Updating SSH Keys Across an Environment
=======================================
:author: Aaron Ball
:email: nullspoon@iohq.net
:revdate: February 15, 2016


== {doctitle}

Most Linux environments with a sizeable number of servers generally use keys to
perform tasks from simple manual administration to gathering manifests, backing
up config files across an environment, and really any kind of automation. This
is because automation is effectively useless if you have to type a password
repeatedly to use it.

I recognize that statement isn't entirely true with the increase in popularity
of the various configuration management tools such as Puppet, Ansible, Chef,
SaltStack, etc. However, even with those tools (excepting Ansible, since it
requires ssh keys to function as well) there are certain edge cases where it is
still useful to have an ssh key configured for programmatic login.

That said, if a key is installed to several servers in an environment, as with
passwords, it is prudent to cycle this key (or keys) frequently to prevent
potential breaches in security that involve the login keys. To make this
process a bit easier, I wrote link:src/nullspoon/keymanage.git[a script] that
handles the process of key swapping.

With the keymanage script, you can execute the following operations on a list
of servers...

* Push a new key, being prompted for a password (it caches, so you will only be
  prompted once)

* Push a new key, using another key for passwordless login

* Delete a remote key, again being prompted for a password, or using an ssh key
  to do passwordless logins

* Swap a remote key with a different key. Note that this operation is seamless
  in that it uses the key to be removed for initial login, then the new key to
  remove the old key.
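
The file edit behind the swap operation above, as an added example (not code from keymanage or its author): the new key is installed and confirmed before the old one is removed, so a failed step never leaves the server without a working key. It assumes the keys live in an OpenSSH `authorized_keys` file; the function names and key strings are made up for this example, and the SSH transport keymanage uses is not reproduced.

```shell
#!/bin/sh
# Added example: the authorized_keys edit behind a "swap", run on each server.
# Keys are matched on the base64 blob (the field after the key type), so a
# different comment or an options prefix does not hide a match.

# key_blob 'PUBKEY LINE' -> prints the base64 blob of a public key line
key_blob() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i < NF; i++)
        if ($i ~ /^(ssh-|ecdsa-|sk-)/) { print $(i + 1); exit } }'
}

# has_key FILE 'PUBKEY LINE' -> exit 0 if the key's blob is present in FILE
has_key() {
    blob=$(key_blob "$2")
    [ -n "$blob" ] && [ -f "$1" ] &&
        awk -v b="$blob" '{ for (i = 1; i <= NF; i++) if ($i == b) f = 1 }
            END { exit !f }' "$1"
}

# add_key FILE 'PUBKEY LINE' -> append the key unless it is already present
add_key() {
    has_key "$1" "$2" && return 0
    ( umask 077; printf '%s\n' "$2" >> "$1" )
}

# remove_key FILE 'PUBKEY LINE' -> drop every line carrying that blob,
# writing a temp file first and renaming it so the file is never half-written
remove_key() {
    rblob=$(key_blob "$2"); [ -n "$rblob" ] || return 1
    tmp=$(mktemp "$1.XXXXXX") || return 1
    awk -v b="$rblob" '{ keep = 1; for (i = 1; i <= NF; i++) if ($i == b) keep = 0
        if (keep) print }' "$1" > "$tmp" && chmod 600 "$tmp" && mv "$tmp" "$1"
}

# swap_key FILE 'OLD' 'NEW' -> install NEW, confirm it landed, then remove OLD.
# Refuses if OLD and NEW are the same key, which would leave no key at all.
swap_key() {
    [ "$(key_blob "$2")" != "$(key_blob "$3")" ] || return 1
    add_key "$1" "$3" || return 1
    has_key "$1" "$3" || return 1
    remove_key "$1" "$2"
}

# Demo on a constructed file (the blobs are placeholders, not real keys).
OLD='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5OLDconstructed admin@old'
NEW='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5NEWconstructed admin@new'
demo=$(mktemp -d) && printf 'no-pty %s\n' "$OLD" > "$demo/authorized_keys"
swap_key "$demo/authorized_keys" "$OLD" "$NEW" && cat "$demo/authorized_keys"
```

Over a real connection, the confirmation step would be a fresh login with the new key before the old one is removed, which is the ordering the swap operation describes.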


I hope this script is useful to folks out there. If you have any questions,
comments, or improvements you'd like to make, send me an email and/or pull
request at {email}.


Category:Linux

[role="datelastedit"]
Last edited: {revdate}
// vim: set syntax=asciidoc:
