Re: shared ssh config management

Author: der.hans
To: Main PLUG discussion list
Subject: Re: shared ssh config management
On 11 Jun 2012, jill wrote:

Hello Jill,

> Run into a brain puzzler, hoping you guys can help me find a good
> solution.
>
> I have a rather long list of ssh config file entries for a variety of
> different customer servers. Right now I keep my own .ssh/config checked
> into a git repo so I can easily synchronize it across systems, which
> works really really well for one maybe two people. I'm trying to figure
> out how best to be able to share out with employees the customer
> entries, but not share my other personal system entries. Right now when
> I make updates I'm hand-editing out a separate file for employees that
> they then copy into their personal config, but that's going to get
> rapidly unwieldy. Ideally I'd love an Include directive in .ssh/config
> so we can all just checkout a '.ssh/company_config' that lives alongside
> each user's personal .ssh/config, or even have them separated by
> customer. Only it looks like someone submitted an almost-working patch
> for this in 2009 to a different few places that never got worked on or
> integrated, and I've seen feature requests going back 5+ years with no
> progress on that front. So I'm not holding my breath.


The way I think Joey Hess[0] ( author of many great tools such as etckeeper,
mr, debian-installer, debhelper and debconf ) would do it is probably to
create files for each category and then a script to combine them as
needed. Another way is create a config-type file that denotes hostname and
what categor{y,ies} are appropriate for the host, then have a script that
can pull together the entries for the hosts in the combination you desire.

If you go with ~/.ssh/company_config, then you could invoke ssh with -F
for work-related stuff, "ssh -F ~/.ssh/company_config". 'alias
sshwork="ssh -F ~/.ssh/company_config"' could simplify that even more.

> In lieu of being able to do ssh includes, a few people with the same
> idea seem to be doing things with ssh proxies that contain the more
> advanced configs, or running scripts in their bash profile that cat a
> bunch of disparate files together into one .ssh/config. We could make
> the company-wide config a part of the global ssh conf for every system
> we use it on, until we get to stuff like my jumphost at home that I
> share with my family and need that data to be account/profile specific.
> There are some enterprise tools that I believe could help manage all
> this, and things I could probably do with pam/domain policy/config
> management servers, I'm just finding us sitting right in a gap between
> 'that's probably overkill right now from a time and money perspective,
> but in the meantime we also have too much to manage by hand much longer'.
>
> Anyone run into this before and figured out a graceful,
> easily-maintainable way of doing this on a small/medium scale? I'm not
> looking to invest a huge amount of time in building out custom tools,
> but anything that has a reasonably low barrier to entry/deploy is good.
> The issue isn't so much getting the raw data out to user systems, git
> handles that just fine as would a number of other options, it's managing
> how ssh knows where to find and use said data when it comes from
> different sources that I'm beating my head on.


Creating the wrapper shouldn't be too difficult. A git hook to call it
after updates should be easy as well.

If the company ssh config options are each per host, then there shouldn't
be any inadvertent config collisions.

cat ~/.ssh/config_personal $git_ssh_configfiles >~/.ssh/config

Add something to keep old versions of config around if you want :).

I did something like this for managing authorized_keys in puppet. A couple
of machines needed a little custom logic, so the script did the custom
logic to determine which keys to allow, then built the authorized_keys file
to be used for the host.

[0] I've been abusing etckeeper recently, so I've been trying to
capitalize on his excellent ideas :). For certain things, "How would Joey
Hess do it?" is an excellent mental exercise.

ciao,

der.hans
-- 
#  http://www.LuftHans.com/        http://www.LuftHans.com/Classes/
#  Molotov Bible - religion thrown at other people in order to cause an
#  explosive situation - der.hans
---------------------------------------------------
PLUG-discuss mailing list -
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
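The wrapper der.hans sketches above (a personal file plus git-managed fragments concatenated into ~/.ssh/config, with the previous copy kept around), written out as a POSIX sh script. This is an added example, not code from the thread or from any tool named in it. The file layout (~/.ssh/config_personal for the private entries, one *.conf per customer under ~/.ssh/company_config.d, output to ~/.ssh/config), the variable names and the ALLOW_LOCAL_COMMANDS switch are all assumptions made for the example. It adds two checks the one-line cat does not have: it refuses to install if the same Host pattern appears more than once (ssh keeps the first value it sees for an option, so the later stanza is silently ignored), and it refuses, until ALLOW_LOCAL_COMMANDS=1 is set after someone has looked, if a shared fragment contains ProxyCommand, LocalCommand, PermitLocalCommand or Match exec, since anyone who can push to the shared repo could otherwise run a command on every employee's machine through it.

```shell
#!/bin/sh
# build_ssh_config.sh: assemble ~/.ssh/config from a personal file plus
# shared, git-managed fragments. The layout is an assumption for this
# example, not something the post prescribes:
#   $PERSONAL  personal entries, never shared    (default ~/.ssh/config_personal)
#   $FRAGDIR   shared fragments, one *.conf each (default ~/.ssh/company_config.d)
#   $TARGET    the generated file ssh reads      (default ~/.ssh/config)
set -eu

PERSONAL="${PERSONAL:-$HOME/.ssh/config_personal}"
FRAGDIR="${FRAGDIR:-$HOME/.ssh/company_config.d}"
TARGET="${TARGET:-$HOME/.ssh/config}"

# Print each Host pattern that occurs more than once across the given files.
# ssh keeps the first value it sees for an option, so a second stanza for the
# same pattern is silently ignored, and a stray "Host *" in a fragment wins
# for every host not matched earlier in the file.
find_duplicate_hosts() {
    awk 'tolower($1) == "host" {
             for (i = 2; i <= NF; i++)
                 if (++seen[$i] == 2) print $i
         }' "$@"
}

# Print lines in shared fragments that make ssh run a local command. Whoever
# can push to the shared repo could use these to run a command on every
# machine that installs the fragments, so they get a human look first.
# /dev/null is appended so grep always prefixes the file name.
find_local_commands() {
    grep -inE '^[[:space:]]*(ProxyCommand|LocalCommand|PermitLocalCommand|Match[[:space:]].*exec)' \
        "$@" /dev/null || true
}

# Write $TARGET = $PERSONAL followed by every fragment, keeping the previous
# copy as $TARGET.old. Personal entries come first so they take precedence.
# Fails on duplicate Host patterns, and on local commands in the fragments
# unless ALLOW_LOCAL_COMMANDS=1 says they have been reviewed.
build_ssh_config() {
    set -- "$FRAGDIR"/*.conf
    [ -e "$1" ] || { echo "no fragments in $FRAGDIR" >&2; return 1; }
    [ -r "$PERSONAL" ] || { echo "cannot read $PERSONAL" >&2; return 1; }

    dups=$(find_duplicate_hosts "$PERSONAL" "$@")
    if [ -n "$dups" ]; then
        printf 'duplicate Host pattern(s), refusing to install:\n%s\n' "$dups" >&2
        return 1
    fi
    cmds=$(find_local_commands "$@")
    if [ -n "$cmds" ] && [ "${ALLOW_LOCAL_COMMANDS:-0}" != 1 ]; then
        printf 'fragments run local commands; review, then set ALLOW_LOCAL_COMMANDS=1:\n%s\n' "$cmds" >&2
        return 1
    fi

    tmp="$TARGET.tmp.$$"
    (
        umask 077   # ssh refuses a config that is group- or world-writable
        {
            printf '# Generated by build_ssh_config.sh; edit %s or %s/ instead.\n' \
                "$PERSONAL" "$FRAGDIR"
            for f in "$PERSONAL" "$@"; do
                printf '\n# ---- %s ----\n' "$f"
                cat "$f"
            done
        } > "$tmp"
    )
    [ -e "$TARGET" ] && cp -p "$TARGET" "$TARGET.old"
    mv "$tmp" "$TARGET"
}

# Build only when run as a script, so the functions can also be sourced.
case "${0##*/}" in build_ssh_config.sh) build_ssh_config "$@" ;; esac
```

To get the git hook der.hans mentions, put `exec ~/bin/build_ssh_config.sh` in the shared repo's .git/hooks/post-merge so every `git pull` regenerates the file; git runs post-merge after a successful merge or pull. Two caveats on the alternatives in the post: `ssh -F file` replaces the configuration entirely (ssh then ignores both ~/.ssh/config and /etc/ssh/ssh_config), so a company-only file used that way cannot rely on personal defaults such as IdentityFile or a home jumphost; and the Include directive jill was waiting for did land in OpenSSH 7.3 (2016), so on current systems a one-line `Include company_config.d/*.conf` in ~/.ssh/config makes the concatenation step unnecessary, although the review of what the shared fragments are allowed to execute still applies.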