Table of Contents
— Marc Verhaar 2021/04/29 08:26
SSH key management
Also check: https://medium.com/rackbrains/automate-ssh-key-rotation-with-ansible-part-1-a99934d2dfc9
The SSH key management system consists of several elements:
- private key: default location: ~/.ssh/id_rsa (0600) is the key the client uses for authentication
- public key: default location: ~/.ssh/id_rsa.pub (0644) is the key on the server
- known hosts: default location ~/.ssh/known_hosts (0644)
- authorized keys: default location: ~/.ssh/authorized_keys (0600)
Public keys can be shared freely and are stored in ~/.ssh/authorized_keys on the server.
Private keys must be kept secret and is stored as ~/.ssh/id_rsa on the client.
For a secure use of SSH keys and key rotation it is advised to use one key per user (which can be present at multiple client computers).
Type of is important; default key that is generated is rsa but ed25519 is more safe.
Rotating SSH keys:
The SSH key rotation process involves three steps:
- Create a new SSH key
- Add the public key to the authorized_keys file on all SSH servers
- Copy the private key to all clients
- Test the new keys and remove the old keys (from authorized_keys on servers and private keys from clients)
The location to hold the private keys is important! In my case it should probably be the SSH gateway because it requires 2FA. I need to determine if this server should also be the ansible server to run from or if it is possible to use the existing Ansible server and get the keys from the gateway.
The best option may be to add 2FA to the Ansible server.
Ansible playbook:
The ideal playbook would be able to:
- Create a keypair (optional)
- Can also be done manually
- Investigate other options (dsa/rsa, encryption bits)
- Have an inventory where servers and clients can be defined
- Copy the public key to the servers
- Copy the private key to the clients
- Remove old public keys from the servers
- Remove old private keys from the clients
- Check if all servers and clients received the new keys (how to handle offline nodes?)
- Make sure only key authentication is allowed
- Change password for user (optional)
Some things to consider:
- It is probably wise to first create a playbook to handle hostnames (share hosts file to all nodes)
- How to handle offline servers / clients and make sure playbook can be run another time:
- If the public keys on servers are removed, clients that did not receive the new keys are not able to connect. It is necessary that the Ansible playbook can still copy the private keys to the clients.
- If the old private keys are removed from the clients, they can not connect to servers which did not yet receive the new public keys. Therefor the playbook needs to be able to copy the new public keys to the servers which is not possible from clients that do not have the old new private key! Catch22!
- The way to solve this may be to keep a copy of the old and new keys on the ansible server and use these as is required for the task. These key pair should ne located in seperate directories.
- How much key pairs should be kept in order to be able to log into servers? Maybe it is best to just have 2 versions (old and new) and develop a method to make sure all keys were copied to all servers and clients.
- Should this be implemented in the playbook (check whether all servers and clients received new keys.
- If all else fails, allow password authentication to copy the keys.
To do:
<todo>Create 3 nodes (1 server, 2 clients) for testing</todo>
<todo>Task 2</todo>
<todo>Task 3</todo>
<todo>Task 4</todo>
