
Re: [Fab-user] New to fabric (deploying authorized_keys, ....)


From: Jens Rantil
Subject: Re: [Fab-user] New to fabric (deploying authorized_keys, ....)
Date: Thu, 5 Sep 2013 11:04:56 +0200

Hi Thomas,

See my reply inline below.

On Thu, Sep 5, 2013 at 9:46 AM, Thomas Güttler <address@hidden> wrote:
Hi,

I am new to Fabric, but I have known SSH and Python for some years.


How do you install the ssh public key (.ssh/authorized_keys) on the remote host?
I guess you use fabric....

Nope, not necessary. You could just SSH into the machine and add the line to your authorized_keys-file manually. Here's a page that describes how to generate a key: http://www.linuxproblem.org/art_9.html

That said, you could very well use Fabric to execute the command line necessary to add the line. Something like

    run('echo "ssh-rsa ClCkUZckWBQ...== my-key" >> ~/.ssh/authorized_keys');
 
We are about 10 developers and have some systems to manage (less than a hundred).

Of course I want to use ssh public key auth, and not type in the password every time.

Just so you know, Fabric will cache the password. So, if you use the same password you will only have to enter it once and it will get reused for every single machine.
 
I am unsure if I should use one public/private key pair for all systems, or if
I should use a key for every system.

This obviously depends on your use-case. If you'd like different people to not have access to all machines, then you obviously will need to generate multiple keys. That said, I suggest you have one key pair for simplicity.

Also, when an SSH client connects to an SSH server, by default, it offers all of its private keys. There's a limit (at least in OpenSSH) as to how many keys can be offered on one login. I think it's like 10 or something. If you have many keys, you need to make sure to specify which key is for which host, which can be a hassle. Obviously, you could raise the limit, but it's there for a reason.
 
One key pair would be easier. But everyone who has access to this key can connect
to all systems ... not secure....

How do you handle this?

I'd say this is more of an organizational issue than anything else. Don't you trust your sysadmins? :) One way to handle this is to simply not allow your developers into these systems except possibly a staging environment. You script things in Fabric, possibly using strict code reviewing if you have _really_ tight security. The only machine that is allowed to get into your machines is then a central provisioning server that has the golden key. You could also use something like http://rundeck.org to audit everything that gets executed.
 
I could not find the requirements on the remote host. I opened a bug report:

  https://github.com/fabric/fabric/issues/973

Forgive me, if I am blind....

Do I need to install python, bash, fabric, paramiko, ... on the remote host?

I've replied in your issue on Github.

Cheers,
Jens
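
The `echo ... >> ~/.ssh/authorized_keys` one-liner in the message above appends a duplicate line on every run and does not check the key or the file permissions. The following is an added example, not part of the original message or of Fabric itself: it validates a public key line and builds an idempotent, shell-quoted command string that could be passed to Fabric's `run()`. The names `parse_public_key`, `install_command` and `sample_key` are hypothetical, and the sample key is constructed.

```python
import base64
import shlex
import struct

ALLOWED_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256"}

def parse_public_key(line):
    """Validate one OpenSSH public key line; return (type, blob_b64, comment)."""
    if "\n" in line or "\r" in line:
        raise ValueError("key must be a single line")
    parts = line.strip().split(None, 2)
    if len(parts) < 2 or parts[0] not in ALLOWED_TYPES:
        raise ValueError("missing or unsupported key type")
    key_type, blob_b64 = parts[0], parts[1]
    blob = base64.b64decode(blob_b64, validate=True)  # raises ValueError if malformed
    # The decoded blob begins with a length-prefixed copy of the key type.
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len] != key_type.encode():
        raise ValueError("declared key type does not match key blob")
    return key_type, blob_b64, parts[2] if len(parts) == 3 else ""

def install_command(line):
    """Build a shell command that adds the key only if it is not already present."""
    key_type, blob_b64, comment = parse_public_key(line)
    entry = " ".join(p for p in (key_type, blob_b64, comment) if p)
    return (
        "mkdir -p ~/.ssh && chmod 700 ~/.ssh && "
        "touch ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys && "
        "(grep -qF -- {blob} ~/.ssh/authorized_keys || "
        "printf '%s\\n' {entry} >> ~/.ssh/authorized_keys)"
    ).format(blob=shlex.quote(blob_b64), entry=shlex.quote(entry))

def sample_key():
    """Constructed, non-functional key: valid wire layout, all-zero key bytes."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(32)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " deploy@example"

if __name__ == "__main__":
    # With Fabric, the string would be passed to run(); here it is only printed.
    print(install_command(sample_key()))
```

The presence check matches on the base64 key material, so re-running the task leaves the file unchanged even if the comment differs.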
