[OOTB-infra] Fwd: ssh pubkeys

Martin Cosgrave martin at ocretail.com
Wed Feb 18 20:41:43 GMT 2015


On 18/02/15 19:33, Heiko Robert wrote:
> Hi Martin,
>
> the keys of the infra team are stored on the wiki: 
> https://support.orderofthebee.org/projects/infra/wiki (see 
> Admins/Developers)
> We could store the pub keys on GitHub, or more securely on 
> support.orderofthebee.org's svn (which uses the same auth component).

OK, I can add those users to the list.

BTW I'm not sure that Redmine is going to be a popular choice for 
documentation; we may not want to get too attached to it.
>
> Mid-term, I'd vote to run a Samba4 server as Active Directory and 
> Kerberos server. This would reduce all user management and 
> authentication to one place and would enable us to have all required 
> users prepopulated on any system (pfSense, VPN, VMware, Redmine, 
> Alfresco, ssh, test systems) because they all support LDAP and/or 
> Kerberos. To close the loop we can store the public keys in the Active 
> Directory, which can be accessed via LDAP.
>
> But to start (KISS) we should define a store/git/svn where everyone can 
> upload their keys. I'm a fan of naming conventions to avoid complex 
> code. So if people take care naming their public key files and 
> additionally set their key comment to their unique bee account name, 
> everything can be automated at a later time.


>
> Heiko
>
> -------- Forwarded Message --------
> Subject: 	[OOTB-infra] ssh pubkeys
> Date: 	Wed, 18 Feb 2015 14:17:10 +0100
> From: 	Martin Cosgrave <martin at ocretail.com>
> To: 	ootb-infra at xtreamlab.net
>
>
>
> Foreman/puppet can manage the ssh keys and users for each machine in its
> control, so what I can do is create a puppet manifest with authorised
> users' usernames and keys in, and apply that to the configuration of
> every machine. This means that puppet will constantly keep the
> authorized_keys updated and if we want to remove a key from all servers
> we can do so very easily from a single configuration.
>
> Therefore if you would like to send me your public ssh keys, please do
> so. I will add you as a user to the manifest along with your keys, so
> you should be able to log on to all puppet-managed machines.
>
> We can selectively apply the keys on a per-machine basis, for example we
> may define flags such as 'allow_devs' 'allow_testers' etc. and apply
> them differently to each machine.
>
>
> _______________________________________________
> OOTB-infra mailing list
> OOTB-infra at xtreamlab.net
> http://www.xtreamlab.net/mailman/listinfo/ootb-infra
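As an added example (not code from the thread or the OOTB project), a Puppet class implementing the per-machine access flags Martin describes, with the key comment set to the bee account name as Heiko suggests; the class name, account names, roles and key strings are constructed placeholders.

```puppet
# Added example: per-host flags decide which roles' keys land on a machine.
# Accounts exist on every host; only the keys are applied selectively.
class ootb::ssh_access (
  Boolean $allow_devs    = false,
  Boolean $allow_testers = false,
) {
  # One entry per bee account (constructed placeholders, not real keys).
  $accounts = {
    'alice' => { 'role' => 'devs',    'type' => 'ssh-ed25519', 'key' => 'AAAA_PLACEHOLDER_ALICE' },
    'bob'   => { 'role' => 'testers', 'type' => 'ssh-ed25519', 'key' => 'AAAA_PLACEHOLDER_BOB' },
  }

  $accounts.each |String $name, Hash $acct| {
    # Map the account's role onto this host's flag; unknown roles never match.
    $allowed = $acct['role'] ? {
      'devs'    => $allow_devs,
      'testers' => $allow_testers,
      default   => false,
    }
    $state = $allowed ? { true => 'present', default => 'absent' }

    # purge_ssh_keys removes any authorized_keys entry Puppet does not
    # manage, so a key dropped from $accounts disappears from every host
    # on the next run, and hand-added keys do not survive either.
    user { $name:
      ensure         => present,
      managehome     => true,
      purge_ssh_keys => true,
    }

    # The resource title becomes the key comment in authorized_keys,
    # i.e. the bee account name, which keeps keys attributable.
    ssh_authorized_key { $name:
      ensure => $state,
      user   => $name,
      type   => $acct['type'],
      key    => $acct['key'],
    }
  }
}

# Example host classification: developers and testers may log on here.
node 'testbox.example' {
  class { 'ootb::ssh_access':
    allow_devs    => true,
    allow_testers => true,
  }
}
```

A host that declares the class with both flags left at their defaults keeps the accounts but carries no keys, which is a safe default for new machines.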
