Table of Contents

Marc Verhaar 2021/04/29 08:26 FIXME

SSH key management

Also check: https://medium.com/rackbrains/automate-ssh-key-rotation-with-ansible-part-1-a99934d2dfc9

The SSH key management system consists of several elements:

Public keys can be shared freely and are stored in ~/.ssh/authorized_keys on the server.

Private keys must be kept secret and is stored as ~/.ssh/id_rsa on the client.

For a secure use of SSH keys and key rotation it is advised to use one key per user (which can be present at multiple client computers).

FIXME Type of is important; default key that is generated is rsa but ed25519 is more safe.

Rotating SSH keys:

The SSH key rotation process involves three steps:

  1. Create a new SSH key
  2. Add the public key to the authorized_keys file on all SSH servers
  3. Copy the private key to all clients
  4. Test the new keys and remove the old keys (from authorized_keys on servers and private keys from clients)

The location to hold the private keys is important! In my case it should probably be the SSH gateway because it requires 2FA. I need to determine if this server should also be the ansible server to run from or if it is possible to use the existing Ansible server and get the keys from the gateway.

The best option may be to add 2FA to the Ansible server.

Ansible playbook:

The ideal playbook would be able to:

Some things to consider:

To do:

<todo>Create 3 nodes (1 server, 2 clients) for testing</todo>

<todo>Task 2</todo>

<todo>Task 3</todo>

<todo>Task 4</todo>