We have many different systems that are managed by several people. We have chosen to use SSH public key authentication to access those systems. This works great, as there is no need to manage or share administrative account passwords, no need to remember passwords to the various systems (only the pass-phrase to your private key), and no need to interact (enter a password) with every remote command.
The problem is, the public keys installed on the systems need to be managed somehow. People come and go, keys may get compromised, responsibilities change (a person authorised to enter one system today may be authorised to access a different one tomorrow). Currently we manage it by manually editing ~/.ssh/authorized_keys files on every account that needs that, but that is a lot of work and prone to mistakes.
Is there any ready tool to manage public keys in such a scenario? Do you have your own solutions? Or is the whole idea of managing systems this way flawed?
As already mentioned by pulegium, any generic configuration management software like Puppet, Chef, Bcfg2 or cfengine could accomplish the task.
Since the authorized_keys file is not that complicated, you could also use rsync or a (D)SCM like git or hg to manage this file. You have the "master" file on one of your servers and serve it via rsync/git/hg/…. On every other server you run a cron job which periodically retrieves the master copy (if it was changed) and copies it to the correct local location. Heck, this would even work with pure HTTP or FTP.
The bottom line is: Have one "master" copy of your authorized_keys file and update it. Let the "clients" (the computers, which should have the current authorized_keys file) fetch it from your master server and deploy it locally.
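The client side of the "fetch the master copy and deploy it locally" cron job, as an added example that is not part of the original answer: a POSIX sh script that refuses to install anything that does not look like a clean authorized_keys file (a fetched HTML error page or an empty file would otherwise lock every admin out), fixes the permissions sshd insists on, and swaps the file in atomically. It assumes the master copy has already been pulled by rsync/git/HTTP to a local path; all paths are hypothetical and the sample keys are constructed, not real.

```shell
#!/bin/sh
# Added example: install an already-fetched master authorized_keys on a client.
# Paths are hypothetical; the sample key material below is constructed.
set -eu
umask 077   # nothing this script creates may be group/world readable

# Exit 0 only if every non-blank, non-comment line is an OpenSSH public key
# (optional options field, key type, base64 blob, optional comment) and at
# least one key is present. Anything else is treated as a corrupt download.
validate_keys() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }            # comment or blank line
        {
            ok = 0
            for (i = 1; i < NF; i++)              # options field may precede the type
                if ($i ~ /^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521))$/ &&
                    $(i+1) ~ /^[A-Za-z0-9+\/]+=*$/) ok = 1
            if (ok) good++; else bad++
        }
        END { exit !(good > 0 && bad == 0) }
    ' "$1"
}

# Install $1 as $2/authorized_keys: validate, enforce 700 on the directory and
# 600 on the file (sshd ignores the file otherwise), then rename into place so
# sshd never sees a half-written file.
install_keys() {
    src="$1"; sshdir="$2"; dst="$sshdir/authorized_keys"
    if ! validate_keys "$src"; then
        echo "refusing to install $src: not a clean authorized_keys file" >&2
        return 1
    fi
    mkdir -p "$sshdir" && chmod 700 "$sshdir"
    if [ -f "$dst" ] && cmp -s "$src" "$dst"; then
        return 0                                  # unchanged: leave mtime alone
    fi
    tmp="$dst.tmp.$$"
    cp "$src" "$tmp" && chmod 600 "$tmp" && mv -f "$tmp" "$dst"
}

# Constructed sample master file (no real keys) so the script runs offline;
# a real cron job would rsync/curl the master copy here first.
write_sample_master() {
    printf '%s\n' \
        '# managed centrally, local edits are overwritten' \
        'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLE alice@admin' \
        'command="/usr/local/bin/backup",no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEXAMPLE backup@host' \
        > "$1"
}

WORK=$(mktemp -d)
write_sample_master "$WORK/master"
install_keys "$WORK/master" "$WORK/alice/.ssh" && echo "installed $WORK/alice/.ssh/authorized_keys"
```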
There is a patch available for OpenSSH that allows it to use public keys from an LDAP server, but this only really makes sense if your auth/account checks are also done against that LDAP server (which is how my environment is set up). Also it's only as secure as your LDAP configuration (so you want to be using SSL & verifying keys).
See http://code.google.com/p/openssh-lpk/ for the patch and further details. I don't know any OS that ships with this patch by default, but if you're running FreeBSD it's an optional patch if you use the OpenSSH from ports.
I run a very easy solution that does the same with firewall rules.
Example file hosts.conf:
distribute.sh:
That's the whole magic :-)
I am currently checking out SSH KeyDB. It is meant to do exactly that: administer roles, servers and users, distribute user keys, gather host keys etc. It even has something called "locations".
I haven't worked it all out yet and I am not sure if it is fully working. The code is in python however and seems to be fairly manageable, so it shouldn't be too hard to dust it off and get it working.
I'm not sure what you mean by many, nor do I know if you're willing to change, but Kerberos is the droid you're looking for. That will solve your problems elegantly, and will authenticate both people and machines.
You have two (that generally turn into 3) different problems that you're trying to solve:
Public-key auth is an ok way to authenticate sometimes, but doesn't address authorization at all. I don't like public-key auth, as it is very easy to compromise (especially internally) unless you have some good controls in place.
That's where solutions like Kerberos come into play. In the Windows world, Active Directory solves this problem. In the Unix world, there are an abundance of choices, which is both a good thing and a bad thing.
I'd check out the Red Hat FreeIPA project, which is a bundle of software that makes it easy to get an AD-like Kerberos/LDAP/DNS system up and running quickly.
You can use Bcfg2 with bcfg2-accounts to distribute authorized_keys. As an added bonus, you'll have the ability to control users and groups. Bcfg2 enables pain-free maintenance of /etc/ssh/ssh_known_hosts with SSHbase as well. There's also SKM