How do you manage your ssh key?

Paleoft Member
edited April 2017 in General

OK. Easter sale just passed. And five more VPS added into my (idle) collection.
I have 67 VPS and 6 dedicated servers.
There are too many ssh keys now.

I know that some of you are managing more than hundreds of servers.
Any good practice for ssh key management?
How could you manage many ssh keys?

Some people recommend me to use these:
http://sshkeybox.com/
http://gravitational.com/teleport/

But I like my Mobaxterm and just paid for a license. Any suggestions?


Comments

  • edited April 2017

    I just have one public SSH key (GPG) stored on Yubikey. Convenient when you need to sign stuff on other computers, and you don't need to store the keys on the computer itself.

    All of the servers are connected using Tinc, and run consul, so I can just connect to the servers by running ssh root@<name>.node.<region>.consul and enter in my YubiKey PIN if not unlocked.

    Thanked by: Paleoft, ehab, deadbeef
  • Zerpy Member

    I separate keys depending on environment, if I have two systems that are not allowed to talk together, I use a new set of keys - so a single key can be on hundreds or thousands of servers.

    Is it insecure? No - not really, I do take safety precautions by only allowing SSH from a very small subset of trusted networks, and I rotate my keys rather frequently - every 3-4 months depending on the environment.

    Thanked by: Paleoft
  • vfuse Member, Host Rep

    I use Royal TSX (win/mac), you can store your keys and other authentication data and servers in an encrypted document.

    Thanked by: Paleoft, imok, raindog308
  • I don't. Passwords are better

    Thanked by: BG32
  • @vfuse said:
    I use Royal TSX (win/mac), you can store your keys and other authentication data and servers in an encrypted document.

    I will look into this one.
    Connection agent with Credential management.

  • @ALinuxNinja said:
    I just have one public SSH key (GPG) stored on Yubikey. Convenient when you need to sign stuff on other computers, and you don't need to store the keys on the computer itself.

    All of the servers are connected using Tinc, and run consul, so I can just connect to the servers by running ssh root@<name>.node.<region>.consul and enter in my YubiKey PIN if not unlocked.

    Needs some setup the first time, but I think this is a nice solution. Will try this one too.

    @Zerpy said:
    I separate keys depending on environment, if I have two systems that are not allowed to talk together, I use a new set of keys - so a single key can be on hundreds or thousands of servers.

    Is it insecure? No - not really, I do take safety precautions by only allowing SSH from a very small subset of trusted networks, and I rotate my keys rather frequently - every 3-4 months depending on the environment.

    I also like this solution. However, how could you manage to rotate hundreds of ssh keys in one go?

    @GenjiSwitchPls said:
    I don't. Passwords are better

    My brain sucks.
    Cannot remember too many passwords.

  • Nekki Veteran

    Passwds ftw

  • BG32 Member

    Store em on GitHub like your API keys

  • @Nekki said:
    Passwds ftw

    The Password is Dead, Long Live the Password

  • ehab Member

    @ALinuxNinja said:

    any special cool .ssh/config patterns?

  • @Paleoft said:

    @ALinuxNinja said:
    I just have one public SSH key (GPG) stored on Yubikey. Convenient when you need to sign stuff on other computers, and you don't need to store the keys on the computer itself.

    All of the servers are connected using Tinc, and run consul, so I can just connect to the servers by running ssh root@<name>.node.<region>.consul and enter in my YubiKey PIN if not unlocked.

    Needs some setup the first time, but I think this is a nice solution. Will try this one too.

    @Zerpy said:
    I separate keys depending on environment, if I have two systems that are not allowed to talk together, I use a new set of keys - so a single key can be on hundreds or thousands of servers.

    Is it insecure? No - not really, I do take safety precautions by only allowing SSH from a very small subset of trusted networks, and I rotate my keys rather frequently - every 3-4 months depending on the environment.


    I also like this solution. However, how could you manage to rotate hundreds of ssh keys in one go?

    @GenjiSwitchPls said:
    I don't. Passwords are better


    My brain sucks.
    Cannot remember too many passwords.

    Just use a single password?

  • Use Xshell, it has great key management.

  • WSS Member

    I'm one of those freaks who has a different ssh key on every machine, and usually has password auth disabled. If something catastrophic happens and I lose the handful of equipment I have registered already, I've got bigger problems than attaching to a console and setting init=/bin/..

  • raindog308 Administrator, Veteran

    GenjiSwitchPls said: I don't. Passwords are better

    GenjiSwitchPls said: Just use a single password?

    Not sure if...no, actually I am sure. You're trolling.

  • At a point, setting up Kerberos and turning on key exchange makes more sense than managing SSH keys.

  • Tom Member
    edited April 2017

    ALinuxNinja said: stored on Yubikey.

    Whoa! Could you expand on this? I've an old yubikey (this one) and am wondering if it is worth upgrading. If it has this, I am definitely grabbing a new upgrade. :)

  • @flatland_spider said:
    At a point, setting up Kerberos and turning on key exchange makes more sense than managing SSH keys.

    Will also give Kerberos a shot, thanks.

  • edited April 2017

    For those who asked, https://www.jfry.me/articles/2015/gpg-smartcard/ provides a good overview. It generates a GPG key that can also be used as a SSH key (see here for more details on how that works).

    I customized mine a bit, but the configuration is generally the same.

    For mac, place this in ~/.gnupg/gpg-agent.conf (remove old contents if exists).
    You will need GPGTools installed.

    pinentry-program /usr/local/MacGPG2/libexec/pinentry-mac.app/Contents/MacOS/pinentry-mac
    enable-ssh-support
    write-env-file
    use-standard-socket
    default-cache-ttl 600
    max-cache-ttl 7200
    

    After the key is plugged in, the pinentry will pop up the first time you need to use the GPG SSH key.

  • @WSS said:
    I'm one of those freaks who has a different ssh key on every machine, and usually has password auth disabled. If something catastrophic happens and I lose the handful of equipment I have registered already, I've got bigger problems than attaching to a console and setting init=/bin/..

    Me too. So what? I'm just anal about backups and such, so I wouldn't be in trouble if my box went up in flames.

    Plus: with the beauty of scripting one can get good security comfortably. For high sec needs one can even encrypt the ssh priv keys - and all of that beauty with a single password.

  • @Paleoft said:

    Some people recommend me to use these:
    http://sshkeybox.com/
    http://gravitational.com/teleport/

    But I like my Mobaxterm and just paid for a license. Any suggestions?

    WOW, I only store one ssh key on my MacBook. Why do we need different keys? sshkeybox seems interesting, never heard of that.

  • Paleoft Member
    edited April 2017

    @jameshsi said:

    @Paleoft said:

    Some people recommend me to use these:
    http://sshkeybox.com/
    http://gravitational.com/teleport/

    But I like my Mobaxterm and just paid for a license. Any suggestions?

    WOW, I only store one ssh key on my MacBook. Why do we need different keys? sshkeybox seems interesting, never heard of that.

    There are plenty of reasons to have multiple keys.
    Many people have one for work and one for private usage.

    I separate my servers into various working groups.
    Servers in the same working group share one key.

  • I only use one SSH key for all my servers.

  • vimalware Member
    edited April 2017

    One passphrase-protected private key per owned machine, stored on FDE volumes.

    I have a nice templated .ssh/config that is live-synced to all machines, and tries all the private keys in pre-defined paths (if a key isn't found, it just tries the next one until a match on the filesystem).
    Works for me and worth investing a few hours into.

    I have wildcards defined like:

    hostname- (myuser@hostname key-auth)

    hostname-root (root@hostname key-auth)

    hostnameunsafe (root@hostname with explicit password auth; only used for copying keys initially)

    Next step, yubikey.
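A generator for the kind of templated config described above, added here as an example and not vimalware's own file: for every server it emits the `hostname-`, `hostname-root` and `hostnameunsafe` aliases, lists several candidate key paths (ssh skips an IdentityFile that does not exist locally, which is what lets one synced config work on machines holding different keys), and puts the strict `Host *` defaults last because ssh keeps the first value it sees per option. The login name, key search paths and working-group names are assumptions.

```python
# Template for one synced ~/.ssh/config with three aliases per server.
# Assumptions, not from the post: the login name, key search paths and
# working-group names are placeholders.
USER = "myuser"


def key_paths(group):
    # Candidate private keys, tried in order.  ssh skips an IdentityFile that
    # does not exist locally, so one synced config works on every machine
    # even though each machine holds different keys.  %h = target hostname.
    return ["~/.ssh/keys/%h", f"~/.ssh/keys/group-{group}", "~/.ssh/id_ed25519"]


def stanza(alias, host, user, auth, group):
    lines = [f"Host {alias}", f"    HostName {host}", f"    User {user}"]
    if auth == "key":
        lines.append("    IdentitiesOnly yes")  # offer only the listed keys
        lines += [f"    IdentityFile {p}" for p in key_paths(group)]
        lines.append("    PasswordAuthentication no")
    else:  # bootstrap alias: password only, used once for ssh-copy-id
        lines += ["    PubkeyAuthentication no",
                  "    PasswordAuthentication yes",
                  "    PreferredAuthentications password"]
    return "\n".join(lines) + "\n"


def render(hosts, user=USER):
    """hosts: iterable of (hostname, working_group) pairs -> ssh_config text."""
    parts = []
    for host, group in hosts:
        parts.append(stanza(f"{host}-", host, user, "key", group))
        parts.append(stanza(f"{host}-root", host, "root", "key", group))
        parts.append(stanza(f"{host}unsafe", host, "root", "password", group))
    # ssh keeps the *first* value it sees for each option, so the catch-all
    # defaults must come last or they would silently override the aliases.
    parts.append("Host *\n    PasswordAuthentication no\n"
                 "    IdentitiesOnly yes\n    HashKnownHosts yes\n")
    return "\n".join(parts)


if __name__ == "__main__":
    # constructed inventory: two prod boxes and one sandbox
    print(render([("web1", "prod"), ("db1", "prod"), ("lab3", "sandbox")]))
```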

  • pbgben Member, Host Rep

    password and 2fa

  • neps Member

    WSS said: I'm one of those freaks who has a different ssh key on every machine, and usually has password auth disabled.

    This for me too.

  • I use the same key on all machines, just for one user. On the most important servers 2FA, and all machines accept ssh connections only from my VPN IP.

  • @neps said:

    WSS said: I'm one of those freaks who has a different ssh key on every machine and usually has password auth disabled.

    This for me too.

    I also disable password auth. If I leave ssh password authentication on, there will be thousands of failed attempts in 24 hours.

    Thanked by: flatland_spider
  • M66B Veteran
    edited April 2017

    I always install two public ssh keys on each server. One for regular use and one as backup. The private backup key is securely stored somewhere.

    Thanked by: flatland_spider
  • Zerpy Member

    @Paleoft said:

    @Zerpy said:
    I separate keys depending on environment, if I have two systems that are not allowed to talk together, I use a new set of keys - so a single key can be on hundreds or thousands of servers.

    Is it insecure? No - not really, I do take safety precautions by only allowing SSH from a very small subset of trusted networks, and I rotate my keys rather frequently - every 3-4 months depending on the environment.


    I also like this solution. However, how could you manage to rotate hundreds of ssh keys in one go?

    @GenjiSwitchPls said:
    I don't. Passwords are better


    My brain sucks.
    Cannot remember too many passwords.

    I generate the key pair - I maintain a list of authorized keys, I update my key, push it with ansible, takes just a few minutes for a few hundred servers worldwide.
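The rotation Zerpy describes (one maintained list of authorized keys, pushed to every server) comes down to a reconciliation step per authorized_keys file; the following is an added example of that step, not Zerpy's tooling, run on constructed sample keys. It matches keys on their material rather than their comment, preserves any existing from= source restriction (Zerpy's second precaution), and keeps the offline backup key M66B mentions in the managed list; what it computes is what ansible's authorized_key module does with exclusive: true.

```python
import re

# An authorized_keys line is: [options] keytype base64blob [comment].  Options
# may contain quoted strings with spaces, so locate the key-type token first.
KEY_RE = re.compile(
    r"(?:^|\s)(?P<ktype>ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp\d+|sk-\S+)"
    r"\s+(?P<blob>[A-Za-z0-9+/=]+)(?:\s+(?P<comment>\S.*))?$"
)


def parse_authorized_keys(text):
    """Yield (options, ktype, blob, comment) per key line; skip blanks and #."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.search(line)
        if m is None:
            raise ValueError("unparseable authorized_keys line: %r" % line)
        yield line[: m.start()].strip(), m["ktype"], m["blob"], m["comment"] or ""


def rotate(current_text, managed_text, options_for_new=""):
    """Rewrite the file so exactly the managed keys remain.  Keys are matched
    on (type, blob), never on the comment.  A key already present keeps its
    existing options (from=, command=, ...); a key being added gets
    options_for_new.  Returns (new_text, added_comments, removed_lines)."""
    current = {(k, b): (o, c) for o, k, b, c in parse_authorized_keys(current_text)}
    out, added, removed, managed_ids = [], [], [], set()
    for _, ktype, blob, comment in parse_authorized_keys(managed_text):
        managed_ids.add((ktype, blob))
        if (ktype, blob) in current:
            opts = current[(ktype, blob)][0]
        else:
            opts = options_for_new
            added.append(comment)
        out.append(" ".join(f for f in (opts, ktype, blob, comment) if f))
    for (ktype, blob), (opts, comment) in current.items():
        if (ktype, blob) not in managed_ids:
            removed.append(" ".join(f for f in (opts, ktype, blob, comment) if f))
    return "\n".join(out) + "\n", added, removed


# Constructed sample data (not real keys): one server's current file, and the
# managed list after generating ops-2017-04 and retiring ops-2017-01.
CURRENT_KEYS = """\
from="10.0.0.0/8" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOLDKEYOLDKEYOLDKEYOLDKEY ops-2017-01
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBACKUPBACKUPBACKUPBACKUP backup-offline
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCSTRAYSTRAYSTRAY contractor-2016
"""
MANAGED_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINEWKEYNEWKEYNEWKEYNEWKEY ops-2017-04
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBACKUPBACKUPBACKUPBACKUP backup-offline
"""
```

The `removed` list is the audit trail worth logging per host: any key that was on a server but not in the managed list (the stray contractor key in the sample) is exactly what a rotation is meant to surface.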

  • sin Member

    @WSS said:
    I'm one of those freaks who has a different ssh key on every machine, and usually has password auth disabled. If something catastrophic happens and I lose the handful of equipment I have registered already, I've got bigger problems than attaching to a console and setting init=/bin/..

    I do the same, I have a key for each server.
