Re: Automating distribution of authorized_keys
From: Adams, Russell L.
Subject: Re: Automating distribution of authorized_keys
Date: Wed, 18 May 2005 06:21:40 -0500
User-agent: Mutt/1.4.2.1i

I don't see why this couldn't happen. A few m4 macros and block
editing in editfiles would make it a breeze.
Russell
On Tue, May 17, 2005 at 12:38:19PM -0400, Luke Youngblood wrote:
> I read Christian Pearce's article on Managing Root Access
> <http://www.sysnav.com/index.php?articles> and I had a few questions.
> I would have written to Christian directly, but since he's active on
> this list, I figured I might as well post here and get everyone's input.
>
> This seems like a pretty good strategy for automating root access
> management using cfengine; however, a couple of things come to mind:
>
> * This might work in a small shop where the same group of
>   Sysadmins have root on all boxes.
> * This could even work in a large shop if you use something like
>   SingleCopy nirvana to distribute the authorized_keys based on server
>   role or department.
>
> What I would really like to know is this:
>
> 1. Has anyone implemented an authorized_keys distribution system
>    that uses editfiles rather than copy?
> 2. Do you think it would be possible to build an authorized_keys
>    file on the fly if you had each sysadmin's public key as a line in an
>    editfiles statement?
> 3. Taking this even further, could a sysadmin's public key
>    automatically be copied from their home directory and updated on the
>    master cfengine repository to be included in an editfiles statement?
>    (This last action would allow anyone to regenerate their ssh key using
>    ssh-keygen and have cfengine automatically update all authorized_keys
>    files on all servers they have access to)
>
> I think the most difficult thing would be trying to turn the id_rsa.pub
> files (public keys) into an importable .cf file that could be included
> in an editfiles statement for #3 above. Or is there an easier way to do
> this that I'm missing?
>
> Thanks in advance for all your input.
>
> Luke Youngblood
> Senior System Administrator
> PhoneCharge, Inc.
> (203) 732-7639 x279
> <http://www.phonechargeinc.com>
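
The `.pub`-to-`.cf` step asked about in the quoted message (questions 2 and 3), as an added sketch that is not part of this thread and not cfengine's own code. It assumes cfengine 2 `editfiles` syntax with `AutoCreate` and `AppendIfNoSuchLine`; the function names, the allowed key types and the sample keys are constructed for illustration.

```python
import base64
import re
import struct

ALLOWED_TYPES = {"ssh-rsa", "ssh-ed25519"}          # assumption: site policy
ADMIN_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")    # assumption: admin naming rule

def check_pubkey(line):
    """Return (type, blob) for one bare OpenSSH public key line, else raise ValueError."""
    fields = line.split()
    # A leading options field (command=..., from=...) or a private key fails here.
    if len(fields) < 2 or fields[0] not in ALLOWED_TYPES:
        raise ValueError("not a bare public key of an allowed type")
    ktype, blob = fields[0], fields[1]
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError as exc:
        raise ValueError("key blob is not valid base64") from exc
    # The decoded blob begins with a length-prefixed copy of the key type.
    n = struct.unpack(">I", raw[:4])[0] if len(raw) >= 4 else 0
    if raw[4:4 + n] != ktype.encode():
        raise ValueError("key type does not match key blob")
    return ktype, blob

def render_editfiles(pubkeys, target="/root/.ssh/authorized_keys"):
    """pubkeys maps admin name -> text of that admin's .pub file; returns .cf text."""
    body, seen = [], set()
    for admin in sorted(pubkeys):
        if not ADMIN_RE.fullmatch(admin):
            raise ValueError(f"{admin!r}: unsafe admin name")
        lines = [l for l in pubkeys[admin].splitlines() if l.strip()]
        if len(lines) != 1:
            raise ValueError(f"{admin}: expected exactly one key line")
        ktype, blob = check_pubkey(lines[0])
        if blob not in seen:              # same key submitted twice: emit once
            seen.add(blob)
            # The comment is the admin name, never the user-supplied comment text.
            body.append(f'            AppendIfNoSuchLine "{ktype} {blob} {admin}"')
    head = ["editfiles:", "    any::", f"        {{ {target}", "            AutoCreate"]
    return "\n".join(head + body + ["        }"]) + "\n"

def constructed_key(ktype, comment="old@laptop"):
    """Dummy, unusable key line built only so the example runs offline."""
    raw = struct.pack(">I", len(ktype)) + ktype.encode() + bytes(32)
    return f"{ktype} {base64.b64encode(raw).decode()} {comment}"

if __name__ == "__main__":
    print(render_editfiles({"alice": constructed_key("ssh-ed25519"),
                            "bob": constructed_key("ssh-rsa")}))
```

`AppendIfNoSuchLine` only ever adds a line, so a regenerated key leaves the previous one authorized until a separate delete rule removes it.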