help-cfengine

Automating distribution of authorized_keys


From: Luke Youngblood
Subject: Automating distribution of authorized_keys
Date: Tue, 17 May 2005 12:38:19 -0400

I read Christian Pearce’s article on Managing Root Access and I had a few questions.  I would have written to Christian directly, but since he’s active on this list, I figured I might as well post here and get everyone’s input.

This seems like a pretty good strategy for automating root access management using cfengine, however, a couple of things come to mind:

  • This might work in a small shop where the same group of Sysadmins have root on all boxes.
  • This could even work in a large shop if you use something like SingleCopy nirvana to distribute the authorized_keys based on server role or department.

What I would really like to know is this:

  1. Has anyone implemented an authorized_keys distribution system that uses editfiles rather than copy?
  2. Do you think it would be possible to build an authorized_keys file on the fly if you had each sysadmin’s public key as a line in an editfiles statement?
  3. Taking this even further, could a sysadmin’s public key automatically be copied from their home directory and updated on the master cfengine repository to be included in an editfiles statement?  (This last action would allow anyone to regenerate their ssh key using ssh-keygen and have cfengine automatically update all authorized_keys files on all servers they have access to.)

I think the most difficult thing would be trying to turn the id_rsa.pub files (public keys) into an importable .cf file that could be included in an editfiles statement for #3 above.  Or is there an easier way to do this that I’m missing?

Thanks in advance for all your input.

Luke Youngblood
Senior System Administrator
PhoneCharge, Inc.
(203) 732-7639 x279
http://www.phonechargeinc.com
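One way to attack question #3 (turning a set of id_rsa.pub files into an importable .cf fragment), as an added example that is not part of the original post and not cfengine's own code: a small POSIX shell script that reads one public key per file from a directory, accepts only lines that are a plain OpenSSH key (type, base64 blob, optional one-word comment), and emits a cfengine 2 editfiles stanza that adds each accepted key with AppendIfNoSuchLine. The directory name, the target path and the sample keys are assumptions constructed for the demo; the stanza layout is cfengine 2 editfiles syntax and should be checked against the reference for the version in use.

```shell
#!/bin/sh
# Added example, not from the original post or from cfengine. Builds a
# cfengine 2 editfiles fragment from a directory of sysadmin public keys so
# authorized_keys can be assembled line by line instead of copied whole.

# Accept exactly one plain OpenSSH public key line: key type, base64 blob,
# optional single-word comment (user@host as ssh-keygen writes it). Option
# fields, extra words, quotes or shell text are rejected, so nothing
# unexpected reaches a root authorized_keys file and the .cf quoting cannot
# be broken by a stray double quote.
valid_key_line() {
    printf '%s\n' "$1" |
        grep -Eq '^(ssh-rsa|ssh-dss) [A-Za-z0-9+/]+={0,3}( [A-Za-z0-9._@-]+)?$'
}

# gen_fragment KEYDIR TARGET
# Print an editfiles stanza for every valid KEYDIR/*.pub; TARGET is the
# authorized_keys path on the managed hosts. Rejected files go to stderr.
gen_fragment() {
    keydir=$1
    target=$2
    printf 'editfiles:\n  any::\n    { %s\n' "$target"
    for f in "$keydir"/*.pub; do
        [ -f "$f" ] || continue
        # A .pub file must hold exactly one line; awk also counts a final
        # line that lacks a trailing newline.
        if [ "$(awk 'END { print NR }' "$f")" -ne 1 ]; then
            echo "skip $f: expected exactly one line" >&2
            continue
        fi
        key=$(cat "$f")
        if valid_key_line "$key"; then
            printf '      AppendIfNoSuchLine "%s"\n' "$key"
        else
            echo "skip $f: not a plain ssh public key line" >&2
        fi
    done
    printf '    }\n'
}

# make_sample_keys DIR
# Constructed sample input for the demo; the base64 blobs are placeholders,
# not real keys. Two files are valid, two are deliberately malformed.
make_sample_keys() {
    dir=$1
    mkdir -p "$dir"
    printf '%s\n' 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDsample1 alice@ws1' > "$dir/alice.pub"
    printf '%s\n' 'ssh-dss AAAAB3NzaC1kc3MAAACBAPsample2 bob@ws2' > "$dir/bob.pub"
    # Rejected: a leading options field is not a plain key line.
    printf '%s\n' 'command="/bin/true" ssh-rsa AAAAB3sample3 carol@ws3' > "$dir/carol.pub"
    # Rejected: two keys pasted into one file.
    printf '%s\n%s\n' 'ssh-rsa AAAAB3sample4 dave@ws4' \
        'ssh-rsa AAAAB3sample5 dave@laptop' > "$dir/dave.pub"
}

# Demo run: build the sample directory, print the fragment, clean up.
demo_dir=$(mktemp -d)
make_sample_keys "$demo_dir/admins"
gen_fragment "$demo_dir/admins" /root/.ssh/authorized_keys
rm -rf "$demo_dir"
```

The printed stanza is what would be imported into the master cfengine configuration. Two caveats worth keeping in mind: AppendIfNoSuchLine only ever adds, so revoking an admin's key needs a matching DeleteLinesMatching entry or a full regeneration of the target file rather than just dropping the .pub file; and the directory the script reads from should be a repository the admins commit to (or that is populated by a reviewed process), because pulling keys straight out of each user's home directory, as in question #3, means anyone who can write to that home directory can grant themselves root everywhere.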
