1 |
On 20/05/2015 23:06, Stefan G. Weichinger wrote: |
2 |
> |
3 |
> I am currently trying to slim down and minimize my own few machines. |
4 |
> |
5 |
> Way too much customer servers out there so I'd like to keep it simple in |
6 |
> here at least. |
7 |
> |
8 |
> This lead me to configuring and provisioning my machines via ansible. |
9 |
> |
10 |
> The goals: |
11 |
> |
12 |
> * make sure that my user exists |
13 |
> * roll out configs/dotfiles/git-repos/home-dir |
14 |
> * maybe roll out some system-configs as well (systemd-units, timers) / |
15 |
> ... separate ansible-role, OT here |
16 |
> |
17 |
> etc |
18 |
> |
19 |
> I have set up and maintained quite a list of bash-aliases to access my |
20 |
> customer-servers in daily work. |
21 |
> |
22 |
> Something like: |
23 |
> |
24 |
> alias abcd-server='ssh -p 51023 174.183.26.11' # demo only |
25 |
> |
26 |
> This is based on ssh-pubkey-authentication, sure. |
27 |
> |
28 |
> My questions: |
29 |
> |
30 |
> * if I have a user X on each machine, should each userX@machine have its |
31 |
> own ssh-pubkey? Or is it OK to roll out the same ~/.ssh to all machines? |
32 |
> |
33 |
> * same q for ~/.gnupg ... |
34 |
> |
35 |
> I can deploy the pubkeys to the servers via ansible, sure. |
36 |
> But I would like to keep it simple. stupid. |
37 |
> |
38 |
> ;) |
39 |
> |
40 |
|
41 |
|
42 |
My opinion on this question is that it's irrelevant really. Whether you |
43 |
have one or X key pairs really doesn't matter, as you effectively only |
44 |
have one from a security POV. |
45 |
|
46 |
What do I mean by that? Well, all your private keys are likely in one |
47 |
place, ~/.ssh on your own workstation, as it doesn't scale well to do it |
48 |
any other way. You probably store the passphrase for all keys in the |
49 |
same wallet, all protected by the same password. Let's be honest, we |
50 |
*all* do it like this :-) |
51 |
|
52 |
So effectively we do not have X keys, we have 1 key as they are all |
53 |
protected by the same thing. |
54 |
|
55 |
From a convenience POV, managing multiple keys is a huge PITA and |
56 |
there's no fast, accurate simple way to tell them apart. You have to |
57 |
store them in different places, or examine the trailing comment in each. |
58 |
|
59 |
My usual recommendation is to use the same key for everything, except |
60 |
those servers where you have a very good reason not to. Examples might |
61 |
be a customer contract where you agreed to deploy a unique key used |
62 |
nowhere else, or an exceptional machine with exceptional security needs. |
63 |
Or even an ancient machine that you can't update that can only use ssh-1 |
64 |
keys :-) Limit the number of things you have to keep in your head, that |
65 |
let's you focus on improving a smaller number of security aspects and is |
66 |
also more convenient. |
67 |
|
68 |
Additionally, the simpler your policy rules, the easier it is to write |
69 |
an ansible play to implement them. |
70 |
|
71 |
|
72 |
-- |
73 |
Alan McKinnon |
74 |
alan.mckinnon@×××××.com |