this post was submitted on 23 Jul 2023
59 points (96.8% liked)

Selfhosted

40008 readers
1030 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

I have too many machines floating around, some virtual, some physical, and they're getting added and removed semi-frequently as I play around with different tools/try out ideas. One recurring pain point is I have no easy way to manage SSH keys around them, and it's a pain to deal with adding/removing/cycling keys. I know I can use AuthorizedKeysCommand on sshd_config to make the system fetch a remote key for validation, I know I could theoretically publish my pub key to github or alike, but I'm wondering if there's something more flexible/powerful where I can manage multiple users (essentially roles) such that each machine can be assigned a role and automatically allow access accordingly?

I've seen Keyper before, but the container haven't been updated for years, and the support discord owner actively kicks everyone from the server, even after asking questions.

Is there any other solution out there that would streamline this process a bit?

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 4 points 1 year ago* (last edited 1 year ago) (1 children)

Are you initiating SSH connections from all these hosts?

If you just need to SSH to these hosts, use a single key and copy the public key only to the hosts you need to connect to. If you don't want to copy the pubkeys to target hosts, use LDAP + SSSD or certificates.

Then, if you do need to initiate connections from these hosts and use an SSH agent you can forward your agent and SSH to another host

client> ssh -A host1
host1> ssh host2
host2>
client> ssh -A host1
host1> ssh -A host2
host2> ssh -A host3
host3> 
[–] [email protected] 0 points 1 year ago* (last edited 1 year ago) (1 children)

Have an alias so trusted hosts can bounce through my authorization host and end up on a tmux session on the targetted host. It has logging and such but mostly it's for simplicity.

If I plan to use that connection a lot there's a script to cat my priv key through the relay.

Have an scp alias too, but that gets more complicated.

For more sensitive systems I have 2fa from gauth set up, works great.

[–] [email protected] 4 points 1 year ago (1 children)

This is a common pattern, typically called a "jump host" or "bastion host".

a script to cat my priv key through the relay

When it comes to security, I typically recommend against rolling your own. SSH already has agent forwarding option to do this securely and the -J option to accomplish the same without even needing to forward the key. The agent can seem complex at first, it's actually pretty simple and worth learning.

Feel free to message me if you have more questions, I've got lots of experience w/ SSH.

[–] [email protected] 2 points 1 year ago* (last edited 1 year ago) (1 children)

I did not know -J, I rolled my own because I've been doing it forever and many of my tricks (non-ssh included) aren't as easily portable across different os's.

For some reason ssh-copy-id has been failing for me sometimes lately because it can't reach the agent, while cat always works, but I never learned much about the user agent, let me look into that now, thanks for the tip!

[–] [email protected] 1 points 1 year ago

I think -J is newer and may not work if you have distro versions older than like 5 years (eg. Centos 7 or before). There is a less convenient syntax that does the same thing though

$ ssh -o ProxyCommand="ssh -W %h:%p bastion-host" remote-host

See: https://www.redhat.com/sysadmin/ssh-proxy-bastion-proxyjump