How do you manage your ssh key?
OK. Easter sale just passed. And five more VPS added into my (idle) collection.
I have 67 VPS and 6 dedicated servers.
There are too many ssh keys now.
I know that some of you are managing more than hundreds of servers.
Any good practice for ssh key management?
How could you manage many ssh keys?
Some people have recommended that I use these:
http://sshkeybox.com/
http://gravitational.com/teleport/
But I like my Mobaxterm and just paid for a license. Any suggestions?
Comments
I just have one public SSH key (GPG) stored on Yubikey. Convenient when you need to sign stuff on other computers, and you don't need to store the keys on the computer itself.
All of the servers are connected using Tinc, and run consul, so I can just connect to the servers by running
ssh root@<name>.node.<region>.consul
and enter my YubiKey PIN if it is not already unlocked. I separate keys depending on environment: if I have two systems that are not allowed to talk together, I use a new set of keys, so a single key can be on hundreds or thousands of servers.
Is it insecure? No - not really, I do take safety precautions by only allowing SSH from a very small subset of trusted networks, and I rotate my keys rather frequently - every 3-4 months depending on the environment.
I use Royal TSX (win/mac), you can store your keys and other authentication data and servers in an encrypted document.
I don't. Passwords are better.
I will look into this one.
Connection agent with Credential management.
It sometimes needs to be set up the first time, but I think this is a nice solution. Will try this one too.
I also like this solution. However, how do you manage to rotate hundreds of ssh keys in one go?
My brain sucks.
Cannot remember too many passwords.
Passwds ftw
Store 'em on GitHub like your API keys.
The Password is Dead, Long Live the Password
any special cool .ssh/config patterns?
Just use a single password?
Use Xshell, have a great key management.
I'm one of those freaks who has a different ssh key on every machine, and usually has password auth disabled. If something catastrophic happens and I lose the handful of equipment I have registered already, I've got bigger problems than attaching to a console and setting init=/bin/..
Not sure if...no, actually I am sure. You're trolling.
At a point, setting up Kerberos and turning on key exchange makes more sense than managing SSH keys.
Whoa! Could you expand on this? I've an old yubikey (this one) and am wondering if it is worth upgrading. If it has this, I am definitely grabbing an upgrade.
Will also give Kerberos a shot, thanks.
For those who asked, https://www.jfry.me/articles/2015/gpg-smartcard/ provides a good overview. It generates a GPG key that can also be used as an SSH key (see here for more details on how that works).
I customized mine a bit, but the configuration is generally the same.
For Mac, place this in ~/.gnupg/gpg-agent.conf (remove the old contents if the file exists).
You will need GPGTools installed.
After the key is plugged in, the pinentry will pop up the first time you need to use the GPG SSH key.
Me too. So what? I'm just anal about backups and such, so I wouldn't be in trouble if my box went up in flames.
Plus: the beauty of scripting, and one can get good security comfortably. For high-security needs one can even encrypt the ssh private keys, and all of that beauty with a single password.
WOW, I only store one ssh key on my MacBook. Why do we need different keys? And sshkeybox seems interesting, never heard of that.
There are plenty of reasons to have multiple keys.
Many people have one for work and one for private usage.
I separate my servers into various working groups.
Servers in the same working group share one key.
I only use one SSH key for all my servers.
One passphrase-protected private key per owned machine, stored on FDE volumes.
I have a nice templated .ssh/config that is live-synced to all machines, and tries all the private keys in pre-defined paths (if a key isn't found, it just tries the next one until there is a match on the filesystem).
Works for me and worth investing a few hours into.
I have wildcards defined like:
hostname- (myuser@hostname key-auth)
hostname-root (root@hostname key-auth)
hostnameunsafe (root@hostname with explicit password auth; only used for copying keys initially)
Next step, yubikey.
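The templated config described in the post above, written out as an added example (this is not the poster's own file). It renders the three aliases per host (`name-`, `name-root`, `nameunsafe`) and lists several IdentityFile candidates in order; OpenSSH skips an IdentityFile that does not exist locally, which is what lets one synced config work on every workstation. The user name, domain, key directory and the small parser used to check the output are all assumptions made for this example.

```python
"""Render a templated ~/.ssh/config with per-host aliases and a key search order.

Added example, not the poster's own configuration. The user name, host
names, domain and key paths are constructed for illustration.
"""

# Constructed: workstation keys to try after the per-host key, in order.
# OpenSSH silently skips an IdentityFile that is missing locally, so one
# config can be synced everywhere and each machine uses the keys it has.
CANDIDATE_KEYS = ["~/.ssh/id_ed25519", "~/.ssh/id_rsa"]


def host_entry(alias, hostname, user, key_auth, host_key_dir="~/.ssh/keys"):
    """Render one Host block.

    key_auth=False produces the 'unsafe' password-only alias that is used
    exactly once, to copy a public key onto a freshly installed server.
    """
    lines = [f"Host {alias}", f"    HostName {hostname}", f"    User {user}"]
    if key_auth:
        lines += [
            "    PasswordAuthentication no",
            "    IdentitiesOnly yes",  # offer only the listed keys, not every agent key
            f"    IdentityFile {host_key_dir}/{hostname}_ed25519",  # per-host key first
        ]
        lines += [f"    IdentityFile {k}" for k in CANDIDATE_KEYS]
    else:
        lines += [
            "    PubkeyAuthentication no",
            "    PreferredAuthentications password",
        ]
    return "\n".join(lines)


def render_config(user, hosts, domain):
    """hosts: short names; each gets 'name-', 'name-root' and 'nameunsafe' aliases."""
    blocks = []
    for h in hosts:
        fqdn = f"{h}.{domain}"
        blocks.append(host_entry(f"{h}-", fqdn, user, key_auth=True))
        blocks.append(host_entry(f"{h}-root", fqdn, "root", key_auth=True))
        blocks.append(host_entry(f"{h}unsafe", fqdn, "root", key_auth=False))
    # Defaults go last: ssh uses the first value it finds for each option,
    # so the specific Host blocks above take precedence over 'Host *'.
    blocks.append("Host *\n    ServerAliveInterval 30\n    HashKnownHosts yes")
    return "\n\n".join(blocks) + "\n"


def parse_config(text):
    """Minimal ssh_config reader: {alias: {option: [values...]}}, for checking output."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        if key == "Host":
            current = result.setdefault(value, {})
        else:
            current.setdefault(key, []).append(value)
    return result


if __name__ == "__main__":
    print(render_config("myuser", ["vps1", "db2"], "example.net"))
```

The per-host key path is listed before the shared workstation keys so that a dedicated key wins where one exists; `IdentitiesOnly yes` keeps ssh from offering every key loaded in the agent to every server, which also avoids the "too many authentication failures" lockouts that multi-key setups otherwise hit.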
password and 2fa
This for me too.
I use the same key on all machines, just for one user. On the most important servers I use 2FA, and all machines accept ssh connections only from my VPN IP.
I also disable password auth. If I leave ssh password authentication on, there will be thousands of failed attempts in 24 hours.
I do always install two public ssh keys on each server. One for regular use and one as backup. The private backup key is securely stored somewhere.
I generate the key pair - I maintain a list of authorized keys, I update my key, push it with ansible, takes just a few minutes for a few hundred servers worldwide.
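The two ideas in the posts above, a separate backup key on every server and a maintained authorized_keys list that gets re-pushed when the primary key changes, combined into one added example (not either poster's tooling). It rotates in two phases: stage the new primary key, confirm it can log in, and only then retire the old primary; the backup key and any unrelated deploy key are never touched. The key blobs, comments and the `login_ok` callback are constructed placeholders; pushing the resulting file to the servers (the poster uses ansible) is outside this snippet.

```python
"""Two-phase rotation of the primary key in authorized_keys, keeping a backup key.

Added example, not the posters' own tooling. The key material below is
constructed placeholder text, not real public keys.
"""

# Constructed authorized_keys: the current primary key, the backup key,
# and a restricted deploy key that rotation must leave alone.
AUTHORIZED_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPRIMARYKEYCONSTRUCTED0000000000000 primary-2023-12
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBACKUPKEYCONSTRUCTED00000000000000 backup
restrict,command="/usr/local/bin/backup-pull" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDEPLOYKEYCONSTRUCTED00000000000000 backup-runner
"""

# Constructed replacement primary key; the comment carries the rotation date.
NEW_PRIMARY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINEWPRIMARYCONSTRUCTED000000000000 primary-2024-04"

KEY_TYPES = {
    "ssh-ed25519", "ssh-rsa",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
}


def parse_line(line):
    """Return (keytype, blob, comment) for an authorized_keys line, or None for blanks/comments.

    Leading options (restrict, command=..., from=...) are skipped by locating the
    key-type token; the raw line is kept as-is when written back.
    """
    tokens = line.split()
    if not tokens or tokens[0].startswith("#"):
        return None
    for i, tok in enumerate(tokens):
        if tok in KEY_TYPES and i + 1 < len(tokens):
            return tok, tokens[i + 1], " ".join(tokens[i + 2:])
    raise ValueError(f"unrecognised authorized_keys line: {line!r}")


def add_key(text, new_line):
    """Phase 1: append the new key unless the same blob is already present (idempotent)."""
    new_blob = parse_line(new_line)[1]
    lines = text.splitlines()
    if any((p := parse_line(l)) and p[1] == new_blob for l in lines):
        return text
    return "\n".join(lines + [new_line]) + "\n"


def retire_old_primaries(text, keep_blob, prefix="primary-"):
    """Phase 2: drop every key whose comment starts with prefix except keep_blob.

    Keys with other comments (the backup key, deploy keys) are untouched.
    """
    kept = []
    for l in text.splitlines():
        p = parse_line(l)
        if p and p[2].startswith(prefix) and p[1] != keep_blob:
            continue
        kept.append(l)
    return "\n".join(kept) + "\n"


def rotate(text, new_line, login_ok):
    """login_ok(staged_text) stands in for a real test login with the new key.

    If that check fails, the staged file (old key still valid) is returned so
    nothing is removed until the new key is proven to work.
    """
    staged = add_key(text, new_line)
    if not login_ok(staged):
        return staged
    return retire_old_primaries(staged, parse_line(new_line)[1])


def comments(text):
    """Key comments in file order; handy for a quick before/after diff."""
    return [p[2] for l in text.splitlines() if (p := parse_line(l))]


if __name__ == "__main__":
    print(rotate(AUTHORIZED_KEYS, NEW_PRIMARY, login_ok=lambda staged: True))
```

Tagging keys by comment (`primary-YYYY-MM`, `backup`) is what makes bulk rotation safe: the script never matches on key material it does not know, so a deploy key added by someone else survives, and the backup key remains as the recovery path if the new primary is lost before the next rotation.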
I do the same, I have a key for each server.