How do you manage your ssh key?

PaleoftPaleoft Member
edited April 20 in General

OK. Easter sale just passed, and five more VPS were added to my (idle) collection.
I have 67 VPS and 6 dedicated servers.
There are too many ssh keys now.

I know that some of you are managing hundreds of servers.
Any good practice for ssh key management?
How could you manage many ssh keys?

Some people recommended that I use these:
http://sshkeybox.com/
http://gravitational.com/teleport/

But I like my Mobaxterm and just paid for a license. Any suggestions?

Comments

  • ALinuxNinjaALinuxNinja Member
    edited April 20

    I just have one public SSH key (GPG) stored on Yubikey. Convenient when you need to sign stuff on other computers, and you don't need to store the keys on the computer itself.

    All of the servers are connected using Tinc, and run consul, so I can just connect to the servers by running ssh root@<name>.node.<region>.consul and enter in my YubiKey PIN if not unlocked.

  • ZerpyZerpy Member

    I separate keys depending on environment; if I have two systems that are not allowed to talk to each other, I use a new set of keys - so a single key can be on hundreds or thousands of servers.

    Is it insecure? No - not really, I do take safety precautions by only allowing SSH from a very small subset of trusted networks, and I rotate my keys rather frequently - every 3-4 months depending on the environment.

  • vfusevfuse Member, Provider

    I use Royal TSX (Win/Mac); you can store your keys, other authentication data and servers in an encrypted document.

  • I don't. Passwords are better

  • PaleoftPaleoft Member

    @vfuse said: I use Royal TSX (Win/Mac); you can store your keys, other authentication data and servers in an encrypted document.

    I will look into this one.
    Connection agent with Credential management.

  • PaleoftPaleoft Member

    @ALinuxNinja said: I just have one public SSH key (GPG) stored on Yubikey. Convenient when you need to sign stuff on other computers, and you don't need to store the keys on the computer itself.

    All of the servers are connected using Tinc, and run consul, so I can just connect to the servers by running ssh root@<name>.node.<region>.consul and enter in my YubiKey PIN if not unlocked.

    It needs some setup the first time, but I think this is a nice solution. Will try this one too.

    @Zerpy said: I separate keys depending on environment; if I have two systems that are not allowed to talk to each other, I use a new set of keys - so a single key can be on hundreds or thousands of servers.

    Is it insecure? No - not really, I do take safety precautions by only allowing SSH from a very small subset of trusted networks, and I rotate my keys rather frequently - every 3-4 months depending on the environment.

    I also like this solution. However, how could you manage to rotate hundreds of ssh keys in one go?

    @GenjiSwitchPls said: I don't. Passwords are better

    My brain sucks.
    Cannot remember too many passwords.

  • NekkiNekki Member

    Passwds ftw

  • BG32BG32 Member

    Store em on GitHub like your API keys

  • PaleoftPaleoft Member

    @Nekki said: Passwds ftw

    The Password is Dead, Long Live the Password

  • ehabehab Member

    @ALinuxNinja said:

    any special cool .ssh/config patterns?

  • @Paleoft said:

    @ALinuxNinja said: I just have one public SSH key (GPG) stored on Yubikey. Convenient when you need to sign stuff on other computers, and you don't need to store the keys on the computer itself.

    All of the servers are connected using Tinc, and run consul, so I can just connect to the servers by running ssh root@<name>.node.<region>.consul and enter in my YubiKey PIN if not unlocked.

    It needs some setup the first time, but I think this is a nice solution. Will try this one too.

    @Zerpy said: I separate keys depending on environment; if I have two systems that are not allowed to talk to each other, I use a new set of keys - so a single key can be on hundreds or thousands of servers.

    Is it insecure? No - not really, I do take safety precautions by only allowing SSH from a very small subset of trusted networks, and I rotate my keys rather frequently - every 3-4 months depending on the environment.

    I also like this solution. However, how could you manage to rotate hundreds of ssh keys in one go?

    @GenjiSwitchPls said: I don't. Passwords are better

    My brain sucks.
    Cannot remember too many passwords.

    Just use a single password?

  • Use Xshell; it has great key management.

  • WSSWSS Member

    I'm one of those freaks who has a different ssh key on every machine, and usually has password auth disabled. If something catastrophic happens and I lose the handful of equipment I have registered already, I've got bigger problems than attaching to a console and setting init=/bin/..

  • raindog308raindog308 Moderator

    GenjiSwitchPls said: I don't. Passwords are better

    GenjiSwitchPls said: Just use a single password?

    Not sure if...no, actually I am sure. You're trolling.

  • At a point, setting up Kerberos and turning on key exchange makes more sense than managing SSH keys.

  • TomTom Member
    edited April 20

    ALinuxNinja said: stored on Yubikey.

    Whoa! Could you expand on this? I've an old YubiKey (this one) and I'm wondering if it is worth upgrading. If it has this, I am definitely grabbing a new upgrade. :)

  • PaleoftPaleoft Member

    @flatland_spider said: At a point, setting up Kerberos and turning on key exchange makes more sense than managing SSH keys.

    Will also give Kerberos a shot, thanks.

  • ALinuxNinjaALinuxNinja Member
    edited April 21

    For those who asked, https://www.jfry.me/articles/2015/gpg-smartcard/ provides a good overview. It generates a GPG key that can also be used as an SSH key (see here for more details on how that works).

    I customized mine a bit, but the configuration is generally the same.

    For mac, place this in ~/.gnupg/gpg-agent.conf (remove old contents if exists). You will need GPGTools installed.

    pinentry-program /usr/local/MacGPG2/libexec/pinentry-mac.app/Contents/MacOS/pinentry-mac
    enable-ssh-support
    write-env-file
    use-standard-socket
    default-cache-ttl 600
    max-cache-ttl 7200

    After the key is plugged in, the pinentry will popup the first time you need to use the GPG SSH key.

  • bsdguybsdguy Member

    @WSS said: I'm one of those freaks who has a different ssh key on every machine, and usually has password auth disabled. If something catastrophic happens and I lose the handful of equipment I have registered already, I've got bigger problems than attaching to a console and setting init=/bin/..

    Me too. So what? I'm just anal about backups and such, so I wouldn't be in trouble if my box went up in flames.

    Plus: the beauty of scripting, and one can get good security comfortably. For high-sec needs one can even encrypt the ssh priv keys - and all of that beauty with a single password.

  • @Paleoft said:

    Some people recommended that I use these:
    http://sshkeybox.com/
    http://gravitational.com/teleport/

    But I like my Mobaxterm and just paid for a license. Any suggestions?

    WOW, I only store an ssh key on my MacBook. Why do we need different keys? And sshkeybox seems interesting, never heard of that.

  • PaleoftPaleoft Member
    edited April 21

    @jameshsi said:

    @Paleoft said:

    Some people recommended that I use these:
    http://sshkeybox.com/
    http://gravitational.com/teleport/

    But I like my Mobaxterm and just paid for a license. Any suggestions?

    WOW, I only store an ssh key on my MacBook. Why do we need different keys? And sshkeybox seems interesting, never heard of that.

    There are plenty of reasons to have multiple keys.
    Many people have one for work and one for private usage.

    I separate my servers into various working groups.
    Servers in the same working group share one key.

  • msg7086msg7086 Member

    I only use one SSH key for all my servers.

  • vimalwarevimalware Member
    edited April 21

    One passphrase-protected private key per owned machine, stored on FDE volumes.
    I have a nice templated .ssh/config that is live-synced to all machines and tries all the private keys in predefined paths (if a key isn't found, it just tries the next one until a match on the filesystem).
    Works for me and worth investing a few hours into.

    I have wildcards defined like:
    hostname- ([email protected] key-auth)
    hostname-root ([email protected] key-auth)
    hostnameunsafe ([email protected] with explicit password auth; only used for copying keys initially)

    Next step, yubikey.
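A worked version of this templated-config idea, added here as an example; it is not vimalware's actual file, and the group names, addresses, user name and key paths are constructed. The renderer writes one block per server (a plain alias, a `-root` variant, and an `-unsafe` variant that allows password auth only for the initial key copy) plus a catch-all `Host *` block. The resolver applies the ssh_config(5) matching rules (the first value seen for a keyword wins; IdentityFile accumulates across matching blocks) so you can check which key an alias will offer before relying on it.

```python
"""Render a grouped ~/.ssh/config and resolve what ssh would apply to an alias.
Constructed example: group names, addresses and key paths are not real."""
from fnmatch import fnmatchcase

# One key pair per working group, as described in the thread (constructed data).
GROUPS = {
    "web": {"hosts": {"web1": "203.0.113.10", "web2": "203.0.113.11"},
            "key": "~/.ssh/id_ed25519_web"},
    "db":  {"hosts": {"db1": "198.51.100.20"},
            "key": "~/.ssh/id_ed25519_db"},
}


def render_ssh_config(groups, user="deploy"):
    """Emit specific Host blocks first, then a catch-all; order matters because
    ssh keeps the first value it sees for each keyword."""
    lines = []
    for g in groups.values():
        for alias, ip in g["hosts"].items():
            # <alias>-root: same machine, root login, same group key.
            lines += [f"Host {alias}-root", f"    HostName {ip}", "    User root",
                      f"    IdentityFile {g['key']}", ""]
            # <alias>-unsafe: password auth only, used once to copy the key over.
            lines += [f"Host {alias}-unsafe", f"    HostName {ip}", f"    User {user}",
                      "    PubkeyAuthentication no", "    PasswordAuthentication yes", ""]
            # <alias>: everyday login with the group key.
            lines += [f"Host {alias}", f"    HostName {ip}", f"    User {user}",
                      f"    IdentityFile {g['key']}", ""]
    # Catch-all defaults: only offer configured keys, never fall back to passwords.
    lines += ["Host *", "    IdentitiesOnly yes", "    PasswordAuthentication no",
              "    AddKeysToAgent yes", ""]
    return "\n".join(lines)


def effective_options(config_text, target):
    """Resolve options for `target` the way ssh does: a Host block applies when a
    non-negated pattern matches and no '!' pattern does; the first value wins
    per keyword, except IdentityFile, which accumulates in order.
    Handles the 'Keyword value' form only (not 'Keyword=value')."""
    opts, identities, active = {}, [], False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key == "host":
            patterns = value.split()
            negated = any(fnmatchcase(target, p[1:]) for p in patterns if p.startswith("!"))
            positive = any(fnmatchcase(target, p) for p in patterns if not p.startswith("!"))
            active = positive and not negated
            continue
        if not active:
            continue
        if key == "identityfile":
            identities.append(value)
        else:
            opts.setdefault(key, value)
    if identities:
        opts["identityfile"] = identities
    return opts


if __name__ == "__main__":
    cfg = render_ssh_config(GROUPS)
    print(cfg)
    print(effective_options(cfg, "web1-root"))
```

`ssh -G <alias>` prints OpenSSH's own resolution of the same config and is the authoritative check. Keeping `IdentitiesOnly yes` matters once many keys sit in an agent: without it ssh offers every agent key before the configured file, and a server's default `MaxAuthTries` of 6 can be exhausted before the right key is tried.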

  • pbgbenpbgben Member, Provider

    password and 2fa

  • nepsneps Member

    WSS said: I'm one of those freaks who has a different ssh key on every machine, and usually has password auth disabled.

    This for me too.

  • I use the same key on all machines, just for one user. On the most important servers, 2FA; and all machines accept ssh connections only from my VPN IP.

  • PaleoftPaleoft Member

    @neps said:

    WSS said: I'm one of those freaks who has a different ssh key on every machine and usually has password auth disabled.

    This for me too.

    I also disable password auth. If I leave ssh password authentication on, there will be thousands of failed attempts in 24 hours.

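To put a number on those failed attempts, an added example (not Paleoft's own tooling) that summarises sshd authentication events from an auth.log excerpt. The log lines are constructed for the demo, with documentation-range addresses and a placeholder fingerprint; the regexes follow the "Failed password for ..." and "Accepted publickey for ... ssh2: <type> <fingerprint>" message formats OpenSSH writes. It also flags any "Accepted password" event, which should not occur once PasswordAuthentication is off and so is a cheap check that the hardening actually took effect on a host.

```python
"""Summarise sshd auth events: which sources hammer password auth, and which
logins succeeded by which method and key. Sample log lines are constructed."""
import re
from collections import Counter

FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+")
ACCEPTED_RE = re.compile(
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port \d+ ssh2"
    r"(?:: (?P<keytype>\S+) (?P<fingerprint>\S+))?")

# Constructed excerpt (not from a real host); the fingerprint is a placeholder.
SAMPLE_LOG = """\
Apr 21 03:12:01 vps1 sshd[2211]: Failed password for root from 203.0.113.7 port 51122 ssh2
Apr 21 03:12:03 vps1 sshd[2211]: Failed password for root from 203.0.113.7 port 51124 ssh2
Apr 21 03:12:05 vps1 sshd[2215]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2
Apr 21 03:13:10 vps1 sshd[2220]: Failed password for invalid user test from 198.51.100.9 port 40010 ssh2
Apr 21 03:15:44 vps1 sshd[2240]: Accepted publickey for deploy from 192.0.2.25 port 60011 ssh2: ED25519 SHA256:PLACEHOLDERfingerprintNotReal
Apr 21 03:16:02 vps1 sshd[2244]: Accepted password for deploy from 203.0.113.7 port 51140 ssh2
"""


def failed_by_source(log):
    """Count failed password attempts per source address."""
    counts = Counter()
    for line in log.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m["src"]] += 1
    return counts


def accepted_auths(log):
    """Successful logins with method, user, source and (for publickey) key fingerprint."""
    events = []
    for line in log.splitlines():
        m = ACCEPTED_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def findings(log, threshold=3):
    """Sources at or above `threshold` failures, plus any password login, which
    indicates PasswordAuthentication is still enabled on that host."""
    sources = failed_by_source(log)
    return {
        "bruteforce_sources": sorted(s for s, n in sources.items() if n >= threshold),
        "password_logins": [(e["user"], e["src"]) for e in accepted_auths(log)
                            if e["method"] == "password"],
    }


if __name__ == "__main__":
    print(failed_by_source(SAMPLE_LOG))
    print(findings(SAMPLE_LOG))
```

The fingerprint captured from "Accepted publickey" lines is what lets you tie a login back to an entry in your key inventory, which is the part that gets hard once one key is on hundreds of servers.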
  • M66BM66B Member
    edited April 21

    I always install two public ssh keys on each server: one for regular use and one as a backup. The private backup key is securely stored somewhere.

  • ZerpyZerpy Member

    @Paleoft said:

    @Zerpy said: I separate keys depending on environment; if I have two systems that are not allowed to talk to each other, I use a new set of keys - so a single key can be on hundreds or thousands of servers.

    Is it insecure? No - not really, I do take safety precautions by only allowing SSH from a very small subset of trusted networks, and I rotate my keys rather frequently - every 3-4 months depending on the environment.

    I also like this solution. However, how could you manage to rotate hundreds of ssh keys in one go?

    @GenjiSwitchPls said: I don't. Passwords are better

    My brain sucks.
    Cannot remember too many passwords.

    I generate the key pair - I maintain a list of authorized keys, I update my key, push it with ansible, takes just a few minutes for a few hundred servers worldwide.
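As an added example of the rotation Zerpy describes and the regular-plus-backup key layout M66B describes earlier (not either poster's code, and not how Ansible's authorized_key module works internally): a routine that rewrites an authorized_keys file, retiring one key by fingerprint, installing its replacement, carrying over any options such as `from=` or `command=`, and refusing to write a file with fewer than two keys so the backup key is never dropped. The key blobs are constructed base64, not real keys. Such a script would either run on each host from the push tool or generate the file the tool pushes.

```python
"""Rotate one key in an authorized_keys file while keeping the backup key.
Constructed example; the key blobs are valid base64 but not real keys."""
import base64
import hashlib
import re

# [options] keytype base64-blob [comment]; options are everything before the key type.
KEY_RE = re.compile(
    r"^(?P<options>.*?)\s*"
    r"(?P<type>ssh-ed25519|ssh-rsa|ssh-dss|ecdsa-sha2-nistp(?:256|384|521)|"
    r"sk-ssh-ed25519@openssh\.com|sk-ecdsa-sha2-nistp256@openssh\.com)\s+"
    r"(?P<blob>[A-Za-z0-9+/=]+)(?:\s+(?P<comment>.*))?$")


def fingerprint(blob):
    """SHA256 fingerprint as ssh-keygen -lf reports it: unpadded base64 of the digest."""
    digest = hashlib.sha256(base64.b64decode(blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text):
    """Parse non-comment lines into dicts; comment lines are not preserved."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.match(line)
        if not m:
            raise ValueError(f"unparseable authorized_keys line: {line!r}")
        e = m.groupdict()
        e["comment"] = (e["comment"] or "").strip()
        e["fingerprint"] = fingerprint(e["blob"])
        entries.append(e)
    return entries


def render_authorized_keys(entries):
    return "\n".join(" ".join(p for p in (e["options"], e["type"], e["blob"], e["comment"]) if p)
                     for e in entries) + "\n"


def rotate(text, retire_fp, new_key_line, keep_min=2):
    """Replace the entry with fingerprint `retire_fp` by `new_key_line`. Options of
    the retired entry carry over when the new line has none. Refuses to produce
    fewer than `keep_min` keys (lockout guard). Re-running is a no-op."""
    entries = parse_authorized_keys(text)
    new = parse_authorized_keys(new_key_line)[0]
    retired = [e for e in entries if e["fingerprint"] == retire_fp]
    kept = [e for e in entries if e["fingerprint"] != retire_fp]
    if retired and not new["options"]:
        new["options"] = retired[0]["options"]
    if all(e["fingerprint"] != new["fingerprint"] for e in kept):
        kept.append(new)
    if len(kept) < keep_min:
        raise ValueError(f"refusing to write {len(kept)} key(s); minimum is {keep_min}")
    return render_authorized_keys(kept)


def _b64(s):
    return base64.b64encode(s.encode()).decode()


# Constructed sample file: a regular key, and a backup key restricted to one subnet.
OLD_KEY = f"ssh-ed25519 {_b64('constructed-old-regular-key')} ops@laptop"
BACKUP_KEY = f'from="192.0.2.0/24" ssh-ed25519 {_b64("constructed-offline-backup-key")} backup@offline'
NEW_KEY = f"ssh-ed25519 {_b64('constructed-new-regular-key')} ops@laptop-2024q2"
CURRENT_FILE = f"# managed by rotation script\n{OLD_KEY}\n{BACKUP_KEY}\n"

if __name__ == "__main__":
    old_fp = parse_authorized_keys(OLD_KEY)[0]["fingerprint"]
    print(rotate(CURRENT_FILE, old_fp, NEW_KEY))
```

Because fingerprints are computed the same way `ssh-keygen -lf old.pub` prints them, the value to retire can be taken straight from that command's output and kept in the inventory of authorized keys alongside the server list.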

  • sinsin Member

    @WSS said: I'm one of those freaks who has a different ssh key on every machine, and usually has password auth disabled. If something catastrophic happens and I lose the handful of equipment I have registered already, I've got bigger problems than attaching to a console and setting init=/bin/..

    I do the same, I have a key for each server.

  • bapbap Member

    +1 vote for a different ssh key on each server; I'm not a server addict anyway. But for a large backend (a load-balanced backend, for example), I just use a single ssh key.

  • dmzhostdmzhost Member

    Sorry if I'm asking you, but what's the reason for buying so many VPS? Wouldn't it be easier to buy a big dedicated (let's say with 128 GB of RAM and dual CPU) and later virtualize it?

  • dmzhost said: Sorry if I'm asking you, but what's the reason for buying so many VPS? Wouldn't it be easier to buy a big dedicated (let's say with 128 GB of RAM and dual CPU) and later virtualize it?

    Don't put all your eggs in one basket. Besides I guess most people have so many of them around the world because they probably couldn't resist a nice discount on them.

  • PaleoftPaleoft Member

    @dmzhost said: Sorry if I'm asking you, but what's the reason for buying so many VPS? Wouldn't it be easier to buy a big dedicated (let's say with 128 GB of RAM and dual CPU) and later virtualize it?

    There's plenty of reasons to have a group of small machines.
    Storage, image hosting, VPN, reverse proxy, etc.

  • @Paleoft said:

    @dmzhost said: Sorry if I'm asking you, but what's the reason for buying so many VPS? Wouldn't it be easier to buy a big dedicated (let's say with 128 GB of RAM and dual CPU) and later virtualize it?

    There's plenty of reasons to have a group of small machines.
    Storage, image hosting, VPN, reverse proxy, etc.

    Hoarding. That's more LET. I've killed my addiction at last.

  • ardaarda Member

    I also used to use GPG on my YubiKey 4; however, that gpg2ssh stuff always hogs the CPU on 2 of my machines, so I gave up.

    I store it in my personal machine and a backup on an offline usb flash drive. I try to 2fa everywhere I can.

  • +1 to xshell and also to Cryptostick.

  • PaleoftPaleoft Member

    @IonSwitch_Nick said: I generally build a script that changes SSH port, disables root login, and installs my Foxpass script (an LDAP, semi-free as a service, allows for SSH key syncing) that I run as a startup script on the machine. https://www.foxpass.com/

    This is new for me. I will try it.