shared ssh config management

jill lists at bespokess.com
Mon Jun 11 13:28:22 MST 2012


I've run into a brain puzzler, hoping you guys can help me find a good
solution.

I have a rather long list of ssh config file entries for a variety of
different customer servers.  Right now I keep my own .ssh/config checked
into a git repo so I can easily synchronize it across systems, which
works really really well for one maybe two people.  I'm trying to figure
out how best to be able to share out with employees the customer
entries, but not share my other personal system entries.  Right now when
I make updates I'm hand-editing out a separate file for employees that
they then copy into their personal config, but that's going to get
rapidly unwieldy.  Ideally I'd love an Include directive in .ssh/config
so we can all just checkout a '.ssh/company_config' that lives alongside
each user's personal .ssh/config, or even have them separated by
customer.  Only it looks like someone submitted an almost-working patch
for this in 2009 to a few different places that never got worked on or
integrated, and I've seen feature requests going back 5+ years with no
progress on that front.  So I'm not holding my breath.

In lieu of being able to do ssh includes, a few people with the same
idea seem to be doing things with ssh proxies that contain the more
advanced configs, or running scripts in their bash profile that cat a
bunch of disparate files together into one .ssh/config.  We could make
the company-wide config a part of the global ssh conf for every system
we use it on, until we get to stuff like my jumphost at home that I
share with my family and need that data to be account/profile specific.
There are some enterprise tools that I believe could help manage all
this, and things I could probably do with pam/domain policy/config
management servers, I'm just finding us sitting right in a gap between
'that's probably overkill right now from a time and money perspective,
but in the meantime we also have too much to manage by hand for much longer'.

Anyone run into this before and figured out a graceful,
easily-maintainable way of doing this on a small/medium scale?  I'm not
looking to invest a huge amount of time in building out custom tools,
but anything that has a reasonably low barrier to entry/deploy is good.
The issue isn't so much getting the raw data out to user systems, git
handles that just fine as would a number of other options, it's managing
how ssh knows where to find and use said data when it comes from
different sources that I'm beating my head on.

Thanks!
-- 
Jill
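The "script that cats a bunch of disparate files together" approach the post mentions, written out as an added example (this is editorial code, not something from the original thread or from any tool it names). It assumes a fragment directory such as ~/.ssh/config.d/ holding personal, per-customer and default pieces with numeric prefixes; the per-customer files are the ones you would track in the company git checkout, the personal file stays out of it. Two things the post's ad-hoc concatenation would not give you: ssh_config keeps the first value it sees for each option, so fragment order is override order and `Host *` defaults must land last; and a literal alias defined twice across fragments is silently shadowed, so the script lints for that. The sample fragments are constructed for the demo, not real customer data. Note that OpenSSH 7.3 (2016) did eventually add an `Include` directive, which on a current system replaces this script with one line per fragment directory; the post predates it.

```shell
#!/bin/sh
# Added example: assemble ~/.ssh/config from ordered fragments.
# Assumed layout (not from the post):
#   ~/.ssh/config.d/10-personal.conf        personal entries, kept out of the company repo
#   ~/.ssh/config.d/50-customer-acme.conf   one shared file per customer, from git
#   ~/.ssh/config.d/90-defaults.conf        "Host *" fallbacks, must come last
# ssh_config is first-match-wins per option, so fragment order is override order.
set -e

# Concatenate readable *.conf fragments from $2 into $1 in lexical order
# (hence the numeric prefixes), writing via a temp file so the swap is atomic.
assemble_ssh_config() {
    out=$1; fragdir=$2
    tmp=$(mktemp "${out}.XXXXXX")
    {
        printf '# Generated from %s; edit the fragments, not this file.\n' "$fragdir"
        for f in "$fragdir"/*.conf; do
            [ -r "$f" ] || continue
            printf '\n# ---- %s ----\n' "${f##*/}"
            cat "$f"
        done
    } > "$tmp"
    chmod 600 "$tmp"          # hostnames and jump paths are worth keeping private
    mv -f "$tmp" "$out"
}

# Print literal Host aliases that appear more than once in $1 and return 1 if
# any were found: with first-match-wins the later copy never takes effect.
# Wildcard/negated patterns (* ? !) are skipped since repeating them is normal.
find_duplicate_hosts() {
    awk '
        tolower($1) == "host" {
            for (i = 2; i <= NF; i++) {
                if ($i ~ /[*?!]/) continue
                if (seen[$i]++) { print $i; dup = 1 }
            }
        }
        END { exit (dup ? 1 : 0) }
    ' "$1"
}

# Ask ssh itself to parse the result: -G (OpenSSH 6.8+) prints the effective
# config for a host without connecting. Returns 2 if ssh -G is unavailable.
validate_with_ssh() {
    command -v ssh >/dev/null 2>&1 || return 2
    ssh -G -F /dev/null localhost >/dev/null 2>&1 || return 2
    ssh -G -F "$1" localhost >/dev/null 2>&1
}

# Constructed sample fragments for a self-contained demo (hypothetical hosts).
write_sample_fragments() {
    d=$1
    mkdir -p "$d"
    cat > "$d/10-personal.conf" <<'EOF'
# Personal entries: not shared, not in the company repo
Host home-jump
    HostName jump.example.net
    User jill
EOF
    cat > "$d/50-customer-acme.conf" <<'EOF'
# Shared: one file per customer, tracked in the company git repo
Host acme-web acme-db
    HostName %h.acme.example.com
    User deploy
    ProxyCommand ssh -W %h:%p acme-bastion
Host acme-bastion
    HostName bastion.acme.example.com
    User deploy
EOF
    cat > "$d/90-defaults.conf" <<'EOF'
# Fallbacks: last on purpose, ssh keeps the first value it sees per option
Host *
    ServerAliveInterval 30
EOF
}

# Stand-alone demo: build the sample tree in a temp dir and show the result.
demo() {
    d=$(mktemp -d)
    write_sample_fragments "$d/config.d"
    assemble_ssh_config "$d/config" "$d/config.d"
    cat "$d/config"
    find_duplicate_hosts "$d/config" && echo "no duplicate host aliases"
    rm -rf "$d"
}
case "${1:-}" in --demo) demo ;; esac
```

For real use, call `assemble_ssh_config "$HOME/.ssh/config" "$HOME/.ssh/config.d"` from a login script or a post-merge git hook in the company checkout, and run `find_duplicate_hosts` and `validate_with_ssh` on the result before trusting it. Since the generated file is overwritten every time, nobody should hand-edit ~/.ssh/config any more; that is the point, but it is also the thing to tell employees up front.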



More information about the PLUG-discuss mailing list