Is it possible to have ssh public key id_dsa.pub stored on a centralized server

ssh

Another solution would be exported resources and puppet.

Procedure

  1. place the public ssh key on the puppet server
  2. configure exported resources to place the file in $HOME/.ssh/authorized_keys
  3. collect the keys on all the other boxes

This requires a centralized puppet infrastructure with a server. Exported resources are only available with a puppet server (which by coincidence is the default setup in nearly all of the howtos and documentation)

References

  • https://puppet.com/docs/puppet/latest/lang_exported.html
  • https://projects.puppetlabs.com/projects/puppet/wiki/Module_Ssh_Auth_Patterns

I'd prefer that over patching SSH since you can work with you default distro package this way without having to resort to you package (which then introduces the problem of installing that on all hosts, even with a repository you need to configure yum or apt to know about it).

Puppet too requires touching every single host. But only one time, after that you can manage everything from you workstation. And yes: it could be done with chef, bcfg2 or cfengine (or a fancy ssh for loop) I just happen to like puppet more than the other options.

Also: This is not a 5 minutes and I'm done solution. But once you manage your hosts you'll aks yourself why it all started with ssh keys, you won't need to log in after all (in a perfect world)

EDIT: Just read in the comment above/below (depending on your sorting) you don't have control over everything. I suggest you take a good look at it and decide wether it's worth the effort of introducing something like this. Fabric might be an alternative since you can run commands on a ton of hosts with a single password entry, therefore entering you password only once and distribute the key, then run fabric even without password if you find further uses for it.


One way to address this is by storing your public ssh keys on an ldap server. I'm not sure if any ssh implementations have this built in, but you can use patch OpenSSH with OpenSSH-LPK to make that work. I haven't tried it, and presumably that only works if you've already got an ldap infrastructure set up.

Related

How can I easily manage constantly changing public IP addresses in my many security groups
What kind of slide rails do I need?
Trusted Platform Module (TPM) versions 1.2 vs 2.0 and header number of pins
Configure DNS routing in wireguard
Why is my upstream localhost? Getting 500 but no app error in Nginx. " no live upstreams while connecting to upstream"
Memory consumed quickly on my server [duplicate]
http 500 error on first visit only
GCP doesn't allow me to create a new project even if no other project is active
How to run a script only during first install of a package and not during upgrades?
Valgrind does debug error
How to install 64-bit .deb file on a 32-bit machine?
Tool for viewing LibreOffice Writer files in terminal window