I have too many machines floating around, some virtual, some physical, and they’re getting added and removed semi-frequently as I play around with different tools/try out ideas. One recurring pain point is I have no easy way to manage SSH keys around them, and it’s a pain to deal with adding/removing/cycling keys. I know I can use AuthorizedKeysCommand on sshd_config to make the system fetch a remote key for validation, I know I could theoretically publish my pub key to github or alike, but I’m wondering if there’s something more flexible/powerful where I can manage multiple users (essentially roles) such that each machine can be assigned a role and automatically allow access accordingly?

I’ve seen Keyper before, but the container haven’t been updated for years, and the support discord owner actively kicks everyone from the server, even after asking questions.

Is there any other solution out there that would streamline this process a bit?

  • Kool_Newt@lemm.ee
    link
    fedilink
    English
    arrow-up
    2
    ·
    1 year ago

    This is a common pattern, typically called a “jump host” or “bastion host”.

    a script to cat my priv key through the relay

    When it comes to security, I typically recommend against rolling your own. SSH already has agent forwarding option to do this securely and the -J option to accomplish the same without even needing to forward the key. The agent can seem complex at first, it’s actually pretty simple and worth learning.

    Feel free to message me if you have more questions, I’ve got lots of experience w/ SSH.

    • InverseParallax@lemmy.world
      link
      fedilink
      English
      arrow-up
      1
      ·
      edit-2
      1 year ago

      I did not know -J, I rolled my own because I’ve been doing it forever and many of my tricks (non-ssh included) aren’t as easily portable across different os’s.

      For some reason ssh-copy-id has been failing for me sometimes lately because it can’t reach the agent, while cat always works, but I never learned much about the user agent, let me look into that now, thanks for the tip!