this post was submitted on 23 Jul 2023
59 points (96.8% liked)

Selfhosted

I have too many machines floating around, some virtual, some physical, and they're getting added and removed semi-frequently as I play around with different tools/try out ideas. One recurring pain point is I have no easy way to manage SSH keys around them, and it's a pain to deal with adding/removing/cycling keys. I know I can use AuthorizedKeysCommand in sshd_config to make the system fetch a remote key for validation, I know I could theoretically publish my pub key to GitHub or the like, but I'm wondering if there's something more flexible/powerful where I can manage multiple users (essentially roles) such that each machine can be assigned a role and automatically allow access accordingly?

I've seen Keyper before, but the container hasn't been updated for years, and the support Discord owner actively kicks everyone from the server, even after asking questions.

Is there any other solution out there that would streamline this process a bit?

[–] MajorHavoc 3 points 1 year ago* (last edited 1 year ago)

Sometimes the obvious solution is the way to go.

Your idea sounds good: go ahead and publish your pubkey(s) to a fully public URL you control and can memorize.

Then you can stash or memorize the curl command needed to grab it (them) and authorize something to it (them).

A lot of more complicated solutions are just fancy ways to safely move private keys around.

For my private keys, I prefer to generate a new one for each use case, and throw them out when I'm done with them. That way I don't need a solution to move, share or store them.

Edit: Full disclosure - I do also use Ansible to deploy my public keys.
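Putting the two posts together, here is an added example (not code from the thread or from any project it mentions) of an AuthorizedKeysCommand helper that pulls per-role public keys over HTTPS from a URL you control, keeps only well-formed key lines, and fails closed on any fetch problem. The sshd_config lines, the key-server layout, the /etc/ssh/host-roles file and every name in it are assumptions.

```shell
#!/bin/sh
# Hypothetical AuthorizedKeysCommand helper; all paths and URLs are assumed.
# Assumed sshd_config lines on every managed host:
#   AuthorizedKeysCommand /usr/local/sbin/fetch-role-keys %u
#   AuthorizedKeysCommandUser nobody
# Assumed key-server layout (an HTTPS host you control):
#   https://keys.example.com/roles/<role>/<user>.keys   one public key per line
# Each host lists its roles in /etc/ssh/host-roles (world-readable), one per line.
KEYS_BASE_URL="${KEYS_BASE_URL:-https://keys.example.com/roles}"
ROLES_FILE="${ROLES_FILE:-/etc/ssh/host-roles}"

# Role and user names become URL path components: allow only a safe charset so a
# bad line in the roles file cannot steer the fetch to some other path.
valid_name() {
    printf '%s' "$1" | grep -Eq '^[a-z0-9][a-z0-9_-]{0,31}$'
}

# Keep only raw public-key lines (type, base64 blob, optional comment). Anything
# else in the response, e.g. an HTML error page or a line that starts with
# authorized_keys options such as command=, is dropped rather than passed to sshd.
filter_pubkeys() {
    grep -E '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)|sk-ssh-ed25519@openssh\.com|sk-ecdsa-sha2-nistp256@openssh\.com) [A-Za-z0-9+/]+=*( .*)?$' || true
}

# Fetch one role's keys for one user. --fail turns 404/5xx into empty output and
# --proto/--tlsv1.2 refuse plaintext or downgraded transport, so any fetch
# problem denies the login instead of falling back to something weaker.
fetch_role_keys() {
    valid_name "$1" && valid_name "$2" || return 1
    curl --silent --show-error --fail --max-time 5 --proto '=https' --tlsv1.2 \
        "$KEYS_BASE_URL/$2/$1.keys" | filter_pubkeys
}

# Union of keys over every role assigned to this host, for the user sshd asks about.
main() {
    valid_name "$1" || exit 1
    [ -r "$ROLES_FILE" ] || exit 1
    while IFS= read -r role; do
        [ -n "$role" ] && fetch_role_keys "$1" "$role"
    done < "$ROLES_FILE" | sort -u
}

# sshd always passes the username; with no argument (e.g. sourced for tests) do nothing.
if [ $# -ge 1 ]; then main "$1"; fi
```

sshd only honours the command if the script is owned by root and not writable by group or others, and it is worth keeping a local authorized_keys entry for one break-glass key so an outage of the key server does not lock you out of every host.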