1 |
On 7/15/22 1:53 AM, J. Roeleveld wrote: |
2 |
> I agree, but that is a tedious process. |
3 |
|
4 |
Yes, it can be. That's where some automation comes into play. |
5 |
|
6 |
> I have multiple machines I use as desktop depending on where I am. And |
7 |
> either I need to securely share the private keys between them or set |
8 |
> up different keys per desktop. |
9 |
|
10 |
I /currently/ use unique keys /per/ /client/ /system/. |
11 |
|
12 |
I am /planing/ on starting to use unique keys /per/ /client/ /per/ |
13 |
/server/. Meaning that each client will use a different key for each |
14 |
remote server. I think that this combined with location restrictions in |
15 |
the authorized_keys file will mean that SSH keys (or certificates) can't |
16 |
be used from anywhere other than their approved location or for anything |
17 |
other than their intended purpose. |
18 |
|
19 |
> I assume the same is true for most people. |
20 |
|
21 |
Yes. It depends what security posture you / your organization want. |
22 |
|
23 |
> Never mind that access to the servers needs to be possible for others |
24 |
> as well. |
25 |
|
26 |
I assume that other users will use their own individual accounts to log |
27 |
into the target systems with a similar configuration. |
28 |
|
29 |
E.g. I log into remote systems as "gtaylor" and you log into remote |
30 |
systems as "joost", and Neil logs into remote systems as "neil". We |
31 |
would all then escalate to root via "su -" with the automation providing |
32 |
the password to su. |
33 |
|
34 |
> Either way, to do this automatically, all the desktop machines need |
35 |
> to be powered and running while changing the keys. |
36 |
|
37 |
No, they don't. |
38 |
|
39 |
You just need to account for current and prior keys. |
40 |
|
41 |
I've done exactly this on a fleet of about 800 Unix systems that I |
42 |
helped administer at my last job. You do something like the following: |
43 |
|
44 |
1) Log into the remote system explicitly using the prior key. |
45 |
2) Append the current key to the ~/.ssh/authorized_keys file. |
46 |
3) Logout of the remote system. |
47 |
4) Log into the remote system explicitly using the current key. |
48 |
5) Remove the prior key from the ~/.ssh/authorized_keys file. |
49 |
6) Logout of the remote system. |
50 |
|
51 |
This can be fairly easily automated. |
52 |
|
53 |
You can then loop across systems using this automation to update the key |
54 |
on systems that are online. |
55 |
|
56 |
You can relatively easily deal with systems that are offline currently |
57 |
later when they are back online. -- There are ways to differentiate |
58 |
between offline and bad credentials during day to day operations. So |
59 |
when you hit the bad credentials you leverage the automation that tries |
60 |
old credentials to update them. |
61 |
|
62 |
You end up bifurcating the pool of systems into different groups that |
63 |
need to be dealt with differently. Online and doing what you want; |
64 |
online but not doing what you want; and offline. |
65 |
|
66 |
> Changing passwords for servers and storing them in a password vault |
67 |
> is easier to automate. |
68 |
|
69 |
I disagree. |
70 |
|
71 |
Using passwords tends to negate things like authenticating to sudo with |
72 |
SSH keys / certificates, thus prompting the use of NOPASSWD:. |
73 |
|
74 |
|
75 |
|
76 |
-- |
77 |
Grant. . . . |
78 |
unix || die |