shared ssh config management

Lisa Kachold lisakachold at obnosis.com
Mon Jun 11 14:28:15 MST 2012


The use of puppet or chef could would handle this, as well as other
configurations like /etc/hosts, guid/uid for SAMBA, smb.conf, and more.

Each of puppet and Chef have their best uses, but automation is the only
way to make large scale systems management economically feasible while
secure.

On Mon, Jun 11, 2012 at 1:28 PM, jill <lists at bespokess.com> wrote:

> Run into a brain puzzler, hoping you guys can help me find a good
> solution.
>
> I have a rather long list of ssh config file entries for a variety of
> different customer servers.  Right now I keep my own .ssh/config checked
> into a git repo so I can easily synchronize it across systems, which
> works really really well for one maybe two people.  I'm trying to figure
> out how best to be able to share out with employees the customer
> entries, but not share my other personal system entries.  Right now when
> I make updates I'm hand-editing out a separate file for employees that
> they then copy into their personal config, but that's going to get
> rapidly unwieldy.  Ideally I'd love an Include directive in .ssh/config
> so we can all just checkout a '.ssh/company_config' that lives alongside
> each users personal .ssh/config, or even have them separated by
> customer.  Only it looks like someone submitted an almost-working patch
> for this in 2009 to a different few places that never got worked on or
> integrated, and I've seen feature requests going back 5+ years with no
> progress on that front.  So I'm not holding my breath.
>
> In lieu of being able to do ssh includes, a few people with the same
> idea seem to be doing things with ssh proxies that contain the more
> advanced configs, or running scripts in their bash profile that cat a
> bunch of disparate files together into one .ssh/config.  We could make
> the company-wide config a part of the global ssh conf for every system
> we use it on, until we get to stuff like my jumphost at home that I
> share with my family and need that data to be account/profile specific.
> There are some enterprise tools that I believe could help manage all
> this, and things I could probably do with pam/domain policy/config
> management servers, I'm just finding us sitting right in a gap between
> 'that's probably overkill right now from a time and money perspective,
> but in the meantime we also have too much manage by hand much longer'.
>
> Anyone run into this before and figured out a graceful,
> easily-maintainable way of doing this on a small/medium scale?  I'm not
> looking to invest a huge amount of time in building out custom tools,
> but anything that has a reasonably low barrier to entry/deploy is good.
> The issue isn't so much getting the raw data out to user systems, git
> handles that just fine as would a number of other options, it's managing
> how ssh knows where to find and use said data when it comes from
> different sources that I'm beating my head on.
>
> Tanks!
> --
> Jill
>
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>



-- 
(503) 754-4452 Android
(623) 239-3392 Skype
(623) 688-3392 Google Voice
**
<http://it-clowns.com>Safeway.com
Automation Engineer
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.PLUG.phoenix.az.us/pipermail/plug-discuss/attachments/20120611/a1d8fdf8/attachment.html>


More information about the PLUG-discuss mailing list