this post was submitted on 10 Oct 2023
50 points (96.3% liked)
Linux
48372 readers
1645 users here now
From Wikipedia, the free encyclopedia
Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).
Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.
Rules
- Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.
- No misinformation
- No NSFW content
- No hate speech, bigotry, etc
Related Communities
Community icon by Alpár-Etele Méder, licensed under CC BY 3.0
founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
I'm surprised no one mentioned ansible yet. It's meant for this (and more).
By ssh keys I assume you're talking about authorized_keys, not private keys. I agree with other posters that private keys should not be synced, just generate new ones and add them to the relevant servers authorized_keys with ansible.
If the keys are password protected.... eh why not sync them.
Also ssh certificates are a thing, they make doing that kind of stuff way easier instead of updating known hosts and authorized keys all the time
Passwords will be brute forced if it can be done offline.
Private SSH keys should never leave a machine. If a key gets compromised without you knowing, in worst case you will revoke the access it has once the machine's lifespan is over. If you copy around one key, it may get compromised on any of the systems, and you will never revoke the access it has.
And you may not want to give all systems the same access everywhere. With one key per machine, you can have more granularity for access.
Set a good high entropy password, you can even tie it to your login password with ssh-agent usually
If this actually matters, put your SSH key on a yubikey or something
People generally don't sit on keys, this is worthless. Also knowing people I've worked with... no, they won't think to revoke it unless forced to
Just replace the key in authorized_keys and resync
One of the few reasons to do this, though this tends to not match "one key per machine" and more like "one key per process that needs it"
Like yeah, it's decent standard advice... for corporate environments with many users. For a handful of single-user systems, it essentially doesn't matter (do you have a different boot and login key for each computer lol, the SSH keys are not the weak point)