Private keys


#1

Hello, all.

What is the opscode-recommended method for managing ssh keys - private
keys in particular?

My aim is to create the rsa keypairs on source nodes, then have the pub
key added to another user’s authorized_keys on destination nodes;
preferably in databags / encrypted. Ideally having unique keypairs for
each source node.


#2

If it’s root keys you need to manage, and the SSH server can reach the nominal SSH client, it can be reasonable to use ssh-keyscan to obtain the public hostkeys and use the private hostkeys on the client end. There are security ramifications of this, but it’s very quick and easy to update.

Alternatively, the rsnapshot tries to do what you ask, but suffers the same problem as the current ‘users’ cookbook. It leaves plaintext of SSH private keys on the chef server, where any client can read them.

Nico Kadel-Garcia
Email: nkadel@gmail.com
Sent from iPhone

On Sep 2, 2015, at 11:46, “K. Adam Wolfe” kadamwolfe@gmail.com wrote:

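The workflow asked for in #1 (keypair generated on each source node, only the public half shipped to the destination user's authorized_keys) and the pitfall raised in #2 (private keys landing in plaintext on the Chef server) can be made concrete in a few lines of Ruby. The block below is an added example, not code from the thread, from the users cookbook, or from rsnapshot. It assumes a minimal data bag item layout (`id` plus `public_key`) and a constructed node name; the key generation with OpenSSL stands in for `ssh-keygen -t rsa` run on the source node, and the `contains_private_key?` check is the guard a practitioner would run before uploading an item.

```ruby
require 'openssl'

# Source node side: generate the RSA keypair locally (stands in for
# `ssh-keygen -t rsa` on the node). The PEM is returned only so the example
# can show what must never be placed in a data bag item.
def generate_source_node_key(node_name, bits = 2048)
  key = OpenSSL::PKey::RSA.new(bits)
  { node: node_name,
    private_pem: key.to_pem,
    public_line: openssh_public_line(key, "#{node_name}") }
end

# RFC 4251 "string": 4-byte big-endian length followed by the bytes.
def ssh_string(s)
  [s.bytesize].pack('N') + s
end

# RFC 4251 "mpint": big-endian two's complement, so a leading 0x00 is added
# when the top bit is set to keep the value positive.
def ssh_mpint(bn)
  bytes = bn.to_s(2)
  bytes = "\x00".b + bytes if bytes.getbyte(0) >= 0x80
  [bytes.bytesize].pack('N') + bytes
end

# Encode an RSA public key as the familiar "ssh-rsa AAAA... comment" line
# (wire blob is: string "ssh-rsa", mpint e, mpint n).
def openssh_public_line(key, comment)
  blob = ssh_string('ssh-rsa') + ssh_mpint(key.e) + ssh_mpint(key.n)
  "ssh-rsa #{[blob].pack('m0')} #{comment}"
end

# Parse an authorized_keys-style line back into its e and n; returns nil for
# anything that is not a well-formed ssh-rsa entry.
def parse_openssh_rsa_line(line)
  type, b64, _comment = line.split(' ', 3)
  return nil unless type == 'ssh-rsa' && b64
  blob = b64.unpack1('m0')
  fields = []
  pos = 0
  while pos + 4 <= blob.bytesize
    len = blob.byteslice(pos, 4).unpack1('N')
    fields << blob.byteslice(pos + 4, len)
    pos += 4 + len
  end
  return nil unless fields.size == 3 && fields[0] == 'ssh-rsa'
  { e: OpenSSL::BN.new(fields[1], 2), n: OpenSSL::BN.new(fields[2], 2) }
rescue ArgumentError
  nil
end

# What actually gets uploaded (as an encrypted data bag item, per #1): the
# public line and an id derived from the node name. The private PEM is left out.
def data_bag_item_for(keypair)
  { 'id' => keypair[:node].tr('.', '_'), 'public_key' => keypair[:public_line] }
end

# Pre-upload guard against the leak described in #2: refuse any item whose
# values carry PEM or OpenSSH private key material.
PRIVATE_KEY_MARKERS = ['PRIVATE KEY-----', 'BEGIN OPENSSH PRIVATE KEY'].freeze
def contains_private_key?(item)
  item.values.any? do |v|
    v.is_a?(String) && PRIVATE_KEY_MARKERS.any? { |m| v.include?(m) }
  end
end

# Destination node side: render the target user's authorized_keys from the
# data bag items, one line per source node, each prefixed with restrictive
# options so a stolen source-node key cannot be used for tunnelling.
def render_authorized_keys(items, options = 'no-agent-forwarding,no-port-forwarding,no-X11-forwarding')
  valid = items.select { |i| parse_openssh_rsa_line(i['public_key'].to_s) }
  valid.sort_by { |i| i['id'] }.map { |i| "#{options} #{i['public_key']}" }.join("\n") + "\n"
end

if __FILE__ == $0
  kp = generate_source_node_key('web01.example.internal') # constructed node name
  item = data_bag_item_for(kp)
  puts "item safe to upload: #{!contains_private_key?(item)}"
  puts render_authorized_keys([item])
end
```

The `parse_openssh_rsa_line` round trip is what lets the destination recipe reject malformed or tampered entries instead of writing them into authorized_keys verbatim; in a real cookbook the items would come from `Chef::EncryptedDataBagItem` rather than a literal hash.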