I have too many machines floating around, some virtual, some physical, and they’re getting added and removed semi-frequently as I play around with different tools/try out ideas. One recurring pain point is I have no easy way to manage SSH keys around them, and it’s a pain to deal with adding/removing/cycling keys. I know I can use AuthorizedKeysCommand on sshd_config to make the system fetch a remote key for validation, I know I could theoretically publish my pub key to github or alike, but I’m wondering if there’s something more flexible/powerful where I can manage multiple users (essentially roles) such that each machine can be assigned a role and automatically allow access accordingly?

I’ve seen Keyper before, but the container haven’t been updated for years, and the support discord owner actively kicks everyone from the server, even after asking questions.

Is there any other solution out there that would streamline this process a bit?

  • neoney@lemmy.neoney.dev
    link
    fedilink
    English
    arrow-up
    2
    arrow-down
    4
    ·
    1 year ago

    all I know is that on NixOS you can declare the authorized keys for each user in the config

    • chiisana@lemmy.chiisana.netOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      Yeah, the problem is that I have 2 physical servers, each with 5 to 10 VMs on it, and a bunch of other VMs scattered across different cloud providers; it gets tricky to edit the ~/.ssh/authorized_keys file on each of them to reflect a new SSH key (i.e.: new machine on the “network”) or replace an existing SSH key (i.e.: annual key cycle).

      • neoney@lemmy.neoney.dev
        link
        fedilink
        English
        arrow-up
        2
        arrow-down
        5
        ·
        1 year ago

        yeah what i mean is on nixos you make 1 config for them all and you’d just change the key in 1 spot

        • Daniel Phan@lemm.ee
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          You do realize that those machines are not necessarily NixOS right? It is best to separate the management of SSH from NixOS declarative nature since what you would really want to be declarative is ACL rules, not network topology/SSH keys. For example you can use Netbird or Tailscale and their respective SSH feature.