What is the easiest way to manage the authorized_keys file for openssh across a large number of hosts? If I need to add or revoke a new key to an account on, say, 10 hosts, I must log in and add the public key manually, or through a clumsy shell script, which is time consuming.
Ideally there would be a central database linking keys to accounts@machines with some sort of grouping support (i.e., add this key to username X on all servers in the web category). There's a fork of SSH with ldap support, but I'd rather use the mainline SSH packages.
4 solutions
#1
5
I'd check out the Monkeysphere project. It uses OpenPGP's web of trust concepts to manage ssh's authorized_keys and known_hosts files, without requiring changes to the ssh client or server.
#2
3
I use Puppet for lots of things, including this (using the ssh_authorized_key resource type).
#3
0
I've always done this by maintaining a "master" tree of the different servers' keys, and using rsync to update the remote machines. This lets you edit things in one location, push the changes out efficiently, and keeps things "up to date" -- everyone edits the master files, no one edits the files on random hosts.
You may want to look at projects which are made for running commands across groups of machines, such as Func at https://fedorahosted.org/func or other server configuration management packages.
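The "master tree pushed with rsync" approach above, combined with the grouping the question asks for, can be a short script rather than hand-edited files. The following is an added example written for this page, not code from the thread or from any of the projects mentioned: it keeps one inventory of keys with `user@group` grants, renders a per-host, per-user `authorized_keys` tree, and builds the `rsync` command for each host. Every host name, group, user and key string in it is a constructed placeholder, and it assumes the fleet's `sshd_config` uses `AuthorizedKeysFile /etc/ssh/authorized_keys/%u` so that the pushed directory is the only source of keys.

```python
"""Render per-user authorized_keys files for a fleet from one central inventory
and build the rsync command that pushes each host's tree.
Added example; hosts, users, groups and keys below are constructed placeholders."""
from __future__ import annotations

import os
from pathlib import Path

# Hypothetical fleet grouping ("web" and "db" are the question's categories).
HOST_GROUPS: dict[str, list[str]] = {
    "web": ["web1.example.internal", "web2.example.internal"],
    "db": ["db1.example.internal"],
}

# Central inventory. Each grant is "user@group"; group "all" means every host.
# Setting "revoked": True drops the key from every rendered file on the next run,
# which is the revocation step the question found tedious to do host by host.
KEYS: list[dict] = [
    {"id": "alice-laptop",
     "pubkey": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeKeyMaterialAliceXXXXXXXXXXXXX alice@laptop",
     "grants": ["deploy@web", "alice@all"],
     "options": 'from="10.0.0.0/8"'},             # only honoured from the office range
    {"id": "bob-workstation",
     "pubkey": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeKeyMaterialBobXXXXXXXXXXXXXXX bob@ws",
     "grants": ["postgres@db"],
     "options": "restrict,pty"},                  # shell only: no forwarding or agent
    {"id": "retired-contractor",
     "pubkey": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQFakeRetiredKeyXXXXXXXXXXXXXXXXXXX old@laptop",
     "grants": ["deploy@web"],
     "revoked": True},
]


def is_valid_pubkey(line: str) -> bool:
    """Sanity check one OpenSSH public key line. A smuggled newline would turn
    one inventory entry into two authorized keys, so reject it explicitly."""
    if "\n" in line or "\r" in line:
        return False
    parts = line.split(" ")
    return len(parts) >= 2 and parts[0].startswith(("ssh-", "ecdsa-", "sk-")) and bool(parts[1])


def expand_group(group: str, host_groups: dict[str, list[str]] = HOST_GROUPS) -> list[str]:
    """Resolve a group to its hosts; an unknown group is an error, not silently empty."""
    if group == "all":
        return sorted({h for hosts in host_groups.values() for h in hosts})
    if group not in host_groups:
        raise KeyError(f"unknown host group: {group!r}")
    return list(host_groups[group])


def render(keys: list[dict] = KEYS,
           host_groups: dict[str, list[str]] = HOST_GROUPS) -> dict[str, dict[str, str]]:
    """Return {host: {user: authorized_keys_text}} for the whole fleet.
    Output is sorted and de-duplicated, so an unchanged inventory re-renders
    byte-identically and a diff of the build tree shows only real changes."""
    tree: dict[str, dict[str, set[str]]] = {}
    for key in keys:
        if key.get("revoked"):
            continue
        if not is_valid_pubkey(key["pubkey"]):
            raise ValueError(f"{key['id']}: not an OpenSSH public key line")
        line = f"{key['options']} {key['pubkey']}" if key.get("options") else key["pubkey"]
        for grant in key["grants"]:
            user, sep, group = grant.partition("@")
            if not sep or not user or not group:
                raise ValueError(f"{key['id']}: grant must be user@group, got {grant!r}")
            for host in expand_group(group, host_groups):
                tree.setdefault(host, {}).setdefault(user, set()).add(line)
    return {host: {user: "\n".join(sorted(lines)) + "\n" for user, lines in users.items()}
            for host, users in tree.items()}


def write_tree(rendered: dict[str, dict[str, str]], build_dir: str = "build") -> list[str]:
    """Write build/<host>/<user>, mode 0644 (StrictModes rejects group/world-writable
    key files). Returns the paths written, sorted."""
    written = []
    for host, users in rendered.items():
        host_dir = Path(build_dir) / host
        host_dir.mkdir(parents=True, exist_ok=True)
        for user, text in users.items():
            path = host_dir / user
            path.write_text(text)
            os.chmod(path, 0o644)
            written.append(str(path))
    return sorted(written)


def push_command(host: str, build_dir: str = "build",
                 remote_dir: str = "/etc/ssh/authorized_keys") -> list[str]:
    """rsync argv mirroring one host's tree into a root-owned key directory.
    Assumes sshd_config sets `AuthorizedKeysFile /etc/ssh/authorized_keys/%u`, so
    users cannot append keys in their home directories and --delete removes the
    file of any user who no longer holds a grant. --chown needs rsync 3.1 or later."""
    return ["rsync", "-rt", "--delete", "--chmod=D0755,F0644", "--chown=root:root",
            f"{build_dir}/{host}/", f"root@{host}:{remote_dir}/"]


if __name__ == "__main__":
    fleet = render()
    for path in write_tree(fleet):
        print("wrote", path)
    for host in sorted(fleet):
        print(" ".join(push_command(host)))
```

Running the script renders the tree into `build/` and prints one `rsync` line per host; in practice the inventory would live in version control so a key addition or revocation is a reviewed commit followed by a re-render and push, which is exactly the "everyone edits the master, nobody edits random hosts" discipline the answer describes.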
#4
0
Have you considered using clusterssh (or similar) to automate the file transfer? Another option is one of the centralized configuration systems.
/Allan