can manage the ssh keys and users for each machine in its
> control, so what I can do is create a puppet manifest with authorised
> users' usernames and keys in, and apply that to the configuration of
> every machine. This means that puppet will constantly keep the
> authorized_keys updated and if we want to remove a key from all servers
> we can do so very easily from a single configuration.
>
> Therefore if you would like to send me your public ssh keys, please do
> so. I will add you as a user to the manifest along with your keys, so
> you should be able to log on to all puppet-managed machines.
>
> We can selectively apply the keys on a per-machine basis, for example we
> may define flags such as 'allow_devs' 'allow_testers' etc. and apply
> them differently to each machine.
>
>
> _______________________________________________
> OOTB-infra mailing list
> OOTB-infra at xtreamlab.net
> http://www.xtreamlab.net/mailman/listinfo/ootb-infra
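The per-machine key management Martin describes, written out as a Puppet manifest. This is an added example and not the manifest from the original thread; the class name, host names, account names and key strings are constructed placeholders. It relies on the core `user` (with `purge_ssh_keys`) and `ssh_authorized_key` types, so deleting an entry from the hash removes that key from every managed host on the next run.

```puppet
# Added example, not from the original thread. One hash is the single
# source of truth for accounts and keys; each node declares which role
# flags it allows, and only keys carrying an enabled role land on it.
class ootb_ssh_access (
  Boolean $allow_devs    = false,
  Boolean $allow_testers = false,
) {
  # Constructed placeholder users and (truncated) public keys.
  $users = {
    'alice' => { 'type' => 'ssh-ed25519', 'key' => 'AAAAC3EXAMPLEKEY1', 'roles' => ['devs'] },
    'bob'   => { 'type' => 'ssh-ed25519', 'key' => 'AAAAC3EXAMPLEKEY2', 'roles' => ['testers'] },
    'carol' => { 'type' => 'ssh-rsa',     'key' => 'AAAAB3EXAMPLEKEY3', 'roles' => ['devs', 'testers'] },
  }

  # Roles enabled on this particular machine, derived from the flags.
  $enabled_roles = ['devs', 'testers'].filter |$r| {
    ($r == 'devs' and $allow_devs) or ($r == 'testers' and $allow_testers)
  }

  $users.each |String $name, Hash $u| {
    # A user is granted access if at least one of their roles is enabled here.
    $granted = ($u['roles'].filter |$r| { $r in $enabled_roles }) != []

    if $granted {
      user { $name:
        ensure         => present,
        managehome     => true,
        shell          => '/bin/bash',
        # Remove any key in authorized_keys that Puppet does not manage,
        # so keys dropped from the hash above disappear on the next run.
        purge_ssh_keys => true,
      }
      ssh_authorized_key { "${name}@ootb":
        ensure  => present,
        user    => $name,
        type    => $u['type'],
        key     => $u['key'],
        require => User[$name],
      }
    } else {
      # No enabled role on this host: make sure the account is not present.
      user { $name: ensure => absent }
    }
  }
}

# Per-node application of the flags (host names are placeholders).
node 'build01.example.invalid' { class { 'ootb_ssh_access': allow_devs => true } }
node 'test01.example.invalid'  { class { 'ootb_ssh_access': allow_testers => true } }
```

Note that `purge_ssh_keys` only affects the files Puppet manages for that user (by default the user's own authorized_keys), so a key added by hand elsewhere is not caught by it.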