Is it possible to have ssh public key id_dsa.pub stored on a centralized server

Another solution would be exported resources and puppet.

Procedure

  1. place the public ssh key on the puppet server
  2. configure exported resources to place the file in $HOME/.ssh/authorized_keys
  3. collect the keys on all the other boxes

This requires a centralized puppet infrastructure with a server. Exported resources are only available with a puppet server (which by coincidence is the default setup in nearly all of the howtos and documentation).

References

  • https://puppet.com/docs/puppet/latest/lang_exported.html
  • https://projects.puppetlabs.com/projects/puppet/wiki/Module_Ssh_Auth_Patterns

I'd prefer that over patching SSH since you can work with your default distro package this way without having to resort to your own package (which then introduces the problem of installing that on all hosts; even with a repository you need to configure yum or apt to know about it).

Puppet too requires touching every single host. But only one time; after that you can manage everything from your workstation. And yes: it could be done with chef, bcfg2 or cfengine (or a fancy ssh for loop); I just happen to like puppet more than the other options.

Also: This is not a "5 minutes and I'm done" solution. But once you manage your hosts you'll ask yourself why it all started with ssh keys; you won't need to log in after all (in a perfect world).

EDIT: Just read in the comment above/below (depending on your sorting) that you don't have control over everything. I suggest you take a good look at it and decide whether it's worth the effort of introducing something like this. Fabric might be an alternative since you can run commands on a ton of hosts with a single password entry, therefore entering your password only once and distributing the key, then running fabric even without a password if you find further uses for it.
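The three-step procedure above, written out as a Puppet manifest (an added example, not part of the answer): one node exports the DSA public key as an ssh_authorized_key resource, every other node collects it. The node names, the `admin` user, the `admin_keys` tag and the key blob are constructed placeholders.

```puppet
# Step 1 + 2: on the node that holds the public key (here the puppet server
# itself), export an ssh_authorized_key resource instead of writing the
# authorized_keys file directly. The "@@" prefix marks it as exported.
node 'puppet.example.com' {
  @@ssh_authorized_key { 'admin@workstation':   # placeholder comment field of the key
    ensure => present,
    user   => 'admin',          # placeholder: target account on every box
    type   => 'ssh-dss',        # matches id_dsa.pub from the question
    # placeholder: the base64 blob from id_dsa.pub, WITHOUT the "ssh-dss" prefix
    key    => 'AAAAB3NzaC1kc3MAAACBAP-CONSTRUCTED-PLACEHOLDER-KEY',
    tag    => 'admin_keys',     # lets collectors pick only these keys
  }
}

# Step 3: on all the other boxes, collect every exported key carrying the tag.
# The type writes the entry into ~admin/.ssh/authorized_keys (its default target),
# so no separate file resource is needed.
node default {
  Ssh_authorized_key <<| tag == 'admin_keys' |>>
}
```

Collecting exported resources needs storeconfigs (PuppetDB) enabled on the puppet server, and ssh_authorized_key autorequires the user it manages, so the `admin` account must exist or be managed on each node.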


One way to address this is by storing your public ssh keys on an ldap server. I'm not sure if any ssh implementations have this built in, but you can patch OpenSSH with OpenSSH-LPK to make that work. I haven't tried it, and presumably that only works if you've already got an ldap infrastructure set up.