Message-ID: <555D0485.1020000@gmail.com>
Date: Thu, 21 May 2015 00:02:45 +0200
From: Alan McKinnon
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] user config provisioning
In-Reply-To: <555CF761.90307@xunil.at>
List-Id: Gentoo Linux mail

On 20/05/2015 23:06, Stefan G. Weichinger wrote:
>
> I am currently trying to slim down and minimize my own few machines.
>
> Way too many customer servers out there, so I'd like to keep it simple in
> here at least.
>
> This led me to configuring and provisioning my machines via ansible.
>
> The goals:
>
> * make sure that my user exists
> * roll out configs/dotfiles/git-repos/home-dir
> * maybe roll out some system-configs as well (systemd-units, timers) /
>   ... separate ansible-role, OT here
>
> etc
>
> I have set up and maintained quite a list of bash-aliases to access my
> customer-servers in daily work.
>
> Something like:
>
> alias abcd-server='ssh -p 51023 174.183.26.11' # demo only
>
> This is based on ssh-pubkey-authentication, sure.
>
> My questions:
>
> * if I have a user X on each machine, should each userX@machine have its
>   own ssh-pubkey? Or is it OK to roll out the same ~/.ssh to all machines?
>
> * same q for ~/.gnupg ...
>
> I can deploy the pubkeys to the servers via ansible, sure.
> But I would like to keep it simple. stupid.
>
> ;)

My opinion on this question is that it's irrelevant really. Whether you
have one or X key pairs really doesn't matter, as you effectively only
have one from a security POV.

What do I mean by that?

Well, all your private keys are likely in one place, ~/.ssh on your own
workstation, as it doesn't scale well to do it any other way. You
probably store the passphrase for all keys in the same wallet, all
protected by the same password. Let's be honest, we *all* do it like
this :-)

So effectively we do not have X keys, we have 1 key as they are all
protected by the same thing.

From a convenience POV, managing multiple keys is a huge PITA and there's
no fast, accurate, simple way to tell them apart. You have to store them
in different places, or examine the trailing comment in each.

My usual recommendation is to use the same key for everything, except
those servers where you have a very good reason not to. Examples might be
a customer contract where you agreed to deploy a unique key used nowhere
else, or an exceptional machine with exceptional security needs. Or even
an ancient machine that you can't update that can only use ssh-1 keys :-)

Limit the number of things you have to keep in your head; that lets you
focus on improving a smaller number of security aspects and is also more
convenient. Additionally, the simpler your policy rules, the easier it is
to write an ansible play to implement them.

-- 
Alan McKinnon
alan.mckinnon@gmail.com
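Two things in Alan's reply are checkable rather than a matter of opinion: whether every private key in ~/.ssh really is protected by a passphrase, and how to tell the keys apart beyond "examine the trailing comment in each". The script below is an added example for this thread, not code from the list, from OpenSSH or from Ansible. It walks a ~/.ssh directory, prints each key's SHA256 fingerprint in the form ssh-keygen -l uses, pairs it with the comment from the matching .pub file, and flags any OpenSSH-format private key whose cleartext header says ciphername "none" (stored with no passphrase). The parsing follows OpenSSH's documented private-key layout; the sample key files it writes are constructed dummies with a valid header and a junk private section, and the file names, comments and scratch directory are made up for the demo.

```python
"""Inventory a ~/.ssh directory: fingerprint every key pair and flag private keys
stored without a passphrase.  Added example, not code from this thread or OpenSSH."""
import base64
import hashlib
import struct
import tempfile
from pathlib import Path

PEM_HEAD = "-----BEGIN OPENSSH PRIVATE KEY-----"
PEM_TAIL = "-----END OPENSSH PRIVATE KEY-----"
MAGIC = b"openssh-key-v1\x00"                     # OpenSSH PROTOCOL.key magic

def _ssh_string(b: bytes) -> bytes:
    """Encode an SSH wire-format string: uint32 big-endian length + bytes."""
    return struct.pack(">I", len(b)) + b

def _read_string(buf: bytes, off: int):
    """Decode one SSH wire-format string at off; return (bytes, new_off)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def fingerprint(pub_blob: bytes) -> str:
    """SHA256 fingerprint as ssh-keygen -l prints it (base64, no padding)."""
    digest = hashlib.sha256(pub_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_public_key_line(line: str) -> dict:
    """Parse one 'type base64 [comment]' line (id_*.pub or authorized_keys)."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("not a public key line")
    return {"type": parts[0], "comment": parts[2] if len(parts) == 3 else "",
            "fingerprint": fingerprint(base64.b64decode(parts[1]))}

def parse_private_key(pem: str) -> dict:
    """Read the cleartext header of an OpenSSH-format private key: magic, string
    ciphername/kdfname/kdfoptions, uint32 nkeys, public blob(s).  'none' = no passphrase."""
    lines = [l.strip() for l in pem.strip().splitlines()]
    if lines[0] != PEM_HEAD or lines[-1] != PEM_TAIL:
        raise ValueError("not an OpenSSH private key")
    raw = base64.b64decode("".join(lines[1:-1]))
    if not raw.startswith(MAGIC):
        raise ValueError("bad magic")
    off = len(MAGIC)
    cipher, off = _read_string(raw, off)
    kdf, off = _read_string(raw, off)
    _, off = _read_string(raw, off)               # kdfoptions (salt, rounds)
    off += 4                                      # nkeys; 1 in practice
    pub, off = _read_string(raw, off)             # first public-key blob
    key_type, _ = _read_string(pub, 0)
    return {"type": key_type.decode(), "cipher": cipher.decode(), "kdf": kdf.decode(),
            "encrypted": cipher != b"none", "fingerprint": fingerprint(pub)}

def audit_ssh_dir(ssh_dir) -> list:
    """One record per OpenSSH-format private key in ssh_dir, with its .pub comment."""
    report = []
    for priv in sorted(Path(ssh_dir).iterdir()):
        if priv.suffix == ".pub" or not priv.is_file():
            continue
        text = priv.read_text(errors="replace")
        if PEM_HEAD not in text:
            continue                              # config, known_hosts, old PEM keys
        rec = parse_private_key(text)
        rec["file"] = priv.name
        pub = Path(str(priv) + ".pub")
        rec["comment"] = parse_public_key_line(pub.read_text())["comment"] if pub.exists() else ""
        report.append(rec)
    return report

def build_sample_key(encrypted: bool, seed: int, comment: str):
    """Constructed sample: valid header, dummy ed25519 public blob, junk private
    section.  Not a usable key; only the header fields are meaningful."""
    pub_blob = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes([seed]) * 32)
    if encrypted:
        cipher, kdf = b"aes256-ctr", b"bcrypt"
        kdfopts = _ssh_string(b"\x00" * 16) + struct.pack(">I", 16)   # salt, rounds
    else:
        cipher, kdf, kdfopts = b"none", b"none", b""
    raw = (MAGIC + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(kdfopts)
           + struct.pack(">I", 1) + _ssh_string(pub_blob) + _ssh_string(b"\x00" * 64))
    b64 = base64.b64encode(raw).decode()
    pem = "\n".join([PEM_HEAD] + [b64[i:i + 70] for i in range(0, len(b64), 70)] + [PEM_TAIL, ""])
    return pem, f"ssh-ed25519 {base64.b64encode(pub_blob).decode()} {comment}\n"

def demo(ssh_dir=None) -> list:
    """Write two constructed keys (made-up names/comments) to a scratch dir and audit it."""
    ssh_dir = Path(ssh_dir or tempfile.mkdtemp())
    for name, enc, seed, comment in [("id_ed25519", False, 1, "alan@workstation"),
                                     ("id_ed25519_abcd", True, 2, "customer-abcd only")]:
        pem, pub = build_sample_key(enc, seed, comment)
        (ssh_dir / name).write_text(pem)
        (ssh_dir / (name + ".pub")).write_text(pub)
    report = audit_ssh_dir(ssh_dir)
    for r in report:
        status = "ok" if r["encrypted"] else "NO PASSPHRASE"
        print(f"{r['file']:<18} {r['fingerprint']}  {r['comment']!r:<22} {status}")
    return report

if __name__ == "__main__":
    demo()
```

Run it as a script to see the two constructed samples, or call audit_ssh_dir(os.path.expanduser("~/.ssh")) against a real directory. Keys in the older PEM container (BEGIN RSA PRIVATE KEY) are skipped; for those, an encrypted file is signalled by a Proc-Type: 4,ENCRYPTED header instead. If you do keep a separate key for the one customer that demands it, the normal way to bind it to that host without a shell alias is a Host stanza in ~/.ssh/config with IdentityFile and IdentitiesOnly yes, which this script only inventories, not writes.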